}
#ifdef HAVE_SELINUX
-static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
+static int mac_selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
Manager *m = userdata;
const char *verb, *path;
Unit *u = NULL;
if (object_path_startswith("/org/freedesktop/systemd1", path)) {
- r = selinux_access_check(message, verb, error);
+ r = mac_selinux_access_check(message, verb, error);
if (r < 0)
return r;
if (!u)
return 0;
- r = selinux_unit_access_check(u, message, verb, error);
+ r = mac_selinux_unit_access_check(u, message, verb, error);
if (r < 0)
return r;
assert(bus);
#ifdef HAVE_SELINUX
- r = sd_bus_add_filter(bus, NULL, selinux_filter, m);
+ r = sd_bus_add_filter(bus, NULL, mac_selinux_filter, m);
if (r < 0) {
log_error("Failed to add SELinux access filter: %s", strerror(-r));
return r;
assert(m);
assert(bus);
+ /* Let's make sure we have enough credential bits so that we can make security and selinux decisions */
+ r = sd_bus_negotiate_creds(bus, 1,
+ SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|
+ SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS|
+ SD_BUS_CREDS_SELINUX_CONTEXT);
+ if (r < 0)
+ log_warning("Failed to enable credential passing, ignoring: %s", strerror(-r));
+
r = bus_setup_api_vtables(m, bus);
if (r < 0)
return r;
left = strpcpy(&p, left, "/systemd/private");
salen = sizeof(sa.un) - left;
-
- mkdir_parents_label(sa.un.sun_path, 0755);
}
- unlink(sa.un.sun_path);
+ (void) mkdir_parents_label(sa.un.sun_path, 0755);
+ (void) unlink(sa.un.sun_path);
fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (fd < 0) {
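Review bot: Both results are now discarded with `(void)`, and `mkdir_parents_label()` has moved below the closing brace. It therefore appears to run on every path that reaches the socket setup, not only in the branch that ended there; that branch is outside the hunk, so this is inferred. A failed `unlink()` for any reason other than ENOENT would then only show up in whatever binds the socket later, which makes a stale or unexpected object at that path harder to diagnose. I would keep the best-effort behaviour but add a short comment above the two calls saying why ignoring the results is safe. Alternatively, log the non-ENOENT case at debug level.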
e = startswith(line, "subscribed=");
if (!e)
- return 0;
+ return -EINVAL;
return strv_extend(l, e);
}
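Review bot: Returning `-EINVAL` for a line without the `subscribed=` prefix changes this function's return contract, and the visible part of the function has no comment describing it. A caller that previously treated 0 as "not my item, keep going" and any negative value as a hard failure would now abort deserialization on an unrelated line. The callers are outside this hunk and should be checked. The negative range is also now shared with whatever error `strv_extend()` can return, so callers that need to tell the two apart must compare against `-EINVAL` explicitly. I would document this above the function, e.g. `/* Returns -EINVAL if line is not a "subscribed=" item, otherwise the result of strv_extend() */`. The function's opening lines are outside the hunk.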