Prep v228: Condense elogind source masks (1/5)
diff --git
a/src/basic/selinux-util.c
b/src/basic/selinux-util.c
index 69885d9fc9b8456f19518171c7e93cbc18eaa6ec..09ee7be917c54c93da482b13a9560d1d9a844a0f 100644
--- a/
src/basic/selinux-util.c
+++ b/
src/basic/selinux-util.c
@@
-24,14
+24,15
@@
#include <sys/un.h>
#ifdef HAVE_SELINUX
#include <sys/un.h>
#ifdef HAVE_SELINUX
-#include <selinux/selinux.h>
-#include <selinux/label.h>
#include <selinux/context.h>
#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
#endif
#endif
-#include "
strv
.h"
+#include "
alloc-util
.h"
#include "path-util.h"
#include "selinux-util.h"
#include "path-util.h"
#include "selinux-util.h"
+#include "strv.h"
#ifdef HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
#ifdef HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
@@
-57,11
+58,14
@@
bool mac_selinux_use(void) {
#endif
}
#endif
}
+/// UNNEEDED by elogind
+#if 0
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
cached_use = -1;
#endif
}
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
cached_use = -1;
#endif
}
+#endif // 0
int mac_selinux_init(const char *prefix) {
int r = 0;
int mac_selinux_init(const char *prefix) {
int r = 0;
@@
-109,6
+113,8
@@
int mac_selinux_init(const char *prefix) {
return r;
}
return r;
}
+/// UNNEEDED by elogind
+#if 0
void mac_selinux_finish(void) {
#ifdef HAVE_SELINUX
void mac_selinux_finish(void) {
#ifdef HAVE_SELINUX
@@
-119,6
+125,7
@@
void mac_selinux_finish(void) {
label_hnd = NULL;
#endif
}
label_hnd = NULL;
#endif
}
+#endif // 0
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
@@
-173,21
+180,20
@@
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
int mac_selinux_apply(const char *path, const char *label) {
#ifdef HAVE_SELINUX
int mac_selinux_apply(const char *path, const char *label) {
#ifdef HAVE_SELINUX
- assert(path);
- assert(label);
-
if (!mac_selinux_use())
return 0;
if (!mac_selinux_use())
return 0;
+ assert(path);
+ assert(label);
+
if (setfilecon(path, (security_context_t) label) < 0) {
log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
if (setfilecon(path, (security_context_t) label) < 0) {
log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
- if (security_getenforce()
== 1
)
+ if (security_getenforce()
> 0
)
return -errno;
}
#endif
return 0;
}
return -errno;
}
#endif
return 0;
}
-#endif // 0
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
int r = -EOPNOTSUPP;
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
int r = -EOPNOTSUPP;
@@
-202,11
+208,11
@@
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
if (!mac_selinux_use())
return -EOPNOTSUPP;
if (!mac_selinux_use())
return -EOPNOTSUPP;
- r = getcon(&mycon);
+ r = getcon
_raw
(&mycon);
if (r < 0)
return -errno;
if (r < 0)
return -errno;
- r = getfilecon(exe, &fcon);
+ r = getfilecon
_raw
(exe, &fcon);
if (r < 0)
return -errno;
if (r < 0)
return -errno;
@@
-228,7
+234,7
@@
int mac_selinux_get_our_label(char **label) {
if (!mac_selinux_use())
return -EOPNOTSUPP;
if (!mac_selinux_use())
return -EOPNOTSUPP;
- r = getcon(label);
+ r = getcon
_raw
(label);
if (r < 0)
return -errno;
#endif
if (r < 0)
return -errno;
#endif
@@
-252,7
+258,7
@@
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
if (!mac_selinux_use())
return -EOPNOTSUPP;
if (!mac_selinux_use())
return -EOPNOTSUPP;
- r = getcon(&mycon);
+ r = getcon
_raw
(&mycon);
if (r < 0)
return -errno;
if (r < 0)
return -errno;
@@
-263,7
+269,7
@@
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
if (!exec_label) {
/* If there is no context set for next exec let's use context
of target executable */
if (!exec_label) {
/* If there is no context set for next exec let's use context
of target executable */
- r = getfilecon(exe, &fcon);
+ r = getfilecon
_raw
(exe, &fcon);
if (r < 0)
return -errno;
}
if (r < 0)
return -errno;
}
@@
-298,21
+304,28
@@
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
return r;
}
return r;
}
-
void
mac_selinux_free(char *label) {
+
char*
mac_selinux_free(char *label) {
#ifdef HAVE_SELINUX
#ifdef HAVE_SELINUX
+ if (!label)
+ return NULL;
+
if (!mac_selinux_use())
if (!mac_selinux_use())
- return;
+ return NULL;
+
freecon((security_context_t) label);
#endif
freecon((security_context_t) label);
#endif
+
+ return NULL;
}
}
+#endif // 0
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
- int r = 0;
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t filecon = NULL;
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t filecon = NULL;
+ int r;
assert(path);
assert(path);
@@
-322,34
+335,33
@@
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
else {
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
else {
- _cleanup_free_ char *newpath;
+ _cleanup_free_ char *newpath
= NULL
;
-
newpath = path_make_absolute_cwd(
path);
- if (
!newpath
)
- return
-ENOMEM
;
+
r = path_make_absolute_cwd(path, &new
path);
+ if (
r < 0
)
+ return
r
;
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
}
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
}
+ if (r < 0) {
/* No context specified by the policy? Proceed without setting it. */
/* No context specified by the policy? Proceed without setting it. */
-
if (r < 0 &&
errno == ENOENT)
+
if (
errno == ENOENT)
return 0;
return 0;
- if (r < 0)
- r = -errno;
- else {
- r = setfscreatecon(filecon);
- if (r < 0) {
+ log_enforcing("Failed to determine SELinux security context for %s: %m", path);
+ } else {
+ if (setfscreatecon(filecon) >= 0)
+ return 0; /* Success! */
+
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
- r = -errno;
- }
}
}
- if (r < 0 && security_getenforce() == 0)
- r = 0;
-#endif
+ if (security_getenforce() > 0)
+ return -errno;
- return r;
+#endif
+ return 0;
}
void mac_selinux_create_file_clear(void) {
}
void mac_selinux_create_file_clear(void) {
@@
-364,6
+376,8
@@
void mac_selinux_create_file_clear(void) {
#endif
}
#endif
}
+/// UNNEEDED by elogind
+#if 0
int mac_selinux_create_socket_prepare(const char *label) {
#ifdef HAVE_SELINUX
int mac_selinux_create_socket_prepare(const char *label) {
#ifdef HAVE_SELINUX
@@
-402,6
+416,7
@@
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t fcon = NULL;
const struct sockaddr_un *un;
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t fcon = NULL;
const struct sockaddr_un *un;
+ bool context_changed = false;
char *path;
int r;
char *path;
int r;
@@
-417,7
+432,7
@@
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
goto skipped;
/* Filter out anonymous sockets */
goto skipped;
/* Filter out anonymous sockets */
- if (addrlen <
sizeof(sa_family_t
) + 1)
+ if (addrlen <
offsetof(struct sockaddr_un, sun_path
) + 1)
goto skipped;
/* Filter out abstract namespace sockets */
goto skipped;
/* Filter out abstract namespace sockets */
@@
-430,36
+445,45
@@
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else {
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else {
- _cleanup_free_ char *newpath;
+ _cleanup_free_ char *newpath
= NULL
;
-
newpath = path_make_absolute_cwd(
path);
- if (
!newpath
)
- return
-ENOMEM
;
+
r = path_make_absolute_cwd(path, &new
path);
+ if (
r < 0
)
+ return
r
;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
}
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
}
- if (r == 0)
- r = setfscreatecon(fcon);
+ if (r < 0) {
+ /* No context specified by the policy? Proceed without setting it */
+ if (errno == ENOENT)
+ goto skipped;
- if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
+ log_enforcing("Failed to determine SELinux security context for %s: %m", path);
+ if (security_getenforce() > 0)
+ return -errno;
- if (security_getenforce() == 1) {
- r = -errno;
- goto finish;
- }
+ } else {
+ if (setfscreatecon(fcon) < 0) {
+ log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
+ if (security_getenforce() > 0)
+ return -errno;
+ } else
+ context_changed = true;
}
}
- r = bind(fd, addr, addrlen);
- if (r < 0)
- r = -errno;
+ r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
-finish:
+ if (context_changed)
setfscreatecon(NULL);
setfscreatecon(NULL);
+
return r;
skipped:
#endif
return r;
skipped:
#endif
- return bind(fd, addr, addrlen) < 0 ? -errno : 0;
+ if (bind(fd, addr, addrlen) < 0)
+ return -errno;
+
+ return 0;
}
}
+#endif // 0
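Review bot: In the rewritten error path of mac_selinux_create_file_prepare (hunk `@@ -322,34 +335,33 @@`), `return -errno;` is evaluated only after `log_enforcing()` and `security_getenforce()` have run, and `security_getenforce()` does its own open/read of selinuxfs, so the errno reported to the caller may no longer be the one left by `selabel_lookup_raw()` or `setfscreatecon()`; `log_enforcing()` presumably preserves errno as systemd's log helpers do, but that cannot be confirmed from this hunk. I would capture it first in both branches, `r = -errno;` right after each `log_enforcing(...)` call, and change the tail to `if (security_getenforce() > 0) return r;`. The same ordering is used in mac_selinux_apply (`@@ -173,21 +180,20 @@`) and twice in mac_selinux_bind (`@@ -430,36 +445,45 @@`), though both of those now sit inside `#if 0` and are not compiled. A related caveat worth a comment on the new `> 0` test: `security_getenforce()` returns -1 on error, so a failure to read the enforce state is treated as permissive and the function returns 0, e.g. `/* getenforce failure (-1) is deliberately treated as permissive */` if that fail-open behaviour is intended. The enclosing function starts before this hunk.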