X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fexecute.c;h=129791294eea816d1f9e186b9dad22b76472a4f8;hb=cf8bd44339b00330fdbc91041d6731ba8aba9fec;hp=af8e7c725b39120314fb91c310a50c46f9c45ab1;hpb=de0671ee7fe465e108f62dcbbbe9366f81dd9e9a;p=elogind.git
diff --git a/src/core/execute.c b/src/core/execute.c
index af8e7c725..129791294 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -83,6 +83,7 @@
 #include "af-list.h"
 #include "mkdir.h"
 #include "apparmor-util.h"
+#include "label.h"
 #ifdef HAVE_SECCOMP
 #include "seccomp-util.h"
@@ -333,7 +334,7 @@ static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty
 i == EXEC_INPUT_TTY_FAIL,
 i == EXEC_INPUT_TTY_FORCE,
 false,
- (usec_t) -1);
+ USEC_INFINITY);
 if (fd < 0)
 return fd;
@@ -561,7 +562,7 @@ static int restore_confirm_stdio(int *saved_stdin,
 static int ask_for_confirmation(char *response, char **argv) {
 int saved_stdout = -1, saved_stdin = -1, r;
- char *line;
+ _cleanup_free_ char *line = NULL;
 r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
 if (r < 0)
@@ -571,8 +572,7 @@ static int ask_for_confirmation(char *response, char **argv) {
 if (!line)
 return -ENOMEM;
- r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
- free(line);
+ r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
 restore_confirm_stdio(&saved_stdin, &saved_stdout);
@@ -1465,7 +1465,7 @@ int exec_spawn(ExecCommand *command,
 goto fail_child;
 }
- if (context->timer_slack_nsec != (nsec_t) -1)
+ if (context->timer_slack_nsec != NSEC_INFINITY)
 if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
 err = -errno;
 r = EXIT_TIMERSLACK;
@@ -1569,7 +1569,9 @@ int exec_spawn(ExecCommand *command,
 !strv_isempty(context->inaccessible_dirs) ||
 context->mount_flags != 0 ||
 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
- context->private_devices) {
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
 char *tmp = NULL, *var = NULL;
@@ -1593,8 +1595,9 @@ int exec_spawn(ExecCommand *command,
 tmp,
 var,
 context->private_devices,
+ context->protect_home,
+ context->protect_system,
 context->mount_flags);
-
 if (err < 0) {
 r = EXIT_NAMESPACE;
 goto fail_child;
@@ -1727,6 +1730,22 @@ int exec_spawn(ExecCommand *command,
 goto fail_child;
 }
 }
+
+ if (context->selinux_label_via_net && use_selinux()) {
+ _cleanup_free_ char *label = NULL;
+
+ err = label_get_child_label(socket_fd, command->path, &label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+
+ err = setexeccon(label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+ }
 #endif
 #ifdef HAVE_APPARMOR
@@ -1831,7 +1850,7 @@ void exec_context_init(ExecContext *c) {
 c->syslog_priority = LOG_DAEMON|LOG_INFO;
 c->syslog_level_prefix = true;
 c->ignore_sigpipe = true;
- c->timer_slack_nsec = (nsec_t) -1;
+ c->timer_slack_nsec = NSEC_INFINITY;
 c->personality = 0xffffffffUL;
 c->runtime_directory_mode = 0755;
 }
@@ -2021,7 +2040,7 @@ int exec_context_load_environment(const ExecContext *c, char ***l) {
 return -EINVAL;
 }
 for (n = 0; n < count; n++) {
- k = load_env_file(pglob.gl_pathv[n], NULL, &p);
+ k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
 if (k < 0) {
 if (ignore)
 continue;
@@ -2055,8 +2074,8 @@ int exec_context_load_environment(const ExecContext *c, char ***l) {
 }
 static bool tty_may_match_dev_console(const char *tty) {
- char *active = NULL, *console;
- bool b;
+ _cleanup_free_ char *active = NULL;
+ char *console;
 if (startswith(tty, "/dev/"))
 tty += 5;
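Review bot: In the hunk at -1593,8 +1595,9, `context->protect_home` and `context->protect_system` go in as two adjacent positional arguments, and nothing visible in the hunk ties that order to the callee's parameter list. If both parameters are plain C enums, a swapped pair would compile without a diagnostic and the unit would silently get the wrong protection on each tree. The gating condition in the previous hunk (-1569,7 +1569,9) tests them in the opposite order, system then home, which makes a slip harder to spot. Please check the order against the prototype and pin it at the call site, for example with `/* order as in the prototype: protect_home, then protect_system */` above the two lines. The call begins above the hunk, so the callee itself is not visible here.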
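Review bot: In the SELinux block added by the hunk at -1727,6 +1730,22, `err = setexeccon(label);` stores libselinux's bare -1 on failure, while the other failure paths visible in exec_spawn store a negative errno (`err = -errno; r = EXIT_TIMERSLACK;` in the -1465 hunk). Whatever fail_child reports would then presumably read as EPERM regardless of the real cause, which misleads anyone diagnosing a refused label transition. Writing it as `if (setexeccon(label) < 0) { err = -errno; r = EXIT_SELINUX_CONTEXT; goto fail_child; }` keeps the code meaningful. The block also hands `socket_fd` to label_get_child_label() with no visible check that a socket was actually passed. That helper is outside the hunk, so confirm it fails closed on a negative descriptor when `selinux_label_via_net` is set on a unit without one. fail_child and the rest of exec_spawn are outside the hunk.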
@@ -2071,10 +2090,7 @@ static bool tty_may_match_dev_console(const char *tty) {
 return true;
 /* "tty0" means the active VC, so it may be the same sometimes */
- b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
- free(active);
-
- return b;
+ return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
 }
 bool exec_context_may_touch_console(ExecContext *ec) {
@@ -2111,7 +2127,10 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 "%sPrivateTmp: %s\n"
 "%sPrivateNetwork: %s\n"
 "%sPrivateDevices: %s\n"
- "%sIgnoreSIGPIPE: %s\n",
+ "%sProtectHome: %s\n"
+ "%sProtectSystem: %s\n"
+ "%sIgnoreSIGPIPE: %s\n"
+ "%sSELinuxLabelViaNet: %s\n",
 prefix, c->umask,
 prefix, c->working_directory ? c->working_directory : "/",
 prefix, c->root_directory ? c->root_directory : "/",
@@ -2119,7 +2138,10 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 prefix, yes_no(c->private_tmp),
 prefix, yes_no(c->private_network),
 prefix, yes_no(c->private_devices),
- prefix, yes_no(c->ignore_sigpipe));
+ prefix, protect_home_to_string(c->protect_home),
+ prefix, protect_system_to_string(c->protect_system),
+ prefix, yes_no(c->ignore_sigpipe),
+ prefix, yes_no(c->selinux_label_via_net));
 STRV_FOREACH(e, c->environment)
 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
@@ -2174,7 +2196,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 fputs("\n", f);
 }
- if (c->timer_slack_nsec != (nsec_t) -1)
+ if (c->timer_slack_nsec != NSEC_INFINITY)
 fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
 fprintf(f,
@@ -2460,10 +2482,10 @@ char *exec_command_line(char **argv) {
 }
 void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
- char *p2;
+ _cleanup_free_ char *p2 = NULL;
 const char *prefix2;
- char *cmd;
+ _cleanup_free_ char *cmd = NULL;
 assert(c);
 assert(f);
@@ -2479,11 +2501,7 @@ void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
 "%sCommand Line: %s\n",
 prefix, cmd ? cmd : strerror(ENOMEM));
- free(cmd);
-
 exec_status_dump(&c->exec_status, f, prefix2);
-
- free(p2);
 }
 void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {