lsm: get host lsm type from the host mntns

We check files in /sys, so we must do this from host mount namespaces. The write_img_inventory() is called after kerndat_init() and it's only called on dump. The bug is triggered on restore, because the mount namespace of the restored process doesn't have /sys/kernel/security/apparmor/ I think it's better to initialize the host lsm in a one place for dump and restore. Currently we initialize the host lsm when we try to use it at a first time. It works fine for the dump operation. On restore it doesn't work because criu checks files in a restored mount namespace and it does this for each process, what isn't optimal. Signed-off-by: Andrew Vagin <avagin@openvz.org> Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

lsm: get host lsm type from the host mntns
We check files in /sys, so we must do this from host mount namespaces. The write_img_inventory() is called after kerndat_init() and it's only called on dump. The bug is triggered on restore, because the mount namespace of the restored process doesn't have /sys/kernel/security/apparmor/ I think it's better to initialize the host lsm in a one place for dump and restore. Currently we initialize the host lsm when we try to use it at a first time. It works fine for the dump operation. On restore it doesn't work because criu checks files in a restored mount namespace and it does this for each process, what isn't optimal. Signed-off-by: Andrew Vagin <avagin@openvz.org> Signed-off-by: Andrey Vagin <avagin@openvz.org> Acked-by: Tycho Andersen <tycho.andersen@canonical.com> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
7424ccaa · Andrey Vagin · Pavel Emelyanov · a6e13e1a · 7424ccaa · 7424ccaa
Commit 7424ccaa authored May 18, 2015 by Andrey Vagin Committed by Pavel Emelyanov May 19, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 10 deletions

lsm.h include/lsm.h +5 -0

kerndat.c kerndat.c +5 -0

lsm.c lsm.c +1 -10

No files found.
--- a/include/lsm.h
+++ b/include/lsm.h
@@ -9,6 +9,11 @@
 */
 extern Lsmtype host_lsm_type();

+/*
+ * Initilize the Lsmtype for the current host
+ */
+extern void kerndat_lsm();
+
 /*
 * Read the LSM profile for the pstree item
 */

--- a/kerndat.c
+++ b/kerndat.c
@@ -18,6 +18,7 @@
 #include "asm/types.h"
 #include "cr_options.h"
 #include "util.h"
+#include "lsm.h"

 struct kerndat_s kdat = {
 	.tcp_max_rshare = 3U << 20,
@@ -323,6 +324,8 @@ int kerndat_init(void)
 	if (!ret)
 		ret = kerndat_fdinfo_has_lock();

+	kerndat_lsm();
+
 	return ret;
 }

@@ -342,5 +345,7 @@ int kerndat_init_rst(void)
 	if (!ret)
 		ret = kerndat_has_memfd_create();

+	kerndat_lsm();
+
 	return ret;
 }
--- a/lsm.c
+++ b/lsm.c
@@ -102,7 +102,7 @@ static int selinux_get_label(pid_t pid, char **output)
 }
 #endif

-static void get_host_lsm()
+void kerndat_lsm()
 {
 	if (access("/sys/kernel/security/apparmor", F_OK) == 0) {
 		get_label = apparmor_get_label;
@@ -132,17 +132,11 @@ static void get_host_lsm()

 Lsmtype host_lsm_type()
 {
-	if (name == NULL)
-		get_host_lsm();
-
 	return lsmtype;
 }

 int collect_lsm_profile(pid_t pid, CredsEntry *ce)
 {
-	if (name == NULL)
-		get_host_lsm();
-
 	ce->lsm_profile = NULL;

 	if (lsmtype == LSMTYPE__NO_LSM)
@@ -162,9 +156,6 @@ extern Lsmtype image_lsm;

 int validate_lsm(CredsEntry *ce)
 {
-	if (name == NULL)
-		get_host_lsm();
-
 	if (image_lsm == LSMTYPE__NO_LSM || image_lsm == lsmtype)
 		return 0;