[CRIU] [PATCH 2/2] lsm: get host lsm type from the host mntns
Andrew Vagin
avagin at odin.com
Tue May 19 06:07:30 PDT 2015
On Tue, May 19, 2015 at 05:24:59AM -0700, Tycho Andersen wrote:
> On Mon, May 18, 2015 at 09:50:39PM +0300, Andrey Vagin wrote:
> > We check files in /sys, so we must do this from host mount namespaces.
>
> Doesn't this get initialized in write_img_inventory, which is called
> in the same sequence as kerndat_init()? I'm confused as to what this
> changes.
write_img_inventory() is called after kerndat_init() and it's only
called on dump. The bug is triggered on restore, because the mount
namespace of the restored process doesn't have
/sys/kernel/security/apparmor/.
I think it's better to initialize the host lsm in one place for dump
and restore.
Currently we initialize the host lsm when we try to use it for the first
time. It works fine for the dump operation. On restore it doesn't work,
because criu checks files in the restored mount namespace, and it does this
for each process, which isn't optimal.
>
> Tycho
>
> > Signed-off-by: Andrew Vagin <avagin at openvz.org>
> > Signed-off-by: Andrey Vagin <avagin at openvz.org>
> > ---
> > include/lsm.h | 5 +++++
> > kerndat.c | 5 +++++
> > lsm.c | 11 +----------
> > 3 files changed, 11 insertions(+), 10 deletions(-)
> >
> > diff --git a/include/lsm.h b/include/lsm.h
> > index d3b0c97..05737ff 100644
> > --- a/include/lsm.h
> > +++ b/include/lsm.h
> > @@ -10,6 +10,11 @@
> > extern Lsmtype host_lsm_type();
> >
> > /*
> > + * Initilize the Lsmtype for the current host
> > + */
> > +extern void kerndat_lsm();
> > +
> > +/*
> > * Read the LSM profile for the pstree item
> > */
> > extern int collect_lsm_profile(pid_t, CredsEntry *);
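Review bot: the new header comment misspells "Initilize" and leaves out the one constraint this patch exists for: the probe looks at /sys/kernel/security paths, so the function has to run in the host mount namespace before any namespace switch. Suggest "Initialize the Lsmtype for the current host; must be called from the host mntns, before restore enters the target one." Also `extern void kerndat_lsm();` declares no prototype in C; prefer `extern void kerndat_lsm(void);` (the existing `host_lsm_type()` line in this file has the same shape, so this is a style point rather than a regression).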
> > diff --git a/kerndat.c b/kerndat.c
> > index 65e2c75..54ba8c7 100644
> > --- a/kerndat.c
> > +++ b/kerndat.c
> > @@ -18,6 +18,7 @@
> > #include "asm/types.h"
> > #include "cr_options.h"
> > #include "util.h"
> > +#include "lsm.h"
> >
> > struct kerndat_s kdat = {
> > .tcp_max_rshare = 3U << 20,
> > @@ -323,6 +324,8 @@ int kerndat_init(void)
> > if (!ret)
> > ret = kerndat_fdinfo_has_lock();
> >
> > + kerndat_lsm();
> > +
> > return ret;
> > }
> >
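Review bot: `kerndat_lsm()` is void, so an `access()` failure in lsm.c that is not ENOENT (for example EACCES on a locked-down /sys/kernel/security) ends up indistinguishable from "no LSM" and kerndat_init() cannot report it. Consider giving kerndat_lsm() an int return that separates "absent" from "probe failed", and adding it to the `if (!ret) ret = ...` chain directly above instead of calling it unconditionally after the chain.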
> > @@ -342,5 +345,7 @@ int kerndat_init_rst(void)
> > if (!ret)
> > ret = kerndat_has_memfd_create();
> >
> > + kerndat_lsm();
> > +
> > return ret;
> > }
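Review bot: this call only fixes the restore bug described in the reply if kerndat_init_rst() runs while criu is still in the host mount namespace, and nothing in the hunk enforces or documents that ordering. A one-line comment here ("must run before we enter the restored mntns") would help, and since the same two added lines now appear in kerndat_init() above, it is worth noting that the two entry points are expected to stay in sync.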
> > diff --git a/lsm.c b/lsm.c
> > index 90b395f..5acaa42 100644
> > --- a/lsm.c
> > +++ b/lsm.c
> > @@ -102,7 +102,7 @@ static int selinux_get_label(pid_t pid, char **output)
> > }
> > #endif
> >
> > -static void get_host_lsm()
> > +void kerndat_lsm()
> > {
> > if (access("/sys/kernel/security/apparmor", F_OK) == 0) {
> > get_label = apparmor_get_label;
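Review bot: dropping `static` and renaming `get_host_lsm` to `kerndat_lsm` exports the function, but the definition keeps the empty parameter list; make it `void kerndat_lsm(void)` so it matches a proper prototype in lsm.h. The function is also now expected to run exactly once, from the host mntns; since it overwrites `get_label` (and the lsm state the removed `name == NULL` sentinel guarded), a second call from a different mntns would silently replace the host result, so either guard against re-entry or document the single-call contract next to the `access("/sys/kernel/security/apparmor", F_OK)` probe.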
> > @@ -132,17 +132,11 @@ static void get_host_lsm()
> >
> > Lsmtype host_lsm_type()
> > {
> > - if (name == NULL)
> > - get_host_lsm();
> > -
> > return lsmtype;
> > }
> >
> > int collect_lsm_profile(pid_t pid, CredsEntry *ce)
> > {
> > - if (name == NULL)
> > - get_host_lsm();
> > -
> > ce->lsm_profile = NULL;
> >
> > if (lsmtype == LSMTYPE__NO_LSM)
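Review bot: removing the lazy `if (name == NULL) get_host_lsm();` from host_lsm_type() and collect_lsm_profile() means a caller that runs before kerndat_init() now gets whatever static default `lsmtype` holds instead of a probe, and nothing fails loudly in that case. Either keep a cheap guard (pr_err/BUG_ON when the type is still uninitialized) or state in the header that kerndat_init() must precede these calls. Also check whether `name` still has a reader after this patch; if the sentinel was its only use, the variable should be removed with it.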
> > @@ -162,9 +156,6 @@ extern Lsmtype image_lsm;
> >
> > int validate_lsm(CredsEntry *ce)
> > {
> > - if (name == NULL)
> > - get_host_lsm();
> > -
> > if (image_lsm == LSMTYPE__NO_LSM || image_lsm == lsmtype)
> > return 0;
> >
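Review bot: validate_lsm() is the restore-side check that, per the reply, used to probe /sys/kernel/security/apparmor inside the restored mntns, so after this removal its correctness rests entirely on kerndat_init_rst() having run in the host mntns. A short comment above the `image_lsm == lsmtype` comparison saying that `lsmtype` is the host value captured by kerndat_lsm() would make that dependency visible to the next reader.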
> > --
> > 2.1.0
> >
> > _______________________________________________
> > CRIU mailing list
> > CRIU at openvz.org
> > https://lists.openvz.org/mailman/listinfo/criu
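The failure mode discussed in the thread (a lazy LSM probe that runs inside the restored mount namespace and therefore sees no /sys/kernel/security/apparmor) and the fix (probe once from the host, cache, and only compare later) can be exercised without root by pointing the probe at a fake sysfs tree. The following is an added example for this thread, not CRIU code: the `root` parameter, the `fs/selinux` path, the `lsm_type` values and the mkdtemp() fixture are all assumptions made here for testability; CRIU itself probes "/sys" of whatever mount namespace it is in.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Local stand-in for the image's Lsmtype enum (hypothetical values; CRIU's
 * generated LSMTYPE__* constants are not reproduced here). */
enum lsm_type { LSM_UNKNOWN = -1, LSM_NONE = 0, LSM_APPARMOR = 1, LSM_SELINUX = 2 };

/* Host result, captured once. LSM_UNKNOWN means the one-shot init never ran. */
static enum lsm_type host_lsm = LSM_UNKNOWN;

/* Probe a sysfs-like tree rooted at 'root' (root is an assumption added for
 * testability). Returns 0 and fills *out, or -errno if the probe itself failed
 * (EACCES etc.), which a void probe like the patch's kerndat_lsm() cannot report. */
static int probe_lsm(const char *root, enum lsm_type *out)
{
	static const struct { const char *rel; enum lsm_type type; } probes[] = {
		{ "kernel/security/apparmor", LSM_APPARMOR },  /* path visible in the patch */
		{ "fs/selinux",               LSM_SELINUX  },  /* assumed; not shown in the patch */
	};
	char path[PATH_MAX];
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		snprintf(path, sizeof(path), "%s/%s", root, probes[i].rel);
		if (access(path, F_OK) == 0) {
			*out = probes[i].type;
			return 0;
		}
		if (errno != ENOENT && errno != ENOTDIR)
			return -errno;   /* present-but-unreadable is not "no LSM" */
	}
	*out = LSM_NONE;
	return 0;
}

/* One-shot init: call from the host mntns before any setns()/unshare(). */
int kerndat_lsm_init(const char *sys_root)
{
	enum lsm_type t;
	int ret = probe_lsm(sys_root, &t);

	if (ret == 0)
		host_lsm = t;
	return ret;
}

enum lsm_type host_lsm_type(void)
{
	return host_lsm;   /* no probe here; LSM_UNKNOWN if init was skipped */
}

/* Restore-side check, as in the patch's validate_lsm(): the image must carry
 * no LSM or the host's. It refuses rather than guessing if init never ran. */
int validate_lsm(enum lsm_type image_lsm)
{
	if (host_lsm == LSM_UNKNOWN)
		return -1;
	return (image_lsm == LSM_NONE || image_lsm == host_lsm) ? 0 : -1;
}

/* Constructed fixture: a fake /sys under mkdtemp(), optionally containing the
 * apparmor directory, standing in for the host or the restored mount namespace. */
static int make_fake_sys(char *root, size_t len, int with_apparmor)
{
	static const char *dirs[] = { "kernel", "kernel/security", "kernel/security/apparmor" };
	char tmpl[] = "/tmp/lsmdemo-XXXXXX";
	char path[PATH_MAX];
	size_t i;

	if (!mkdtemp(tmpl))
		return -errno;
	snprintf(root, len, "%s", tmpl);
	for (i = 0; with_apparmor && i < 3; i++) {
		snprintf(path, sizeof(path), "%s/%s", tmpl, dirs[i]);
		if (mkdir(path, 0700) && errno != EEXIST)
			return -errno;
	}
	return 0;
}

/* Walks through the scenario from the thread. Returns 0 on success, otherwise
 * the number of the step that went wrong. */
int run_demo(void)
{
	char host[PATH_MAX], restored[PATH_MAX];
	enum lsm_type lazy;

	if (make_fake_sys(host, sizeof(host), 1) || make_fake_sys(restored, sizeof(restored), 0))
		return 1;
	if (validate_lsm(LSM_APPARMOR) != -1)                         /* 2: nothing initialised yet */
		return 2;
	if (kerndat_lsm_init(host) || host_lsm_type() != LSM_APPARMOR) /* 3: probe from the "host" */
		return 3;
	if (probe_lsm(restored, &lazy) || lazy != LSM_NONE)           /* 4: lazy probe in "restored" mntns sees no LSM */
		return 4;
	if (validate_lsm(LSM_APPARMOR) != 0 || validate_lsm(LSM_SELINUX) != -1) /* 5: cached host value is used instead */
		return 5;
	return 0;
}

int main(void)
{
	int rc = run_demo();
	printf("demo %s (step %d)\n", rc ? "FAILED" : "ok", rc);
	return rc;
}
```

Step 4 is the bug the reply describes: a probe that runs against the restored tree reports "no LSM" even though the host runs AppArmor, so a lazily-initialised validate_lsm() would compare the image against the wrong type. Step 5 shows the patch's approach, where the value captured by the one-shot init is the only thing restore consults. The fixture leaves its directories under /tmp; remove them by hand after running.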