lsm: harden read_file_at()

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

lsm: harden read_file_at()
6fc8a0dd · Christian Brauner · 46bf13b7 · 6fc8a0dd · 6fc8a0dd
Unverified Commit 6fc8a0dd authored Feb 01, 2021 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

apparmor.c src/lxc/lsm/apparmor.c +1 -1

selinux.c src/lxc/lsm/selinux.c +1 -1

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -447,7 +447,7 @@ static char *apparmor_process_label_get_at(struct lsm_ops *ops, int fd_pid)
 	__do_free char *label = NULL;
 	size_t len;
-	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, 0);
+	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);
 	if (!label)
 		return log_error_errno(NULL, errno, "Failed to get AppArmor context");

--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -57,7 +57,7 @@ static char *selinux_process_label_get_at(struct lsm_ops *ops, int fd_pid)
 	__do_free char *label = NULL;
 	size_t len;
-	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, 0);
+	label = read_file_at(fd_pid, "attr/current", PROTECT_OPEN, PROTECT_LOOKUP_BENEATH);
 	if (!label)
 		return log_error_errno(NULL, errno, "Failed to get SELinux context");