confile: properly namespace security keys

- lxc.aa_profile => lxc.apparmor.profile
- lxc.aa_allow_incomplete => lxc.apparmor.allow_incomplete
- lxc.se_context => lxc.selinux.context

The legacy keys will be kept around until LXC 3.0 and then will be removed.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

src/lxc/Makefile.am

@@ -21,7 +21,7 @@ noinst_HEADERS = \
 	caps.h \
 	conf.h \
 	confile.h \
-	confile_network_legacy.h \
+	confile_legacy.h \
 	confile_utils.h \
 	console.h \
 	error.h \
@@ -104,7 +104,7 @@ liblxc_la_SOURCES = \
 	namespace.h namespace.c \
 	conf.c conf.h \
 	confile.c confile.h \
-	confile_network_legacy.c confile_network_legacy.h \
+	confile_legacy.c confile_legacy.h \
 	confile_utils.c confile_utils.h \
 	list.h \
 	state.c state.h \

src/lxc/conf.c

@@ -1455,6 +1455,7 @@ static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs,
 		} else {
 			DEBUG("cleared all (%d) mounts from \"%s\"", ret, path);
 		}
+
 		ret = unlink(path);
 		if (ret < 0) {
 			SYSERROR("error unlinking %s", path);

src/lxc/confile.c

@@ -45,7 +45,7 @@
 #include "parse.h"
 #include "config.h"
 #include "confile.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
 #include "confile_utils.h"
 #include "utils.h"
 #include "log.h"
@@ -93,24 +93,24 @@ static int get_config_kmsg(const char *, char *, int, struct lxc_conf *,
 			   void *);
 static int clr_config_kmsg(const char *, struct lxc_conf *, void *);
 
-static int set_config_lsm_aa_profile(const char *, const char *,
+static int set_config_apparmor_profile(const char *, const char *,
 				       struct lxc_conf *, void *);
-static int get_config_lsm_aa_profile(const char *, char *, int,
+static int get_config_apparmor_profile(const char *, char *, int,
 				       struct lxc_conf *, void *);
-static int clr_config_lsm_aa_profile(const char *, struct lxc_conf *, void *);
+static int clr_config_apparmor_profile(const char *, struct lxc_conf *, void *);
 
-static int set_config_lsm_aa_incomplete(const char *, const char *,
+static int set_config_apparmor_allow_incomplete(const char *, const char *,
 						struct lxc_conf *, void *);
-static int get_config_lsm_aa_incomplete(const char *, char *, int,
+static int get_config_apparmor_allow_incomplete(const char *, char *, int,
 						struct lxc_conf *, void *);
-static int clr_config_lsm_aa_incomplete(const char *, struct lxc_conf *,
+static int clr_config_apparmor_allow_incomplete(const char *, struct lxc_conf *,
 						void *);
 
-static int set_config_lsm_se_context(const char *, const char *,
+static int set_config_selinux_context(const char *, const char *,
 				      struct lxc_conf *, void *);
-static int get_config_lsm_se_context(const char *, char *, int,
+static int get_config_selinux_context(const char *, char *, int,
 				      struct lxc_conf *, void *);
-static int clr_config_lsm_se_context(const char *, struct lxc_conf *, void *);
+static int clr_config_selinux_context(const char *, struct lxc_conf *, void *);
 
 static int set_config_cgroup(const char *, const char *, struct lxc_conf *,
 			     void *);
@@ -429,9 +429,17 @@ static struct lxc_config_t config[] = {
 	{ "lxc.tty",                       set_config_tty,                         get_config_tty,                         clr_config_tty,                       },
 	{ "lxc.devttydir",                 set_config_ttydir,                      get_config_ttydir,                      clr_config_ttydir,                    },
 	{ "lxc.kmsg",                      set_config_kmsg,                        get_config_kmsg,                        clr_config_kmsg,                      },
+	{ "lxc.apparmor.profile",          set_config_apparmor_profile,            get_config_apparmor_profile,            clr_config_apparmor_profile,          },
+	{ "lxc.apparmor.allow_incomplete", set_config_apparmor_allow_incomplete,   get_config_apparmor_allow_incomplete,   clr_config_apparmor_allow_incomplete, },
+	{ "lxc.selinux.context",           set_config_selinux_context,             get_config_selinux_context,             clr_config_selinux_context,           },
+
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
 	{ "lxc.aa_profile",                set_config_lsm_aa_profile,              get_config_lsm_aa_profile,              clr_config_lsm_aa_profile,            },
 	{ "lxc.aa_allow_incomplete",       set_config_lsm_aa_incomplete,           get_config_lsm_aa_incomplete,           clr_config_lsm_aa_incomplete,         },
 	{ "lxc.se_context",                set_config_lsm_se_context,              get_config_lsm_se_context,              clr_config_lsm_se_context,            },
+
 	{ "lxc.cgroup",                    set_config_cgroup,                      get_config_cgroup,                      clr_config_cgroup,                    },
 	{ "lxc.id_map",                    set_config_idmaps,                      get_config_idmaps,                      clr_config_idmaps,                    },
 	{ "lxc.loglevel",                  set_config_loglevel,                    get_config_loglevel,                    clr_config_loglevel,                  },
@@ -455,7 +463,10 @@ static struct lxc_config_t config[] = {
 	{ "lxc.hook.clone",                set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
 	{ "lxc.hook.destroy",              set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
 	{ "lxc.hook",                      set_config_hooks,                       get_config_hooks,                       clr_config_hooks,                     },
-	/* legacy network keys */
+
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
 	{ "lxc.network.type",              set_config_network_legacy_type,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
 	{ "lxc.network.flags",             set_config_network_legacy_flags,        get_config_network_legacy_item,         clr_config_network_legacy_item,       },
 	{ "lxc.network.link",              set_config_network_legacy_link,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
@@ -491,8 +502,6 @@ static struct lxc_config_t config[] = {
 	{ "lxc.net.ipv6",                  set_config_net_ipv6,                    get_config_net_ipv6,                    clr_config_net_ipv6,                  },
 	{ "lxc.net.",                      set_config_net_nic,                     get_config_net_nic,                     clr_config_net_nic,                   },
 	{ "lxc.net",                       set_config_net,                         get_config_net,                         clr_config_net,                       },
-
-
 	{ "lxc.cap.drop",                  set_config_cap_drop,                    get_config_cap_drop,                    clr_config_cap_drop,                  },
 	{ "lxc.cap.keep",                  set_config_cap_keep,                    get_config_cap_keep,                    clr_config_cap_keep,                  },
 	{ "lxc.console.logfile",           set_config_console_logfile,             get_config_console_logfile,             clr_config_console_logfile,           },
@@ -1585,14 +1594,16 @@ static int set_config_kmsg(const char *key, const char *value,
 	return 0;
 }
 
-static int set_config_lsm_aa_profile(const char *key, const char *value,
+static int set_config_apparmor_profile(const char *key, const char *value,
 				       struct lxc_conf *lxc_conf, void *data)
 {
 	return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
 }
 
-static int set_config_lsm_aa_incomplete(const char *key, const char *value,
+static int set_config_apparmor_allow_incomplete(const char *key,
-					struct lxc_conf *lxc_conf, void *data)
+						const char *value,
+						struct lxc_conf *lxc_conf,
+						void *data)
 {
 	/* Set config value to default. */
 	if (lxc_config_value_empty(value)) {
@@ -1613,7 +1624,7 @@ static int set_config_lsm_aa_incomplete(const char *key, const char *value,
 	return 0;
 }
 
-static int set_config_lsm_se_context(const char *key, const char *value,
+static int set_config_selinux_context(const char *key, const char *value,
 				      struct lxc_conf *lxc_conf, void *data)
 {
 	return set_config_string_item(&lxc_conf->lsm_se_context, value);
@@ -2615,17 +2626,6 @@ int lxc_fill_elevated_privileges(char *flaglist, int *flags)
 	return 0;
 }
 
-static inline int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen,
-				   int v)
-{
-	if (!retv)
-		inlen = 0;
-	else
-		memset(retv, 0, inlen);
-
-	return snprintf(retv, inlen, "%d", v);
-}
-
 /* Write out a configuration file. */
 void write_config(FILE *fout, struct lxc_conf *c)
 {
@@ -3100,16 +3100,6 @@ static int get_config_tty(const char *key, char *retv, int inlen,
 	return lxc_get_conf_int(c, retv, inlen, c->tty);
 }
 
-static inline int lxc_get_conf_str(char *retv, int inlen, const char *value)
-{
-	if (!value)
-		return 0;
-	if (retv && inlen >= strlen(value) + 1)
-		strncpy(retv, value, strlen(value) + 1);
-
-	return strlen(value);
-}
-
 static int get_config_ttydir(const char *key, char *retv, int inlen,
 			     struct lxc_conf *c, void *data)
 {
@@ -3122,20 +3112,21 @@ static int get_config_kmsg(const char *key, char *retv, int inlen,
 	return lxc_get_conf_int(c, retv, inlen, c->kmsg);
 }
 
-static int get_config_lsm_aa_profile(const char *key, char *retv, int inlen,
+static int get_config_apparmor_profile(const char *key, char *retv, int inlen,
 				       struct lxc_conf *c, void *data)
 {
 	return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
 }
 
-static int get_config_lsm_aa_incomplete(const char *key, char *retv, int inlen,
+static int get_config_apparmor_allow_incomplete(const char *key, char *retv,
-					struct lxc_conf *c, void *data)
+						int inlen, struct lxc_conf *c,
+						void *data)
 {
 	return lxc_get_conf_int(c, retv, inlen,
 				c->lsm_aa_allow_incomplete);
 }
 
-static int get_config_lsm_se_context(const char *key, char *retv, int inlen,
+static int get_config_selinux_context(const char *key, char *retv, int inlen,
 				      struct lxc_conf *c, void *data)
 {
 	return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
@@ -3710,23 +3701,24 @@ static inline int clr_config_kmsg(const char *key, struct lxc_conf *c,
 	return 0;
 }
 
-static inline int clr_config_lsm_aa_profile(const char *key, struct lxc_conf *c,
+static inline int clr_config_apparmor_profile(const char *key,
-					    void *data)
+					      struct lxc_conf *c, void *data)
 {
 	free(c->lsm_aa_profile);
 	c->lsm_aa_profile = NULL;
 	return 0;
 }
 
-static inline int clr_config_lsm_aa_incomplete(const char *key,
+static inline int clr_config_apparmor_allow_incomplete(const char *key,
-					       struct lxc_conf *c, void *data)
+						       struct lxc_conf *c,
+						       void *data)
 {
 	c->lsm_aa_allow_incomplete = 0;
 	return 0;
 }
 
-static inline int clr_config_lsm_se_context(const char *key, struct lxc_conf *c,
+static inline int clr_config_selinux_context(const char *key,
-					    void *data)
+					     struct lxc_conf *c, void *data)
 {
 	free(c->lsm_se_context);
 	c->lsm_se_context = NULL;

src/lxc/confile_legacy.c

@@ -46,7 +46,7 @@
 #include "config.h"
 #include "confile.h"
 #include "confile_utils.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
 #include "utils.h"
 #include "log.h"
 #include "conf.h"
@@ -59,7 +59,7 @@
 #include <../include/ifaddrs.h>
 #endif
 
-lxc_log_define(lxc_confile_network_legacy, lxc);
+lxc_log_define(lxc_confile_legacy, lxc);
 
 /*
  * Config entry is something like "lxc.network.0.ipv4" the key 'lxc.network.'
@@ -1003,3 +1003,79 @@ inline int clr_config_network_legacy(const char *key, struct lxc_conf *c, void *
 {
 	return lxc_clear_config_network(c);
 }
+
+inline int clr_config_lsm_aa_profile(const char *key, struct lxc_conf *c,
+				     void *data)
+{
+	free(c->lsm_aa_profile);
+	c->lsm_aa_profile = NULL;
+	return 0;
+}
+
+inline int clr_config_lsm_aa_incomplete(const char *key, struct lxc_conf *c,
+					void *data)
+{
+	c->lsm_aa_allow_incomplete = 0;
+	return 0;
+}
+
+int get_config_lsm_aa_profile(const char *key, char *retv, int inlen,
+			      struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
+}
+
+int get_config_lsm_aa_incomplete(const char *key, char *retv, int inlen,
+				 struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_int(c, retv, inlen,
+				c->lsm_aa_allow_incomplete);
+}
+
+int set_config_lsm_aa_profile(const char *key, const char *value,
+			      struct lxc_conf *lxc_conf, void *data)
+{
+	return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
+}
+
+int set_config_lsm_aa_incomplete(const char *key, const char *value,
+				 struct lxc_conf *lxc_conf, void *data)
+{
+	/* Set config value to default. */
+	if (lxc_config_value_empty(value)) {
+		lxc_conf->lsm_aa_allow_incomplete = 0;
+		return 0;
+	}
+
+	/* Parse new config value. */
+	if (lxc_safe_uint(value, &lxc_conf->lsm_aa_allow_incomplete) < 0)
+		return -1;
+
+	if (lxc_conf->lsm_aa_allow_incomplete > 1) {
+		ERROR("Wrong value for lxc.lsm_aa_allow_incomplete. Can only "
+		      "be set to 0 or 1");
+		return -1;
+	}
+
+	return 0;
+}
+
+int set_config_lsm_se_context(const char *key, const char *value,
+			      struct lxc_conf *lxc_conf, void *data)
+{
+	return set_config_string_item(&lxc_conf->lsm_se_context, value);
+}
+
+int get_config_lsm_se_context(const char *key, char *retv, int inlen,
+			      struct lxc_conf *c, void *data)
+{
+	return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
+}
+
+inline int clr_config_lsm_se_context(const char *key, struct lxc_conf *c,
+				     void *data)
+{
+	free(c->lsm_se_context);
+	c->lsm_se_context = NULL;
+	return 0;
+}

src/lxc/confile_legacy.h

@@ -21,8 +21,8 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
-#ifndef __LXC_CONFILE_NETWORK_LEGACY_H
+#ifndef __LXC_CONFILE_LEGACY_H
-#define __LXC_CONFILE_NETWORK_LEGACY_H
+#define __LXC_CONFILE_LEGACY_H
 
 #include <stdio.h>
 #include <lxc/attach_options.h>
@@ -78,4 +78,23 @@ extern int lxc_list_nicconfigs_legacy(struct lxc_conf *c, const char *key,
 extern int lxc_listconfigs(char *retv, int inlen);
 
 extern bool network_new_hwaddrs(struct lxc_conf *conf);
-#endif
+
+extern int set_config_lsm_aa_profile(const char *, const char *,
+				     struct lxc_conf *, void *);
+extern int get_config_lsm_aa_profile(const char *, char *, int,
+				     struct lxc_conf *, void *);
+extern int clr_config_lsm_aa_profile(const char *, struct lxc_conf *, void *);
+
+extern int set_config_lsm_aa_incomplete(const char *, const char *,
+ 				struct lxc_conf *, void *);
+extern int get_config_lsm_aa_incomplete(const char *, char *, int,
+ 				struct lxc_conf *, void *);
+extern int clr_config_lsm_aa_incomplete(const char *, struct lxc_conf *,
+					void *);
+
+extern int set_config_lsm_se_context(const char *, const char *,
+         		     struct lxc_conf *, void *);
+extern int get_config_lsm_se_context(const char *, char *, int,
+         		     struct lxc_conf *, void *);
+extern int clr_config_lsm_se_context(const char *, struct lxc_conf *, void *);
+#endif /* __LXC_CONFILE_LEGACY_H */

src/lxc/confile_utils.c

@@ -582,3 +582,23 @@ bool new_hwaddr(char *hwaddr)
 
 	return true;
 }
+
+int lxc_get_conf_str(char *retv, int inlen, const char *value)
+{
+	if (!value)
+		return 0;
+	if (retv && inlen >= strlen(value) + 1)
+		strncpy(retv, value, strlen(value) + 1);
+
+	return strlen(value);
+}
+
+int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
+{
+	if (!retv)
+		inlen = 0;
+	else
+		memset(retv, 0, inlen);
+
+	return snprintf(retv, inlen, "%d", v);
+}

src/lxc/confile_utils.h

@@ -81,5 +81,7 @@ extern int network_ifname(char **valuep, const char *value);
 extern int rand_complete_hwaddr(char *hwaddr);
 extern void update_hwaddr(const char *line);
 extern bool new_hwaddr(char *hwaddr);
+extern int lxc_get_conf_str(char *retv, int inlen, const char *value);
+extern int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v);
 
 #endif /* __LXC_CONFILE_UTILS_H */

src/lxc/lxccontainer.c

@@ -47,7 +47,7 @@
 #include "config.h"
 #include "commands.h"
 #include "confile.h"
-#include "confile_network_legacy.h"
+#include "confile_legacy.h"
 #include "console.h"
 #include "criu.h"
 #include "log.h"

src/tests/parse_config_file.c

@@ -328,20 +328,54 @@ int main(int argc, char *argv[])
 		goto non_test_error;
 	}
 
-	/* lxc.aa_profile */
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
 	if (set_get_compare_clear_save_load(c, "lxc.aa_profile", "unconfined",
 					    tmpf, true) < 0) {
 		lxc_error("%s\n", "lxc.aa_profile");
 		goto non_test_error;
 	}
 
-	/* lxc.aa_allow_incomplete */
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
 	if (set_get_compare_clear_save_load(c, "lxc.aa_allow_incomplete", "1",
 					    tmpf, true) < 0) {
 		lxc_error("%s\n", "lxc.aa_allow_incomplete");
 		goto non_test_error;
 	}
 
+	/* REMOVE IN LXC 3.0
+	   legacy security keys
+	 */
+	if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.se_context");
+		goto non_test_error;
+	}
+
+	/* lxc.apparmor.profile */
+	if (set_get_compare_clear_save_load(c, "lxc.apparmor.profile", "unconfined",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.profile");
+		goto non_test_error;
+	}
+
+	/* lxc.apparmor.allow_incomplete */
+	if (set_get_compare_clear_save_load(c, "lxc.apparmor.allow_incomplete", "1",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.allow_incomplete");
+		goto non_test_error;
+	}
+
+	/* lxc.selinux.context */
+	if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22",
+					    tmpf, true) < 0) {
+		lxc_error("%s\n", "lxc.apparmor.selinux.context");
+		goto non_test_error;
+	}
+
 	/* lxc.cgroup.cpuset.cpus */
 	if (set_get_compare_clear_save_load(c, "lxc.cgroup.cpuset.cpus",
 					    "1-100", tmpf, false) < 0) {