From 6fc8a0dd822843fc96738f2b3c1c59e1c77fcd50 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 1 Feb 2021 20:15:16 +0100
Subject: [PATCH] lsm: harden read_file_at()

Signed-off-by: Christian Brauner
---
 src/lxc/lsm/apparmor.c | 2 +-
 src/lxc/lsm/selinux.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 369f7939d..fef503613 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -447,7 +447,7 @@ static char *apparmor_process_label_get_at(struct lsm_ops *ops, int fd_pid)
 	__do_free char *label = NULL;
 	size_t len;
 
-	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, 0);
+	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);
 	if (!label)
 		return log_error_errno(NULL, errno, "Failed to get AppArmor context");
 
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 5ed99fb3e..e20a835fe 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -57,7 +57,7 @@ static char *selinux_process_label_get_at(struct lsm_ops *ops, int fd_pid)
 	__do_free char *label = NULL;
 	size_t len;
 
-	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, 0);
+	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);
 	if (!label)
 		return log_error_errno(NULL, errno, "Failed to get SELinux context");
 
-- 
2.47.3
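Review bot: The new call `label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);` carries no comment saying why the lookup must stay beneath fd_pid, and the commit title ("harden read_file_at()") names the callee rather than these two call sites, so the intent is easy to lose on the next refactor. I would put `/* Resolve "attr/current" strictly beneath the /proc/<pid> dir fd so no symlink or ".." component can redirect the read. */` above the line. The flag's value presumably depends on read_file_at() still honouring it on kernels without openat2(); that fallback is not visible here, and if it degrades to an unconfined lookup the hardening is partial and should be stated. The selinux_process_label_get_at() hunk makes the identical change and deserves the same comment. Both functions continue outside their hunks.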