confile: properly namespace security keys

author Christian Brauner <christian.brauner@ubuntu.com>

Fri, 23 Jun 2017 13:35:17 +0000 (15:35 +0200)

committer Christian Brauner <christian.brauner@ubuntu.com>

Fri, 23 Jun 2017 13:37:55 +0000 (15:37 +0200)
author Christian Brauner <christian.brauner@ubuntu.com>
Fri, 23 Jun 2017 13:35:17 +0000 (15:35 +0200)
committer Christian Brauner <christian.brauner@ubuntu.com>
Fri, 23 Jun 2017 13:37:55 +0000 (15:37 +0200)
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am

index 588c9f38bde4b077f9705e9a61a4d1764df8e98d..ea1982ea7dbd1d8fadfccc7af219318dfbe32cbd 100644 (file)
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -21,7 +21,7 @@ noinst_HEADERS = \
         caps.h \
         conf.h \
         confile.h \
-       confile_network_legacy.h \
+       confile_legacy.h \
         confile_utils.h \
         console.h \
         error.h \
@@ -104,7 +104,7 @@ liblxc_la_SOURCES = \
         namespace.h namespace.c \
         conf.c conf.h \
         confile.c confile.h \
-       confile_network_legacy.c confile_network_legacy.h \
+       confile_legacy.c confile_legacy.h \
         confile_utils.c confile_utils.h \
         list.h \
         state.c state.h \
diff --git a/src/lxc/conf.c b/src/lxc/conf.c

index 881a68829246427a9865dd2b44818490b2ce1e5e..7ecfc82ec1059f8b65ff50c5a8be66940c22bdda 100644 (file)
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1455,6 +1455,7 @@ static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs,
                 } else {
                         DEBUG("cleared all (%d) mounts from \"%s\"", ret, path);
                 }
+
                 ret = unlink(path);
                 if (ret < 0) {
                         SYSERROR("error unlinking %s", path);
diff --git a/src/lxc/confile.c b/src/lxc/confile.c

index 97583f7f75bd5840c0e74f17a27fc1b37e4ccd99..cfad6c5a85e493cff083217ecfd2ba5dbe870b88 100644 (file)
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -45,7 +45,7 @@
  #include "parse.h"
  #include "config.h"
  #include "confile.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
  #include "confile_utils.h"
  #include "utils.h"
  #include "log.h"
@@ -93,24 +93,24 @@ static int get_config_kmsg(const char *, char *, int, struct lxc_conf *,
                            void *);
  static int clr_config_kmsg(const char *, struct lxc_conf *, void *);
  
-static int set_config_lsm_aa_profile(const char *, const char *,
-                                    struct lxc_conf *, void *);
-static int get_config_lsm_aa_profile(const char *, char *, int,
-                                    struct lxc_conf *, void *);
-static int clr_config_lsm_aa_profile(const char *, struct lxc_conf *, void *);
+static int set_config_apparmor_profile(const char *, const char *,
+                                      struct lxc_conf *, void *);
+static int get_config_apparmor_profile(const char *, char *, int,
+                                      struct lxc_conf *, void *);
+static int clr_config_apparmor_profile(const char *, struct lxc_conf *, void *);
  
-static int set_config_lsm_aa_incomplete(const char *, const char *,
-                                       struct lxc_conf *, void *);
-static int get_config_lsm_aa_incomplete(const char *, char *, int,
-                                       struct lxc_conf *, void *);
-static int clr_config_lsm_aa_incomplete(const char *, struct lxc_conf *,
-                                       void *);
+static int set_config_apparmor_allow_incomplete(const char *, const char *,
+                                               struct lxc_conf *, void *);
+static int get_config_apparmor_allow_incomplete(const char *, char *, int,
+                                               struct lxc_conf *, void *);
+static int clr_config_apparmor_allow_incomplete(const char *, struct lxc_conf *,
+                                               void *);
  
-static int set_config_lsm_se_context(const char *, const char *,
-                                    struct lxc_conf *, void *);
-static int get_config_lsm_se_context(const char *, char *, int,
-                                    struct lxc_conf *, void *);
-static int clr_config_lsm_se_context(const char *, struct lxc_conf *, void *);
+static int set_config_selinux_context(const char *, const char *,
+                                     struct lxc_conf *, void *);
+static int get_config_selinux_context(const char *, char *, int,
+                                     struct lxc_conf *, void *);
+static int clr_config_selinux_context(const char *, struct lxc_conf *, void *);
  
  static int set_config_cgroup(const char *, const char *, struct lxc_conf *,
                              void *);
@@ -424,98 +424,107 @@ static int get_config_limit(const char *, char *, int, struct lxc_conf *,
  static int clr_config_limit(const char *, struct lxc_conf *, void *);
  
  static struct lxc_config_t config[] = {
-       { "lxc.arch",                 set_config_personality,          get_config_personality,          clr_config_personality,       },
-       { "lxc.pts",                  set_config_pts,                  get_config_pts,                  clr_config_pts,               },
-       { "lxc.tty",                  set_config_tty,                  get_config_tty,                  clr_config_tty,               },
-       { "lxc.devttydir",            set_config_ttydir,               get_config_ttydir,               clr_config_ttydir,            },
-       { "lxc.kmsg",                 set_config_kmsg,                 get_config_kmsg,                 clr_config_kmsg,              },
-       { "lxc.aa_profile",           set_config_lsm_aa_profile,       get_config_lsm_aa_profile,       clr_config_lsm_aa_profile,    },
-       { "lxc.aa_allow_incomplete",  set_config_lsm_aa_incomplete,    get_config_lsm_aa_incomplete,    clr_config_lsm_aa_incomplete, },
-       { "lxc.se_context",           set_config_lsm_se_context,       get_config_lsm_se_context,       clr_config_lsm_se_context,    },
-       { "lxc.cgroup",               set_config_cgroup,               get_config_cgroup,               clr_config_cgroup,            },
-       { "lxc.id_map",               set_config_idmaps,               get_config_idmaps,               clr_config_idmaps,            },
-       { "lxc.loglevel",             set_config_loglevel,             get_config_loglevel,             clr_config_loglevel,          },
-       { "lxc.logfile",              set_config_logfile,              get_config_logfile,              clr_config_logfile,           },
-       { "lxc.mount.entry",          set_config_mount,                get_config_mount,                clr_config_mount,             },
-       { "lxc.mount.auto",           set_config_mount_auto,           get_config_mount_auto,           clr_config_mount_auto,        },
-       { "lxc.mount",                set_config_fstab,                get_config_fstab,                clr_config_fstab,             },
-       { "lxc.rootfs.mount",         set_config_rootfs_mount,         get_config_rootfs_mount,         clr_config_rootfs_mount,      },
-       { "lxc.rootfs.options",       set_config_rootfs_options,       get_config_rootfs_options,       clr_config_rootfs_options,    },
-       { "lxc.rootfs.backend",       set_config_rootfs_backend,       get_config_rootfs_backend,       clr_config_rootfs_backend,    },
-       { "lxc.rootfs",               set_config_rootfs,               get_config_rootfs,               clr_config_rootfs,            },
-       { "lxc.pivotdir",             set_config_pivotdir,             get_config_pivotdir,             clr_config_pivotdir,          },
-       { "lxc.utsname",              set_config_utsname,              get_config_utsname,              clr_config_utsname,           },
-       { "lxc.hook.pre-start",       set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.pre-mount",       set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.mount",           set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.autodev",         set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.start",           set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.stop",            set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.post-stop",       set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.clone",           set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook.destroy",         set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       { "lxc.hook",                 set_config_hooks,                get_config_hooks,                clr_config_hooks,             },
-       /* legacy network keys */
-       { "lxc.network.type",         set_config_network_legacy_type,         get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.flags",        set_config_network_legacy_flags,        get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.link",         set_config_network_legacy_link,         get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.name",         set_config_network_legacy_name,         get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.macvlan.mode", set_config_network_legacy_macvlan_mode, get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.veth.pair",    set_config_network_legacy_veth_pair,    get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.script.up",    set_config_network_legacy_script_up,    get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.script.down",  set_config_network_legacy_script_down,  get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.hwaddr",       set_config_network_legacy_hwaddr,       get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.mtu",          set_config_network_legacy_mtu,          get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.vlan.id",      set_config_network_legacy_vlan_id,      get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.ipv4.gateway", set_config_network_legacy_ipv4_gateway, get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.ipv4",         set_config_network_legacy_ipv4,         get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.ipv6.gateway", set_config_network_legacy_ipv6_gateway, get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.ipv6",         set_config_network_legacy_ipv6,         get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network.",             set_config_network_legacy_nic,          get_config_network_legacy_item,         clr_config_network_legacy_item, },
-       { "lxc.network",              set_config_network_legacy,              get_config_network_legacy,              clr_config_network_legacy,      },
-
-       { "lxc.net.type",             set_config_net_type,             get_config_net_type,             clr_config_net_type,          },
-       { "lxc.net.flags",            set_config_net_flags,            get_config_net_flags,            clr_config_net_flags,         },
-       { "lxc.net.link",             set_config_net_link,             get_config_net_link,             clr_config_net_link,          },
-       { "lxc.net.name",             set_config_net_name,             get_config_net_name,             clr_config_net_name,          },
-       { "lxc.net.macvlan.mode",     set_config_net_macvlan_mode,     get_config_net_macvlan_mode,     clr_config_net_macvlan_mode,  },
-       { "lxc.net.veth.pair",        set_config_net_veth_pair,        get_config_net_veth_pair,        clr_config_net_veth_pair,     },
-       { "lxc.net.script.up",        set_config_net_script_up,        get_config_net_script_up,        clr_config_net_script_up,     },
-       { "lxc.net.script.down",      set_config_net_script_down,      get_config_net_script_down,      clr_config_net_script_down,   },
-       { "lxc.net.hwaddr",           set_config_net_hwaddr,           get_config_net_hwaddr,           clr_config_net_hwaddr,        },
-       { "lxc.net.mtu",              set_config_net_mtu,              get_config_net_mtu,              clr_config_net_mtu,           },
-       { "lxc.net.vlan.id",          set_config_net_vlan_id,          get_config_net_vlan_id,          clr_config_net_vlan_id,       },
-       { "lxc.net.ipv4.gateway",     set_config_net_ipv4_gateway,     get_config_net_ipv4_gateway,     clr_config_net_ipv4_gateway,  },
-       { "lxc.net.ipv4",             set_config_net_ipv4,             get_config_net_ipv4,             clr_config_net_ipv4,          },
-       { "lxc.net.ipv6.gateway",     set_config_net_ipv6_gateway,     get_config_net_ipv6_gateway,     clr_config_net_ipv6_gateway,  },
-       { "lxc.net.ipv6",             set_config_net_ipv6,             get_config_net_ipv6,             clr_config_net_ipv6,          },
-       { "lxc.net.",                 set_config_net_nic,              get_config_net_nic,              clr_config_net_nic,           },
-       { "lxc.net",                  set_config_net,                  get_config_net,                  clr_config_net,               },
-
-
-       { "lxc.cap.drop",             set_config_cap_drop,             get_config_cap_drop,             clr_config_cap_drop,          },
-       { "lxc.cap.keep",             set_config_cap_keep,             get_config_cap_keep,             clr_config_cap_keep,          },
-       { "lxc.console.logfile",      set_config_console_logfile,      get_config_console_logfile,      clr_config_console_logfile,   },
-       { "lxc.console",              set_config_console,              get_config_console,              clr_config_console,           },
-       { "lxc.seccomp",              set_config_seccomp,              get_config_seccomp,              clr_config_seccomp,           },
-       { "lxc.include",              set_config_includefiles,         get_config_includefiles,         clr_config_includefiles,      },
-       { "lxc.autodev",              set_config_autodev,              get_config_autodev,              clr_config_autodev,           },
-       { "lxc.haltsignal",           set_config_haltsignal,           get_config_haltsignal,           clr_config_haltsignal,        },
-       { "lxc.rebootsignal",         set_config_rebootsignal,         get_config_rebootsignal,         clr_config_rebootsignal,      },
-       { "lxc.stopsignal",           set_config_stopsignal,           get_config_stopsignal,           clr_config_stopsignal,        },
-       { "lxc.start.auto",           set_config_start,                get_config_start,                clr_config_start,             },
-       { "lxc.start.delay",          set_config_start,                get_config_start,                clr_config_start,             },
-       { "lxc.start.order",          set_config_start,                get_config_start,                clr_config_start,             },
-       { "lxc.monitor.unshare",      set_config_monitor,              get_config_monitor,              clr_config_monitor,           },
-       { "lxc.group",                set_config_group,                get_config_group,                clr_config_group,             },
-       { "lxc.environment",          set_config_environment,          get_config_environment,          clr_config_environment,       },
-       { "lxc.init_cmd",             set_config_init_cmd,             get_config_init_cmd,             clr_config_init_cmd,          },
-       { "lxc.init_uid",             set_config_init_uid,             get_config_init_uid,             clr_config_init_uid,          },
-       { "lxc.init_gid",             set_config_init_gid,             get_config_init_gid,             clr_config_init_gid,          },
-       { "lxc.ephemeral",            set_config_ephemeral,            get_config_ephemeral,            clr_config_ephemeral,         },
-       { "lxc.syslog",               set_config_syslog,               get_config_syslog,               clr_config_syslog,            },
-       { "lxc.no_new_privs",         set_config_no_new_privs,         get_config_no_new_privs,         clr_config_no_new_privs,      },
-       { "lxc.limit",                set_config_limit,                get_config_limit,                clr_config_limit,             },
+       { "lxc.arch",                      set_config_personality,                 get_config_personality,                 clr_config_personality,               },
+       { "lxc.pts",                       set_config_pts,                         get_config_pts,                         clr_config_pts,                       },
+       { "lxc.tty",                       set_config_tty,                         get_config_tty,                         clr_config_tty,                       },
+       { "lxc.devttydir",                 set_config_ttydir,                      get_config_ttydir,                      clr_config_ttydir,                    },
+       { "lxc.kmsg",                      set_config_kmsg,                        get_config_kmsg,                        clr_config_kmsg,                      },
+       { "lxc.apparmor.profile",          set_config_apparmor_profile,            get_config_apparmor_profile,            clr_config_apparmor_profile,          },
+       { "lxc.apparmor.allow_incomplete", set_config_apparmor_allow_incomplete,   get_config_apparmor_allow_incomplete,   clr_config_apparmor_allow_incomplete, },
+       { "lxc.selinux.context",           set_config_selinux_context,             get_config_selinux_context,             clr_config_selinux_context,           },
+
+       /* REMOVE IN LXC 3.0
+          legacy security keys
+        */
+       { "lxc.aa_profile",                set_config_lsm_aa_profile,              get_config_lsm_aa_profile,              clr_config_lsm_aa_profile,            },
+       { "lxc.aa_allow_incomplete",       set_config_lsm_aa_incomplete,           get_config_lsm_aa_incomplete,           clr_config_lsm_aa_incomplete,         },
+       { "lxc.se_context",                set_config_lsm_se_context,              get_config_lsm_se_context,              clr_config_lsm_se_context,            },
+
+       { "lxc.cgroup",                    set_config_cgroup,                      get_config_cgroup,                      clr_config_cgroup,                    },
+       { "lxc.id_map",                    set_config_idmaps,                      get_config_idmaps,                      clr_config_idmaps,                    },
+       { "lxc.loglevel",                  set_config_loglevel,                    get_config_loglevel,                    clr_config_loglevel,                  },
+       { "lxc.logfile",                   set_config_logfile,                     get_config_logfile,                     clr_config_logfile,                   },
+       { "lxc.mount.entry",               set_config_mount,                       get_config_mount,                       clr_config_mount,                     },
+       { "lxc.mount.auto",                set_config_mount_auto,                  get_config_mount_auto,                  clr_config_mount_auto,                },
+       { "lxc.mount",                     set_config_fstab,                       get_config_fstab,                       clr_config_fstab,                     },
+       { "lxc.rootfs.mount",              set_config_rootfs_mount,                get_config_rootfs_mount,                clr_config_rootfs_mount,              },
+       { "lxc.rootfs.options",            set_config_rootfs_options,              get_config_rootfs_options,              clr_config_rootfs_options,            },
+       { "lxc.rootfs.backend",            set_config_rootfs_backend,              get_config_rootfs_backend,              clr_config_rootfs_backend,            },
+       { "lxc.rootfs",                    set_config_rootfs,                      get_config_rootfs,                      clr_config_rootfs,                    },
+       { "lxc.pivotdir",                  set_config_pivotdir,                    get_config_pivotdir,                    clr_config_pivotdir,                  },
+       { "lxc.utsname",                   set_config_utsname,                     get_config_utsname,                     clr_config_utsname,                   },
+       { "lxc.hook.pre-start",            set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.pre-mount",            set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.mount",                set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.autodev",              set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.start",                set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.stop",                 set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.post-stop",            set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.clone",                set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook.destroy",              set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+       { "lxc.hook",                      set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
+
+       /* REMOVE IN LXC 3.0
+          legacy security keys
+        */
+       { "lxc.network.type",              set_config_network_legacy_type,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.flags",             set_config_network_legacy_flags,        get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.link",              set_config_network_legacy_link,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.name",              set_config_network_legacy_name,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.macvlan.mode",      set_config_network_legacy_macvlan_mode, get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.veth.pair",         set_config_network_legacy_veth_pair,    get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.script.up",         set_config_network_legacy_script_up,    get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.script.down",       set_config_network_legacy_script_down,  get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.hwaddr",            set_config_network_legacy_hwaddr,       get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.mtu",               set_config_network_legacy_mtu,          get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.vlan.id",           set_config_network_legacy_vlan_id,      get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.ipv4.gateway",      set_config_network_legacy_ipv4_gateway, get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.ipv4",              set_config_network_legacy_ipv4,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.ipv6.gateway",      set_config_network_legacy_ipv6_gateway, get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.ipv6",              set_config_network_legacy_ipv6,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network.",                  set_config_network_legacy_nic,          get_config_network_legacy_item,         clr_config_network_legacy_item,       },
+       { "lxc.network",                   set_config_network_legacy,              get_config_network_legacy,              clr_config_network_legacy,            },
+
+       { "lxc.net.type",                  set_config_net_type,                    get_config_net_type,                    clr_config_net_type,                  },
+       { "lxc.net.flags",                 set_config_net_flags,                   get_config_net_flags,                   clr_config_net_flags,                 },
+       { "lxc.net.link",                  set_config_net_link,                    get_config_net_link,                    clr_config_net_link,                  },
+       { "lxc.net.name",                  set_config_net_name,                    get_config_net_name,                    clr_config_net_name,                  },
+       { "lxc.net.macvlan.mode",          set_config_net_macvlan_mode,            get_config_net_macvlan_mode,            clr_config_net_macvlan_mode,          },
+       { "lxc.net.veth.pair",             set_config_net_veth_pair,               get_config_net_veth_pair,               clr_config_net_veth_pair,             },
+       { "lxc.net.script.up",             set_config_net_script_up,               get_config_net_script_up,               clr_config_net_script_up,             },
+       { "lxc.net.script.down",           set_config_net_script_down,             get_config_net_script_down,             clr_config_net_script_down,           },
+       { "lxc.net.hwaddr",                set_config_net_hwaddr,                  get_config_net_hwaddr,                  clr_config_net_hwaddr,                },
+       { "lxc.net.mtu",                   set_config_net_mtu,                     get_config_net_mtu,                     clr_config_net_mtu,                   },
+       { "lxc.net.vlan.id",               set_config_net_vlan_id,                 get_config_net_vlan_id,                 clr_config_net_vlan_id,               },
+       { "lxc.net.ipv4.gateway",          set_config_net_ipv4_gateway,            get_config_net_ipv4_gateway,            clr_config_net_ipv4_gateway,          },
+       { "lxc.net.ipv4",                  set_config_net_ipv4,                    get_config_net_ipv4,                    clr_config_net_ipv4,                  },
+       { "lxc.net.ipv6.gateway",          set_config_net_ipv6_gateway,            get_config_net_ipv6_gateway,            clr_config_net_ipv6_gateway,          },
+       { "lxc.net.ipv6",                  set_config_net_ipv6,                    get_config_net_ipv6,                    clr_config_net_ipv6,                  },
+       { "lxc.net.",                      set_config_net_nic,                     get_config_net_nic,                     clr_config_net_nic,                   },
+       { "lxc.net",                       set_config_net,                         get_config_net,                         clr_config_net,                       },
+       { "lxc.cap.drop",                  set_config_cap_drop,                    get_config_cap_drop,                    clr_config_cap_drop,                  },
+       { "lxc.cap.keep",                  set_config_cap_keep,                    get_config_cap_keep,                    clr_config_cap_keep,                  },
+       { "lxc.console.logfile",           set_config_console_logfile,             get_config_console_logfile,             clr_config_console_logfile,           },
+       { "lxc.console",                   set_config_console,                     get_config_console,                     clr_config_console,                   },
+       { "lxc.seccomp",                   set_config_seccomp,                     get_config_seccomp,                     clr_config_seccomp,                   },
+       { "lxc.include",                   set_config_includefiles,                get_config_includefiles,                clr_config_includefiles,              },
+       { "lxc.autodev",                   set_config_autodev,                     get_config_autodev,                     clr_config_autodev,                   },
+       { "lxc.haltsignal",                set_config_haltsignal,                  get_config_haltsignal,                  clr_config_haltsignal,                },
+       { "lxc.rebootsignal",              set_config_rebootsignal,                get_config_rebootsignal,                clr_config_rebootsignal,              },
+       { "lxc.stopsignal",                set_config_stopsignal,                  get_config_stopsignal,                  clr_config_stopsignal,                },
+       { "lxc.start.auto",                set_config_start,                       get_config_start,                       clr_config_start,                     },
+       { "lxc.start.delay",               set_config_start,                       get_config_start,                       clr_config_start,                     },
+       { "lxc.start.order",               set_config_start,                       get_config_start,                       clr_config_start,                     },
+       { "lxc.monitor.unshare",           set_config_monitor,                     get_config_monitor,                     clr_config_monitor,                   },
+       { "lxc.group",                     set_config_group,                       get_config_group,                       clr_config_group,                     },
+       { "lxc.environment",               set_config_environment,                 get_config_environment,                 clr_config_environment,               },
+       { "lxc.init_cmd",                  set_config_init_cmd,                    get_config_init_cmd,                    clr_config_init_cmd,                  },
+       { "lxc.init_uid",                  set_config_init_uid,                    get_config_init_uid,                    clr_config_init_uid,                  },
+       { "lxc.init_gid",                  set_config_init_gid,                    get_config_init_gid,                    clr_config_init_gid,                  },
+       { "lxc.ephemeral",                 set_config_ephemeral,                   get_config_ephemeral,                   clr_config_ephemeral,                 },
+       { "lxc.syslog",                    set_config_syslog,                      get_config_syslog,                      clr_config_syslog,                    },
+       { "lxc.no_new_privs",              set_config_no_new_privs,                get_config_no_new_privs,                clr_config_no_new_privs,              },
+       { "lxc.limit",                     set_config_limit,                       get_config_limit,                       clr_config_limit,                     },
  };
  
  struct signame {
@@ -1585,14 +1594,16 @@ static int set_config_kmsg(const char *key, const char *value,
         return 0;
  }
  
-static int set_config_lsm_aa_profile(const char *key, const char *value,
-                                    struct lxc_conf *lxc_conf, void *data)
+static int set_config_apparmor_profile(const char *key, const char *value,
+                                      struct lxc_conf *lxc_conf, void *data)
  {
         return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
  }
  
-static int set_config_lsm_aa_incomplete(const char *key, const char *value,
-                                       struct lxc_conf *lxc_conf, void *data)
+static int set_config_apparmor_allow_incomplete(const char *key,
+                                               const char *value,
+                                               struct lxc_conf *lxc_conf,
+                                               void *data)
  {
         /* Set config value to default. */
         if (lxc_config_value_empty(value)) {
@@ -1613,8 +1624,8 @@ static int set_config_lsm_aa_incomplete(const char *key, const char *value,
         return 0;
  }
  
-static int set_config_lsm_se_context(const char *key, const char *value,
-                                    struct lxc_conf *lxc_conf, void *data)
+static int set_config_selinux_context(const char *key, const char *value,
+                                     struct lxc_conf *lxc_conf, void *data)
  {
         return set_config_string_item(&lxc_conf->lsm_se_context, value);
  }
@@ -2615,17 +2626,6 @@ int lxc_fill_elevated_privileges(char *flaglist, int *flags)
         return 0;
  }
  
-static inline int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen,
-                                  int v)
-{
-       if (!retv)
-               inlen = 0;
-       else
-               memset(retv, 0, inlen);
-
-       return snprintf(retv, inlen, "%d", v);
-}
-
  /* Write out a configuration file. */
  void write_config(FILE *fout, struct lxc_conf *c)
  {
@@ -3100,16 +3100,6 @@ static int get_config_tty(const char *key, char *retv, int inlen,
         return lxc_get_conf_int(c, retv, inlen, c->tty);
  }
  
-static inline int lxc_get_conf_str(char *retv, int inlen, const char *value)
-{
-       if (!value)
-               return 0;
-       if (retv && inlen >= strlen(value) + 1)
-               strncpy(retv, value, strlen(value) + 1);
-
-       return strlen(value);
-}
-
  static int get_config_ttydir(const char *key, char *retv, int inlen,
                              struct lxc_conf *c, void *data)
  {
@@ -3122,21 +3112,22 @@ static int get_config_kmsg(const char *key, char *retv, int inlen,
         return lxc_get_conf_int(c, retv, inlen, c->kmsg);
  }
  
-static int get_config_lsm_aa_profile(const char *key, char *retv, int inlen,
-                                    struct lxc_conf *c, void *data)
+static int get_config_apparmor_profile(const char *key, char *retv, int inlen,
+                                      struct lxc_conf *c, void *data)
  {
         return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
  }
  
-static int get_config_lsm_aa_incomplete(const char *key, char *retv, int inlen,
-                                       struct lxc_conf *c, void *data)
+static int get_config_apparmor_allow_incomplete(const char *key, char *retv,
+                                               int inlen, struct lxc_conf *c,
+                                               void *data)
  {
         return lxc_get_conf_int(c, retv, inlen,
                                 c->lsm_aa_allow_incomplete);
  }
  
-static int get_config_lsm_se_context(const char *key, char *retv, int inlen,
-                                    struct lxc_conf *c, void *data)
+static int get_config_selinux_context(const char *key, char *retv, int inlen,
+                                     struct lxc_conf *c, void *data)
  {
         return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
  }
@@ -3710,23 +3701,24 @@ static inline int clr_config_kmsg(const char *key, struct lxc_conf *c,
         return 0;
  }
  
-static inline int clr_config_lsm_aa_profile(const char *key, struct lxc_conf *c,
-                                           void *data)
+static inline int clr_config_apparmor_profile(const char *key,
+                                             struct lxc_conf *c, void *data)
  {
         free(c->lsm_aa_profile);
         c->lsm_aa_profile = NULL;
         return 0;
  }
  
-static inline int clr_config_lsm_aa_incomplete(const char *key,
-                                              struct lxc_conf *c, void *data)
+static inline int clr_config_apparmor_allow_incomplete(const char *key,
+                                                      struct lxc_conf *c,
+                                                      void *data)
  {
         c->lsm_aa_allow_incomplete = 0;
         return 0;
  }
  
-static inline int clr_config_lsm_se_context(const char *key, struct lxc_conf *c,
-                                           void *data)
+static inline int clr_config_selinux_context(const char *key,
+                                            struct lxc_conf *c, void *data)
  {
         free(c->lsm_se_context);
         c->lsm_se_context = NULL;
diff --git a/src/lxc/confile_network_legacy.c b/src/lxc/confile_legacy.c

similarity index 92%

rename from src/lxc/confile_network_legacy.c

rename to src/lxc/confile_legacy.c

index 14aef21ea06ba50f8a9265c211b4229439bb4f69..7f86cdb0effea53d72aeae1d7576dacadd92a01f 100644 (file)
--- a/src/lxc/confile_network_legacy.c
+++ b/src/lxc/confile_legacy.c
@@ -46,7 +46,7 @@
  #include "config.h"
  #include "confile.h"
  #include "confile_utils.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
  #include "utils.h"
  #include "log.h"
  #include "conf.h"
@@ -59,7 +59,7 @@
  #include <../include/ifaddrs.h>
  #endif
  
-lxc_log_define(lxc_confile_network_legacy, lxc);
+lxc_log_define(lxc_confile_legacy, lxc);
  
  /*
   * Config entry is something like "lxc.network.0.ipv4" the key 'lxc.network.'
@@ -1003,3 +1003,79 @@ inline int clr_config_network_legacy(const char *key, struct lxc_conf *c, void *
  {
         return lxc_clear_config_network(c);
  }
+
+inline int clr_config_lsm_aa_profile(const char *key, struct lxc_conf *c,
+                                    void *data)
+{
+       free(c->lsm_aa_profile);
+       c->lsm_aa_profile = NULL;
+       return 0;
+}
+
+inline int clr_config_lsm_aa_incomplete(const char *key, struct lxc_conf *c,
+                                       void *data)
+{
+       c->lsm_aa_allow_incomplete = 0;
+       return 0;
+}
+
+int get_config_lsm_aa_profile(const char *key, char *retv, int inlen,
+                             struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
+}
+
+int get_config_lsm_aa_incomplete(const char *key, char *retv, int inlen,
+                                struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_int(c, retv, inlen,
+                               c->lsm_aa_allow_incomplete);
+}
+
+int set_config_lsm_aa_profile(const char *key, const char *value,
+                             struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
+}
+
+int set_config_lsm_aa_incomplete(const char *key, const char *value,
+                                struct lxc_conf *lxc_conf, void *data)
+{
+       /* Set config value to default. */
+       if (lxc_config_value_empty(value)) {
+               lxc_conf->lsm_aa_allow_incomplete = 0;
+               return 0;
+       }
+
+       /* Parse new config value. */
+       if (lxc_safe_uint(value, &lxc_conf->lsm_aa_allow_incomplete) < 0)
+               return -1;
+
+       if (lxc_conf->lsm_aa_allow_incomplete > 1) {
+               ERROR("Wrong value for lxc.lsm_aa_allow_incomplete. Can only "
+                     "be set to 0 or 1");
+               return -1;
+       }
+
+       return 0;
+}
+
+int set_config_lsm_se_context(const char *key, const char *value,
+                             struct lxc_conf *lxc_conf, void *data)
+{
+       return set_config_string_item(&lxc_conf->lsm_se_context, value);
+}
+
+int get_config_lsm_se_context(const char *key, char *retv, int inlen,
+                             struct lxc_conf *c, void *data)
+{
+       return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
+}
+
+inline int clr_config_lsm_se_context(const char *key, struct lxc_conf *c,
+                                    void *data)
+{
+       free(c->lsm_se_context);
+       c->lsm_se_context = NULL;
+       return 0;
+}
diff --git a/src/lxc/confile_network_legacy.h b/src/lxc/confile_legacy.h

similarity index 78%

rename from src/lxc/confile_network_legacy.h

rename to src/lxc/confile_legacy.h

index 55cb2a12577ae4894ed51202a38314d2f46377ec..cbe6ce8bc69d780fadb1bb76b8848c9c2dbb896b 100644 (file)
--- a/src/lxc/confile_network_legacy.h
+++ b/src/lxc/confile_legacy.h
@@ -21,8 +21,8 @@
   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
   */
  
-#ifndef __LXC_CONFILE_NETWORK_LEGACY_H
-#define __LXC_CONFILE_NETWORK_LEGACY_H
+#ifndef __LXC_CONFILE_LEGACY_H
+#define __LXC_CONFILE_LEGACY_H
  
  #include <stdio.h>
  #include <lxc/attach_options.h>
@@ -78,4 +78,23 @@ extern int lxc_list_nicconfigs_legacy(struct lxc_conf *c, const char *key,
  extern int lxc_listconfigs(char *retv, int inlen);
  
  extern bool network_new_hwaddrs(struct lxc_conf *conf);
-#endif
+
+extern int set_config_lsm_aa_profile(const char *, const char *,
+                                    struct lxc_conf *, void *);
+extern int get_config_lsm_aa_profile(const char *, char *, int,
+                                    struct lxc_conf *, void *);
+extern int clr_config_lsm_aa_profile(const char *, struct lxc_conf *, void *);
+
+extern int set_config_lsm_aa_incomplete(const char *, const char *,
+                               struct lxc_conf *, void *);
+extern int get_config_lsm_aa_incomplete(const char *, char *, int,
+                               struct lxc_conf *, void *);
+extern int clr_config_lsm_aa_incomplete(const char *, struct lxc_conf *,
+                                       void *);
+
+extern int set_config_lsm_se_context(const char *, const char *,
+                            struct lxc_conf *, void *);
+extern int get_config_lsm_se_context(const char *, char *, int,
+                            struct lxc_conf *, void *);
+extern int clr_config_lsm_se_context(const char *, struct lxc_conf *, void *);
+#endif /* __LXC_CONFILE_LEGACY_H */
diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c

index d2df78a45f7b65195e0760264ce87b332e684de1..4c6f1117f0b9e3aef55b115b9701efb81a220ac4 100644 (file)
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -582,3 +582,23 @@ bool new_hwaddr(char *hwaddr)
  
         return true;
  }
+
+int lxc_get_conf_str(char *retv, int inlen, const char *value)
+{
+       if (!value)
+               return 0;
+       if (retv && inlen >= strlen(value) + 1)
+               strncpy(retv, value, strlen(value) + 1);
+
+       return strlen(value);
+}
+
+int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
+{
+       if (!retv)
+               inlen = 0;
+       else
+               memset(retv, 0, inlen);
+
+       return snprintf(retv, inlen, "%d", v);
+}
diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h

index 67762d2c8e3c5f80fdf5df70c3e826ed427e9e20..5831df5c20e292e8b3a2e5e7b204b70463511748 100644 (file)
--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -81,5 +81,7 @@ extern int network_ifname(char **valuep, const char *value);
  extern int rand_complete_hwaddr(char *hwaddr);
  extern void update_hwaddr(const char *line);
  extern bool new_hwaddr(char *hwaddr);
+extern int lxc_get_conf_str(char *retv, int inlen, const char *value);
+extern int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v);
  
  #endif /* __LXC_CONFILE_UTILS_H */
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c

index 0a784e90db12f3752c0e711ee2b2f59e071e4bf1..3de4fb90e383f54c8b2b6515e95aad87d648dfca 100644 (file)
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -47,7 +47,7 @@
  #include "config.h"
  #include "commands.h"
  #include "confile.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
  #include "console.h"
  #include "criu.h"
  #include "log.h"
diff --git a/src/tests/parse_config_file.c b/src/tests/parse_config_file.c

index 3fcfdd50e02cf7c45679de09f8a149ff837ef3ed..6618596c6c319966c0f1b92138334f5bdeb24dbe 100644 (file)
--- a/src/tests/parse_config_file.c
+++ b/src/tests/parse_config_file.c
@@ -328,20 +328,54 @@ int main(int argc, char *argv[])
                 goto non_test_error;
         }
  
-       /* lxc.aa_profile */
+       /* REMOVE IN LXC 3.0
+          legacy security keys
+        */
         if (set_get_compare_clear_save_load(c, "lxc.aa_profile", "unconfined",
                                             tmpf, true) < 0) {
                 lxc_error("%s\n", "lxc.aa_profile");
                 goto non_test_error;
         }
  
-       /* lxc.aa_allow_incomplete */
+       /* REMOVE IN LXC 3.0
+          legacy security keys
+        */
         if (set_get_compare_clear_save_load(c, "lxc.aa_allow_incomplete", "1",
                                             tmpf, true) < 0) {
                 lxc_error("%s\n", "lxc.aa_allow_incomplete");
                 goto non_test_error;
         }
  
+       /* REMOVE IN LXC 3.0
+          legacy security keys
+        */
+       if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22",
+                                           tmpf, true) < 0) {
+               lxc_error("%s\n", "lxc.apparmor.se_context");
+               goto non_test_error;
+       }
+
+       /* lxc.apparmor.profile */
+       if (set_get_compare_clear_save_load(c, "lxc.apparmor.profile", "unconfined",
+                                           tmpf, true) < 0) {
+               lxc_error("%s\n", "lxc.apparmor.profile");
+               goto non_test_error;
+       }
+
+       /* lxc.apparmor.allow_incomplete */
+       if (set_get_compare_clear_save_load(c, "lxc.apparmor.allow_incomplete", "1",
+                                           tmpf, true) < 0) {
+               lxc_error("%s\n", "lxc.apparmor.allow_incomplete");
+               goto non_test_error;
+       }
+
+       /* lxc.selinux.context */
+       if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22",
+                                           tmpf, true) < 0) {
+               lxc_error("%s\n", "lxc.apparmor.selinux.context");
+               goto non_test_error;
+       }
+
         /* lxc.cgroup.cpuset.cpus */
         if (set_get_compare_clear_save_load(c, "lxc.cgroup.cpuset.cpus",
                                             "1-100", tmpf, false) < 0) {
author	Christian Brauner <christian.brauner@ubuntu.com>
	Fri, 23 Jun 2017 13:35:17 +0000 (15:35 +0200)
committer	Christian Brauner <christian.brauner@ubuntu.com>
	Fri, 23 Jun 2017 13:37:55 +0000 (15:37 +0200)
src/lxc/Makefile.am		patch \| blob \| blame \| history
src/lxc/conf.c		patch \| blob \| blame \| history
src/lxc/confile.c		patch \| blob \| blame \| history
src/lxc/confile_legacy.c	[moved from src/lxc/confile_network_legacy.c with 92% similarity]	patch \| blob \| blame \| history
src/lxc/confile_legacy.h	[moved from src/lxc/confile_network_legacy.h with 78% similarity]	patch \| blob \| blame \| history
src/lxc/confile_utils.c		patch \| blob \| blame \| history
src/lxc/confile_utils.h		patch \| blob \| blame \| history
src/lxc/lxccontainer.c		patch \| blob \| blame \| history
src/tests/parse_config_file.c		patch \| blob \| blame \| history