|
 |
2d9f68 |
From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
|
|
|
2d9f68 |
From: Andrei Vagin <avagin@gmail.com>
|
|
|
2d9f68 |
Date: Sat, 4 May 2019 20:01:52 -0700
|
|
|
2d9f68 |
Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
|
|
|
2d9f68 |
|
|
|
2d9f68 |
Fixes #693
|
|
|
2d9f68 |
---
|
|
|
2d9f68 |
criu/lsm.c | 16 ++++++++++++++--
|
|
|
2d9f68 |
1 file changed, 14 insertions(+), 2 deletions(-)
|
|
|
2d9f68 |
|
|
|
2d9f68 |
diff --git a/criu/lsm.c b/criu/lsm.c
|
|
|
2d9f68 |
index 9c9ac7f80e..5921138392 100644
|
|
|
2d9f68 |
--- a/criu/lsm.c
|
|
|
2d9f68 |
+++ b/criu/lsm.c
|
|
|
2d9f68 |
@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
|
|
|
2d9f68 |
|
|
|
2d9f68 |
int reset_setsockcreatecon()
|
|
|
2d9f68 |
{
|
|
|
2d9f68 |
- return setsockcreatecon_raw(NULL);
|
|
|
2d9f68 |
+ /* Currently this only works for SELinux. */
|
|
|
2d9f68 |
+ if (kdat.lsm != LSMTYPE__SELINUX)
|
|
|
2d9f68 |
+ return 0;
|
|
|
2d9f68 |
+
|
|
|
2d9f68 |
+ if (setsockcreatecon_raw(NULL)) {
|
|
|
2d9f68 |
+ pr_perror("Unable to reset socket SELinux context");
|
|
|
2d9f68 |
+ return -1;
|
|
|
2d9f68 |
+ }
|
|
|
2d9f68 |
+ return 0;
|
|
|
2d9f68 |
}
|
|
|
2d9f68 |
|
|
|
2d9f68 |
int run_setsockcreatecon(FdinfoEntry *e)
|
|
|
2d9f68 |
@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
|
|
|
2d9f68 |
|
|
|
2d9f68 |
ctx = e->xattr_security_selinux;
|
|
|
2d9f68 |
/* Writing to the FD using fsetxattr() did not work for some reason. */
|
|
|
2d9f68 |
- return setsockcreatecon_raw(ctx);
|
|
|
2d9f68 |
+ if (setsockcreatecon_raw(ctx)) {
|
|
|
2d9f68 |
+ pr_perror("Unable to set the %s socket SELinux context", ctx);
|
|
|
2d9f68 |
+ return -1;
|
|
|
2d9f68 |
+ }
|
|
|
2d9f68 |
+ return 0;
|
|
|
2d9f68 |
}
|
|
|
2d9f68 |
|
|
|
2d9f68 |
int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
|