Commit

snapcraft/commands/lxc: always escape Apparmor if enabled
Conditionally calling `aa-exec -p unconfined` was useful only when re-exec'ing
the whole wrapper script. It's not needed now that only the `${LXC}` binary is
executed unconfined.

Signed-off-by: Simon Deziel <[email protected]>
(cherry picked from commit 9bde3c0)
simondeziel authored and tomponline committed Nov 7, 2024
1 parent dc91675 commit cbc3961
Showing 1 changed file with 1 addition and 4 deletions.
5 changes: 1 addition & 4 deletions snapcraft/commands/lxc
Expand Up @@ -42,10 +42,7 @@ fi

# Run lxc itself outside of apparmor confinement
if [ -d /sys/kernel/security/apparmor ]; then
label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)"
if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
exec /usr/bin/aa-exec -p unconfined -- "${LXC}" "$@"
fi
exec /usr/bin/aa-exec -p unconfined -- "${LXC}" "$@"
fi

# Run lxc itself
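
Review bot: The now-unconditional `exec /usr/bin/aa-exec -p unconfined -- "${LXC}" "$@"` has no check that `/usr/bin/aa-exec` exists and is executable, and it is reached by every caller on a host where `/sys/kernel/security/apparmor` is present, including callers whose label is already `unconfined` and which previously skipped `aa-exec` and fell through to the `# Run lxc itself` path. Because the line uses `exec`, a missing binary or a refused profile change ends the script there and the fallback below never runs. Consider extending the guard to `[ -d /sys/kernel/security/apparmor ] && [ -x /usr/bin/aa-exec ]` so the plain invocation remains reachable, and update the comment above the block to state that the escape is unconditional and why the label check is no longer needed, since that rationale currently lives only in the commit message.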