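/*
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @inlabel     : the profile to set; if NULL, conf->lsm_aa_profile is used
 * @conf        : the container configuration.  Consulted for lsm_aa_profile
 *                when @inlabel is NULL, and for lsm_aa_allow_incomplete when
 *                the kernel's AppArmor mount support is incomplete.  A NULL
 *                @conf is treated as "no profile configured" and
 *                "lsm_aa_allow_incomplete not set".
 * @use_default : use AA_DEF_PROFILE when no label is configured; otherwise
 *                fall back to "unconfined"
 * @on_exec     : ignored.  The AppArmor profile is changed immediately.
 *
 * Returns 0 on success, < 0 on failure
 *
 * Notes: This relies on /proc being available.
 */
static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf,
				      int use_default, int on_exec)
{
	const char *label;

	(void)on_exec; /* the transition happens now, not at exec() */

	/* With AppArmor disabled there is nothing to do, so bail out before
	 * touching @conf at all. */
	if (!aa_enabled)
		return 0;

	/* Resolve the profile: explicit argument, then the configured one,
	 * then the default / unconfined fallback. */
	label = inlabel;
	if (!label && conf)
		label = conf->lsm_aa_profile;
	if (!label)
		label = use_default ? AA_DEF_PROFILE : "unconfined";

	/* A kernel without mount-feature support cannot fully enforce a
	 * confining profile; refuse unless the configuration opts in. */
	if (!check_mount_feature_enabled() && strcmp(label, "unconfined") != 0) {
		WARN("Incomplete AppArmor support in your kernel");
		if (!conf || !conf->lsm_aa_allow_incomplete) {
			ERROR("If you really want to start this container, set");
			ERROR("lxc.aa_allow_incomplete = 1");
			ERROR("in your container configuration file");
			return -1;
		}
	}

	/* Already unconfined and asked for unconfined: nothing to change. */
	if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined()) {
		INFO("apparmor profile unchanged");
		return 0;
	}

	if (aa_change_profile(label) < 0) {
		SYSERROR("failed to change apparmor profile to %s", label);
		return -1;
	}

	INFO("changed apparmor profile to %s", label);
	return 0;
}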
Archivo: apparmor.c Proyecto: 4b42/lxc
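/*
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @inlabel     : the profile to set; if NULL, conf->lsm_aa_profile is used
 * @conf        : the container configuration.  Consulted for lsm_aa_profile
 *                when @inlabel is NULL, and for lsm_aa_allow_incomplete when
 *                the kernel's AppArmor mount support is incomplete.  A NULL
 *                @conf is treated as "no profile configured" and
 *                "lsm_aa_allow_incomplete not set".
 * @use_default : when no label is configured, use AA_DEF_PROFILE_CGNS if
 *                cgroup namespaces are supported, else AA_DEF_PROFILE;
 *                otherwise fall back to "unconfined"
 * @on_exec     : ignored.  The AppArmor profile is changed immediately.
 *
 * A label equal to AA_UNCHANGED leaves the current profile untouched.
 * If the process is already confined and the kernel does not support
 * profile stacking, a request for a different profile is an error.
 *
 * Returns 0 on success, < 0 on failure
 *
 * Notes: This relies on /proc being available.
 */
static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf,
				      int use_default, int on_exec)
{
	const char *label;
	char *curlabel;

	(void)on_exec; /* the transition happens now, not at exec() */

	/* With AppArmor disabled there is nothing to do, so bail out before
	 * touching @conf at all. */
	if (!aa_enabled)
		return 0;

	label = inlabel;
	if (!label && conf)
		label = conf->lsm_aa_profile;

	/* user may request that we just ignore apparmor */
	if (label && strcmp(label, AA_UNCHANGED) == 0) {
		INFO("apparmor profile unchanged per user request");
		return 0;
	}

	/* curlabel is heap-allocated by apparmor_process_label_get() and is
	 * owned (and freed) here.  NOTE(review): it is assumed to be non-NULL
	 * whenever aa_needs_transition() reports a confined process; the
	 * explicit check below only guards the comparison. */
	curlabel = apparmor_process_label_get(getpid());

	if (!aa_stacking_supported() && aa_needs_transition(curlabel)) {
		/* we're already confined, and stacking isn't supported */
		int same = !label || (curlabel && strcmp(curlabel, label) == 0);

		free(curlabel);
		if (same) {
			/* no change requested */
			return 0;
		}

		ERROR("already apparmor confined, but new label requested.");
		return -1;
	}
	free(curlabel);

	/* Resolve the default / unconfined fallback. */
	if (!label) {
		if (!use_default)
			label = "unconfined";
		else if (cgns_supported())
			label = AA_DEF_PROFILE_CGNS;
		else
			label = AA_DEF_PROFILE;
	}

	/* A kernel without mount-feature support cannot fully enforce a
	 * confining profile; refuse unless the configuration opts in. */
	if (!check_mount_feature_enabled() && strcmp(label, "unconfined") != 0) {
		WARN("Incomplete AppArmor support in your kernel");
		if (!conf || !conf->lsm_aa_allow_incomplete) {
			ERROR("If you really want to start this container, set");
			ERROR("lxc.aa_allow_incomplete = 1");
			ERROR("in your container configuration file");
			return -1;
		}
	}

	/* Already unconfined and asked for unconfined: nothing to change. */
	if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined()) {
		INFO("apparmor profile unchanged");
		return 0;
	}

	if (aa_change_profile(label) < 0) {
		SYSERROR("failed to change apparmor profile to %s", label);
		return -1;
	}

	INFO("changed apparmor profile to %s", label);
	return 0;
}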