From 0e8effda05dcffb35cf7536c9069d9585b6377df Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 9 Aug 2021 15:58:53 +0200
Subject: [PATCH 1/2] lsm/apparmor: log failure to write AppArmor profile

Signed-off-by: Christian Brauner
---
 src/lxc/lsm/apparmor.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 3e4aa40d7..6bf6c6eea 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -1163,7 +1163,8 @@ static int apparmor_process_label_fd_get(struct lsm_ops *ops, pid_t pid, bool on
 return __apparmor_process_label_open(ops, pid, O_RDWR, on_exec);
 }
 
-static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, const char *label, bool on_exec)
+static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd,
+ const char *label, bool on_exec)
 {
 __do_free char *command = NULL;
 int ret = -1;
@@ -1182,9 +1183,12 @@ static int apparmor_process_label_set_at(struct lsm_ops *ops, int label_fd, cons
 return -EFBIG;
 
 ret = lxc_write_nointr(label_fd, command, len - 1);
+ if (ret < 0)
+ return syserror("Failed to write AppArmor profile \"%s\" to %d",
+ label, label_fd);
 
 INFO("Set AppArmor label to \"%s\"", label);
- return ret;
+ return 0;
 }
 
 /*

From a36e286bea5f34be9689ff0353dcfa7f893c0ddd Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Mon, 9 Aug 2021 15:59:26 +0200
Subject: [PATCH 2/2] lsm/apparmor: use cleanup macro

Signed-off-by: Christian Brauner
---
 src/lxc/lsm/apparmor.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 6bf6c6eea..a0d81ea01 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -611,8 +611,8 @@ out:
 
 static bool file_is_yes(const char *path)
 {
+ __do_close int fd = -EBADF;
 ssize_t rd;
- int fd;
 char buf[8]; /* we actually just expect "yes" or "no" */
 
 fd = open(path, O_RDONLY | O_CLOEXEC);
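Review bot: A short write still slips past the new guard in the second hunk of patch 1, because `if (ret < 0)` only catches a failed call; if lxc_write_nointr forwards write(2)'s byte count, as its name suggests, a result of 0 <= ret < len - 1 means the AppArmor profile was not applied, yet the function logs "Set AppArmor label" and returns 0 so the caller proceeds unconfined-by-intent. Compare the count as well, e.g. `if (ret < 0 || (size_t)ret != len - 1)`, and give the short-write branch a fixed negative errno such as -EIO rather than syserror(), since errno is not set by a partial write. `ret` is declared `int` in the first hunk while the count is presumably ssize_t; keeping the cast after the `ret < 0` test avoids a signed/unsigned mismatch on the comparison. The function body where `command` and `len` are built lies between the two hunks, and the first hunk (signature re-wrap) is whitespace only.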
@@ -620,7 +620,6 @@ static bool file_is_yes(const char *path)
 return false;
 
 rd = lxc_read_nointr(fd, buf, sizeof(buf));
- close(fd);
 
 return rd >= 4 && strnequal(buf, "yes\n", 4);
 }