[lxc-devel] [PATCH 2/3] add lsm op for checking if an lsm is present/enabled

Serge Hallyn serge.hallyn at ubuntu.com
Wed Oct 16 17:03:51 UTC 2013 

Quoting Dwight Engen (dwight.engen at oracle.com):
> Signed-off-by: Dwight Engen <dwight.engen at oracle.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

I do wonder if the name should be more precise (host_lsm_enabled()
or host_lsm_enforcing() or something).  Just the name 'enabled'
could lead some to believe that it means it is enabled for this
container, which is a different question.

> ---
>  src/lxc/lsm/apparmor.c | 1 +
>  src/lxc/lsm/lsm.c      | 7 +++++++
>  src/lxc/lsm/lsm.h      | 3 +++
>  src/lxc/lsm/nop.c      | 6 ++++++
>  src/lxc/lsm/selinux.c  | 1 +
>  5 files changed, 18 insertions(+)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index c13613a..146564f 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -167,6 +167,7 @@ static int apparmor_process_label_set(const char *label, int use_default)
>  
>  static struct lsm_drv apparmor_drv = {
>  	.name = "AppArmor",
> +	.enabled           = apparmor_enabled,
>  	.process_label_get = apparmor_process_label_get,
>  	.process_label_set = apparmor_process_label_set,
>  };
> diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> index 3974f11..f022de9 100644
> --- a/src/lxc/lsm/lsm.c
> +++ b/src/lxc/lsm/lsm.c
> @@ -62,6 +62,13 @@ void lsm_init(void)
>  	INFO("Initialized LSM security driver %s", drv->name);
>  }
>  
> +int lsm_enabled()
> +{
> +	if (drv)
> +		return drv->enabled();
> +	return 0;
> +}
> +
>  char *lsm_process_label_get(pid_t pid)
>  {
>  	if (!drv) {
> diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> index 2a82c66..ee093da 100644
> --- a/src/lxc/lsm/lsm.h
> +++ b/src/lxc/lsm/lsm.h
> @@ -31,18 +31,21 @@ struct lxc_conf;
>  struct lsm_drv {
>  	const char *name;
>  
> +	int   (*enabled)(void);
>  	char *(*process_label_get)(pid_t pid);
>  	int   (*process_label_set)(const char *label, int use_default);
>  };
>  
>  #if HAVE_APPARMOR || HAVE_SELINUX
>  void  lsm_init(void);
> +int   lsm_enabled(void);
>  char *lsm_process_label_get(pid_t pid);
>  int   lsm_process_label_set(const char *label, int use_default);
>  int   lsm_proc_mount(struct lxc_conf *lxc_conf);
>  void  lsm_proc_unmount(struct lxc_conf *lxc_conf);
>  #else
>  static inline void  lsm_init(void) { }
> +static inline int   lsm_enabled(void) { return 0; }
>  static inline char *lsm_process_label_get(pid_t pid) { return NULL; }
>  static inline int   lsm_process_label_set(char *label, int use_default) { return 0; }
>  static inline int   lsm_proc_mount(struct lxc_conf *lxc_conf) { return 0; }
> diff --git a/src/lxc/lsm/nop.c b/src/lxc/lsm/nop.c
> index 9184e6b..e39b0f5 100644
> --- a/src/lxc/lsm/nop.c
> +++ b/src/lxc/lsm/nop.c
> @@ -34,8 +34,14 @@ static int nop_process_label_set(const char *label, int use_default)
>  	return 0;
>  }
>  
> +static int nop_enabled(void)
> +{
> +	return 0;
> +}
> +
>  static struct lsm_drv nop_drv = {
>  	.name = "nop",
> +	.enabled           = nop_enabled,
>  	.process_label_get = nop_process_label_get,
>  	.process_label_set = nop_process_label_set,
>  };
> diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> index 6e44e8b..ef5beb0 100644
> --- a/src/lxc/lsm/selinux.c
> +++ b/src/lxc/lsm/selinux.c
> @@ -89,6 +89,7 @@ static int selinux_process_label_set(const char *label, int use_default)
>  
>  static struct lsm_drv selinux_drv = {
>  	.name = "SELinux",
> +	.enabled           = is_selinux_enabled,
>  	.process_label_get = selinux_process_label_get,
>  	.process_label_set = selinux_process_label_set,
>  };
> -- 
> 1.8.3.1
> 
> 
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel

More information about the lxc-devel mailing list