Merge pull request #3766 from brauner/2021-04-02/fixes_2

lsm: fixes

Merge pull request #3766 from brauner/2021-04-02/fixes_2
d75ddd9b · Stéphane Graber · GitHub · 6fde9fb1 · 8f899a4a · d75ddd9b
Unverified Commit d75ddd9b authored Apr 02, 2021 by Stéphane Graber Committed by GitHub Apr 02, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 74 additions and 4 deletions

confile.c src/lxc/confile.c +74 -4

No files found.
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -1555,7 +1555,11 @@ static int set_config_tty_dir(const char *key, const char *value,
 static int set_config_apparmor_profile(const char *key, const char *value,
 				       struct lxc_conf *lxc_conf, void *data)
 {
+#if HAVE_APPARMOR
 	return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int set_config_apparmor_allow_incomplete(const char *key,
@@ -1563,6 +1567,7 @@ static int set_config_apparmor_allow_incomplete(const char *key,
 						struct lxc_conf *lxc_conf,
 						void *data)
 {
+#if HAVE_APPARMOR
 	int ret;

 	if (lxc_config_value_empty(value)) {
@@ -1578,6 +1583,9 @@ static int set_config_apparmor_allow_incomplete(const char *key,
 		return ret_errno(EINVAL);

 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int set_config_apparmor_allow_nesting(const char *key,
@@ -1585,6 +1593,7 @@ static int set_config_apparmor_allow_nesting(const char *key,
 					     struct lxc_conf *lxc_conf,
 					     void *data)
 {
+#if HAVE_APPARMOR
 	int ret;

 	if (lxc_config_value_empty(value))
@@ -1598,6 +1607,9 @@ static int set_config_apparmor_allow_nesting(const char *key,
 		return ret_errno(EINVAL);

 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int set_config_apparmor_raw(const char *key,
@@ -1605,6 +1617,7 @@ static int set_config_apparmor_raw(const char *key,
 				   struct lxc_conf *lxc_conf,
 				   void *data)
 {
+#if HAVE_APPARMOR
 	__do_free char *elem = NULL;
 	__do_free struct lxc_list *list = NULL;

@@ -1623,18 +1636,29 @@ static int set_config_apparmor_raw(const char *key,
 	lxc_list_add_tail(&lxc_conf->lsm_aa_raw, move_ptr(list));

 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int set_config_selinux_context(const char *key, const char *value,
 				      struct lxc_conf *lxc_conf, void *data)
 {
+#if HAVE_SELINUX
 	return set_config_string_item(&lxc_conf->lsm_se_context, value);
+#else
+	return syserror_set(-EINVAL, "Built without SELinux support");
+#endif
 }

 static int set_config_selinux_context_keyring(const char *key, const char *value,
 					      struct lxc_conf *lxc_conf, void *data)
 {
+#if HAVE_SELINUX
 	return set_config_string_item(&lxc_conf->lsm_se_keyring_context, value);
+#else
+	return syserror_set(-EINVAL, "Built without SELinux support");
+#endif
 }

 static int set_config_keyring_session(const char *key, const char *value,
@@ -3690,29 +3714,40 @@ static int get_config_tty_dir(const char *key, char *retv, int inlen,
 static int get_config_apparmor_profile(const char *key, char *retv, int inlen,
 				       struct lxc_conf *c, void *data)
 {
+#if HAVE_APPARMOR
 	return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int get_config_apparmor_allow_incomplete(const char *key, char *retv,
 						int inlen, struct lxc_conf *c,
 						void *data)
 {
-	return lxc_get_conf_int(c, retv, inlen,
-				c->lsm_aa_allow_incomplete);
+#if HAVE_APPARMOR
+	return lxc_get_conf_int(c, retv, inlen, c->lsm_aa_allow_incomplete);
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int get_config_apparmor_allow_nesting(const char *key, char *retv,
 					     int inlen, struct lxc_conf *c,
 					     void *data)
 {
-	return lxc_get_conf_int(c, retv, inlen,
-				c->lsm_aa_allow_nesting);
+#if HAVE_APPARMOR
+	return lxc_get_conf_int(c, retv, inlen, c->lsm_aa_allow_nesting);
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int get_config_apparmor_raw(const char *key, char *retv,
 				   int inlen, struct lxc_conf *c,
 				   void *data)
 {
+#if HAVE_APPARMOR
 	int len;
 	struct lxc_list *it;
 	int fulllen = 0;
@@ -3727,18 +3762,29 @@ static int get_config_apparmor_raw(const char *key, char *retv,
 	}

 	return fulllen;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static int get_config_selinux_context(const char *key, char *retv, int inlen,
 				      struct lxc_conf *c, void *data)
 {
+#if HAVE_SELINUX
 	return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
+#else
+	return syserror_set(-EINVAL, "Built without SELinux support");
+#endif
 }

 static int get_config_selinux_context_keyring(const char *key, char *retv, int inlen,
 					      struct lxc_conf *c, void *data)
 {
+#if HAVE_SELINUX
 	return lxc_get_conf_str(retv, inlen, c->lsm_se_keyring_context);
+#else
+	return syserror_set(-EINVAL, "Built without SELinux support");
+#endif
 }

 static int get_config_keyring_session(const char *key, char *retv, int inlen,
@@ -4710,45 +4756,69 @@ static inline int clr_config_tty_dir(const char *key, struct lxc_conf *c,
 static inline int clr_config_apparmor_profile(const char *key,
 					      struct lxc_conf *c, void *data)
 {
+#if HAVE_APPARMOR
 	free_disarm(c->lsm_aa_profile);
 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static inline int clr_config_apparmor_allow_incomplete(const char *key,
 						       struct lxc_conf *c,
 						       void *data)
 {
+#if HAVE_APPARMOR
 	c->lsm_aa_allow_incomplete = 0;
 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static inline int clr_config_apparmor_allow_nesting(const char *key,
 						    struct lxc_conf *c,
 						    void *data)
 {
+#if HAVE_APPARMOR
 	c->lsm_aa_allow_nesting = 0;
 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static inline int clr_config_apparmor_raw(const char *key,
 					  struct lxc_conf *c,
 					  void *data)
 {
+#if HAVE_APPARMOR
 	return lxc_clear_apparmor_raw(c);
+#else
+	return syserror_set(-EINVAL, "Built without AppArmor support");
+#endif
 }

 static inline int clr_config_selinux_context(const char *key,
 					     struct lxc_conf *c, void *data)
 {
+#if HAVE_SELINUX
 	free_disarm(c->lsm_se_context);
 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without SELinux support");
+#endif
 }

 static inline int clr_config_selinux_context_keyring(const char *key,
 						     struct lxc_conf *c, void *data)
 {
+#if HAVE_SELINUX
 	free_disarm(c->lsm_se_keyring_context);
 	return 0;
+#else
+	return syserror_set(-EINVAL, "Built without SELinux support");
+#endif
 }

 static inline int clr_config_keyring_session(const char *key,