apparmor: don't do on-exec profile changes

always change profile immediately. Otherwise there are weird corner cases where the profile change may not happen. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

apparmor: don't do on-exec profile changes
dd666a90 · Serge Hallyn · Stéphane Graber · 223b1e0c · dd666a90
Commit dd666a90 authored Feb 21, 2014 by Serge Hallyn Committed by Stéphane Graber Feb 25, 2014
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 9 deletions

apparmor.c src/lxc/lsm/apparmor.c +2 -9

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -125,7 +125,7 @@ static int apparmor_am_unconfined(void)
 *
 * @label   : the profile to set
 * @default : use the default profile if label is NULL
- * @on_exec : the new profile will take effect on exec(2) not immediately
+ * @on_exec : this is ignored.  Apparmor profile will be changed immediately
 *
 * Returns 0 on success, < 0 on failure
 *
@@ -149,19 +149,12 @@ static int apparmor_process_label_set(const char *label, int use_default,
 		return 0;
 	}
-	if (on_exec) {
-		if (aa_change_onexec(label) < 0) {
-			SYSERROR("failed to change exec apparmor profile to %s", label);
-			return -1;
-		}
-	} else {
 	if (aa_change_profile(label) < 0) {
 		SYSERROR("failed to change apparmor profile to %s", label);
 		return -1;
 	}
-	}
-	INFO("changed apparmor%s profile to %s", on_exec ? " exec" : "", label);
+	INFO("changed apparmor profile to %s", label);
 	return 0;
 }