hooks: fix nvidia hook when running under the lxc-start AppArmor profile

For a reason that I don't understand, the profile transition needs to be done on the current process. Changing the attributes for a subsequent execve(2) (with /proc/self/attr/exec) will cause the kernel to set AT_SECURE in the auxiliary vector and thus secure_getenv(3) inside libnvidia-container will return NULL. Signed-off-by: Felix Abecassis <fabecassis@nvidia.com>

hooks: fix nvidia hook when running under the lxc-start AppArmor profile
4a0a5e89 · Felix Abecassis · d3435415 · 4a0a5e89
Commit 4a0a5e89 authored Mar 19, 2018 by Felix Abecassis
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

nvidia hooks/nvidia +5 -0

No files found.
--- a/hooks/nvidia
+++ b/hooks/nvidia
@@ -235,5 +235,10 @@ if [ "${CLI_DISABLE_REQUIRE}" = "false" ]; then
    done
 fi

+if [ -d "/sys/kernel/security/apparmor" ]; then
+    # Try to transition to the unconfined AppArmor profile.
+    echo "changeprofile unconfined" > /proc/self/attr/current || true
+fi
+
 set -x
 exec nvidia-container-cli ${global_args[@]} configure ${configure_args[@]} "${LXC_ROOTFS_MOUNT}"