Branch: refs/heads/master
Home:   https://github.com/lxc/lxc

Commit: 301a5f8e786c61fb3dcc107a9ae18ae507857895
    https://github.com/lxc/lxc/commit/301a5f8e786c61fb3dcc107a9ae18ae507857895
Author: Aleksa Sarai <cyp...@cyphar.com>
Date:   2021-02-19 (Fri, 19 Feb 2021)

Changed paths:
  M src/lxc/lsm/apparmor.c

Log Message:
-----------
apparmor: clean up apparmor_process_label_get

Rather than open-coding file reading and retry semantics and implementing
the path generation logic separately to apparmor_process_label_fd_get,
refactor the logic so that it looks closer to the pidfd version. This will
make it easier to implement the two-step handling for
/proc/self/attr/apparmor/current and makes this code slightly less
confusing.

Signed-off-by: Aleksa Sarai <cyp...@cyphar.com>

Commit: 47f4914d88dfb8d8b2207c955c37af347032444d
    https://github.com/lxc/lxc/commit/47f4914d88dfb8d8b2207c955c37af347032444d
Author: Aleksa Sarai <cyp...@cyphar.com>
Date:   2021-02-19 (Fri, 19 Feb 2021)

Changed paths:
  M src/lxc/lsm/apparmor.c
  M src/lxc/macro.h

Log Message:
-----------
apparmor: prefer /proc/.../attr/apparmor/current over legacy interface

It turns out that since Linux 5.1 there are now per-LSM subdirectories for
major LSMs, which users are recommended to use over the "legacy" top-level
/proc/$pid/attr/... files[1]:

> Process attributes associated with “major” security modules should be
> accessed and maintained using the special files in /proc/.../attr. A
> security module may maintain a module specific subdirectory there,
> named after the module. /proc/.../attr/smack is provided by the Smack
> security module and contains all its special files. The files directly
> in /proc/.../attr remain as legacy interfaces for modules that provide
> subdirectories.

AppArmor has had such a directory since Linux 5.8[2], and it turns out that
with certain CONFIG_LSM configurations you can end up with AppArmor files
not being accessible from the legacy interface. Arch Linux recently added
BPF as one of the enabled LSMs in their configuration, and this broke
runc[3] and LXC.

The solution is to first try to use /proc/$pid/attr/apparmor/current and
fall back to /proc/$pid/attr/current if the former is not available.

[1]: https://www.kernel.org/doc/html/latest/admin-guide/LSM/index.html
[2]: Linux 5.8; commit 6413f852ce08 ("apparmor: add proc subdir to attrs")
[3]: https://github.com/opencontainers/runc/issues/2801

Signed-off-by: Aleksa Sarai <cyp...@cyphar.com>

Commit: f43ed6a0ab5a2b3658cebf6f4360a0fb76aeec52
    https://github.com/lxc/lxc/commit/f43ed6a0ab5a2b3658cebf6f4360a0fb76aeec52
Author: Christian Brauner <christian.brau...@ubuntu.com>
Date:   2021-02-19 (Fri, 19 Feb 2021)

Changed paths:
  M src/lxc/lsm/apparmor.c
  M src/lxc/macro.h

Log Message:
-----------
Merge pull request #3686 from cyphar/apparmor-attr-subdir

apparmor: prefer /proc/.../attr/apparmor/current over legacy interface

Compare: https://github.com/lxc/lxc/compare/35a68d6df2c2...f43ed6a0ab5a

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
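The two-step lookup described in the second commit message, written out as an added example (this is not LXC's own apparmor.c code): it prefers <attr_dir>/apparmor/current and falls back to the legacy <attr_dir>/current only when the per-LSM file is absent. The attr_dir parameter, the read_attr_file helper and the ENOENT-only fallback rule are assumptions of this example, not details taken from the LXC change.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read one attr file, retrying open()/read() on EINTR and stripping the
 * trailing newline the kernel appends. Returns buf, or NULL with errno set. */
static char *read_attr_file(const char *path, char *buf, size_t len)
{
	int fd;
	ssize_t n;
	do fd = open(path, O_RDONLY | O_CLOEXEC); while (fd < 0 && errno == EINTR);
	if (fd < 0)
		return NULL;
	do n = read(fd, buf, len - 1); while (n < 0 && errno == EINTR);
	close(fd);
	if (n < 0)
		return NULL;
	buf[n] = '\0';
	if (n > 0 && buf[n - 1] == '\n')
		buf[n - 1] = '\0';
	return buf;
}

/* Two-step lookup (assumed shape, not LXC's code): prefer the per-LSM file
 * <attr_dir>/apparmor/current (Linux >= 5.8) and fall back to the legacy
 * <attr_dir>/current only when the preferred file does not exist (ENOENT).
 * attr_dir is e.g. "/proc/self/attr" or "/proc/<pid>/attr". Any other error
 * (EACCES, EINVAL, ...) is returned to the caller instead of being masked. */
char *apparmor_label_get(const char *attr_dir, char *buf, size_t len)
{
	static const char *const names[] = { "apparmor/current", "current" };
	char path[PATH_MAX];
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int r = snprintf(path, sizeof(path), "%s/%s", attr_dir, names[i]);
		if (r < 0 || (size_t)r >= sizeof(path)) {
			errno = ENAMETOOLONG;
			return NULL;
		}
		if (read_attr_file(path, buf, len))
			return buf;
		if (errno != ENOENT)
			return NULL;
	}
	return NULL;
}
```

Pass "/proc/self/attr" (or "/proc/<pid>/attr") as attr_dir on a live system; pointing it at an ordinary directory with the same two-file layout lets the fallback logic be exercised on a host without AppArmor.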