lsm: harden read_file_at()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 369f7939d3c2c6f8c4ab1c07251a04485711d97f..fef5036131168422d74ab5f2b61cb224a6a5ea25 100644 (file)
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -447,7 +447,7 @@ static char *apparmor_process_label_get_at(struct lsm_ops *ops, int fd_pid)
        __do_free char *label = NULL;
        size_t len;
 
-       label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, 0);
+       label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);
        if (!label)
                return log_error_errno(NULL, errno, "Failed to get AppArmor context");
 

diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 5ed99fb3e2b80db3ae814fbe734b342de1dded6f..e20a835fecb3fd702f078d2ff7a7264d659c67b1 100644 (file)
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -57,7 +57,7 @@ static char *selinux_process_label_get_at(struct lsm_ops *ops, int fd_pid)
        __do_free char *label = NULL;
        size_t len;
 
-       label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, 0);
+       label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);
        if (!label)
                return log_error_errno(NULL, errno, "Failed to get SELinux context");