add support for apparmor in lxc-enter-namespace

examples/apparmor/libvirt-lxc

@@ -2,6 +2,13 @@
 
   #include <abstractions/base>
 
+  # Needed for lxc-enter-namespace
+  capability sys_admin,
+  capability sys_chroot,
+
+  # Added for lxc-enter-namespace --cmd /bin/bash
+  /bin/bash PUx,
+
   /usr/sbin/cron PUx,
   /usr/lib/systemd/systemd PUx,
 

src/libvirt-lxc.c

@@ -33,6 +33,9 @@
 #ifdef WITH_SELINUX
 # include <selinux/selinux.h>
 #endif
+#ifdef WITH_APPARMOR
+# include <sys/apparmor.h>
+#endif
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
@@ -239,6 +242,18 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
         virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
                        _("Support for SELinux is not enabled"));
         goto error;
+#endif
+    } else if (STREQ(model->model, "apparmor")) {
+#ifdef WITH_APPARMOR
+        if (aa_change_profile(label->label) < 0) {
+            virReportSystemError(errno, _("error changing profile to %s"),
+                                 label->label);
+            goto error;
+        }
+#else
+        virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED, "%s",
+                       _("Support for AppArmor is not enabled"));
+        goto error;
 #endif
     } else {
         virReportError(VIR_ERR_ARGUMENT_UNSUPPORTED,