From: Christian Brauner Date: Mon, 22 Jan 2018 09:54:38 +0000 (+0100) Subject: lsm: add lsm_process_label_fd_get() X-Git-Tag: lxc-2.0.10~375 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4364c487df403aefe8739fd4270b11199fe75888;p=thirdparty%2Flxc.git lsm: add lsm_process_label_fd_get() Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index f3cec064f..48f7f6d13 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -82,44 +82,6 @@ lxc_log_define(lxc_attach, lxc);
-/* /proc/pid-to-str/current\0 = (5 + 21 + 7 + 1) */
-#define __LSMATTRLEN (5 + (LXC_NUMSTRLEN64) + 7 + 1)
-static int lsm_open(pid_t pid, int on_exec)
-{
- const char *name;
- char path[__LSMATTRLEN];
- int ret = -1;
- int labelfd = -1;
-
- name = lsm_name();
-
- if (strcmp(name, "nop") == 0)
- return 0;
-
- if (strcmp(name, "none") == 0)
- return 0;
-
- /* We don't support on-exec with AppArmor */
- if (strcmp(name, "AppArmor") == 0)
- on_exec = 0;
-
- if (on_exec)
- ret = snprintf(path, __LSMATTRLEN, "/proc/%d/attr/exec", pid);
- else
- ret = snprintf(path, __LSMATTRLEN, "/proc/%d/attr/current", pid);
- if (ret < 0 || ret >= __LSMATTRLEN)
- return -1;
-
- labelfd = open(path, O_RDWR);
- if (labelfd < 0) {
- SYSERROR("%s - Unable to open file descriptor to set LSM label",
- strerror(errno));
- return -1;
- }
-
- return labelfd;
-}
-
 static int lsm_set_label_at(int lsm_labelfd, int on_exec, char *lsm_label)
 {
 int fret = -1;
@@ -1342,11 +1304,12 @@ int lxc_attach(const char *name, const char *lxcpath,
 if ((options->namespaces & CLONE_NEWNS) &&
 (options->attach_flags & LXC_ATTACH_LSM) &&
 init_ctx->lsm_label) {
- int labelfd, on_exec;
 int ret = -1;
+ int labelfd;
+ bool on_exec;
- on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
- labelfd = lsm_open(attached_pid, on_exec);
+ on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
+ labelfd = lsm_process_label_fd_get(attached_pid, on_exec);
 if (labelfd < 0)
 goto close_mainloop;
 TRACE("Opened LSM label file descriptor %d", labelfd);
diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
index 75f20f13b..98bf083bb 100644
--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
@@ -85,6 +85,42 @@ char *lsm_process_label_get(pid_t pid)
 return drv->process_label_get(pid);
 }
+int lsm_process_label_fd_get(pid_t pid, bool on_exec)
+{
+ int ret = -1;
+ int labelfd = -1;
+ const char *name;
+ char path[LXC_LSMATTRLEN];
+
+ name = lsm_name();
+
+ if (strcmp(name, "nop") == 0)
+ return 0;
+
+ if (strcmp(name, "none") == 0)
+ return 0;
+
+ /* We don't support on-exec with AppArmor */
+ if (strcmp(name, "AppArmor") == 0)
+ on_exec = 0;
+
+ if (on_exec)
+ ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/exec", pid);
+ else
+ ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid);
+ if (ret < 0 || ret >= LXC_LSMATTRLEN)
+ return -1;
+
+ labelfd = open(path, O_RDWR);
+ if (labelfd < 0) {
+ SYSERROR("%s - Unable to %s LSM label file descriptor",
+ name, strerror(errno));
+ return -1;
+ }
+
+ return labelfd;
+}
+
 int lsm_process_label_set(const char *label, struct lxc_conf *conf,
 bool use_default, bool on_exec)
 {
diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
index 3b08b3be7..db8738411 100644
--- a/src/lxc/lsm/lsm.h
+++ b/src/lxc/lsm/lsm.h
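Review bot: The ternary on the `on_exec` assignment is redundant now that the variable is a `bool`; `on_exec = (options->attach_flags & LXC_ATTACH_LSM_EXEC) != 0;` states the flag test directly and avoids the `? true : false` idiom that -Wall-style reviewers usually flag. The `labelfd < 0` check that follows accepts the `0` that `lsm_process_label_fd_get()` returns for the `nop`/`none` drivers, so the TRACE line would report "file descriptor 0" and the code after the hunk would continue with a descriptor that is really stdin; if that path is unreachable because `init_ctx->lsm_label` is only set when a real driver is active, a one-line comment saying so at the `if` would save the next reader the same question. lxc_attach() begins and ends outside this hunk.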
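Review bot: The SYSERROR in the open() failure branch passes `name` and `strerror(errno)` to a format whose second `%s` is the verb slot, so the message comes out as e.g. "AppArmor - Unable to No such file or directory LSM label file descriptor"; restore the verb and put the driver name in the object slot, `SYSERROR("%s - Unable to open %s LSM label file descriptor", strerror(errno), name);` (if SYSERROR already prepends strerror(errno), which is not visible here, drop that argument and the leading `%s - ` instead). `on_exec = 0;` assigns an int to a `bool` parameter; `on_exec = false;` matches the new signature. The `nop`/`none` branches return 0, which a caller testing `< 0` cannot tell apart from descriptor 0, so the return contract deserves a comment above the function: 0 when no LSM driver is active, -1 on error, otherwise an open read/write descriptor on `/proc/<pid>/attr/exec` or `/proc/<pid>/attr/current` that the caller owns and must close. Consider `open(path, O_RDWR | O_CLOEXEC)` as well, so the opener's copy of the attr descriptor is not inherited across a later exec; the copy handed to the attached process is governed by how it is passed, which is outside this hunk.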
@@ -48,6 +48,7 @@ extern const char *lsm_name(void);
 extern char *lsm_process_label_get(pid_t pid);
 extern int lsm_process_label_set(const char *label, struct lxc_conf *conf,
 bool use_default, bool on_exec);
+extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
 #else
 static inline void lsm_init(void)
 {
@@ -74,6 +75,11 @@ static inline int lsm_process_label_set(const char *label,
 {
 return 0;
 }
+
+static inline int lsm_process_label_fd_get(pid_t pid, bool on_exec)
+{
+ return 0;
+}
 #endif
 #endif
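Review bot: The new `lsm_process_label_fd_get()` prototype lands in the header without a comment, and its return value is overloaded: the lsm.c implementation returns 0 for the `nop`/`none` drivers, -1 on error, and otherwise a descriptor that can itself legitimately be 0. A block comment above the prototype should state that, e.g. `/* Open /proc/<pid>/attr/exec (on_exec) or /proc/<pid>/attr/current read-write. Returns 0 when no LSM driver is active, -1 on error, otherwise an fd the caller must close. on_exec is ignored for AppArmor. */`. The stub in the `#else` branch (second hunk) leaves `pid` and `on_exec` unused, which matches the neighbouring stubs as far as they are visible but will warn under `-Wunused-parameter`.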