← Back to branch summary

~ubuntu-branches/ubuntu/precise/lxc/precise

« back to all changes in this revision

Viewing changes to src/lxc/start.c

  • Committer: Package Import Robot
  • Author(s): Serge Hallyn
  • Date: 2012-03-25 21:45:03 UTC
  • Revision ID: package-import@ubuntu.com-20120325214503-qk432hp80ssw027c
Tags: 0.7.5-3ubuntu45
https://launchpad.net/bugs/963388
* 0064-apparmor-mount-proc: mount /proc if we need to before changing
  apparmor profile (LP: #963388).  (Also fixes two bad error paths)
* lxc.postinst: use the right filename for loading profile

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/lxc/start.c
538
538
#define AA_DEF_PROFILE "lxc-container-default"
539
539
static int apparmor_load(struct lxc_handler *handler)
540
540
{
 
541
        int mounted;
 
542
 
541
543
        if (!apparmor_enabled) {
542
544
                INFO("apparmor not enabled");
543
545
                return 0;
552
554
                return 0;
553
555
        }
554
556
 
555
 
        /* aa_change_onexec makes more sense since we want to transition when
556
 
         * /sbin/init is exec'd.  But the transitions doesn't seem to work
557
 
         * then (refused).  aa_change_onexec will work since we're doing it
558
 
         * right before the exec, so we'll just use that for now.
559
 
         */
560
557
        //if (aa_change_onexec(handler->conf->aa_profile) < 0) {
561
558
        if (aa_change_profile(handler->conf->aa_profile) < 0) {
562
559
                SYSERROR("failed to change apparmor profile to %s", handler->conf->aa_profile);
563
560
                return -1;
564
561
        }
 
562
        if (handler->conf->umount_proc == 1)
 
563
                umount("/proc");
 
564
 
565
565
        INFO("changed apparmor profile to %s", handler->conf->aa_profile);
566
566
 
567
567
        return 0;
598
598
        if (handler->conf->need_utmp_watch) {
599
599
                if (prctl(PR_CAPBSET_DROP, CAP_SYS_BOOT, 0, 0, 0)) {
600
600
                        SYSERROR("failed to remove CAP_SYS_BOOT capability");
601
 
                        return -1;
 
601
                        goto out_warn_father;
602
602
                }
603
603
                DEBUG("Dropped cap_sys_boot\n");
604
604
        }
609
609
                goto out_warn_father;
610
610
        }
611
611
 
 
612
        if (apparmor_load(handler) < 0)
 
613
                goto out_warn_father;
 
614
 
612
615
        close(handler->sigfd);
613
616
 
614
 
        if (apparmor_load(handler) < 0)
615
 
                return -1;
616
 
 
617
617
        /* after this call, we are in error because this
618
618
         * ops should not return as it execs */
619
619
        if (handler->ops->start(handler, handler->data))