apparmor: clean up apparmor_process_label_get

Rather than open-coding file reading and retry semantics and implementing the path generation logic separately to apparmor_process_label_fd_get, refactor the logic so that it looks closer to the pidfd version. This will make it easier to implement the two-step handling for /proc/self/attr/apparmor/current and makes this code slightly less confusing. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

apparmor: clean up apparmor_process_label_get
38c072c1 · Aleksa Sarai · Christian Brauner · 2ec2c3d2 · 38c072c1
Unverified Commit 38c072c1 authored Feb 19, 2021 by Aleksa Sarai Committed by Christian Brauner Feb 26, 2021
Show whitespace changes
Inline Side-by-side

Showing with 34 additions and 58 deletions

apparmor.c src/lxc/lsm/apparmor.c +34 -58

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -395,52 +395,43 @@ static int apparmor_enabled(struct lsm_ops *ops)
 	return 0;
 }
+static int __apparmor_process_label_open(struct lsm_ops *ops, pid_t pid, int o_flags, bool on_exec)
+{
+	int ret = -1;
+	int labelfd;
+	char path[LXC_LSMATTRLEN];
+	if (on_exec)
+		TRACE("On-exec not supported with AppArmor");
+	ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid);
+	if (ret < 0 || ret >= LXC_LSMATTRLEN)
+		return -1;
+	labelfd = open(path, o_flags);
+	if (labelfd < 0)
+		return log_error_errno(-errno, errno, "Unable to open AppArmor LSM label file descriptor");
+	return labelfd;
+}
 static char *apparmor_process_label_get(struct lsm_ops *ops, pid_t pid)
 {
-	char path[100], *space;
+	int label_fd;
-	int ret;
+	__do_free char *label = NULL;
-	char *buf = NULL, *newbuf;
+	size_t len;
-	int sz = 0;
-	FILE *f;
-	ret = snprintf(path, 100, "/proc/%d/attr/current", pid);
+	label_fd = __apparmor_process_label_open(ops, pid, O_RDONLY, false);
-	if (ret < 0 || ret >= 100) {
+	if (label_fd < 0)
-		ERROR("path name too long");
-		return NULL;
-	}
-again:
-	f = fopen_cloexec(path, "r");
-	if (!f) {
-		SYSERROR("opening %s", path);
-		free(buf);
-		return NULL;
-	}
-	sz += 1024;
-	newbuf = realloc(buf, sz);
-	if (!newbuf) {
-		free(buf);
-		ERROR("out of memory");
-		fclose(f);
-		return NULL;
-	}
-	buf = newbuf;
-	memset(buf, 0, sz);
-	ret = fread(buf, 1, sz - 1, f);
-	fclose(f);
-	if (ret < 0) {
-		ERROR("reading %s", path);
-		free(buf);
 		return NULL;
-	}
-	if (ret >= sz)
+	fd_to_buf(label_fd, &label, &len);
-		goto again;
-	space = strchr(buf, '\n');
+	len = strcspn(label, "\n \t");
-	if (space)
+	if (len)
-		*space = '\0';
+		label[len] = '\0';
-	space = strchr(buf, ' ');
-	if (space)
+	return move_ptr(label);
-		*space = '\0';
-	return buf;
 }
 static char *apparmor_process_label_get_at(struct lsm_ops *ops, int fd_pid)
@@ -1141,22 +1132,7 @@ static int apparmor_keyring_label_set(struct lsm_ops *ops, const char *label)
 static int apparmor_process_label_fd_get(struct lsm_ops *ops, pid_t pid, bool on_exec)
 {
-	int ret = -1;
+	return __apparmor_process_label_open(ops, pid, O_RDWR, on_exec);
-	int labelfd;
-	char path[LXC_LSMATTRLEN];
-	if (on_exec)
-		TRACE("On-exec not supported with AppArmor");
-	ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid);
-	if (ret < 0 || ret >= LXC_LSMATTRLEN)
-		return -1;
-	labelfd = open(path, O_RDWR);
-	if (labelfd < 0)
-		return log_error_errno(-errno, errno, "Unable to open AppArmor LSM label file descriptor");
-	return labelfd;
 }
 static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, const char *label, bool on_exec)