Quoting Dwight Engen (dwight.en...@oracle.com):
> Signed-off-by: Dwight Engen <dwight.en...@oracle.com>

Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com>

I do wonder if the name should be more precise (host_lsm_enabled()
or host_lsm_enforcing() or something).  Just the name 'enabled'
could lead some to believe that it means it is enabled for this
container, which is a different question.

> ---
>  src/lxc/lsm/apparmor.c | 1 +
>  src/lxc/lsm/lsm.c      | 7 +++++++
>  src/lxc/lsm/lsm.h      | 3 +++
>  src/lxc/lsm/nop.c      | 6 ++++++
>  src/lxc/lsm/selinux.c  | 1 +
>  5 files changed, 18 insertions(+)
> 
> diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
> index c13613a..146564f 100644
> --- a/src/lxc/lsm/apparmor.c
> +++ b/src/lxc/lsm/apparmor.c
> @@ -167,6 +167,7 @@ static int apparmor_process_label_set(const char *label, 
> int use_default)
>  
>  static struct lsm_drv apparmor_drv = {
>       .name = "AppArmor",
> +     .enabled           = apparmor_enabled,
>       .process_label_get = apparmor_process_label_get,
>       .process_label_set = apparmor_process_label_set,
>  };
> diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c
> index 3974f11..f022de9 100644
> --- a/src/lxc/lsm/lsm.c
> +++ b/src/lxc/lsm/lsm.c
> @@ -62,6 +62,13 @@ void lsm_init(void)
>       INFO("Initialized LSM security driver %s", drv->name);
>  }
>  
> +int lsm_enabled()
> +{
> +     if (drv)
> +             return drv->enabled();
> +     return 0;
> +}
> +
>  char *lsm_process_label_get(pid_t pid)
>  {
>       if (!drv) {
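Review bot: `lsm_enabled()` in the lsm.c hunk returns `drv->enabled()` unfiltered, so a negative value from a backend reaches callers, and a caller that writes `if (lsm_enabled())` would read an error as "enabled". The selinux.c hunk wires the callback straight to libselinux's `is_selinux_enabled`, which some libselinux versions document as returning -1 on error; that is worth confirming against the versions LXC supports. Normalising at this one choke point, `return drv->enabled() > 0;`, keeps the result strictly 0 or 1, and a short comment on the `enabled` member in lsm.h stating that contract would help future drivers. The definition should also read `int lsm_enabled(void)` to match the prototype added in lsm.h, since empty parentheses leave the parameter list unspecified in C.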
> diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h
> index 2a82c66..ee093da 100644
> --- a/src/lxc/lsm/lsm.h
> +++ b/src/lxc/lsm/lsm.h
> @@ -31,18 +31,21 @@ struct lxc_conf;
>  struct lsm_drv {
>       const char *name;
>  
> +     int   (*enabled)(void);
>       char *(*process_label_get)(pid_t pid);
>       int   (*process_label_set)(const char *label, int use_default);
>  };
>  
>  #if HAVE_APPARMOR || HAVE_SELINUX
>  void  lsm_init(void);
> +int   lsm_enabled(void);
>  char *lsm_process_label_get(pid_t pid);
>  int   lsm_process_label_set(const char *label, int use_default);
>  int   lsm_proc_mount(struct lxc_conf *lxc_conf);
>  void  lsm_proc_unmount(struct lxc_conf *lxc_conf);
>  #else
>  static inline void  lsm_init(void) { }
> +static inline int   lsm_enabled(void) { return 0; }
>  static inline char *lsm_process_label_get(pid_t pid) { return NULL; }
>  static inline int   lsm_process_label_set(char *label, int use_default) { 
> return 0; }
>  static inline int   lsm_proc_mount(struct lxc_conf *lxc_conf) { return 0; }
> diff --git a/src/lxc/lsm/nop.c b/src/lxc/lsm/nop.c
> index 9184e6b..e39b0f5 100644
> --- a/src/lxc/lsm/nop.c
> +++ b/src/lxc/lsm/nop.c
> @@ -34,8 +34,14 @@ static int nop_process_label_set(const char *label, int 
> use_default)
>       return 0;
>  }
>  
> +static int nop_enabled(void)
> +{
> +     return 0;
> +}
> +
>  static struct lsm_drv nop_drv = {
>       .name = "nop",
> +     .enabled           = nop_enabled,
>       .process_label_get = nop_process_label_get,
>       .process_label_set = nop_process_label_set,
>  };
> diff --git a/src/lxc/lsm/selinux.c b/src/lxc/lsm/selinux.c
> index 6e44e8b..ef5beb0 100644
> --- a/src/lxc/lsm/selinux.c
> +++ b/src/lxc/lsm/selinux.c
> @@ -89,6 +89,7 @@ static int selinux_process_label_set(const char *label, int 
> use_default)
>  
>  static struct lsm_drv selinux_drv = {
>       .name = "SELinux",
> +     .enabled           = is_selinux_enabled,
>       .process_label_get = selinux_process_label_get,
>       .process_label_set = selinux_process_label_set,
>  };
> -- 
> 1.8.3.1
> 
> 
