lsm: add lsm_process_label_fd_get()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm: add lsm_process_label_fd_get()
47ce2cb7 · Christian Brauner · e6e89974 · 47ce2cb7 · 47ce2cb7 · 47ce2cb7
Unverified Commit 47ce2cb7 authored Jan 22, 2018 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 41 deletions

attach.c src/lxc/attach.c +4 -41

lsm.c src/lxc/lsm/lsm.c +36 -0

lsm.h src/lxc/lsm/lsm.h +6 -0

No files found.
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -88,44 +88,6 @@
 lxc_log_define(lxc_attach, lxc);
-/* /proc/pid-to-str/current\0 = (5 + 21 + 7 + 1) */
-#define __LSMATTRLEN (5 + (LXC_NUMSTRLEN64) + 7 + 1)
-static int lsm_open(pid_t pid, int on_exec)
-{
-	const char *name;
-	char path[__LSMATTRLEN];
-	int ret = -1;
-	int labelfd = -1;
-	name = lsm_name();
-	if (strcmp(name, "nop") == 0)
-		return 0;
-	if (strcmp(name, "none") == 0)
-		return 0;
-	/* We don't support on-exec with AppArmor */
-	if (strcmp(name, "AppArmor") == 0)
-		on_exec = 0;
-	if (on_exec)
-		ret = snprintf(path, __LSMATTRLEN, "/proc/%d/attr/exec", pid);
-	else
-		ret = snprintf(path, __LSMATTRLEN, "/proc/%d/attr/current", pid);
-	if (ret < 0 || ret >= __LSMATTRLEN)
-		return -1;
-	labelfd = open(path, O_RDWR);
-	if (labelfd < 0) {
-		SYSERROR("%s - Unable to open file descriptor to set LSM label",
-			 strerror(errno));
-		return -1;
-	}
-	return labelfd;
-}
 static int lsm_set_label_at(int lsm_labelfd, int on_exec, char *lsm_label)
 {
 	int fret = -1;
@@ -1396,11 +1358,12 @@ int lxc_attach(const char *name, const char *lxcpath,
 		if ((options->namespaces & CLONE_NEWNS) &&
 		    (options->attach_flags & LXC_ATTACH_LSM) &&
 		    init_ctx->lsm_label) {
-			int labelfd, on_exec;
 			int ret = -1;
+			int labelfd;
+			bool on_exec;
-			on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0;
+			on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false;
-			labelfd = lsm_open(attached_pid, on_exec);
+			labelfd = lsm_process_label_fd_get(attached_pid, on_exec);
 			if (labelfd < 0)
 				goto close_mainloop;
 			TRACE("Opened LSM label file descriptor %d", labelfd);

--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
@@ -85,6 +85,42 @@ char *lsm_process_label_get(pid_t pid)
 	return drv->process_label_get(pid);
 }
+int lsm_process_label_fd_get(pid_t pid, bool on_exec)
+{
+	int ret = -1;
+	int labelfd = -1;
+	const char *name;
+	char path[LXC_LSMATTRLEN];
+	name = lsm_name();
+	if (strcmp(name, "nop") == 0)
+		return 0;
+	if (strcmp(name, "none") == 0)
+		return 0;
+	/* We don't support on-exec with AppArmor */
+	if (strcmp(name, "AppArmor") == 0)
+		on_exec = 0;
+	if (on_exec)
+		ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/exec", pid);
+	else
+		ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid);
+	if (ret < 0 || ret >= LXC_LSMATTRLEN)
+		return -1;
+	labelfd = open(path, O_RDWR);
+	if (labelfd < 0) {
+		SYSERROR("%s - Unable to %s LSM label file descriptor",
+			 name, strerror(errno));
+		return -1;
+	}
+	return labelfd;
+}
 int lsm_process_label_set(const char *label, struct lxc_conf *conf,
 			  bool use_default, bool on_exec)
 {

--- a/src/lxc/lsm/lsm.h
+++ b/src/lxc/lsm/lsm.h
@@ -48,6 +48,7 @@ extern const char *lsm_name(void);
 extern char *lsm_process_label_get(pid_t pid);
 extern int lsm_process_label_set(const char *label, struct lxc_conf *conf,
 				 bool use_default, bool on_exec);
+extern int lsm_process_label_fd_get(pid_t pid, bool on_exec);
 #else
 static inline void lsm_init(void)
 {
@@ -74,6 +75,11 @@ static inline int lsm_process_label_set(const char *label,
 {
 	return 0;
 }
+static inline int lsm_process_label_fd_get(pid_t pid, bool on_exec)
+{
+	return 0;
+}
 #endif
 #endif