Apparmor: use lxc-default-cgns if cgns is enabled

Because containers need to - and safely can - mount cgroufs in that case. Note that if cgns is enabled but the unshare fails, we fail the container start, so checking whether they are enabled is enough. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

Apparmor: use lxc-default-cgns if cgns is enabled
603fd084 · Serge Hallyn · dc76ac7a · 603fd084
Commit 603fd084 authored Feb 21, 2016 by Serge Hallyn
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

apparmor.c src/lxc/lsm/apparmor.c +8 -2

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -31,6 +31,7 @@
 #include "log.h"
 #include "lsm/lsm.h"
 #include "conf.h"
+#include "utils.h"

 lxc_log_define(lxc_apparmor, lxc);

@@ -40,6 +41,7 @@ static int aa_enabled = 0;
 static int mount_features_enabled = 0;

 #define AA_DEF_PROFILE "lxc-container-default"
+#define AA_DEF_PROFILE_CGNS "lxc-container-default-cgns"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
 #define AA_UNCHANGED "unchanged"
@@ -202,8 +204,12 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 	free(curlabel);

 	if (!label) {
-		if (use_default)
-			label = AA_DEF_PROFILE;
+		if (use_default) {
+			if (cgns_supported())
+				label = AA_DEF_PROFILE_CGNS;
+			else
+				label = AA_DEF_PROFILE;
+		}
 		else
 			label = "unconfined";
 	}