snapcraft/commands/lxc: escape Apparmor as late as possible
Most of the `lxc` command uses don't require escaping the Apparmor profile.
However, executing an editor (`lxc config edit`) or interacting with the VGA
console (`lxc console --type=vga`) among other things requires the escaping.

Rather than escaping at the beginning and re-exec'ing the `lxc` wrapper script,
let's escape just when calling the actual command. The aim is to avoid the
overhead of calling `/bin/sh` again and rechecking the Apparmor label.

Signed-off-by: Simon Deziel <[email protected]>
(cherry picked from commit 323ae72)
simondeziel authored and tomponline committed Nov 7, 2024
1 parent 2dfd4eb commit e296652
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions snapcraft/commands/lxc
@@ -1,14 +1,6 @@
#!/bin/sh
set -eu

# Re-exec outside of apparmor confinement
if [ -d /sys/kernel/security/apparmor ]; then
label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)"
if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
exec /usr/bin/aa-exec -p unconfined -- "$0" "$@"
fi
fi

# Fill SNAP_REAL_HOME if missing
if [ -z "${SNAP_REAL_HOME:-""}" ]; then
SNAP_REAL_HOME="${HOME}"
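Review bot: with the early `exec /usr/bin/aa-exec -p unconfined -- "$0" "$@"` removed, everything between this point and the final exec (the `SNAP_REAL_HOME` fallback here and the elided argument handling that follows) now runs under the wrapper's confined label rather than unconfined. The commit message states that most uses do not need the escape, but it would be worth confirming in review that no step in that middle section reads a path or runs a helper the confined profile denies, since before this change all of it ran unconfined.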
@@ -56,5 +48,13 @@ if [ -x "${SNAP_COMMON}/lxc.debug" ]; then
LXC="${SNAP_COMMON}/lxc.debug"
fi

# Run lxc itself outside of apparmor confinement
if [ -d /sys/kernel/security/apparmor ]; then
label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)"
if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
exec /usr/bin/aa-exec -p unconfined -- "${LXC}" "$@"
fi
fi

# Run lxc itself
exec "${LXC}" "$@"
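Review bot: the `[ -n "${label##*(unconfined)}" ]` test is correct but opaque: `##*(unconfined)` strips the longest prefix that ends in the literal `(unconfined)`, so the expansion is empty exactly when the label ends with `(unconfined)`. Since this block is now the only copy of the check, consider a one-line comment above the inner `if`, e.g. `# already unconfined if the label is "unconfined" or ends in "(unconfined)"`, and a note on why `/proc/self/attr/current` is read with a shell `read` loop rather than an external tool (the loop reads the wrapper process's own attribute). When the label is already unconfined, control falls through to `exec "${LXC}" "$@"` with no second re-exec, which matches the stated aim of avoiding the extra `/bin/sh` round trip.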
