-/*
- Define a mapping between the systemd method calls and the SELinux access to check.
- We define two tables, one for access checks on unit files, and one for
- access checks for the system in general.
-
- If we do not find a match in either table, then the "undefined" system
- check will be called.
-*/
-
-static const char unit_methods[] =
- "DisableUnitFiles\0" "disable\0"
- "EnableUnitFiles\0" "enable\0"
- "GetUnit\0" "status\0"
- "GetUnitFileState\0" "status\0"
- "Kill\0" "stop\0"
- "KillUnit\0" "stop\0"
- "LinkUnitFiles\0" "enable\0"
- "MaskUnitFiles\0" "disable\0"
- "PresetUnitFiles\0" "enable\0"
- "ReenableUnitFiles\0" "enable\0"
- "ReloadOrRestart\0" "start\0"
- "ReloadOrRestartUnit\0" "start\0"
- "ReloadOrTryRestart\0" "start\0"
- "ReloadOrTryRestartUnit\0" "start\0"
- "Reload\0" "reload\0"
- "ReloadUnit\0" "reload\0"
- "ResetFailedUnit\0" "stop\0"
- "Restart\0" "start\0"
- "RestartUnit\0" "start\0"
- "Start\0" "start\0"
- "StartUnit\0" "start\0"
- "StartUnitReplace\0" "start\0"
- "Stop\0" "stop\0"
- "StopUnit\0" "stop\0"
- "TryRestart\0" "start\0"
- "TryRestartUnit\0" "start\0"
- "UnmaskUnitFiles\0" "enable\0";
-
-static const char system_methods[] =
- "ClearJobs\0" "reboot\0"
- "CreateSnapshot\0" "status\0"
- "Dump\0" "status\0"
- "Exit\0" "halt\0"
- "FlushDevices\0" "halt\0"
- "Get\0" "status\0"
- "GetAll\0" "status\0"
- "GetJob\0" "status\0"
- "GetSeat\0" "status\0"
- "GetSession\0" "status\0"
- "GetSessionByPID\0" "status\0"
- "GetUnitByPID\0" "status\0"
- "GetUser\0" "status\0"
- "Halt\0" "halt\0"
- "Introspect\0" "status\0"
- "KExec\0" "reboot\0"
- "KillSession\0" "halt\0"
- "KillUser\0" "halt\0"
- "LoadUnit\0" "reload\0"
- "ListJobs\0" "status\0"
- "ListSeats\0" "status\0"
- "ListSessions\0" "status\0"
- "ListUnits\0" "status\0"
- "ListUnitFiles\0" "status\0"
- "ListUsers\0" "status\0"
- "LockSession\0" "halt\0"
- "PowerOff\0" "halt\0"
- "Reboot\0" "reboot\0"
- "Reload\0" "reload\0"
- "Reexecute\0" "reload\0"
- "ResetFailed\0" "reload\0"
- "Subscribe\0" "status\0"
- "SwithcRoot\0" "reboot\0"
- "SetEnvironment\0" "status\0"
- "SetUserLinger\0" "halt\0"
- "TerminateSeat\0" "halt\0"
- "TerminateSession\0" "halt\0"
- "TerminateUser\0" "halt\0"
- "Unsubscribe\0" "status\0"
- "UnsetEnvironment\0" "status\0"
- "UnsetAndSetEnvironment\0" "status\0";
-
-/*
- If the admin toggles the selinux enforcment mode this callback
- will get called before the next access check
-*/
-static int setenforce_callback(int enforcing)
-{
- selinux_enforcing = enforcing;
- return 0;
-}
-
-/* This mimics dbus_bus_get_unix_user() */
-static int bus_get_selinux_security_context(
- DBusConnection *connection,
- const char *name,
- char **scon,
- DBusError *error) {
-
- DBusMessage *m = NULL, *reply = NULL;
- int r;
-
- m = dbus_message_new_method_call(
- DBUS_SERVICE_DBUS,
- DBUS_PATH_DBUS,
- DBUS_INTERFACE_DBUS,
- "GetConnectionSELinuxSecurityContext");
- if (!m) {
- r = -errno;
- dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, NULL);
- goto finish;
- }
-
- r = dbus_message_append_args(
- m,
- DBUS_TYPE_STRING, &name,
- DBUS_TYPE_INVALID);
- if (!r) {
- r = -errno;
- dbus_set_error_const(error, DBUS_ERROR_NO_MEMORY, NULL);
- goto finish;
- }
-
- reply = dbus_connection_send_with_reply_and_block(connection, m, -1, error);
- if (!reply) {
- r = -errno;
- goto finish;
- }
-
- r = dbus_set_error_from_message(error, reply);
- if (!r) {
- r = -errno;
- goto finish;
- }
-
- r = dbus_message_get_args(
- reply, error,
- DBUS_TYPE_STRING, scon,
- DBUS_TYPE_INVALID);
- if (!r) {
- r = -errno;
- goto finish;
- }
-
- r = 0;
-finish:
- if (m)
- dbus_message_unref(m);
-
- if (reply)
- dbus_message_unref(reply);
-
- return r;
-}
-
-/* This mimics dbus_bus_get_unix_user() */
-static int bus_get_audit_data(
- DBusConnection *connection,
- const char *name,
- struct auditstruct *audit,
- DBusError *error) {
-
- pid_t pid;
- int r;
-
- pid = bus_get_unix_process_id(connection, name, error);
- if (pid <= 0)
- return -EINVAL;
-
- r = audit_loginuid_from_pid(pid, &audit->loginuid);
- if (r < 0)
- return r;
-
- r = get_process_uid(pid, &audit->uid);
- if (r < 0)
- return r;
-
- r = get_process_gid(pid, &audit->gid);
- if (r < 0)
- return r;
-
- r = get_process_cmdline(pid, LINE_MAX, true, &audit->cmdline);
- if (r < 0)
- return r;
-
- return 0;
-}
-