From d002827b03d78e31503a6b706ad4b4049ebf9a07 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 4 Feb 2014 22:56:07 +0100 Subject: [PATCH] nspawn: various fixes in selinux hookup - As suggested, prefix argument variables with "arg_" how we do this usually. - As suggested, don't involve memory allocations when storing command line arguments. - Break --help text at 80 chars - man: explain that this is about SELinux - don't do unnecessary memory allocations when putting together mount option string --- man/systemd-nspawn.xml | 8 ++++---- src/nspawn/nspawn.c | 46 +++++++++++++++++++++--------------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 08b0457d1..c5d90c423 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -253,9 +253,9 @@ Sets the mandatory - access control (MAC) file label to be - used by tmpfs file systems in the - container. + access control (MAC/SELinux) file + label to be used by virtual API file + systems in the container. @@ -264,7 +264,7 @@ Sets the mandatory - access control (MAC) label to be used by + access control (MAC/SELinux) label to be used by processes in the container. diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index c91f6cce2..cd63bf6a7 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -80,8 +80,8 @@ static char *arg_directory = NULL; static char *arg_user = NULL; static sd_id128_t arg_uuid = {}; static char *arg_machine = NULL; -static char *process_label = NULL; -static char *file_label = NULL; +static char *arg_process_label = NULL; +static char *arg_file_label = NULL; static const char *arg_slice = NULL; static bool arg_private_network = false; static bool arg_read_only = false; @@ -130,8 +130,10 @@ static int help(void) { " --uuid=UUID Set a specific machine UUID for the container\n" " -M --machine=NAME Set the machine name for the container\n" " -S --slice=SLICE Place the container in the specified slice\n" - " -L --file-label=LABEL Set the MAC file label to be used by tmpfs file systems in container\n" - " -Z --process-label=LABEL Set the MAC label to be used by processes in container\n" + " -L --file-label=LABEL Set the MAC file label to be used by tmpfs file\n" + " systems in the container\n" + " -Z --process-label=LABEL Set the MAC label to be used by processes in\n" + " the container\n" " --private-network Disable network in container\n" " --read-only Mount the root directory read-only\n" " --capability=CAP In addition to the default, retain specified\n" @@ -257,17 +259,11 @@ static int parse_argv(int argc, char *argv[]) { break; case 'L': - file_label = strdup(optarg); - if (!file_label) - return log_oom(); - + arg_file_label = optarg; break; case 'Z': - process_label = strdup(optarg); - if (!process_label) - return log_oom(); - + arg_process_label = optarg; break; case ARG_READ_ONLY: @@ -419,7 +415,10 @@ static int mount_all(const char *dest) { for (k = 0; k < ELEMENTSOF(mount_table); k++) { _cleanup_free_ char *where = NULL; +#ifdef HAVE_SELINUX _cleanup_free_ char *options = NULL; +#endif + const char *o; int t; where = strjoin(dest, "/", mount_table[k].where, NULL); @@ -443,21 +442,22 @@ static int mount_all(const char *dest) { mkdir_p(where, 0755); #ifdef HAVE_SELINUX - if (file_label && (streq_ptr(mount_table[k].what, "tmpfs") || - streq_ptr(mount_table[k].what, "devpts"))) - options = strjoin(mount_table[k].options, ",context=\"", file_label, "\"", NULL); - else + if (arg_file_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) { + options = strjoin(mount_table[k].options, ",context=\"", arg_file_label, "\"", NULL); + if (!options) + return log_oom(); + + o = options; + } else #endif - options = strjoin(mount_table[k].options, NULL); + o = mount_table[k].options; - if (!options) - return log_oom(); if (mount(mount_table[k].what, where, mount_table[k].type, mount_table[k].flags, - options) < 0 && + o) < 0 && mount_table[k].fatal) { log_error("mount(%s) failed: %m", where); @@ -1527,9 +1527,9 @@ int main(int argc, char *argv[]) { env_use = (char**) envp; #if HAVE_SELINUX - if (process_label) - if (setexeccon(process_label) < 0) - log_error("setexeccon(\"%s\") failed: %m", process_label); + if (arg_process_label) + if (setexeccon(arg_process_label) < 0) + log_error("setexeccon(\"%s\") failed: %m", arg_process_label); #endif if (arg_boot) { char **a; -- 2.30.2