From 961878dac19af1ab6723d05c08bd461eaf4d9b64 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Fri, 3 Sep 2021 10:01:51 +0200 Subject: [PATCH] lsm: fix integer comparisons Signed-off-by: Christian Brauner --- src/lxc/lsm/apparmor.c | 7 +++---- src/lxc/lsm/selinux.c | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c index 0667526d4..2d81acdc8 100644 --- a/src/lxc/lsm/apparmor.c +++ b/src/lxc/lsm/apparmor.c @@ -406,7 +406,7 @@ static int __apparmor_process_label_open(struct lsm_ops *ops, pid_t pid, int o_f /* first try the apparmor subdir */ ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/apparmor/current", pid); - if (ret < 0 || ret >= LXC_LSMATTRLEN) + if (ret < 0 || (size_t)ret >= LXC_LSMATTRLEN) return -1; labelfd = open(path, o_flags); @@ -417,7 +417,7 @@ static int __apparmor_process_label_open(struct lsm_ops *ops, pid_t pid, int o_f /* fallback to legacy global attr directory */ ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid); - if (ret < 0 || ret >= LXC_LSMATTRLEN) + if (ret < 0 || (size_t)ret >= LXC_LSMATTRLEN) return -1; labelfd = open(path, o_flags); @@ -721,13 +721,12 @@ static void append_all_remount_rules(char **profile, size_t *size) const size_t buf_append_pos = strlen(buf); const size_t opt_count = ARRAY_SIZE(REMOUNT_OPTIONS); - size_t opt_bits; must_append_sized(profile, size, "# allow various ro-bind-*re*mounts\n", sizeof("# allow various ro-bind-*re*mounts\n")-1); - for (opt_bits = 0; opt_bits != 1 << opt_count; ++opt_bits) { + for (size_t opt_bits = 0; opt_bits != (size_t)1 << opt_count; ++opt_bits) { size_t at = buf_append_pos; unsigned bit = 1; size_t o; diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c index 34987a6c7..e0833f1b7 100644 --- a/src/lxc/lsm/selinux.c +++ b/src/lxc/lsm/selinux.c 
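Review bot: In `__apparmor_process_label_open` the truncation check is tied to the macro `LXC_LSMATTRLEN` rather than to the buffer it protects, so the bound and the buffer can drift apart if `path` is ever resized. The declaration of `path` is outside the hunk; if it is a local array, I would write `ret = snprintf(path, sizeof(path), "/proc/%d/attr/apparmor/current", pid);` followed by `if (ret < 0 || (size_t)ret >= sizeof(path))`. The new cast is sound only because `ret < 0` is tested first, so a short comment such as `/* ret is non-negative here, the cast cannot wrap */` would stop a later reordering from turning a negative return into a huge length. The same applies to the fallback snprintf in the second hunk of this function and to the check in src/lxc/lsm/selinux.c.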
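Review bot: The loop bound `(size_t)1 << opt_count` in `append_all_remount_rules` is undefined once `opt_count` reaches the bit width of `size_t`, and the `unsigned bit = 1;` declared in the loop body (presumably the per-option mask) is narrower still on 64-bit targets. Since `opt_count` comes from `ARRAY_SIZE(REMOUNT_OPTIONS)`, a compile-time guard next to the table would pin this: `_Static_assert(ARRAY_SIZE(REMOUNT_OPTIONS) < sizeof(unsigned) * CHAR_BIT, "too many remount options");`. Parentheses around the shift, `opt_bits != ((size_t)1 << opt_count)`, would also make the precedence explicit to the next reader. The loop runs 2^opt_count times, so the same guard bounds how large the generated AppArmor profile can grow; the loop body continues outside the hunk.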
@@ -136,7 +136,7 @@ static int selinux_process_label_fd_get(struct lsm_ops *ops, pid_t pid, bool on_ ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/exec", pid); else ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid); - if (ret < 0 || ret >= LXC_LSMATTRLEN) + if (ret < 0 || (size_t)ret >= LXC_LSMATTRLEN) return -1; labelfd = open(path, O_RDWR); -- 2.47.2
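Review bot: The `open(path, O_RDWR)` that follows the corrected check in `selinux_process_label_fd_get` carries no `O_CLOEXEC`, so a writable descriptor on the target's SELinux attribute file can be inherited by anything exec'd while it is still open. Unless a caller depends on passing it across exec, which the hunk does not show, I would change the line to `labelfd = open(path, O_RDWR | O_CLOEXEC);`. The function continues past the end of the hunk, so how `labelfd` is closed or returned is not visible here.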