2 * lxc: linux Container library
5 * Copyright © 2012 Serge Hallyn <serge.hallyn@ubuntu.com>
6 * Copyright © 2012 Canonical Ltd.
7 * Dwight Engen <dwight.engen@oracle.com>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
24 #if HAVE_APPARMOR || HAVE_SELINUX
29 #include <sys/mount.h>
30 #include <sys/param.h>
/* Log category for this translation unit (lxc_log_define is the project's logging macro). */
36 lxc_log_define(lxc_lsm
, lxc
);
/*
 * The active LSM backend. It stays NULL until the constructor below has run;
 * every public entry point in this file dispatches through it and treats NULL
 * as "driver not inited" (see the ERROR paths in the accessors below).
 */
38 static struct lsm_drv
*drv
= NULL
;
/*
 * Backend factories, each defined in its own backend source. The fallback
 * chain in the constructor suggests each returns NULL when that LSM is not
 * usable on this host - presumably; confirm against the backend sources.
 */
40 extern struct lsm_drv
*lsm_apparmor_drv_init(void);
41 extern struct lsm_drv
*lsm_selinux_drv_init(void);
42 extern struct lsm_drv
*lsm_nop_drv_init(void);
/*
 * Driver selection, run as an ELF constructor before main(). The function's
 * signature line did not survive this rendering; the fragments below give the
 * order of preference: a driver that is already set is kept (and only logged),
 * otherwise AppArmor, then SELinux, then the "nop" fallback. The HAVE_APPARMOR /
 * HAVE_SELINUX guards around the first two attempts (the same symbols as the
 * #if at the top of the file) and the `if (!drv)` checks between the attempts
 * are not shown here - presumably present; confirm in the full source.
 */
44 __attribute__((constructor
))
/* Presumably reached only when drv is already non-NULL (the guard is not in this rendering): just report the driver in use. */
48 INFO("LSM security driver %s", drv
->name
);
/* First choice: AppArmor. */
53 drv
= lsm_apparmor_drv_init();
/* Second choice: SELinux - presumably only attempted while drv is still NULL. */
57 drv
= lsm_selinux_drv_init();
/* Last resort: the no-op driver, so callers can rely on a driver being present. */
61 drv
= lsm_nop_drv_init();
62 INFO("Initialized LSM security driver %s", drv
->name
);
/*
 * lsm_process_label_get: return the security label of process @pid as reported
 * by the active driver. NOTE(review): who owns/frees the returned string is not
 * visible here - check the backend implementations. The early return taken
 * when no driver is loaded (between the ERROR and the dispatch below) is not
 * in this rendering; presumably NULL.
 */
65 char *lsm_process_label_get(pid_t pid
)
/* Guard: drv is NULL until the constructor above has run. */
68 ERROR("LSM driver not inited");
71 return drv
->process_label_get(pid
);
/*
 * lsm_process_label_set: ask the active driver to move the calling process
 * into security label @label. @use_default is passed through to the backend;
 * its meaning is backend-specific and not visible here - confirm. Returns the
 * driver's result; the value returned when no driver is loaded is not in this
 * rendering (presumably -1).
 */
74 int lsm_process_label_set(const char *label
, int use_default
)
/* Guard: drv is NULL until the constructor above has run. */
77 ERROR("LSM driver not inited");
80 return drv
->process_label_set(label
, use_default
);
84 * _lsm_proc_mount: Mount /proc inside container to enable
85 * security domain transition
87 * @rootfs : the rootfs where proc should be mounted
89 * Returns < 0 on failure, 0 if the correct proc was already mounted
90 * and 1 if a new proc was mounted.
92 static int _lsm_proc_mount(const char *rootfs
)
/* The declarations of link[] (20 bytes, per the readlink size below), linklen and ret are not in this rendering. */
94 char path
[MAXPATHLEN
];
/* Build "<rootfs>/proc/self" and refuse anything that would truncate. */
98 ret
= snprintf(path
, MAXPATHLEN
, "%s/proc/self", rootfs
);
99 if (ret
< 0 || ret
>= MAXPATHLEN
) {
100 SYSERROR("proc path name too long");
/*
 * Probe which proc is mounted there. Presumably the caller is pid 1 of the
 * container's pid namespace, so a proc belonging to that namespace resolves
 * /proc/self to "1"; any other target means a proc from a different namespace.
 * NOTE(review): readlink() does not NUL-terminate. link is printed with %s and
 * compared below, so it must be zeroed before this call (not visible here),
 * and a target of exactly 20 bytes would still leave it unterminated. Reading
 * at most sizeof(link) - 1 bytes and setting link[linklen] = '\0' on success
 * would remove that dependency.
 */
104 linklen
= readlink(path
, link
, 20);
105 INFO("I am %d, /proc/self points to '%s'", getpid(), link
);
/* Reuse path for "<rootfs>/proc"; it is shorter than the string already checked above, so this cannot truncate. */
106 ret
= snprintf(path
, MAXPATHLEN
, "%s/proc", rootfs
);
107 if (linklen
< 0) /* /proc not mounted */
109 /* can't be longer than rootfs/proc/1 */
/*
 * Only the first linklen bytes are compared: "1" matches, anything longer
 * (e.g. "12") does not. A zero-length target would compare equal here -
 * presumably unreachable for /proc/self, but a linklen > 0 check would make
 * that explicit.
 */
110 if (strncmp(link
, "1", linklen
) != 0) {
111 /* wrong /procs mounted */
/* A proc from another namespace is in the way: lazily detach it so the fresh mount below is what the container sees. */
112 umount2(path
, MNT_DETACH
); /* ignore failure */
115 /* the right proc is already mounted */
/*
 * Fresh mount. NOTE(review): mount flags are 0 (no MS_NOSUID/MS_NODEV/MS_NOEXEC);
 * since this proc only exists for the security domain transition, confirm that
 * the container's own mount setup replaces or hardens it afterwards. The
 * return statements (-1 / 0 / 1 per the header comment) are not in this rendering.
 */
119 if (mount("proc", path
, "proc", 0, NULL
))
121 INFO("Mounted /proc in container for security transition");
/*
 * lsm_proc_mount: make sure a proc filesystem belonging to the container is
 * mounted, which the LSM backends need for the domain transition. Nothing is
 * done without a driver or with the "nop" driver (the early return there is
 * not in this rendering). With no rootfs path configured, proc is mounted on
 * /proc directly and a failure is only logged ("proceeding"). Otherwise the
 * work is delegated to _lsm_proc_mount() on rootfs.mount, and lsm_umount_proc
 * is set when a new proc was mounted so lsm_proc_unmount() can take it down
 * again. The function's return statements are not in this rendering.
 */
125 int lsm_proc_mount(struct lxc_conf
*lxc_conf
)
/* Driver identity is compared by name; "nop" is presumably the driver returned by lsm_nop_drv_init(). */
129 if (!drv
|| strcmp(drv
->name
, "nop") == 0)
/*
 * No separate rootfs (the container shares the host's root): mount proc in
 * place. NOTE(review): this assumes the caller is already in a private mount
 * namespace, otherwise the host's /proc would be shadowed - confirm.
 */
132 if (lxc_conf
->rootfs
.path
== NULL
|| strlen(lxc_conf
->rootfs
.path
) == 0) {
133 if (mount("proc", "/proc", "proc", 0, NULL
)) {
/* Best effort: the failure is logged but does not abort the start. */
134 SYSERROR("Failed mounting /proc, proceeding");
/* rootfs.mount rather than rootfs.path: assumed to be where the rootfs is mounted for this start - confirm. */
139 mounted
= _lsm_proc_mount(lxc_conf
->rootfs
.mount
);
/* The condition of this failure branch (mounted < 0 per _lsm_proc_mount's contract) is not in this rendering. */
141 SYSERROR("failed to mount /proc in the container.");
/* 1 means _lsm_proc_mount() mounted a new proc: remember to undo it on unmount. */
143 } else if (mounted
== 1) {
144 lxc_conf
->lsm_umount_proc
= 1;
149 void lsm_proc_unmount(struct lxc_conf
*lxc_conf
)
151 if (lxc_conf
->lsm_umount_proc
== 1) {
153 lxc_conf
->lsm_umount_proc
= 0;