[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 1/1] lxc: allow fallback to no apparmor.



On 19.09.2014 18:14, Serge Hallyn wrote:
The security_driver line in /etc/libvirt/qemu.conf is best-effort - if
selinux is not available on the host, then 'none' will be used.

The security_driver line in /etc/libvirt/lxc.conf doesn't behave the
same way - if apparmor is specified but policies are not available
on the host, then container creation fails.

This patch always tries to fall back to 'none' if the requested
driver is not available.  A better patch would allow an option list
like qemu.conf allows, but this patch doesn't do that.

Signed-off-by: Serge Hallyn <serge hallyn ubuntu com>
---
  src/lxc/lxc_driver.c | 5 +++++
  1 file changed, 5 insertions(+)

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index c3cd62c..233e558 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1541,6 +1541,11 @@ lxcSecurityInit(virLXCDriverConfigPtr cfg)
                                                        cfg->securityDefaultConfined,
                                                        cfg->securityRequireConfined);
      if (!mgr)
+        mgr = virSecurityManagerNew(NULL, LXC_DRIVER_NAME, false,
+                                                      cfg->securityDefaultConfined,
+                                                      cfg->securityRequireConfined);
+
+    if (!mgr)
          goto error;

      return mgr;


IIUC the code, the new sec manager is created from cfg->securityDriverName which has no default value. It contains only what user specified in lxc.conf. Well, if user sets apparmor there but it's not available for whatever reason, we must fail and not workaround it.

Michal


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]