[CRIU] [PATCH 2/4] lsm: Postpone lsm_profile vs kerndat checks
Pavel Emelyanov
xemul at virtuozzo.com
Mon Jun 26 16:20:07 MSK 2017
We need to keep the host LSM mode on kerndat (next patches),
at the same time the --lsm-profile option needs to correspond
to it.
So split the option handling into two parts -- first keep it
as is, next -- check for kerndat correspondence.
Signed-off-by: Pavel Emelyanov <xemul at virtuozzo.com>
---
criu/cr-dump.c | 6 ++++++
criu/cr-restore.c | 3 +++
criu/crtools.c | 4 ++--
criu/include/lsm.h | 2 +-
criu/lsm.c | 27 +++++++++------------------
5 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/criu/cr-dump.c b/criu/cr-dump.c
index 47251b5..3f9f8d0 100644
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -1641,6 +1641,9 @@ int cr_pre_dump_tasks(pid_t pid)
if (kerndat_init())
goto err;
+ if (lsm_check_opts())
+ goto err;
+
if (irmap_load_cache())
goto err;
@@ -1834,6 +1837,9 @@ int cr_dump_tasks(pid_t pid)
if (kerndat_init())
goto err;
+ if (lsm_check_opts())
+ goto err;
+
if (irmap_load_cache())
goto err;
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 094c19a..0880ada 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2407,6 +2407,9 @@ int cr_restore_tasks(void)
if (kerndat_init())
goto err;
+ if (lsm_check_opts())
+ goto err;
+
timing_start(TIME_RESTORE);
if (cpu_init() < 0)
diff --git a/criu/crtools.c b/criu/crtools.c
index 18ca217..b0f7b94 100644
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -552,8 +552,8 @@ int main(int argc, char *argv[], char *envp[])
return -1;
break;
case 1071:
- if (parse_lsm_arg(optarg) < 0)
- return -1;
+ opts.lsm_profile = optarg;
+ opts.lsm_supplied = true;
break;
case 1072:
opts.timeout = atoi(optarg);
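Review bot: The `case 1071` branch now sets `opts.lsm_supplied = true` and stores the raw `type:profile` string in `opts.lsm_profile` with no validation, so the field holds an unparsed value marked as supplied until lsm_check_opts() runs. This patch adds that check only to cr_pre_dump_tasks(), cr_dump_tasks() and cr_restore_tasks(). If any other action reads `opts.lsm_profile` (not visible here), a malformed or unsupported LSM type would no longer be rejected on that path, and the literal `type:profile` text could be taken for a label. A comment on the assignment would make the deferred contract explicit: `/* raw "type:profile"; parsed and validated by lsm_check_opts() after kerndat_init() */`. main() continues outside the hunk.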
diff --git a/criu/include/lsm.h b/criu/include/lsm.h
index b97195e..b4fce13 100644
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -33,5 +33,5 @@ int validate_lsm(char *profile);
*/
int render_lsm_profile(char *profile, char **val);
-extern int parse_lsm_arg(char *arg);
+extern int lsm_check_opts(void);
#endif /* __CR_LSM_H__ */
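Review bot: The new `lsm_check_opts()` declaration has no comment, although the `render_lsm_profile()` declaration just above it does, and its contract is not obvious from the name. The comment should say that it must run after kerndat_init() has detected the host LSM (as the call sites in this patch arrange), and that it returns 0 without doing anything when --lsm-profile was not given. It should also say that on success it rewrites `opts.lsm_profile` in place to the bare profile name, or to NULL for `none`. Something like `/* Validate --lsm-profile against the host LSM; call after kerndat_init(). Rewrites opts.lsm_profile. */` would do.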
diff --git a/criu/lsm.c b/criu/lsm.c
index acdb1fb..aef4397 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -108,14 +108,6 @@ static int selinux_get_label(pid_t pid, char **output)
void kerndat_lsm(void)
{
- /* On restore, if someone passes --lsm-profile, we might end up doing
- * detection twice, once during flag parsing and once for
- * kerndat_init(). Let's detect when we've already done detection
- * and not do it again.
- */
- if (name)
- return;
-
if (access(AA_SECURITYFS_PATH, F_OK) == 0) {
get_label = apparmor_get_label;
lsmtype = LSMTYPE__APPARMOR;
@@ -207,43 +199,42 @@ int render_lsm_profile(char *profile, char **val)
return 0;
}
-int parse_lsm_arg(char *arg)
+int lsm_check_opts(void)
{
char *aux;
- kerndat_lsm();
+ if (!opts.lsm_supplied)
+ return 0;
- aux = strchr(arg, ':');
+ aux = strchr(opts.lsm_profile, ':');
if (aux == NULL) {
- pr_err("invalid argument %s for --lsm-profile\n", arg);
+ pr_err("invalid argument %s for --lsm-profile\n", opts.lsm_profile);
return -1;
}
*aux = '\0';
aux++;
- if (strcmp(arg, "apparmor") == 0) {
+ if (strcmp(opts.lsm_profile, "apparmor") == 0) {
if (lsmtype != LSMTYPE__APPARMOR) {
pr_err("apparmor LSM specified but apparmor not supported by kernel\n");
return -1;
}
opts.lsm_profile = aux;
- } else if (strcmp(arg, "selinux") == 0) {
+ } else if (strcmp(opts.lsm_profile, "selinux") == 0) {
if (lsmtype != LSMTYPE__SELINUX) {
pr_err("selinux LSM specified but selinux not supported by kernel\n");
return -1;
}
opts.lsm_profile = aux;
- } else if (strcmp(arg, "none") == 0) {
+ } else if (strcmp(opts.lsm_profile, "none") == 0) {
opts.lsm_profile = NULL;
} else {
- pr_err("unknown lsm %s\n", arg);
+ pr_err("unknown lsm %s\n", opts.lsm_profile);
return -1;
}
- opts.lsm_supplied = true;
-
return 0;
}
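Review bot: lsm_check_opts() is not safe to call twice, because it overwrites the `:` in the option string and then repoints `opts.lsm_profile` at the bare profile (or sets it to NULL for `none`) while `opts.lsm_supplied` stays true. A second call would fail with "invalid argument" for a valid apparmor or selinux value, and for `none` it would pass NULL to `strchr()`. Whether one process can reach two of the call sites added in this patch is not visible here, but a guard is cheap: a `static bool checked;` with `if (!opts.lsm_supplied || checked) return 0;` at the top and `checked = true;` before the final `return 0;`. The function also accepts an empty profile after the colon (`apparmor:`), which may deserve an explicit rejection so that an empty label is never applied on restore.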
--
2.1.4