Skip to content

Commit

Permalink
confile: properly namespace security keys
Browse files Browse the repository at this point in the history
- lxc.aa_profile => lxc.apparmor.profile
- lxc.aa_allow_incomplete => lxc.apparmor.allow_incomplete
- lxc.se_context => lxc.selinux.context

The legacy keys will be kept around until LXC 3.0 and then will be removed.

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
  • Loading branch information
Christian Brauner committed Jun 23, 2017
1 parent a7ff221 commit 953fe44
Show file tree
Hide file tree
Showing 9 changed files with 302 additions and 158 deletions.
4 changes: 2 additions & 2 deletions src/lxc/Makefile.am
Expand Up @@ -21,7 +21,7 @@ noinst_HEADERS = \
caps.h \
conf.h \
confile.h \
confile_network_legacy.h \
confile_legacy.h \
confile_utils.h \
console.h \
error.h \
Expand Down Expand Up @@ -104,7 +104,7 @@ liblxc_la_SOURCES = \
namespace.h namespace.c \
conf.c conf.h \
confile.c confile.h \
confile_network_legacy.c confile_network_legacy.h \
confile_legacy.c confile_legacy.h \
confile_utils.c confile_utils.h \
list.h \
state.c state.h \
Expand Down
1 change: 1 addition & 0 deletions src/lxc/conf.c
Expand Up @@ -1455,6 +1455,7 @@ static int lxc_setup_dev_console(const struct lxc_rootfs *rootfs,
} else {
DEBUG("cleared all (%d) mounts from \"%s\"", ret, path);
}

ret = unlink(path);
if (ret < 0) {
SYSERROR("error unlinking %s", path);
Expand Down
288 changes: 140 additions & 148 deletions src/lxc/confile.c

Large diffs are not rendered by default.

80 changes: 78 additions & 2 deletions src/lxc/confile_network_legacy.c → src/lxc/confile_legacy.c
Expand Up @@ -46,7 +46,7 @@
#include "config.h"
#include "confile.h"
#include "confile_utils.h"
#include "confile_network_legacy.h"
#include "confile_legacy.h"
#include "utils.h"
#include "log.h"
#include "conf.h"
Expand All @@ -59,7 +59,7 @@
#include <../include/ifaddrs.h>
#endif

lxc_log_define(lxc_confile_network_legacy, lxc);
lxc_log_define(lxc_confile_legacy, lxc);

/*
* Config entry is something like "lxc.network.0.ipv4" the key 'lxc.network.'
Expand Down Expand Up @@ -1003,3 +1003,79 @@ inline int clr_config_network_legacy(const char *key, struct lxc_conf *c, void *
{
return lxc_clear_config_network(c);
}

inline int clr_config_lsm_aa_profile(const char *key, struct lxc_conf *c,
void *data)
{
free(c->lsm_aa_profile);
c->lsm_aa_profile = NULL;
return 0;
}

inline int clr_config_lsm_aa_incomplete(const char *key, struct lxc_conf *c,
void *data)
{
c->lsm_aa_allow_incomplete = 0;
return 0;
}

int get_config_lsm_aa_profile(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data)
{
return lxc_get_conf_str(retv, inlen, c->lsm_aa_profile);
}

int get_config_lsm_aa_incomplete(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data)
{
return lxc_get_conf_int(c, retv, inlen,
c->lsm_aa_allow_incomplete);
}

int set_config_lsm_aa_profile(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
return set_config_string_item(&lxc_conf->lsm_aa_profile, value);
}

int set_config_lsm_aa_incomplete(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
/* Set config value to default. */
if (lxc_config_value_empty(value)) {
lxc_conf->lsm_aa_allow_incomplete = 0;
return 0;
}

/* Parse new config value. */
if (lxc_safe_uint(value, &lxc_conf->lsm_aa_allow_incomplete) < 0)
return -1;

if (lxc_conf->lsm_aa_allow_incomplete > 1) {
ERROR("Wrong value for lxc.lsm_aa_allow_incomplete. Can only "
"be set to 0 or 1");
return -1;
}

return 0;
}

int set_config_lsm_se_context(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
return set_config_string_item(&lxc_conf->lsm_se_context, value);
}

int get_config_lsm_se_context(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data)
{
return lxc_get_conf_str(retv, inlen, c->lsm_se_context);
}

inline int clr_config_lsm_se_context(const char *key, struct lxc_conf *c,
void *data)
{
free(c->lsm_se_context);
c->lsm_se_context = NULL;
return 0;
}
25 changes: 22 additions & 3 deletions src/lxc/confile_network_legacy.h → src/lxc/confile_legacy.h
Expand Up @@ -21,8 +21,8 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/

#ifndef __LXC_CONFILE_NETWORK_LEGACY_H
#define __LXC_CONFILE_NETWORK_LEGACY_H
#ifndef __LXC_CONFILE_LEGACY_H
#define __LXC_CONFILE_LEGACY_H

#include <stdio.h>
#include <lxc/attach_options.h>
Expand Down Expand Up @@ -78,4 +78,23 @@ extern int lxc_list_nicconfigs_legacy(struct lxc_conf *c, const char *key,
extern int lxc_listconfigs(char *retv, int inlen);

extern bool network_new_hwaddrs(struct lxc_conf *conf);
#endif

extern int set_config_lsm_aa_profile(const char *, const char *,
struct lxc_conf *, void *);
extern int get_config_lsm_aa_profile(const char *, char *, int,
struct lxc_conf *, void *);
extern int clr_config_lsm_aa_profile(const char *, struct lxc_conf *, void *);

extern int set_config_lsm_aa_incomplete(const char *, const char *,
struct lxc_conf *, void *);
extern int get_config_lsm_aa_incomplete(const char *, char *, int,
struct lxc_conf *, void *);
extern int clr_config_lsm_aa_incomplete(const char *, struct lxc_conf *,
void *);

extern int set_config_lsm_se_context(const char *, const char *,
struct lxc_conf *, void *);
extern int get_config_lsm_se_context(const char *, char *, int,
struct lxc_conf *, void *);
extern int clr_config_lsm_se_context(const char *, struct lxc_conf *, void *);
#endif /* __LXC_CONFILE_LEGACY_H */
20 changes: 20 additions & 0 deletions src/lxc/confile_utils.c
Expand Up @@ -582,3 +582,23 @@ bool new_hwaddr(char *hwaddr)

return true;
}

int lxc_get_conf_str(char *retv, int inlen, const char *value)
{
if (!value)
return 0;
if (retv && inlen >= strlen(value) + 1)
strncpy(retv, value, strlen(value) + 1);

return strlen(value);
}

int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v)
{
if (!retv)
inlen = 0;
else
memset(retv, 0, inlen);

return snprintf(retv, inlen, "%d", v);
}
2 changes: 2 additions & 0 deletions src/lxc/confile_utils.h
Expand Up @@ -81,5 +81,7 @@ extern int network_ifname(char **valuep, const char *value);
extern int rand_complete_hwaddr(char *hwaddr);
extern void update_hwaddr(const char *line);
extern bool new_hwaddr(char *hwaddr);
extern int lxc_get_conf_str(char *retv, int inlen, const char *value);
extern int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v);

#endif /* __LXC_CONFILE_UTILS_H */
2 changes: 1 addition & 1 deletion src/lxc/lxccontainer.c
Expand Up @@ -47,7 +47,7 @@
#include "config.h"
#include "commands.h"
#include "confile.h"
#include "confile_network_legacy.h"
#include "confile_legacy.h"
#include "console.h"
#include "criu.h"
#include "log.h"
Expand Down
38 changes: 36 additions & 2 deletions src/tests/parse_config_file.c
Expand Up @@ -328,20 +328,54 @@ int main(int argc, char *argv[])
goto non_test_error;
}

/* lxc.aa_profile */
/* REMOVE IN LXC 3.0
legacy security keys
*/
if (set_get_compare_clear_save_load(c, "lxc.aa_profile", "unconfined",
tmpf, true) < 0) {
lxc_error("%s\n", "lxc.aa_profile");
goto non_test_error;
}

/* lxc.aa_allow_incomplete */
/* REMOVE IN LXC 3.0
legacy security keys
*/
if (set_get_compare_clear_save_load(c, "lxc.aa_allow_incomplete", "1",
tmpf, true) < 0) {
lxc_error("%s\n", "lxc.aa_allow_incomplete");
goto non_test_error;
}

/* REMOVE IN LXC 3.0
legacy security keys
*/
if (set_get_compare_clear_save_load(c, "lxc.se_context", "system_u:system_r:lxc_t:s0:c22",
tmpf, true) < 0) {
lxc_error("%s\n", "lxc.apparmor.se_context");
goto non_test_error;
}

/* lxc.apparmor.profile */
if (set_get_compare_clear_save_load(c, "lxc.apparmor.profile", "unconfined",
tmpf, true) < 0) {
lxc_error("%s\n", "lxc.apparmor.profile");
goto non_test_error;
}

/* lxc.apparmor.allow_incomplete */
if (set_get_compare_clear_save_load(c, "lxc.apparmor.allow_incomplete", "1",
tmpf, true) < 0) {
lxc_error("%s\n", "lxc.apparmor.allow_incomplete");
goto non_test_error;
}

/* lxc.selinux.context */
if (set_get_compare_clear_save_load(c, "lxc.selinux.context", "system_u:system_r:lxc_t:s0:c22",
tmpf, true) < 0) {
lxc_error("%s\n", "lxc.apparmor.selinux.context");
goto non_test_error;
}

/* lxc.cgroup.cpuset.cpus */
if (set_get_compare_clear_save_load(c, "lxc.cgroup.cpuset.cpus",
"1-100", tmpf, false) < 0) {
Expand Down

0 comments on commit 953fe44

Please sign in to comment.