Merge branch 'marcosps-selinux_simplification' into lxc/master

ca20a3b3 · Christian Brauner · 5c80e9fc · 08fccae2 · ca20a3b3 · ca20a3b3
Unverified Commit ca20a3b3 authored Feb 08, 2018 by Christian Brauner
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 24 deletions

apparmor.c src/lxc/lsm/apparmor.c +2 -3

selinux.c src/lxc/lsm/selinux.c +25 -21

No files found.
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -162,8 +162,8 @@ static bool aa_needs_transition(char *curlabel)
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @label   : the profile to set
- * @conf    : the container configuration to use @label is NULL
+ * @conf    : the container configuration to use if @label is NULL
- * @default : use the default profile if label is NULL
+ * @default : use the default profile if @label is NULL
 * @on_exec : this is ignored.  Apparmor profile will be changed immediately
 *
 * Returns 0 on success, < 0 on failure
@@ -230,7 +230,6 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		INFO("apparmor profile unchanged");
 		return 0;
 	}
 	tid = lxc_raw_gettid();
 	label_fd = lsm_process_label_fd_get(tid, on_exec);
 	if (label_fd < 0) {

--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -23,13 +23,15 @@
 #include <errno.h>
 #include <stdlib.h>
-#include <sys/types.h>
+#include <stdbool.h>
+#include <string.h>
 #include <unistd.h>
 #include <selinux/selinux.h>
+#include <sys/types.h>
+#include "conf.h"
 #include "log.h"
 #include "lsm.h"
-#include "conf.h"
 #define DEFAULT_LABEL "unconfined_t"
@@ -63,8 +65,8 @@ static char *selinux_process_label_get(pid_t pid)
 * selinux_process_label_set: Set SELinux context of a process
 *
 * @label   : label string
- * @conf    : the container configuration to use @label is NULL
+ * @conf    : the container configuration to use if @label is NULL
- * @default : use the default context if label is NULL
+ * @default : use the default context if @label is NULL
 * @on_exec : the new context will take effect on exec(2) not immediately
 *
 * Returns 0 on success, < 0 on failure
@@ -74,29 +76,31 @@ static char *selinux_process_label_get(pid_t pid)
 static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
 				     bool use_default, bool on_exec)
 {
-	const char *label = inlabel ? inlabel : conf->lsm_se_context;
+	int ret;
+	const char *label;
+	label = inlabel ? inlabel : conf->lsm_se_context;
 	if (!label) {
-		if (use_default)
+		if (!use_default)
-			label = DEFAULT_LABEL;
+			return -EINVAL;
-		else
-			return -1;
+		label = DEFAULT_LABEL;
 	}
-	if (!strcmp(label, "unconfined_t"))
+	if (strcmp(label, "unconfined_t") == 0)
 		return 0;
-	if (on_exec) {
+	if (on_exec)
-		if (setexeccon_raw((char *)label) < 0) {
+		ret = setexeccon_raw((char *)label);
-			SYSERROR("failed to set new SELinux exec context %s", label);
+	else
-			return -1;
+		ret = setcon_raw((char *)label);
-		}
+	if (ret < 0) {
-	} else {
+		SYSERROR("Failed to set SELinux%s context to \"%s\"",
-		if (setcon_raw((char *)label) < 0) {
+			 on_exec ? " exec" : "", label);
-			SYSERROR("failed to set new SELinux context %s", label);
+		return -1;
-			return -1;
-		}
 	}
-	INFO("changed SELinux%s context to %s", on_exec ? " exec" : "", label);
+	INFO("Changed SELinux%s context to \"%s\"", on_exec ? " exec" : "", label);
 	return 0;
 }