lsm/apparmor: cleanup apparmor_process_label_set()

parent d8764025
...@@ -1196,45 +1196,33 @@ static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, cons ...@@ -1196,45 +1196,33 @@ static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, cons
static int apparmor_process_label_set(struct lsm_ops *ops, const char *inlabel, static int apparmor_process_label_set(struct lsm_ops *ops, const char *inlabel,
struct lxc_conf *conf, bool on_exec) struct lxc_conf *conf, bool on_exec)
{ {
int label_fd, ret; __do_close int label_fd = -EBADF;
pid_t tid; int ret;
const char *label; const char *label;
if (!ops->aa_enabled) if (!ops->aa_enabled)
return log_error(-1, "AppArmor not enabled"); return log_error_errno(-EOPNOTSUPP, EOPNOTSUPP, "AppArmor not enabled");
label = inlabel ? inlabel : conf->lsm_aa_profile_computed; label = inlabel ? inlabel : conf->lsm_aa_profile_computed;
if (!label) { if (!label)
ERROR("LSM wasn't prepared"); return log_error_errno(-EINVAL, EINVAL, "LSM wasn't prepared");
return -1;
}
/* user may request that we just ignore apparmor */ /* user may request that we just ignore apparmor */
if (strcmp(label, AA_UNCHANGED) == 0) { if (strcmp(label, AA_UNCHANGED) == 0)
INFO("AppArmor profile unchanged per user request"); return log_info(0, "AppArmor profile unchanged per user request");
return 0;
}
if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined(ops)) { if (strcmp(label, "unconfined") == 0 && apparmor_am_unconfined(ops))
INFO("AppArmor profile unchanged"); return log_info(0, "AppArmor profile unchanged");
return 0;
} label_fd = apparmor_process_label_fd_get(ops, lxc_raw_gettid(), on_exec);
tid = lxc_raw_gettid(); if (label_fd < 0)
label_fd = apparmor_process_label_fd_get(ops, tid, on_exec); return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
if (label_fd < 0) {
SYSERROR("Failed to change AppArmor profile to %s", label);
return -1;
}
ret = apparmor_process_label_set_at(ops, label_fd, label, on_exec); ret = apparmor_process_label_set_at(ops, label_fd, label, on_exec);
close(label_fd); if (ret < 0)
if (ret < 0) { return log_error_errno(-EINVAL, EINVAL, "Failed to change AppArmor profile to %s", label);
ERROR("Failed to change AppArmor profile to %s", label);
return -1;
}
INFO("Changed AppArmor profile to %s", label); return log_info(0, "Changed AppArmor profile to %s", label);
return 0;
} }
static struct lsm_ops apparmor_ops = { static struct lsm_ops apparmor_ops = {
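Review bot: The two failure paths after `apparmor_process_label_fd_get()` and `apparmor_process_label_set_at()` now report a hard-coded EINVAL, whereas the SYSERROR they replace surfaced the errno of the failing open/write (e.g. EACCES or ENOENT when the profile is not loaded), which is what an operator needs when a container fails to enter its intended confinement. If those helpers return negative errno values, propagate them rather than inventing one: `return log_error_errno(label_fd, -label_fd, "Failed to change AppArmor profile to %s", label);` and likewise `return log_error_errno(ret, -ret, "Failed to change AppArmor profile to %s", label);`; if they return -1 with errno set, use `-errno` / `errno` instead. The function's error contract also shifts from a bare -1 to -EOPNOTSUPP / -EINVAL, which is fine for `< 0` checks but worth confirming against any caller that compares the result to -1.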