Don't try to change aa label if we are already apparmor-confined

Closes #1459 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Don't try to change aa label if we are already apparmor-confined
9bfdc0ad · Serge Hallyn · Stéphane Graber · 642e2c5e · 9bfdc0ad
Commit 9bfdc0ad authored Jan 04, 2016 by Serge Hallyn Committed by Stéphane Graber Jan 04, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 35 additions and 3 deletions

apparmor.c src/lxc/lsm/apparmor.c +35 -3

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -127,12 +127,31 @@ again:
 	return buf;
 }

-static int apparmor_am_unconfined(void)
+/*
+ * Probably makes sense to reorganize these to only read
+ * the label once
+ */
+static bool apparmor_am_unconfined(void)
 {
 	char *p = apparmor_process_label_get(getpid());
-	int ret = 0;
+	bool ret = false;
 	if (!p || strcmp(p, "unconfined") == 0)
-		ret = 1;
+		ret = true;
+	free(p);
+	return ret;
+}
+
+/* aa stacking is not yet supported */
+static bool aa_stacking_supported(void) {
+	return false;
+}
+
+/* are we in a confined container? */
+static bool in_aa_confined_container(void) {
+	char *p = apparmor_process_label_get(getpid());
+	bool ret = false;
+	if (p && strcmp(p, "/usr/bin/lxc-start") != 0)
+		ret = true;
 	free(p);
 	return ret;
 }
@@ -163,6 +182,19 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		return 0;
 	}

+	/*
+	 * If we are already confined and no profile was requested,
+	 * then default to unchanged
+	 */
+	if (in_aa_confined_container() && !aa_stacking_supported()) {
+		if (label) {
+			ERROR("already apparmor confined, but new label requested.");
+			return -1;
+		}
+		INFO("Already apparmor-confined");
+		return 0;
+	}
+
 	if (!label) {
 		if (use_default)
 			label = AA_DEF_PROFILE;