From 1be8cb04506792e1f6e25fb46b7a2b83a23af398 Mon Sep 17 00:00:00 2001
From: Marcos Paulo de Souza
Date: Wed, 7 Feb 2018 12:51:38 -0200
Subject: [PATCH 1/2] selinux: simplify check for default label
Signed-off-by: Marcos Paulo de Souza
Signed-off-by: Christian Brauner
---
 src/lxc/lsm/selinux.c | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index ecdffc36d..21833748b 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -23,13 +23,15 @@
 #include
 #include
-#include
+#include
+#include
 #include
 #include
+#include
+#include "conf.h"
 #include "log.h"
 #include "lsm.h"
-#include "conf.h"
 #define DEFAULT_LABEL "unconfined_t"
@@ -74,29 +76,31 @@ static char *selinux_process_label_get(pid_t pid)
 static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
 bool use_default, bool on_exec)
 {
- const char *label = inlabel ? inlabel : conf->lsm_se_context;
+ int ret;
+ const char *label;
+
+ label = inlabel ? inlabel : conf->lsm_se_context;
 if (!label) {
- if (use_default)
- label = DEFAULT_LABEL;
- else
- return -1;
+ if (!use_default)
+ return -EINVAL;
+
+ label = DEFAULT_LABEL;
 }
- if (!strcmp(label, "unconfined_t"))
+
+ if (strcmp(label, "unconfined_t") == 0)
 return 0;
- if (on_exec) {
- if (setexeccon_raw((char *)label) < 0) {
- SYSERROR("failed to set new SELinux exec context %s", label);
- return -1;
- }
- } else {
- if (setcon_raw((char *)label) < 0) {
- SYSERROR("failed to set new SELinux context %s", label);
- return -1;
- }
+ if (on_exec)
+ ret = setexeccon_raw((char *)label);
+ else
+ ret = setcon_raw((char *)label);
+ if (ret < 0) {
+ SYSERROR("Failed to set SELinux%s context to \"%s\"",
+ on_exec ? " exec" : "", label);
+ return -1;
 }
- INFO("changed SELinux%s context to %s", on_exec ? " exec" : "", label);
+ INFO("Changed SELinux%s context to \"%s\"", on_exec ? " exec" : "", label);
 return 0;
 }
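Review bot: The early-return test in selinux_process_label_set still compares against the literal `"unconfined_t"` even though the same hunk assigns `DEFAULT_LABEL`, and the first hunk shows `DEFAULT_LABEL` is defined as exactly that string; since the subject is "simplify check for default label", `if (strcmp(label, DEFAULT_LABEL) == 0)` would name the intent and keep the skip-if-unconfined check from silently diverging if the default is ever changed. The error convention is also mixed inside the one function: the missing-label path now returns `-EINVAL` while the setcon_raw/setexeccon_raw failure path still returns `-1`, so either both should be `-1` or both a negative errno value; the documented contract ("< 0 on failure") tolerates both, but a reader of the new code cannot tell which one is meant. The header names in the first hunk are not visible in this rendering, so I could not confirm that the include providing `EINVAL` is among the three added ones; worth a glance before merging.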
From 08fccae2bb6570ac8988cd308ebea058a5365064 Mon Sep 17 00:00:00 2001
From: Marcos Paulo de Souza
Date: Wed, 7 Feb 2018 13:06:43 -0200
Subject: [PATCH 2/2] lsm: fix missing @ in function documentation
Signed-off-by: Marcos Paulo de Souza
---
 src/lxc/lsm/apparmor.c | 5 ++---
 src/lxc/lsm/selinux.c | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
index 85b70de8d..ec4168847 100644
--- a/src/lxc/lsm/apparmor.c
+++ b/src/lxc/lsm/apparmor.c
@@ -162,8 +162,8 @@ static bool aa_needs_transition(char *curlabel)
 * apparmor_process_label_set: Set AppArmor process profile
 *
 * @label : the profile to set
- * @conf : the container configuration to use @label is NULL
- * @default : use the default profile if label is NULL
+ * @conf : the container configuration to use if @label is NULL
+ * @default : use the default profile if @label is NULL
 * @on_exec : this is ignored. Apparmor profile will be changed immediately
 *
 * Returns 0 on success, < 0 on failure
@@ -230,7 +230,6 @@ static int apparmor_process_label_set(const char *inlabel, struct lxc_conf *conf
 INFO("apparmor profile unchanged");
 return 0;
 }
-
 tid = lxc_raw_gettid();
 label_fd = lsm_process_label_fd_get(tid, on_exec);
 if (label_fd < 0) {
diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
index 21833748b..bd6541cfa 100644
--- a/src/lxc/lsm/selinux.c
+++ b/src/lxc/lsm/selinux.c
@@ -65,8 +65,8 @@ static char *selinux_process_label_get(pid_t pid)
 * selinux_process_label_set: Set SELinux context of a process
 *
 * @label : label string
- * @conf : the container configuration to use @label is NULL
- * @default : use the default context if label is NULL
+ * @conf : the container configuration to use if @label is NULL
+ * @default : use the default context if @label is NULL
 * @on_exec : the new context will take effect on exec(2) not immediately
 *
 * Returns 0 on success, < 0 on failure
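Review bot: The repaired `@` references in both the apparmor.c and selinux.c doc hunks still point at parameter names that the signatures do not use: the apparmor hunk header in this same patch shows the first parameter is `inlabel`, and the selinux signature in patch 1 shows `bool use_default`, while the comments document `@label` and `@default`. For selinux.c the lines should read `* @inlabel : label string`, `* @conf : the container configuration to use if @inlabel is NULL` and `* @use_default : use the default context if @inlabel is NULL`; the apparmor.c block presumably needs the same renames, though its full signature is outside this hunk. Since patch 1 makes the function return 0 without touching the context when the label resolves to "unconfined_t", the selinux.c comment would also benefit from one line saying so, e.g. `* Returns 0 without changing the context when the label is "unconfined_t"`.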