[libvirt] [PATCH 1/1] lxc: allow fallback to no apparmor.

Michal Privoznik mprivozn at redhat.com
Tue Sep 23 11:41:09 UTC 2014


On 19.09.2014 18:14, Serge Hallyn wrote:
> The security_driver line in /etc/libvirt/qemu.conf is best-effort - if
> selinux is not available on the host, then 'none' will be used.
>
> The security_driver line in /etc/libvirt/lxc.conf doesn't behave the
> same way - if apparmor is specified but policies are not available
> on the host, then container creation fails.
>
> This patch always tries to fall back to 'none' if the requested
> driver is not available.  A better patch would allow an option list
> like qemu.conf allows, but this patch doesn't do that.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
>   src/lxc/lxc_driver.c | 5 +++++
>   1 file changed, 5 insertions(+)
>
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index c3cd62c..233e558 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -1541,6 +1541,11 @@ lxcSecurityInit(virLXCDriverConfigPtr cfg)
>                                                         cfg->securityDefaultConfined,
>                                                         cfg->securityRequireConfined);
>       if (!mgr)
> +        mgr = virSecurityManagerNew(NULL, LXC_DRIVER_NAME, false,
> +                                                      cfg->securityDefaultConfined,
> +                                                      cfg->securityRequireConfined);
> +
> +    if (!mgr)
>           goto error;
>
>       return mgr;
>
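Review bot: the fallback added at `+        mgr = virSecurityManagerNew(NULL, LXC_DRIVER_NAME, false,` runs on any NULL return from the first virSecurityManagerNew() call, not only when the requested driver is unavailable, and it does so silently: a host where lxc.conf names apparmor but the policies are missing ends up running containers unconfined with no log line saying so. Suggest at least emitting a warning at the fallback point naming the requested driver and stating that 'none' is now in use, and ideally restricting the fallback to the driver-unavailable case so that a misconfiguration or an allocation failure in the first call is not masked. Also worth confirming that an error reported by the first, failed call is not left pending once the second call succeeds and `return mgr;` is reached.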

IIUC the code, the new sec manager is created from
cfg->securityDriverName, which has no default value. It contains only
what the user specified in lxc.conf. Well, if the user sets apparmor there but
it's not available for whatever reason, we must fail and not work around it.

Michal
