apparmor: cache the are-we-enabled decision

Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to - just cache the decision made at lsm_apparmor_drv_init(). Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: cache the are-we-enabled decision
7e6966e5 · Serge Hallyn · Stéphane Graber · 33662399 · 7e6966e5
Commit 7e6966e5 authored Oct 23, 2013 by Serge Hallyn Committed by Stéphane Graber Oct 23, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

apparmor.c src/lxc/lsm/apparmor.c +5 -1

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -32,6 +32,9 @@
 lxc_log_define(lxc_apparmor, lxc);
+/* set by lsm_apparmor_drv_init if true */
+static int aa_enabled = 0;
 #define AA_DEF_PROFILE "lxc-container-default"
 #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask"
 #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled"
@@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void)
 static int apparmor_process_label_set(const char *label, int use_default,
 				      int on_exec)
 {
-	if (!apparmor_enabled())
+	if (!aa_enabled)
 		return 0;
 	if (!label) {
@@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void)
 {
 	if (!apparmor_enabled())
 		return NULL;
+	aa_enabled = 1;
 	return &apparmor_drv;
 }