/*
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @label       : the profile to set
 * @use_default : use the default profile if @label is NULL
 * @on_exec     : the new profile will take effect on exec(2) not immediately
 *
 * Returns 0 on success, < 0 on failure
 *
 * Notes: This relies on /proc being available. A failed transition is
 * reported as an error (-1) rather than silently continuing with the
 * caller's current confinement, so callers should treat < 0 as fatal.
 */
static int apparmor_process_label_set(const char *label, int use_default,
				      int on_exec)
{
	const char *target = label;
	int ret;

	/* AppArmor not available/enabled on this host: nothing to do. */
	if (!aa_enabled)
		return 0;

	/* No profile requested: either fall back to the default or leave the
	 * current confinement untouched. */
	if (!target) {
		if (!use_default)
			return 0;
		target = AA_DEF_PROFILE;
	}

	/* Asked to be unconfined while already unconfined: no transition needed.
	 * strcmp() runs first so apparmor_am_unconfined() is only consulted when
	 * the requested label is actually "unconfined". */
	if (strcmp(target, "unconfined") == 0 && apparmor_am_unconfined()) {
		INFO("apparmor profile unchanged");
		return 0;
	}

	/* aa_change_onexec() defers the switch to the next exec(2);
	 * aa_change_profile() switches this process right away. */
	ret = on_exec ? aa_change_onexec(target) : aa_change_profile(target);
	if (ret < 0) {
		if (on_exec)
			SYSERROR("failed to change exec apparmor profile to %s", target);
		else
			SYSERROR("failed to change apparmor profile to %s", target);
		return -1;
	}

	INFO("changed apparmor%s profile to %s", on_exec ? " exec" : "", target);
	return 0;
}
/*
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @label       : the profile to set; AA_UNCHANGED means "leave AppArmor alone"
 * @use_default : use the default profile if @label is NULL
 * @on_exec     : ignored. The AppArmor profile is changed immediately.
 *
 * Returns 0 on success, < 0 on failure
 *
 * Notes: This relies on /proc being available. When the caller is already
 * confined and the kernel cannot stack profiles, requesting a new label is an
 * error (-1) rather than a silent no-op.
 */
static int apparmor_process_label_set(const char *label, int use_default,
				      int on_exec)
{
	const char *target = label;

	(void)on_exec; /* retained for interface compatibility only */

	if (!aa_enabled)
		return 0;

	/* Explicit opt-out: the user asked us not to touch AppArmor at all. */
	if (target && strcmp(target, AA_UNCHANGED) == 0) {
		INFO("apparmor profile unchanged per user request");
		return 0;
	}

	/* Already confined and no stacking support: the only acceptable request
	 * is "no profile"; anything else cannot be honoured. */
	if (in_aa_confined_container() && !aa_stacking_supported()) {
		if (!target)
			return 0;
		ERROR("already apparmor confined, but new label requested.");
		return -1;
	}

	/* Resolve a missing label to the default profile, or bail out. */
	if (!target) {
		if (!use_default)
			return 0;
		target = AA_DEF_PROFILE;
	}

	/* strcmp() first so apparmor_am_unconfined() is only consulted when
	 * "unconfined" was actually requested. */
	if (strcmp(target, "unconfined") == 0 && apparmor_am_unconfined()) {
		INFO("apparmor profile unchanged");
		return 0;
	}

	if (aa_change_profile(target) < 0) {
		SYSERROR("failed to change apparmor profile to %s", target);
		return -1;
	}

	INFO("changed apparmor profile to %s", target);
	return 0;
}
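/*
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @inlabel     : the profile to set, or NULL to use @conf->lsm_aa_profile
 * @conf        : the container configuration; consulted for the profile when
 *                @inlabel is NULL and for lxc.aa_allow_incomplete when the
 *                kernel's AppArmor support is incomplete. A NULL @conf is
 *                tolerated and treated as "nothing configured".
 * @use_default : use the default profile if neither @inlabel nor @conf
 *                supplies one; otherwise "unconfined" is used
 * @on_exec     : ignored. The AppArmor profile is changed immediately.
 *
 * Returns 0 on success, < 0 on failure
 *
 * Notes: This relies on /proc being available. Incomplete kernel support is
 * fail-closed: the container is refused unless the configuration explicitly
 * sets lxc.aa_allow_incomplete = 1.
 */
static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf,
				      int use_default, int on_exec)
{
	const char *label;

	(void)on_exec; /* retained for interface compatibility only */

	if (!aa_enabled)
		return 0;

	/* Only dereference @conf once AppArmor is known to be in play, and do
	 * not crash on a missing configuration. */
	label = inlabel;
	if (!label && conf)
		label = conf->lsm_aa_profile;

	if (!label)
		label = use_default ? AA_DEF_PROFILE : "unconfined";

	/* A kernel lacking the mount feature cannot fully enforce a profile.
	 * Refuse unless the configuration explicitly opts in; a missing
	 * configuration cannot opt in, so it is refused as well. */
	if (!check_mount_feature_enabled() && strcmp(label, "unconfined") != 0) {
		WARN("Incomplete AppArmor support in your kernel");
		if (!conf || !conf->lsm_aa_allow_incomplete) {
			ERROR("If you really want to start this container, set");
			ERROR("lxc.aa_allow_incomplete = 1");
			ERROR("in your container configuration file");
			return -1;
		}
	}

	/* strcmp() first so apparmor_am_unconfined() is only consulted when
	 * "unconfined" was actually requested. */
	if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined()) {
		INFO("apparmor profile unchanged");
		return 0;
	}

	if (aa_change_profile(label) < 0) {
		SYSERROR("failed to change apparmor profile to %s", label);
		return -1;
	}

	INFO("changed apparmor profile to %s", label);
	return 0;
}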
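/*
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @inlabel     : the profile to set, or NULL to use @conf->lsm_aa_profile;
 *                AA_UNCHANGED means "leave AppArmor alone"
 * @conf        : the container configuration; consulted for the profile when
 *                @inlabel is NULL and for lxc.aa_allow_incomplete when the
 *                kernel's AppArmor support is incomplete. A NULL @conf is
 *                tolerated and treated as "nothing configured".
 * @use_default : use the default profile (cgroup-namespace variant when
 *                cgns_supported()) if neither @inlabel nor @conf supplies
 *                one; otherwise "unconfined" is used
 * @on_exec     : ignored. The AppArmor profile is changed immediately.
 *
 * Returns 0 on success, < 0 on failure
 *
 * Notes: This relies on /proc being available. Two situations are
 * fail-closed: an already-confined caller asking for a different profile on a
 * kernel without stacking support, and incomplete kernel support without an
 * explicit lxc.aa_allow_incomplete = 1 opt-in.
 */
static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf,
				      int use_default, int on_exec)
{
	const char *label;
	char *curlabel;

	(void)on_exec; /* retained for interface compatibility only */

	if (!aa_enabled)
		return 0;

	/* Only dereference @conf once AppArmor is known to be in play, and do
	 * not crash on a missing configuration. */
	label = inlabel;
	if (!label && conf)
		label = conf->lsm_aa_profile;

	/* user may request that we just ignore apparmor */
	if (label && strcmp(label, AA_UNCHANGED) == 0) {
		INFO("apparmor profile unchanged per user request");
		return 0;
	}

	/* Without profile stacking, an already-confined process cannot move to
	 * a different profile: only "no change" can be honoured. */
	curlabel = apparmor_process_label_get(getpid());
	if (!aa_stacking_supported() && aa_needs_transition(curlabel)) {
		/* curlabel may be NULL if the current label could not be read;
		 * whether aa_needs_transition() lets a NULL reach here is not
		 * visible from this function, so guard the strcmp() explicitly
		 * instead of relying on it. */
		int unchanged = !label ||
				(curlabel && strcmp(curlabel, label) == 0);

		free(curlabel);
		if (unchanged)
			return 0;

		ERROR("already apparmor confined, but new label requested.");
		return -1;
	}
	free(curlabel);

	if (!label) {
		if (!use_default)
			label = "unconfined";
		else
			label = cgns_supported() ? AA_DEF_PROFILE_CGNS
						 : AA_DEF_PROFILE;
	}

	/* A kernel lacking the mount feature cannot fully enforce a profile.
	 * Refuse unless the configuration explicitly opts in; a missing
	 * configuration cannot opt in, so it is refused as well. */
	if (!check_mount_feature_enabled() && strcmp(label, "unconfined") != 0) {
		WARN("Incomplete AppArmor support in your kernel");
		if (!conf || !conf->lsm_aa_allow_incomplete) {
			ERROR("If you really want to start this container, set");
			ERROR("lxc.aa_allow_incomplete = 1");
			ERROR("in your container configuration file");
			return -1;
		}
	}

	/* strcmp() first so apparmor_am_unconfined() is only consulted when
	 * "unconfined" was actually requested. */
	if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined()) {
		INFO("apparmor profile unchanged");
		return 0;
	}

	if (aa_change_profile(label) < 0) {
		SYSERROR("failed to change apparmor profile to %s", label);
		return -1;
	}

	INFO("changed apparmor profile to %s", label);
	return 0;
}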