X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fshared%2Fselinux-util.c;h=c59ad31edaef623caa59e19d0db6cdaf822fe530;hb=7f416dae9bcf1cfb63689ee9ac851adf738f072b;hp=5a5bfbdb0a9f020bab09530b107dc2d76fe20b2b;hpb=6baa7db00812437bbc87e73faa1a11b6cf631958;p=elogind.git diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index 5a5bfbdb0..c59ad31ed 100644 --- a/src/shared/selinux-util.c +++ b/src/shared/selinux-util.c @@ -113,22 +113,25 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { #ifdef HAVE_SELINUX struct stat st; - security_context_t fcon; + assert(path); + + /* if mac_selinux_init() wasn't called before we are a NOOP */ if (!label_hnd) return 0; r = lstat(path, &st); - if (r == 0) { + if (r >= 0) { + _cleanup_security_context_free_ security_context_t fcon = NULL; + r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode); /* If there's no label to set, then exit without warning */ if (r < 0 && errno == ENOENT) return 0; - if (r == 0) { + if (r >= 0) { r = lsetfilecon(path, fcon); - freecon(fcon); /* If the FS doesn't support labels, then exit without warning */ if (r < 0 && errno == ENOTSUP) @@ -144,8 +147,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { if (ignore_erofs && errno == EROFS) return 0; - log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, - "Unable to fix label of %s: %m", path); + log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path); r = security_getenforce() == 1 ? -errno : 0; } #endif @@ -156,46 +158,38 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { void mac_selinux_finish(void) { #ifdef HAVE_SELINUX - if (!mac_selinux_use()) + if (!label_hnd) return; - if (label_hnd) - selabel_close(label_hnd); + selabel_close(label_hnd); #endif } int mac_selinux_get_create_label_from_exe(const char *exe, char **label) { - - int r = 0; + int r = -EOPNOTSUPP; #ifdef HAVE_SELINUX - security_context_t mycon = NULL, fcon = NULL; + _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL; security_class_t sclass; - if (!mac_selinux_use()) { - *label = NULL; - return 0; - } + assert(exe); + assert(label); + + if (!mac_selinux_use()) + return -EOPNOTSUPP; r = getcon(&mycon); if (r < 0) - goto fail; + return -errno; r = getfilecon(exe, &fcon); if (r < 0) - goto fail; + return -errno; sclass = string_to_security_class("process"); r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label); - if (r == 0) - log_debug("SELinux Socket context for %s will be set to %s", exe, *label); - -fail: - if (r < 0 && security_getenforce() == 1) - r = -errno; - - freecon(mycon); - freecon(fcon); + if (r < 0) + return -errno; #endif return r; @@ -204,14 +198,15 @@ fail: int mac_selinux_get_our_label(char **label) { int r = -EOPNOTSUPP; + assert(label); + #ifdef HAVE_SELINUX - char *l = NULL; + if (!mac_selinux_use()) + return -EOPNOTSUPP; - r = getcon(&l); + r = getcon(label); if (r < 0) - return r; - - *label = l; + return -errno; #endif return r; @@ -221,91 +216,65 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label int r = -EOPNOTSUPP; #ifdef HAVE_SELINUX - - _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL; + _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL; _cleanup_context_free_ context_t pcon = NULL, bcon = NULL; security_class_t sclass; - const char *range = NULL; assert(socket_fd >= 0); assert(exe); assert(label); + if (!mac_selinux_use()) + return -EOPNOTSUPP; + r = getcon(&mycon); - if (r < 0) { - r = -EINVAL; - goto out; - } + if (r < 0) + return -errno; r = getpeercon(socket_fd, &peercon); - if (r < 0) { - r = -EINVAL; - goto out; - } + if (r < 0) + return -errno; r = getexeccon(&fcon); - if (r < 0) { - r = -EINVAL; - goto out; - } + if (r < 0) + return -errno; if (!fcon) { /* If there is no context set for next exec let's use context of target executable */ r = getfilecon(exe, &fcon); - if (r < 0) { - r = -errno; - goto out; - } + if (r < 0) + return -errno; } bcon = context_new(mycon); - if (!bcon) { - r = -ENOMEM; - goto out; - } + if (!bcon) + return -ENOMEM; pcon = context_new(peercon); - if (!pcon) { - r = -ENOMEM; - goto out; - } + if (!pcon) + return -ENOMEM; range = context_range_get(pcon); - if (!range) { - r = -errno; - goto out; - } + if (!range) + return -errno; r = context_range_set(bcon, range); - if (r) { - r = -errno; - goto out; - } + if (r) + return -errno; freecon(mycon); mycon = strdup(context_str(bcon)); - if (!mycon) { - r = -errno; - goto out; - } + if (!mycon) + return -ENOMEM; sclass = string_to_security_class("process"); - r = security_compute_create(mycon, fcon, sclass, &ret); - if (r < 0) { - r = -EINVAL; - goto out; - } - - *label = ret; - ret = NULL; - r = 0; - -out: - if (r < 0 && security_getenforce() == 1) - return r; + r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label); + if (r < 0) + return -errno; #endif + return r; } @@ -313,7 +282,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) { int r = 0; #ifdef HAVE_SELINUX - security_context_t filecon = NULL; + _cleanup_security_context_free_ security_context_t filecon = NULL; if (!mac_selinux_use() || !label_hnd) return 0; @@ -327,8 +296,6 @@ int mac_selinux_context_set(const char *path, mode_t mode) { log_error("Failed to set SELinux file context on %s: %m", path); r = -errno; } - - freecon(filecon); } if (r < 0 && security_getenforce() == 0) @@ -395,7 +362,7 @@ int mac_selinux_mkdir(const char *path, mode_t mode) { #ifdef HAVE_SELINUX /* Creates a directory and labels it according to the SELinux policy */ - security_context_t fcon = NULL; + _cleanup_security_context_free_ security_context_t fcon = NULL; if (!label_hnd) return 0; @@ -430,7 +397,6 @@ int mac_selinux_mkdir(const char *path, mode_t mode) { finish: setfscreatecon(NULL); - freecon(fcon); #endif return r; @@ -441,7 +407,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { /* Binds a socket and label its file system object according to the SELinux policy */ #ifdef HAVE_SELINUX - security_context_t fcon = NULL; + _cleanup_security_context_free_ security_context_t fcon = NULL; const struct sockaddr_un *un; char *path; int r; @@ -498,8 +464,6 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { finish: setfscreatecon(NULL); - freecon(fcon); - return r; skipped: