From fbf281d3f449ff56401d3c691ff3f18ae534b7ee Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Sun, 31 Jan 2021 21:48:00 +0100
Subject: [PATCH] lsm/apparmor: cleanup apparmor_process_label_set()
Signed-off-by: Christian Brauner
---
 src/lxc/lsm/apparmor.c | 44 +++++++++++++++---------------------------
 1 file changed, 16 insertions(+), 28 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index f4d9281de..d72ca032d 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -1196,45 +1196,33 @@ static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, cons
 static int apparmor_process_label_set(struct lsm_ops *ops, const char *inlabel,
 struct lxc_conf *conf, bool on_exec)
 {
- int label_fd, ret;
- pid_t tid;
+ __do_close int label_fd = -EBADF;
+ int ret;
 const char *label;
 
 if (!ops->aa_enabled)
- return log_error(-1, "AppArmor not enabled");
+ return log_error_errno(-EOPNOTSUPP, EOPNOTSUPP, "AppArmor not enabled");
 
 label = inlabel ? inlabel : conf->lsm_aa_profile_computed;
- if (!label) {
- ERROR("LSM wasn't prepared");
- return -1;
- }
+ if (!label)
+ return log_error_errno(-EINVAL, EINVAL, "LSM wasn't prepared");
 
 /* user may request that we just ignore apparmor */
- if (strcmp(label, AA_UNCHANGED) == 0) {
- INFO("AppArmor profile unchanged per user request");
- return 0;
- }
+ if (strcmp(label, AA_UNCHANGED) == 0)
+ return log_info(0, "AppArmor profile unchanged per user request");
 
- if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined(ops)) {
- INFO("AppArmor profile unchanged");
- return 0;
- }
- tid = lxc_raw_gettid();
- label_fd = apparmor_process_label_fd_get(ops, tid, on_exec);
- if (label_fd < 0) {
- SYSERROR("Failed to change AppArmor profile to %s", label);
- return -1;
- }
+ if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined(ops))
+ return log_info(0, "AppArmor profile unchanged");
+
+ label_fd = apparmor_process_label_fd_get(ops, lxc_raw_gettid(), on_exec);
+ if (label_fd < 0)
+ return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
 
 ret = apparmor_process_label_set_at(ops, label_fd, label, on_exec);
- close(label_fd);
- if (ret < 0) {
- ERROR("Failed to change AppArmor profile to %s", label);
- return -1;
- }
+ if (ret < 0)
+ return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
 
- INFO("Changed AppArmor profile to %s", label);
- return 0;
+ return log_info(0, "Changed AppArmor profile to %s", label);
 }
 
 static struct lsm_ops apparmor_ops = {
-- 
2.47.2
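Review bot: The two confinement-failure paths in the new code, `if (label_fd < 0)` and `if (ret < 0)`, now report `EINVAL` unconditionally via `log_error_errno(-EINVAL, EINVAL, ...)`, so the errno that actually made opening or writing the AppArmor label file fail (for example the profile not being loaded, or the kernel refusing the transition) no longer reaches the log or the caller, whereas the removed `SYSERROR(...)` on the fd path at least printed it. For a process that is about to run a container with a weaker label than requested, that cause is exactly what an operator needs when reading the error, and a caller that inspects the return value cannot distinguish "bad label" from "AppArmor refused". If `apparmor_process_label_fd_get()` and `apparmor_process_label_set_at()` leave errno set on failure — both are defined outside this hunk, and the `log_error_errno` macro's evaluation order is not visible here either, so please confirm — then `return log_error_errno(-errno, errno, "Failed to change AppArmor profile to %s", label);` on both lines preserves the real reason while keeping the new negative-errno return convention. The `__do_close int label_fd = -EBADF` initialisation does correctly replace the dropped explicit `close(label_fd)` on every return path, including the new early return after `apparmor_process_label_set_at()`.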