add lsm op for checking if an lsm is present/enabled

Signed-off-by: Dwight Engen <dwight.engen@oracle.com> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

add lsm op for checking if an lsm is present/enabled
9e4bf8b1 · Dwight Engen · Serge Hallyn · fefddf9f · 9e4bf8b1 · 9e4bf8b1
Commit 9e4bf8b1 authored Oct 15, 2013 by Dwight Engen Committed by Serge Hallyn Oct 17, 2013
Showing with 18 additions and 0 deletions

apparmor.c src/lxc/lsm/apparmor.c +1 -0

lsm.c src/lxc/lsm/lsm.c +7 -0

lsm.h src/lxc/lsm/lsm.h +3 -0

nop.c src/lxc/lsm/nop.c +6 -0

selinux.c src/lxc/lsm/selinux.c +1 -0

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -167,6 +167,7 @@ static int apparmor_process_label_set(const char *label, int use_default)

 static struct lsm_drv apparmor_drv = {
 	.name = "AppArmor",
+	.enabled           = apparmor_enabled,
 	.process_label_get = apparmor_process_label_get,
 	.process_label_set = apparmor_process_label_set,
 };

--- a/src/lxc/lsm/lsm.c
+++ b/src/lxc/lsm/lsm.c
@@ -62,6 +62,13 @@ void lsm_init(void)
 	INFO("Initialized LSM security driver %s", drv->name);
 }

+int lsm_enabled()
+{
+	if (drv)
+		return drv->enabled();
+	return 0;
+}
+
 char *lsm_process_label_get(pid_t pid)
 {
 	if (!drv) {

--- a/src/lxc/lsm/lsm.h
+++ b/src/lxc/lsm/lsm.h
@@ -31,18 +31,21 @@ struct lxc_conf;
 struct lsm_drv {
 	const char *name;

+	int   (*enabled)(void);
 	char *(*process_label_get)(pid_t pid);
 	int   (*process_label_set)(const char *label, int use_default);
 };

 #if HAVE_APPARMOR || HAVE_SELINUX
 void  lsm_init(void);
+int   lsm_enabled(void);
 char *lsm_process_label_get(pid_t pid);
 int   lsm_process_label_set(const char *label, int use_default);
 int   lsm_proc_mount(struct lxc_conf *lxc_conf);
 void  lsm_proc_unmount(struct lxc_conf *lxc_conf);
 #else
 static inline void  lsm_init(void) { }
+static inline int   lsm_enabled(void) { return 0; }
 static inline char *lsm_process_label_get(pid_t pid) { return NULL; }
 static inline int   lsm_process_label_set(char *label, int use_default) { return 0; }
 static inline int   lsm_proc_mount(struct lxc_conf *lxc_conf) { return 0; }

--- a/src/lxc/lsm/nop.c
+++ b/src/lxc/lsm/nop.c
@@ -34,8 +34,14 @@ static int nop_process_label_set(const char *label, int use_default)
 	return 0;
 }

+static int nop_enabled(void)
+{
+	return 0;
+}
+
 static struct lsm_drv nop_drv = {
 	.name = "nop",
+	.enabled           = nop_enabled,
 	.process_label_get = nop_process_label_get,
 	.process_label_set = nop_process_label_set,
 };

--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -89,6 +89,7 @@ static int selinux_process_label_set(const char *label, int use_default)

 static struct lsm_drv selinux_drv = {
 	.name = "SELinux",
+	.enabled           = is_selinux_enabled,
 	.process_label_get = selinux_process_label_get,
 	.process_label_set = selinux_process_label_set,
 };