[CRIU] [PATCH 2/4] lsm: Postpone lsm_profile vs kerndat checks

Pavel Emelyanov xemul at virtuozzo.com
Mon Jun 26 16:20:07 MSK 2017


We need to keep the host LSM mode on kerndat (next patches),
at the same time the --lsm-profile option needs to correspond
to it.

So split the option handling into two parts -- first keep it
as is, next -- check for kerndat correspondence.

Signed-off-by: Pavel Emelyanov <xemul at virtuozzo.com>
---
 criu/cr-dump.c     |  6 ++++++
 criu/cr-restore.c  |  3 +++
 criu/crtools.c     |  4 ++--
 criu/include/lsm.h |  2 +-
 criu/lsm.c         | 27 +++++++++------------------
 5 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/criu/cr-dump.c b/criu/cr-dump.c
index 47251b5..3f9f8d0 100644
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -1641,6 +1641,9 @@ int cr_pre_dump_tasks(pid_t pid)
 	if (kerndat_init())
 		goto err;
 
+	if (lsm_check_opts())
+		goto err;
+
 	if (irmap_load_cache())
 		goto err;
 
@@ -1834,6 +1837,9 @@ int cr_dump_tasks(pid_t pid)
 	if (kerndat_init())
 		goto err;
 
+	if (lsm_check_opts())
+		goto err;
+
 	if (irmap_load_cache())
 		goto err;
 
diff --git a/criu/cr-restore.c b/criu/cr-restore.c
index 094c19a..0880ada 100644
--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2407,6 +2407,9 @@ int cr_restore_tasks(void)
 	if (kerndat_init())
 		goto err;
 
+	if (lsm_check_opts())
+		goto err;
+
 	timing_start(TIME_RESTORE);
 
 	if (cpu_init() < 0)
diff --git a/criu/crtools.c b/criu/crtools.c
index 18ca217..b0f7b94 100644
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -552,8 +552,8 @@ int main(int argc, char *argv[], char *envp[])
 				return -1;
 			break;
 		case 1071:
-			if (parse_lsm_arg(optarg) < 0)
-				return -1;
+			opts.lsm_profile = optarg;
+			opts.lsm_supplied = true;
 			break;
 		case 1072:
 			opts.timeout = atoi(optarg);
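Review bot: The `case 1071` branch now stores the raw `type:profile` string in `opts.lsm_profile` and sets `opts.lsm_supplied` with no validation, so a malformed or unsupported `--lsm-profile` is rejected only on paths that later call `lsm_check_opts()`. In this patch those are pre-dump, dump and restore; any other command, or any code that reads `opts.lsm_profile` before that call, would see the unparsed value, which matters because this option presumably selects the LSM confinement applied on restore. I would add a comment here such as `/* raw "type:profile"; parsed and checked by lsm_check_opts() after kerndat_init() */`. The switch and main() continue outside the hunk.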
diff --git a/criu/include/lsm.h b/criu/include/lsm.h
index b97195e..b4fce13 100644
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -33,5 +33,5 @@ int validate_lsm(char *profile);
  */
 int render_lsm_profile(char *profile, char **val);
 
-extern int parse_lsm_arg(char *arg);
+extern int lsm_check_opts(void);
 #endif /* __CR_LSM_H__ */
diff --git a/criu/lsm.c b/criu/lsm.c
index acdb1fb..aef4397 100644
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -108,14 +108,6 @@ static int selinux_get_label(pid_t pid, char **output)
 
 void kerndat_lsm(void)
 {
-	/* On restore, if someone passes --lsm-profile, we might end up doing
-	 * detection twice, once during flag parsing and once for
-	 * kerndat_init(). Let's detect when we've already done detection
-	 * and not do it again.
-	 */
-	if (name)
-		return;
-
 	if (access(AA_SECURITYFS_PATH, F_OK) == 0) {
 		get_label = apparmor_get_label;
 		lsmtype = LSMTYPE__APPARMOR;
@@ -207,43 +199,42 @@ int render_lsm_profile(char *profile, char **val)
 	return 0;
 }
 
-int parse_lsm_arg(char *arg)
+int lsm_check_opts(void)
 {
 	char *aux;
 
-	kerndat_lsm();
+	if (!opts.lsm_supplied)
+		return 0;
 
-	aux = strchr(arg, ':');
+	aux = strchr(opts.lsm_profile, ':');
 	if (aux == NULL) {
-		pr_err("invalid argument %s for --lsm-profile\n", arg);
+		pr_err("invalid argument %s for --lsm-profile\n", opts.lsm_profile);
 		return -1;
 	}
 
 	*aux = '\0';
 	aux++;
 
-	if (strcmp(arg, "apparmor") == 0) {
+	if (strcmp(opts.lsm_profile, "apparmor") == 0) {
 		if (lsmtype != LSMTYPE__APPARMOR) {
 			pr_err("apparmor LSM specified but apparmor not supported by kernel\n");
 			return -1;
 		}
 
 		opts.lsm_profile = aux;
-	} else if (strcmp(arg, "selinux") == 0) {
+	} else if (strcmp(opts.lsm_profile, "selinux") == 0) {
 		if (lsmtype != LSMTYPE__SELINUX) {
 			pr_err("selinux LSM specified but selinux not supported by kernel\n");
 			return -1;
 		}
 
 		opts.lsm_profile = aux;
-	} else if (strcmp(arg, "none") == 0) {
+	} else if (strcmp(opts.lsm_profile, "none") == 0) {
 		opts.lsm_profile = NULL;
 	} else {
-		pr_err("unknown lsm %s\n", arg);
+		pr_err("unknown lsm %s\n", opts.lsm_profile);
 		return -1;
 	}
 
-	opts.lsm_supplied = true;
-
 	return 0;
 }
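Review bot: `lsm_check_opts()` is not safe to call twice in one process, because it parses `opts.lsm_profile` in place while `opts.lsm_supplied` stays true. After the `none` branch the field is NULL, so a second call would pass NULL to `strchr()`; after the apparmor/selinux branches a second call would see only the bare profile name and fail with "invalid argument". The function also no longer calls `kerndat_lsm()` itself, so the `lsmtype` comparisons depend on the caller having run `kerndat_init()` first. Whether any path reaches it twice is not visible from this hunk, so at minimum state the contract in a function comment, e.g. `/* Call once, after kerndat_init(): consumes opts.lsm_profile in place. */`.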
-- 
2.1.4


