Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
L
lxc
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Chen Yisong
lxc
Commits
f43ed6a0
Unverified
Commit
f43ed6a0
authored
Feb 19, 2021
by
Christian Brauner
Committed by
GitHub
Feb 19, 2021
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #3686 from cyphar/apparmor-attr-subdir
apparmor: prefer /proc/.../attr/apparmor/current over legacy interface
parents
35a68d6d
47f4914d
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
54 additions
and
61 deletions
+54
-61
apparmor.c
src/lxc/lsm/apparmor.c
+51
-60
macro.h
src/lxc/macro.h
+3
-1
No files found.
src/lxc/lsm/apparmor.c
View file @
f43ed6a0
...
...
@@ -395,52 +395,56 @@ static int apparmor_enabled(struct lsm_ops *ops)
return
0
;
}
static
int
__apparmor_process_label_open
(
struct
lsm_ops
*
ops
,
pid_t
pid
,
int
o_flags
,
bool
on_exec
)
{
int
ret
=
-
1
;
int
labelfd
;
char
path
[
LXC_LSMATTRLEN
];
if
(
on_exec
)
TRACE
(
"On-exec not supported with AppArmor"
);
/* first try the apparmor subdir */
ret
=
snprintf
(
path
,
LXC_LSMATTRLEN
,
"/proc/%d/attr/apparmor/current"
,
pid
);
if
(
ret
<
0
||
ret
>=
LXC_LSMATTRLEN
)
return
-
1
;
labelfd
=
open
(
path
,
o_flags
);
if
(
labelfd
>=
0
)
return
labelfd
;
else
if
(
errno
!=
ENOENT
)
goto
error
;
/* fallback to legacy global attr directory */
ret
=
snprintf
(
path
,
LXC_LSMATTRLEN
,
"/proc/%d/attr/current"
,
pid
);
if
(
ret
<
0
||
ret
>=
LXC_LSMATTRLEN
)
return
-
1
;
labelfd
=
open
(
path
,
o_flags
);
if
(
labelfd
>=
0
)
return
labelfd
;
error:
return
log_error_errno
(
-
errno
,
errno
,
"Unable to open AppArmor LSM label file descriptor"
);
}
static
char
*
apparmor_process_label_get
(
struct
lsm_ops
*
ops
,
pid_t
pid
)
{
char
path
[
100
],
*
space
;
int
ret
;
char
*
buf
=
NULL
,
*
newbuf
;
int
sz
=
0
;
FILE
*
f
;
int
label_fd
;
__do_free
char
*
label
=
NULL
;
size_t
len
;
ret
=
snprintf
(
path
,
100
,
"/proc/%d/attr/current"
,
pid
);
if
(
ret
<
0
||
ret
>=
100
)
{
ERROR
(
"path name too long"
);
return
NULL
;
}
again:
f
=
fopen_cloexec
(
path
,
"r"
);
if
(
!
f
)
{
SYSERROR
(
"opening %s"
,
path
);
free
(
buf
);
return
NULL
;
}
sz
+=
1024
;
newbuf
=
realloc
(
buf
,
sz
);
if
(
!
newbuf
)
{
free
(
buf
);
ERROR
(
"out of memory"
);
fclose
(
f
);
return
NULL
;
}
buf
=
newbuf
;
memset
(
buf
,
0
,
sz
);
ret
=
fread
(
buf
,
1
,
sz
-
1
,
f
);
fclose
(
f
);
if
(
ret
<
0
)
{
ERROR
(
"reading %s"
,
path
);
free
(
buf
);
label_fd
=
__apparmor_process_label_open
(
ops
,
pid
,
O_RDONLY
,
false
);
if
(
label_fd
<
0
)
return
NULL
;
}
if
(
ret
>=
sz
)
goto
again
;
space
=
strchr
(
buf
,
'\n'
);
if
(
space
)
*
space
=
'\0'
;
space
=
strchr
(
buf
,
' '
);
if
(
space
)
*
space
=
'\0'
;
return
buf
;
fd_to_buf
(
label_fd
,
&
label
,
&
len
);
len
=
strcspn
(
label
,
"
\n
\t
"
);
if
(
len
)
label
[
len
]
=
'\0'
;
return
move_ptr
(
label
);
}
static
char
*
apparmor_process_label_get_at
(
struct
lsm_ops
*
ops
,
int
fd_pid
)
...
...
@@ -448,14 +452,16 @@ static char *apparmor_process_label_get_at(struct lsm_ops *ops, int fd_pid)
__do_free
char
*
label
=
NULL
;
size_t
len
;
label
=
read_file_at
(
fd_pid
,
"attr/current"
,
PROTECT_OPEN
,
PROTECT_LOOKUP_BENEATH
);
/* first try the apparmor subdir, then fall back to legacy interface */
label
=
read_file_at
(
fd_pid
,
"attr/apparmor/current"
,
PROTECT_OPEN
,
PROTECT_LOOKUP_BENEATH
);
if
(
!
label
&&
errno
==
ENOENT
)
label
=
read_file_at
(
fd_pid
,
"attr/current"
,
PROTECT_OPEN
,
PROTECT_LOOKUP_BENEATH
);
if
(
!
label
)
return
log_error_errno
(
NULL
,
errno
,
"Failed to get AppArmor context"
);
len
=
strcspn
(
label
,
"
\n
\t
"
);
if
(
len
)
label
[
len
]
=
'\0'
;
return
move_ptr
(
label
);
}
...
...
@@ -1141,22 +1147,7 @@ static int apparmor_keyring_label_set(struct lsm_ops *ops, const char *label)
static
int
apparmor_process_label_fd_get
(
struct
lsm_ops
*
ops
,
pid_t
pid
,
bool
on_exec
)
{
int
ret
=
-
1
;
int
labelfd
;
char
path
[
LXC_LSMATTRLEN
];
if
(
on_exec
)
TRACE
(
"On-exec not supported with AppArmor"
);
ret
=
snprintf
(
path
,
LXC_LSMATTRLEN
,
"/proc/%d/attr/current"
,
pid
);
if
(
ret
<
0
||
ret
>=
LXC_LSMATTRLEN
)
return
-
1
;
labelfd
=
open
(
path
,
O_RDWR
);
if
(
labelfd
<
0
)
return
log_error_errno
(
-
errno
,
errno
,
"Unable to open AppArmor LSM label file descriptor"
);
return
labelfd
;
return
__apparmor_process_label_open
(
ops
,
pid
,
O_RDWR
,
on_exec
);
}
static
int
apparmor_process_label_set_at
(
struct
lsm_ops
*
ops
,
int
label_fd
,
const
char
*
label
,
bool
on_exec
)
...
...
src/lxc/macro.h
View file @
f43ed6a0
...
...
@@ -333,11 +333,13 @@
* +
* /attr/ = 6
* +
* /apparmor/ = 10
* +
* /current = 8
* +
* \0 = 1
*/
#define LXC_LSMATTRLEN (6 + INTTYPE_TO_STRLEN(pid_t) + 6 + 8 + 1)
#define LXC_LSMATTRLEN (6 + INTTYPE_TO_STRLEN(pid_t) + 6 +
10 +
8 + 1)
/* MAX_NS_PROC_NAME = MAX_NS_PROC_NAME
* +
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
