X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fselinux-access.c;h=bc195f3c56e746746bd03d3a5cb2edc0baeb9f34;hb=a6b26d9011de60e1c41f51e8d2aab1d2f7bbf0f5;hp=3a244ad9ffab422c0bcbd829fe529d01dc778735;hpb=cad45ba11ec3572296361f53f5852ffb97a97fa3;p=elogind.git

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 3a244ad9f..bc195f3c5 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -19,32 +19,30 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
-#include "util.h"
-#include "job.h"
-#include "manager.h"
 #include "selinux-access.h"
 
 #ifdef HAVE_SELINUX
-#include "dbus.h"
-#include "log.h"
-#include "dbus-unit.h"
-#include "bus-errors.h"
-#include "dbus-common.h"
-#include "audit.h"
-#include "selinux-util.h"
 
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
+#include <limits.h>
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
 #ifdef HAVE_AUDIT
 #include <libaudit.h>
 #endif
-#include <limits.h>
+#include <dbus.h>
+
+#include "util.h"
+#include "log.h"
+#include "bus-errors.h"
+#include "dbus-common.h"
+#include "audit.h"
+#include "selinux-util.h"
+#include "audit-fd.h"
 
 static bool initialized = false;
-static int audit_fd = -1;
 
 struct auditstruct {
         const char *path;
@@ -61,6 +59,10 @@ static int bus_get_selinux_security_context(
                 DBusError *error) {
 
         _cleanup_dbus_message_unref_ DBusMessage *m = NULL, *reply = NULL;
+        DBusMessageIter iter, sub;
+        const char *bytes;
+        char *b;
+        int nbytes;
 
         m = dbus_message_new_method_call(
                         DBUS_SERVICE_DBUS,
@@ -87,12 +89,21 @@ static int bus_get_selinux_security_context(
         if (dbus_set_error_from_message(error, reply))
                 return -EIO;
 
-        if (!dbus_message_get_args(
-                            reply, error,
-                            DBUS_TYPE_STRING, scon,
-                            DBUS_TYPE_INVALID))
+        if (!dbus_message_iter_init(reply, &iter))
                 return -EIO;
 
+        if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY)
+                return -EIO;
+
+        dbus_message_iter_recurse(&iter, &sub);
+        dbus_message_iter_get_fixed_array(&sub, &bytes, &nbytes);
+
+        b = strndup(bytes, nbytes);
+        if (!b)
+                return -ENOMEM;
+
+        *scon = b;
+
         return 0;
 }
 
@@ -121,7 +132,7 @@ static int bus_get_audit_data(
         if (r < 0)
                 return r;
 
-        r = get_process_cmdline(pid, LINE_MAX, true, &audit->cmdline);
+        r = get_process_cmdline(pid, 0, true, &audit->cmdline);
         if (r < 0)
                 return r;
 
@@ -169,14 +180,19 @@ static int log_callback(int type, const char *fmt, ...) {
         va_start(ap, fmt);
 
 #ifdef HAVE_AUDIT
-        if (audit_fd >= 0) {
-                char buf[LINE_MAX];
+        if (get_audit_fd() >= 0) {
+                _cleanup_free_ char *buf = NULL;
+                int r;
 
-                vsnprintf(buf, sizeof(buf), fmt, ap);
-                audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                r = vasprintf(&buf, fmt, ap);
                 va_end(ap);
 
-                return 0;
+                if (r >= 0) {
+                        audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                        return 0;
+                }
+
+                va_start(ap, fmt);
         }
 #endif
         log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
@@ -210,12 +226,9 @@ static int access_init(void) {
         return r;
 }
 
-static int selinux_init(Manager *m, DBusError *error) {
+static int selinux_access_init(DBusError *error) {
         int r;
 
-#ifdef HAVE_AUDIT
-        audit_fd = m->audit_fd;
-#endif
         if (initialized)
                 return 0;
 
@@ -231,6 +244,14 @@ static int selinux_init(Manager *m, DBusError *error) {
         return 0;
 }
 
+void selinux_access_free(void) {
+        if (!initialized)
+                return;
+
+        avc_destroy();
+        initialized = false;
+}
+
 static int get_audit_data(
                 DBusConnection *connection,
                 DBusMessage *message,
@@ -240,7 +261,7 @@ static int get_audit_data(
         const char *sender;
         int r, fd;
         struct ucred ucred;
-        socklen_t len;
+        socklen_t len = sizeof(ucred);
 
         sender = dbus_message_get_sender(message);
         if (sender)
@@ -262,7 +283,7 @@ static int get_audit_data(
         if (r < 0)
                 return r;
 
-        r = get_process_cmdline(ucred.pid, LINE_MAX, true, &audit->cmdline);
+        r = get_process_cmdline(ucred.pid, 0, true, &audit->cmdline);
         if (r < 0)
                 return r;
 
@@ -294,7 +315,8 @@ static int get_calling_context(
                 if (r >= 0)
                         return r;
 
-                log_debug("bus_get_selinux_security_context failed %m");
+                log_error("bus_get_selinux_security_context failed: %m");
+                return r;
         }
 
         if (!dbus_connection_get_unix_fd(connection, &fd)) {
@@ -317,8 +339,7 @@ static int get_calling_context(
    If the machine is in permissive mode it will return ok.  Audit messages will
    still be generated if the access would be denied in enforcing mode.
 */
-static int selinux_access_check(
-                Manager *m,
+int selinux_access_check(
                 DBusConnection *connection,
                 DBusMessage *message,
                 const char *path,
@@ -330,20 +351,17 @@ static int selinux_access_check(
         const char *tclass = NULL;
         struct auditstruct audit;
 
-        assert(m);
         assert(connection);
         assert(message);
         assert(permission);
         assert(error);
 
-        r = selinux_init(m, error);
-        if (r < 0)
-                return r;
-
         if (!use_selinux())
                 return 0;
 
-        log_debug("SELinux access check for path=%s permission=%s", strna(path), permission);
+        r = selinux_access_init(error);
+        if (r < 0)
+                return r;
 
         audit.uid = audit.loginuid = (uid_t) -1;
         audit.gid = (gid_t) -1;
@@ -403,69 +421,19 @@ finish:
         return r;
 }
 
-int selinux_unit_access_check(
-                Unit *u,
-                DBusConnection *connection,
-                DBusMessage *message,
-                const char *permission,
-                DBusError *error) {
-
-        assert(u);
-        assert(connection);
-        assert(message);
-        assert(permission);
-        assert(error);
-
-        return selinux_access_check(u->manager, connection, message, u->source_path ? u->source_path : u->fragment_path, permission, error);
-}
-
-int selinux_manager_access_check(
-                Manager *m,
-                DBusConnection *connection,
-                DBusMessage *message,
-                const char *permission,
-                DBusError *error) {
-
-        assert(m);
-        assert(connection);
-        assert(message);
-        assert(permission);
-        assert(error);
-
-        return selinux_access_check(m, connection, message, NULL, permission, error);
-}
-
-void selinux_access_finish(void) {
-        if (!initialized)
-                return;
-
-        avc_destroy();
-        initialized = false;
-}
-
 #else
 
-int selinux_unit_access_check(
-                Unit *u,
-                DBusConnection *connection,
-                DBusMessage *message,
-                const char *permission,
-                DBusError *error) {
-
-        return 0;
-}
-
-int selinux_manager_access_check(
-                Manager *m,
+int selinux_access_check(
                 DBusConnection *connection,
                 DBusMessage *message,
+                const char *path,
                 const char *permission,
                 DBusError *error) {
 
         return 0;
 }
 
-void selinux_access_finish(void) {
+void selinux_access_free(void) {
 }
 
 #endif