From e2966521494112ea231e05432c3d775f8774d923 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Thu, 24 Oct 2024 12:22:03 -0400
Subject: [PATCH] snapcraft/commands/lxc: escape Apparmor as late as possible

Most of the `lxc` command uses don't require escaping the Apparmor profile. However, executing an editor (`lxc config edit`) or interacting with the VGA console (`lxc console --type=vga`) among other things requires the escaping. Rather than escaping at the begining and re-exec'ing the `lxc` wrapper script, let's escape just when calling the actual command. The aim is to avoid the overhead of calling `/bin/sh` again and rechecking the Apparmor label.

Signed-off-by: Simon Deziel
(cherry picked from commit 323ae726bb04f563f6a2dae45c025661e9584405)
---
 snapcraft/commands/lxc | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/snapcraft/commands/lxc b/snapcraft/commands/lxc
index f37600d53..778e2d70d 100755
--- a/snapcraft/commands/lxc
+++ b/snapcraft/commands/lxc
@@ -1,14 +1,6 @@
 #!/bin/sh
 set -eu
 
-# Re-exec outside of apparmor confinement
-if [ -d /sys/kernel/security/apparmor ]; then
- label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)"
- if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
- exec /usr/bin/aa-exec -p unconfined -- "$0" "$@"
- fi
-fi
-
 # Fill SNAP_REAL_HOME if missing
 if [ -z "${SNAP_REAL_HOME:-""}" ]; then
 SNAP_REAL_HOME="${HOME}"
@@ -56,5 +48,13 @@ if [ -x "${SNAP_COMMON}/lxc.debug" ]; then
 LXC="${SNAP_COMMON}/lxc.debug"
 fi
 
+# Run lxc itself outside of apparmor confinement
+if [ -d /sys/kernel/security/apparmor ]; then
+ label="$(while read -r l; do echo "$l"; done < /proc/self/attr/current)"
+ if [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then
+ exec /usr/bin/aa-exec -p unconfined -- "${LXC}" "$@"
+ fi
+fi
+
 # Run lxc itself
 exec "${LXC}" "$@"
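Review bot: The unconfined exec added in the second hunk has no fallback when `/usr/bin/aa-exec` is not present: once the label check passes, `exec` fails and under `set -e` the wrapper exits instead of falling through to the confined `exec "${LXC}" "$@"`, which the description says is sufficient for most commands. Guarding the branch with `if [ -x /usr/bin/aa-exec ] && [ "$label" != "unconfined" ] && [ -n "${label##*(unconfined)}" ]; then` keeps the confined path as the default when the helper is missing; this behaviour is inherited from the removed block, so it may be an accepted trade-off, but moving the code is a good moment to add the check. The `${label##*(unconfined)}` expansion is also non-obvious to readers, and since the script is `#!/bin/sh` the parentheses are literal rather than a bash extglob; a comment such as `# a label that ends in "(unconfined)" already runs unconfined, so only escape otherwise` would document why the second test exists. The `if [ -x "${SNAP_COMMON}/lxc.debug" ]` block that the hunk opens inside starts outside the hunk.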