[systemd-commits] man/systemd-nspawn.xml src/nspawn

Lennart Poettering lennart at kemper.freedesktop.org
Tue Feb 4 13:59:52 PST 2014


 man/systemd-nspawn.xml |    8 ++++----
 src/nspawn/nspawn.c    |   46 +++++++++++++++++++++++-----------------------
 2 files changed, 27 insertions(+), 27 deletions(-)

New commits:
commit d002827b03d78e31503a6b706ad4b4049ebf9a07
Author: Lennart Poettering <lennart at poettering.net>
Date:   Tue Feb 4 22:56:07 2014 +0100

    nspawn: various fixes in selinux hookup
    
    - As suggested, prefix argument variables with "arg_", as we usually
      do.
    
    - As suggested, don't involve memory allocations when storing command
      line arguments.
    
    - Break --help text at 80 chars
    
    - man: explain that this is about SELinux
    
    - don't do unnecessary memory allocations when putting together mount
      option string

diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 08b0457..c5d90c4 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -253,9 +253,9 @@
                                 <term><option>--file-label=</option></term>
 
                                 <listitem><para>Sets the mandatory
-                                access control (MAC) file label to be
-                                used by tmpfs file systems in the
-                                container.</para>
+                                access control (MAC/SELinux) file
+                                label to be used by virtual API file
+                                systems in the container.</para>
                                 </listitem>
                         </varlistentry>
 
@@ -264,7 +264,7 @@
                                 <term><option>--process-label=</option></term>
 
                                 <listitem><para>Sets the mandatory
-                                access control (MAC) label to be used by
+                                access control (MAC/SELinux) label to be used by
                                 processes in the container.</para>
                                 </listitem>
                         </varlistentry>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c91f6cc..cd63bf6 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -80,8 +80,8 @@ static char *arg_directory = NULL;
 static char *arg_user = NULL;
 static sd_id128_t arg_uuid = {};
 static char *arg_machine = NULL;
-static char *process_label = NULL;
-static char *file_label = NULL;
+static char *arg_process_label = NULL;
+static char *arg_file_label = NULL;
 static const char *arg_slice = NULL;
 static bool arg_private_network = false;
 static bool arg_read_only = false;
@@ -130,8 +130,10 @@ static int help(void) {
                "     --uuid=UUID            Set a specific machine UUID for the container\n"
                "  -M --machine=NAME         Set the machine name for the container\n"
                "  -S --slice=SLICE          Place the container in the specified slice\n"
-               "  -L --file-label=LABEL     Set the MAC file label to be used by tmpfs file systems in container\n"
-               "  -Z --process-label=LABEL  Set the MAC label to be used by processes in container\n"
+               "  -L --file-label=LABEL     Set the MAC file label to be used by tmpfs file\n"
+               "                            systems in the container\n"
+               "  -Z --process-label=LABEL  Set the MAC label to be used by processes in\n"
+               "                            the container\n"
                "     --private-network      Disable network in container\n"
                "     --read-only            Mount the root directory read-only\n"
                "     --capability=CAP       In addition to the default, retain specified\n"
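Review bot: The reflowed --help text on the `-L --file-label=` lines still says the label is used "by tmpfs file systems" and neither entry mentions SELinux, while the man page hunk in this same commit changes the wording to "MAC/SELinux" and "virtual API file systems" (and the mount_all hunk applies it to both tmpfs and devpts). Since the lines are being rewritten anyway, aligning them with the man page avoids two descriptions of the same option, e.g. `"  -L --file-label=LABEL     Set the MAC/SELinux file label for virtual API file\n"` / `"                            systems in the container\n"` and `"  -Z --process-label=LABEL  Set the MAC/SELinux label to be used by processes\n"`. The help() function continues outside the hunk.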
@@ -257,17 +259,11 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case 'L':
-                        file_label = strdup(optarg);
-                        if (!file_label)
-                                return log_oom();
-
+                        arg_file_label = optarg;
                         break;
 
                 case 'Z':
-                        process_label = strdup(optarg);
-                        if (!process_label)
-                                return log_oom();
-
+                        arg_process_label = optarg;
                         break;
 
                 case ARG_READ_ONLY:
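Review bot: `arg_file_label = optarg;` and `arg_process_label = optarg;` now store pointers into argv, but the declarations changed in the earlier @@ -80 hunk keep the variables as `static char *`, which still reads as owned, writable storage; declaring them `static const char *arg_process_label = NULL;` and `static const char *arg_file_label = NULL;` would match the neighbouring `arg_slice` and let the compiler catch any later attempt to modify or free them. If a cleanup path elsewhere in the file still calls free() on either variable (not visible in this diff), that would now free argv memory and needs removing in the same commit. The parse_argv switch continues outside the hunk.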
@@ -419,7 +415,10 @@ static int mount_all(const char *dest) {
 
         for (k = 0; k < ELEMENTSOF(mount_table); k++) {
                 _cleanup_free_ char *where = NULL;
+#ifdef HAVE_SELINUX
                 _cleanup_free_ char *options = NULL;
+#endif
+                const char *o;
                 int t;
 
                 where = strjoin(dest, "/", mount_table[k].where, NULL);
@@ -443,21 +442,22 @@ static int mount_all(const char *dest) {
                 mkdir_p(where, 0755);
 
 #ifdef HAVE_SELINUX
-                if (file_label && (streq_ptr(mount_table[k].what, "tmpfs") ||
-                              streq_ptr(mount_table[k].what, "devpts")))
-                        options = strjoin(mount_table[k].options, ",context=\"", file_label, "\"", NULL);
-                else
+                if (arg_file_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
+                        options = strjoin(mount_table[k].options, ",context=\"", arg_file_label, "\"", NULL);
+                        if (!options)
+                                return log_oom();
+
+                        o = options;
+                } else
 #endif
-                        options = strjoin(mount_table[k].options, NULL);
+                        o = mount_table[k].options;
 
-                if (!options)
-                        return log_oom();
 
                 if (mount(mount_table[k].what,
                           where,
                           mount_table[k].type,
                           mount_table[k].flags,
-                          options) < 0 &&
+                          o) < 0 &&
                     mount_table[k].fatal) {
 
                         log_error("mount(%s) failed: %m", where);
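Review bot: The `} else` followed by `#endif` and a bare `o = mount_table[k].options;` makes the unbraced else body straddle a preprocessor boundary, so the non-SELinux build compiles a different statement shape than the SELinux one and a second statement added after `#endif` would silently leave the else. Simpler and brace-safe: assign `o = mount_table[k].options;` before the `#ifdef HAVE_SELINUX` block, close the if with a plain `}`, and drop the assignment after `#endif`, so the conditional only overrides the default. The same function uses `#ifdef HAVE_SELINUX` here and on the declaration hunk while main() uses `#if HAVE_SELINUX`; that is presumably fine with an autoconf `1` definition, but picking one form would avoid surprises if the macro were ever defined empty. The two consecutive blank lines left after the removed `log_oom()` check can be collapsed to one; mount_all starts and ends outside the hunk.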
@@ -1527,9 +1527,9 @@ int main(int argc, char *argv[]) {
                                 env_use = (char**) envp;
 
 #if HAVE_SELINUX
-                        if (process_label)
-                                if (setexeccon(process_label) < 0)
-                                        log_error("setexeccon(\"%s\") failed: %m", process_label);
+                        if (arg_process_label)
+                                if (setexeccon(arg_process_label) < 0)
+                                        log_error("setexeccon(\"%s\") failed: %m", arg_process_label);
 #endif
                         if (arg_boot) {
                                 char **a;


