selinux: make sure we do not try to print missing fields

[elogind.git] / src / core / selinux-access.c

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 53e08af395f1dcefcd907ad4d4d29f7321ea178e..351d48f8a45cf026a55a703e5800cc47cea869d3 100644 (file)
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -53,7 +53,7 @@ struct audit_info {
 
 /*
    Any time an access gets denied this callback will be called
-   with the aduit data.  We then need to just copy the audit data into the msgbuf.
+   with the audit data.  We then need to just copy the audit data into the msgbuf.
 */
 static int audit_callback(
                 void *auditdata,
@@ -64,14 +64,20 @@ static int audit_callback(
         const struct audit_info *audit = auditdata;
         uid_t uid = 0, login_uid = 0;
         gid_t gid = 0;
+        char login_uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+        char uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+        char gid_buf[DECIMAL_STR_MAX(gid_t)] = "n/a";
 
-        sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid);
-        sd_bus_creds_get_uid(audit->creds, &uid);
-        sd_bus_creds_get_gid(audit->creds, &gid);
+        if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
+                snprintf(login_uid_buf, sizeof(login_uid_buf), UID_FMT, login_uid);
+        if (sd_bus_creds_get_uid(audit->creds, &uid) >= 0)
+                snprintf(uid_buf, sizeof(uid_buf), UID_FMT, uid);
+        if (sd_bus_creds_get_gid(audit->creds, &gid) >= 0)
+                snprintf(gid_buf, sizeof(gid_buf), GID_FMT, gid);
 
         snprintf(msgbuf, msgbufsize,
-                 "auid=%d uid=%d gid=%d%s%s%s%s%s%s",
-                 login_uid, uid, gid,
+                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+                 login_uid_buf, uid_buf, gid_buf,
                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
                  audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
 
@@ -142,7 +148,7 @@ static int selinux_access_init(sd_bus_error *error) {
         if (initialized)
                 return 0;
 
-        if (!use_selinux())
+        if (!mac_selinux_use())
                 return 0;
 
         r = access_init();
@@ -186,7 +192,7 @@ int selinux_generic_access_check(
         assert(permission);
         assert(error);
 
-        if (!use_selinux())
+        if (!mac_selinux_use())
                 return 0;
 
         r = selinux_access_init(error);
@@ -250,10 +256,30 @@ finish:
         return r;
 }
 
+int selinux_unit_access_check_strv(char **units,
+                                sd_bus_message *message,
+                                Manager *m,
+                                const char *permission,
+                                sd_bus_error *error) {
+        char **i;
+        Unit *u;
+        int r;
+
+        STRV_FOREACH(i, units) {
+                u = manager_get_unit(m, *i);
+                if (u) {
+                        r = selinux_unit_access_check(u, message, permission, error);
+                        if (r < 0)
+                                return r;
+                }
+        }
+
+        return 0;
+}
+
 #else
 
 int selinux_generic_access_check(
-                sd_bus *bus,
                 sd_bus_message *message,
                 const char *path,
                 const char *permission,
@@ -265,4 +291,12 @@ int selinux_generic_access_check(
 void selinux_access_free(void) {
 }
 
+int selinux_unit_access_check_strv(char **units,
+                                sd_bus_message *message,
+                                Manager *m,
+                                const char *permission,
+                                sd_bus_error *error) {
+        return 0;
+}
+
 #endif