Merge branch 'marcosps-selinux_simplification' into lxc/master

2025-07-27 08:12:20 +00:00 · 2018-02-08 10:50:10 +01:00 · 2018-02-08 10:50:10 +01:00 · ca20a3b350
commit ca20a3b350
parent 5c80e9fcb4 08fccae2bb
2 changed files with 27 additions and 24 deletions
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@ -162,8 +162,8 @@ static bool aa_needs_transition(char *curlabel)
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @label   : the profile to set
- * @conf    : the container configuration to use @label is NULL
- * @default : use the default profile if label is NULL
+ * @conf    : the container configuration to use if @label is NULL
+ * @default : use the default profile if @label is NULL
 * @on_exec : this is ignored.  Apparmor profile will be changed immediately
 *
 * Returns 0 on success, < 0 on failure
@ -230,7 +230,6 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 		INFO("apparmor profile unchanged");
 		return 0;
 	}
-
 	tid = lxc_raw_gettid();
 	label_fd = lsm_process_label_fd_get(tid, on_exec);
 	if (label_fd < 0) {
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@ -23,13 +23,15 @@

 #include <errno.h>
 #include <stdlib.h>
-#include <sys/types.h>
+#include <stdbool.h>
+#include <string.h>
 #include <unistd.h>
 #include <selinux/selinux.h>
+#include <sys/types.h>

+#include "conf.h"
 #include "log.h"
 #include "lsm.h"
-#include "conf.h"

 #define DEFAULT_LABEL "unconfined_t"

@ -63,8 +65,8 @@ static char *selinux_process_label_get(pid_t pid)
 * selinux_process_label_set: Set SELinux context of a process
 *
 * @label   : label string
- * @conf    : the container configuration to use @label is NULL
- * @default : use the default context if label is NULL
+ * @conf    : the container configuration to use if @label is NULL
+ * @default : use the default context if @label is NULL
 * @on_exec : the new context will take effect on exec(2) not immediately
 *
 * Returns 0 on success, < 0 on failure
@ -74,29 +76,31 @@ static char *selinux_process_label_get(pid_t pid)
 static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
 				     bool use_default, bool on_exec)
 {
-	const char *label = inlabel ? inlabel : conf->lsm_se_context;
+	int ret;
+	const char *label;
+
+	label = inlabel ? inlabel : conf->lsm_se_context;
 	if (!label) {
-		if (use_default)
-			label = DEFAULT_LABEL;
-		else
-			return -1;
+		if (!use_default)
+			return -EINVAL;
+
+		label = DEFAULT_LABEL;
 	}
-	if (!strcmp(label, "unconfined_t"))
+
+	if (strcmp(label, "unconfined_t") == 0)
 		return 0;

-	if (on_exec) {
-		if (setexeccon_raw((char *)label) < 0) {
-			SYSERROR("failed to set new SELinux exec context %s", label);
-			return -1;
-		}
-	} else {
-		if (setcon_raw((char *)label) < 0) {
-			SYSERROR("failed to set new SELinux context %s", label);
-			return -1;
-		}
+	if (on_exec)
+		ret = setexeccon_raw((char *)label);
+	else
+		ret = setcon_raw((char *)label);
+	if (ret < 0) {
+		SYSERROR("Failed to set SELinux%s context to \"%s\"",
+			 on_exec ? " exec" : "", label);
+		return -1;
 	}

-	INFO("changed SELinux%s context to %s", on_exec ? " exec" : "", label);
+	INFO("Changed SELinux%s context to \"%s\"", on_exec ? " exec" : "", label);
 	return 0;
 }