use proper config item depending on which lsm is enabled

On a system with AppArmor enabled, if lxc.se_context is configured but lxc.aa_profile is not (because the user just wants to use the default AppArmor profile) lxc was passing the lxc.se_context to be set as the new AppArmor profile. Determine which configuration item to use based on which lsm is enabled. Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

use proper config item depending on which lsm is enabled
e0b6898a · Dwight Engen · Serge Hallyn · 72863294 · e0b6898a
Commit e0b6898a authored Oct 18, 2013 by Dwight Engen Committed by Serge Hallyn Oct 18, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

start.c src/lxc/start.c +6 -3

No files found.
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -488,6 +488,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf)
 static int do_start(void *data)
 {
 	struct lxc_handler *handler = data;
+	const char *lsm_label = NULL;
 	if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
 		SYSERROR("failed to set sigprocmask");
@@ -557,9 +558,11 @@ static int do_start(void *data)
 		return -1;
 	/* Set the label to change to when we exec(2) the container's init */
-	if (lsm_process_label_set(handler->conf->lsm_aa_profile ?
+	if (!strcmp(lsm_name(), "AppArmor"))
-				  handler->conf->lsm_aa_profile :
+		lsm_label = handler->conf->lsm_aa_profile;
-				  handler->conf->lsm_se_context, 1, 1) < 0)
+	else if (!strcmp(lsm_name(), "SELinux"))
+		lsm_label = handler->conf->lsm_se_context;
+	if (lsm_process_label_set(lsm_label, 1, 1) < 0)
 		goto out_warn_father;
 	lsm_proc_unmount(handler->conf);