---
examples/apparmor/libvirt-lxc | 7 +++++++
src/libvirt-lxc.c | 13 +++++++++++++
2 files changed, 20 insertions(+)
diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index 47f27b1..d404328 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -2,6 +2,13 @@
#include <abstractions/base>
+ # Needed for lxc-enter-namespace
+ capability sys_admin,
+ capability sys_chroot,
+
+ # Added for lxc-enter-namespace --cmd /bin/bash
+ /bin/bash PUx,
+
/usr/sbin/cron PUx,
/usr/lib/systemd/systemd PUx,
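Review bot: The `/bin/bash PUx,` rule falls back to running bash unconfined whenever no separate profile for /bin/bash is loaded, and it sits next to a new `capability sys_admin,` grant that applies to everything confined by this profile, not only the lxc-enter-namespace path. Since this is an example profile that people copy, the comment should state the trade-off, for instance `# PUx: bash runs unconfined if no /bin/bash profile is loaded; remove this rule unless --cmd /bin/bash is required`. It would also help to note on the capability lines that sys_admin is broad and is presumably needed only for the setns() call, so that deployers who do not use lxc-enter-namespace know they can drop both capabilities.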
diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c
index 074809a..f10fafc 100644
--- a/src/libvirt-lxc.c
+++ b/src/libvirt-lxc.c
@@ -33,6 +33,9 @@
#ifdef WITH_SELINUX
# include <selinux/selinux.h>
#endif
+#ifdef WITH_APPARMOR
+# include <sys/apparmor.h>
+#endif
#define VIR_FROM_THIS VIR_FROM_NONE
@@ -240,6 +243,16 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
_("Support for SELinux is not enabled"));
goto error;
#endif
+ } else if (STREQ(model->model, "apparmor")) {
+#ifdef WITH_APPARMOR
+ if (aa_change_profile(label->label) < 0)
+ virReportSystemError(errno, _("error changing profile to %s"),
+ label->label);
+#else
+ virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+ _("Support for AppArmor is not enabled"));
+ goto error;
+#endif
} else {
virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
_("Security model %s cannot be entered"),
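Review bot: When `aa_change_profile(label->label)` fails in the `WITH_APPARMOR` branch, the error is reported but execution falls through, because the unbraced `if` has no `goto error` (only the `#else` branch has one). As far as the hunk shows, the caller would then carry on without the requested AppArmor confinement, which is a fail-open path for a security label transition. The branch should be braced and fail closed: `if (aa_change_profile(label->label) < 0) { virReportSystemError(errno, _("error changing profile to %s"), label->label); goto error; }`. The start of virDomainLxcEnterSecurityLabel and the `error` label are outside the hunk, so the return value on the fall-through path should be confirmed there.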
--
1.8.5.2