lsm: Postpone lsm_profile vs kerndat checks

We need to keep the host LSM mode on kerndat (next patches), at the same time the --lsm-profile option needs to correspond to it. So split the option handling into two parts -- first keep it as is, next -- check for kerndat correspondance. Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com> Signed-off-by: Andrei Vagin <avagin@virtuozzo.com>
2025-09-01 06:45:35 +00:00 · 2017-06-26 16:20:07 +03:00
parent ebc485385b
commit 09c131c8a3
5 changed files with 21 additions and 21 deletions
--- a/criu/cr-dump.c
+++ b/criu/cr-dump.c
@@ -1539,6 +1539,9 @@ int cr_pre_dump_tasks(pid_t pid)
 	if (kerndat_init())
 		goto err;

+	if (lsm_check_opts())
+		goto err;
+
 	if (irmap_load_cache())
 		goto err;

@@ -1689,6 +1692,9 @@ int cr_dump_tasks(pid_t pid)
 	if (kerndat_init())
 		goto err;

+	if (lsm_check_opts())
+		goto err;
+
 	if (irmap_load_cache())
 		goto err;

--- a/criu/cr-restore.c
+++ b/criu/cr-restore.c
@@ -2134,6 +2134,9 @@ int cr_restore_tasks(void)
 	if (kerndat_init())
 		goto err;

+	if (lsm_check_opts())
+		goto err;
+
 	timing_start(TIME_RESTORE);

 	if (cpu_init() < 0)
--- a/criu/crtools.c
+++ b/criu/crtools.c
@@ -511,8 +511,8 @@ int main(int argc, char *argv[], char *envp[])
 				return -1;
 			break;
 		case 1071:
-			if (parse_lsm_arg(optarg) < 0)
-				return -1;
+			opts.lsm_profile = optarg;
+			opts.lsm_supplied = true;
 			break;
 		case 1072:
 			opts.timeout = atoi(optarg);
--- a/criu/include/lsm.h
+++ b/criu/include/lsm.h
@@ -33,5 +33,5 @@ int validate_lsm(char *profile);
 */
 int render_lsm_profile(char *profile, char **val);

-extern int parse_lsm_arg(char *arg);
+extern int lsm_check_opts(void);
 #endif /* __CR_LSM_H__ */
--- a/criu/lsm.c
+++ b/criu/lsm.c
@@ -108,14 +108,6 @@ static int selinux_get_label(pid_t pid, char **output)

 void kerndat_lsm(void)
 {
-	/* On restore, if someone passes --lsm-profile, we might end up doing
-	 * detection twice, once during flag parsing and once for
-	 * kerndat_init(). Let's detect when we've already done detection
-	 * and not do it again.
-	 */
-	if (name)
-		return;
-
 	if (access(AA_SECURITYFS_PATH, F_OK) == 0) {
 		get_label = apparmor_get_label;
 		lsmtype = LSMTYPE__APPARMOR;
@@ -207,43 +199,42 @@ int render_lsm_profile(char *profile, char **val)
 	return 0;
 }

-int parse_lsm_arg(char *arg)
+int lsm_check_opts(void)
 {
 	char *aux;

-	kerndat_lsm();
+	if (!opts.lsm_supplied)
+		return 0;

-	aux = strchr(arg, ':');
+	aux = strchr(opts.lsm_profile, ':');
 	if (aux == NULL) {
-		pr_err("invalid argument %s for --lsm-profile\n", arg);
+		pr_err("invalid argument %s for --lsm-profile\n", opts.lsm_profile);
 		return -1;
 	}

 	*aux = '\0';
 	aux++;

-	if (strcmp(arg, "apparmor") == 0) {
+	if (strcmp(opts.lsm_profile, "apparmor") == 0) {
 		if (lsmtype != LSMTYPE__APPARMOR) {
 			pr_err("apparmor LSM specified but apparmor not supported by kernel\n");
 			return -1;
 		}

 		opts.lsm_profile = aux;
-	} else if (strcmp(arg, "selinux") == 0) {
+	} else if (strcmp(opts.lsm_profile, "selinux") == 0) {
 		if (lsmtype != LSMTYPE__SELINUX) {
 			pr_err("selinux LSM specified but selinux not supported by kernel\n");
 			return -1;
 		}

 		opts.lsm_profile = aux;
-	} else if (strcmp(arg, "none") == 0) {
+	} else if (strcmp(opts.lsm_profile, "none") == 0) {
 		opts.lsm_profile = NULL;
 	} else {
-		pr_err("unknown lsm %s\n", arg);
+		pr_err("unknown lsm %s\n", opts.lsm_profile);
 		return -1;
 	}

-	opts.lsm_supplied = true;
-
 	return 0;
 }