Skip to content

L
lxc
Commit 7196c7b3 by Serge Hallyn
Options

apparmor: check for mount feature at a better time

Check for it when we check for apparmor being enabled, rather than doing it during the middle of a container setup. This avoid the need to try mounting /sys and /sys/kernel/security in the middle of startup, which we may not be allowed to anyway. Signed-off-by: 's avatarSerge Hallyn <serge.hallyn@ubuntu.com> Acked-by: 's avatarDwight Engen <dwight.engen@oracle.com>
parent cc4ae28d
Showing with 15 additions and 30 deletions
src/lxc/lsm/apparmor.c
...@@ -37,43 +37,25 @@ lxc_log_define(lxc_apparmor, lxc); ...@@ -37,43 +37,25 @@ lxc_log_define(lxc_apparmor, lxc);
/* set by lsm_apparmor_drv_init if true */ /* set by lsm_apparmor_drv_init if true */
static int aa_enabled = 0; static int aa_enabled = 0;
static int mount_features_enabled = 0;
#define AA_DEF_PROFILE "lxc-container-default" #define AA_DEF_PROFILE "lxc-container-default"
#define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
#define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
static bool mount_feature_enabled(void) static bool check_mount_feature_enabled(void)
{
return mount_features_enabled == 1;
}
static void load_mount_features_enabled(void)
{ {
struct stat statbuf; struct stat statbuf;
struct statfs sf;
int ret; int ret;
bool mountedsys = false, mountedk = false, bret = true;
ret = statfs("/sys", &sf);
if (ret < 0 || sf.f_type != 0x62656572) {
if (mount("sysfs", "/sys", "sysfs", 0, NULL) < 0) {
SYSERROR("Error mounting sysfs");
return false;
}
mountedsys = true;
}
if (stat("/sys/kernel/security/apparmor", &statbuf) < 0) {
if (mount("securityfs", "/sys/kernel/security", "securityfs", 0, NULL) < 0) {
SYSERROR("Error mounting securityfs");
if (mountedsys)
umount2("/sys", MNT_DETACH);
return false;
}
mountedk = true;
}
ret = stat(AA_MOUNT_RESTR, &statbuf); ret = stat(AA_MOUNT_RESTR, &statbuf);
if (ret != 0) if (ret == 0)
bret = false; mount_features_enabled = 1;
if (mountedk)
umount2("/sys/kernel/security", MNT_DETACH);
if (mountedsys)
umount2("/sys", MNT_DETACH);
return bret;
} }
/* aa_getcon is not working right now. Use our hand-rolled version below */ /* aa_getcon is not working right now. Use our hand-rolled version below */
...@@ -88,8 +70,11 @@ static int apparmor_enabled(void) ...@@ -88,8 +70,11 @@ static int apparmor_enabled(void)
return 0; return 0;
ret = fscanf(fin, "%c", &e); ret = fscanf(fin, "%c", &e);
fclose(fin); fclose(fin);
if (ret == 1 && e == 'Y') if (ret == 1 && e == 'Y') {
load_mount_features_enabled();
return 1; return 1;
}
return 0; return 0;
} }
...@@ -180,7 +165,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf ...@@ -180,7 +165,7 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
label = "unconfined"; label = "unconfined";
} }
if (!mount_feature_enabled() && strcmp(label, "unconfined") != 0) { if (!check_mount_feature_enabled() && strcmp(label, "unconfined") != 0) {
WARN("Incomplete AppArmor support in your kernel"); WARN("Incomplete AppArmor support in your kernel");
if (!conf->lsm_aa_allow_incomplete) { if (!conf->lsm_aa_allow_incomplete) {
ERROR("If you really want to start this container, set"); ERROR("If you really want to start this container, set");
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment