---
 examples/apparmor/libvirt-lxc | 7 +++++++
 src/libvirt-lxc.c | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/examples/apparmor/libvirt-lxc b/examples/apparmor/libvirt-lxc
index 47f27b1..d404328 100644
--- a/examples/apparmor/libvirt-lxc
+++ b/examples/apparmor/libvirt-lxc
@@ -2,6 +2,13 @@
   #include <abstractions/base>
+  # Needed for lxc-enter-namespace
+  capability sys_admin,
+  capability sys_chroot,
+
+  # Added for lxc-enter-namespace --cmd /bin/bash
+  /bin/bash PUx,
+  /usr/sbin/cron PUx,
   /usr/lib/systemd/systemd PUx,

diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c
index 074809a..f10fafc 100644
--- a/src/libvirt-lxc.c
+++ b/src/libvirt-lxc.c
@@ -33,6 +33,9 @@
 #ifdef WITH_SELINUX
 # include <selinux/selinux.h>
 #endif
+#ifdef WITH_APPARMOR
+# include <sys/apparmor.h>
+#endif
 #define VIR_FROM_THIS VIR_FROM_NONE

@@ -240,6 +243,16 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
                        _("Support for SELinux is not enabled"));
         goto error;
 #endif
+    } else if (STREQ(model->model, "apparmor")) {
+#ifdef WITH_APPARMOR
+        if (aa_change_profile(label->label) < 0)
+            virReportSystemError(errno, _("error changing profile to %s"), label->label);
+#else
+        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s", _("Support for AppArmor is not enabled"));
+        goto error;
+#endif
     } else {
         virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,
                        _("Security model %s cannot be entered"),
-- 
1.8.5.2

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
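Review bot: The `/bin/bash PUx,` rule added under `# Added for lxc-enter-namespace --cmd /bin/bash` uses the `PUx` transition, which runs the shell unconfined whenever no dedicated /bin/bash profile is loaded, so the command entered into the container is not restricted by this profile even though the calling process has just switched into it. The two `capability sys_admin,` / `capability sys_chroot,` grants above it apply to every process confined by this profile, not only to the namespace-entry path the comment names, which is worth stating so later readers do not narrow them away. Suggest extending the existing comment to `# Added for lxc-enter-namespace --cmd /bin/bash; PUx runs the shell unconfined unless a /bin/bash profile is loaded`. The hunk's trailing context appears truncated in this rendering, so the placement of `/usr/sbin/cron PUx,` relative to the insertion is read from the markers as shown.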
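Review bot: In the `#ifdef WITH_APPARMOR` branch a failed `aa_change_profile()` only reports the error and then falls out of the if/else chain, so the function continues on its success path and the caller proceeds into the container without the profile having been applied; the `#else` branch in the same hunk (and presumably the SELinux branch above it) jumps to `error` instead. Wrap the report in braces and fail the call: `if (aa_change_profile(label->label) < 0) {` / `virReportSystemError(errno, _("error changing profile to %s"), label->label);` / `goto error; }`. virDomainLxcEnterSecurityLabel starts and ends outside the hunk, so the return the fall-through reaches is not visible here, but nothing inside the hunk turns the reported error into a failure return.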