add support for apparmor in lxc-enter-namespace

2024-12-22 05:35:25 +00:00 · 2014-03-03 11:26:45 +01:00 · 2014-03-03 11:26:45 +01:00 · ef7dc7d429
commit ef7dc7d429
parent 500b2e9655
2 changed files with 22 additions and 0 deletions
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@ -2,6 +2,13 @@

  #include <abstractions/base>

+  # Needed for lxc-enter-namespace
+  capability sys_admin,
+  capability sys_chroot,
+
+  # Added for lxc-enter-namespace --cmd /bin/bash
+  /bin/bash PUx,
+
  /usr/sbin/cron PUx,
  /usr/lib/systemd/systemd PUx,

--- a/src/libvirt-lxc.c
+++ b/src/libvirt-lxc.c
@ -33,6 +33,9 @@
 #ifdef WITH_SELINUX
 # include <selinux/selinux.h>
 #endif
+#ifdef WITH_APPARMOR
+# include <sys/apparmor.h>
+#endif

 #define VIR_FROM_THIS VIR_FROM_NONE

@ -239,6 +242,18 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
                       _("Support for SELinux is not enabled"));
        goto error;
+#endif
+    } else if (STREQ(model->model, "apparmor")) {
+#ifdef WITH_APPARMOR
+        if (aa_change_profile(label->label) < 0) {
+            virReportSystemError(errno, _("error changing profile to %s"),
+                                 label->label);
+            goto error;
+        }
+#else
+        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+                       _("Support for AppArmor is not enabled"));
+        goto error;
 #endif
    } else {
        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,