#include <sys/epoll.h>
#include <signal.h>
#include <arpa/inet.h>
-#include <selinux/selinux.h>
#include "unit.h"
#include "socket.h"
#include "missing.h"
#include "special.h"
#include "bus-errors.h"
+#include "label.h"
static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
[SOCKET_DEAD] = UNIT_INACTIVE,
if (r < 0)
return r;
+ u->meta.no_gc = true;
s->service = SERVICE(u);
return 0;
}
if ((r = unit_add_two_dependencies_by_name(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, SPECIAL_SYSINIT_TARGET, NULL, true)) < 0)
return r;
- return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_SHUTDOWN_TARGET, NULL, true);
+ return unit_add_two_dependencies_by_name(UNIT(s), UNIT_BEFORE, UNIT_CONFLICTED_BY, SPECIAL_SHUTDOWN_TARGET, NULL, true);
}
static int socket_load(Unit *u) {
if (p->type == SOCKET_SOCKET) {
const char *t;
int r;
- char *k;
+ char *k = NULL;
if ((r = socket_address_print(&p->address, &k)) < 0)
t = strerror(-r);
else
t = k;
- fprintf(f, "%s%s: %s\n", prefix, listen_lookup(p->address.type), k);
+ fprintf(f, "%s%s: %s\n", prefix, listen_lookup(p->address.type), t);
free(k);
} else
fprintf(f, "%sListenFIFO: %s\n", prefix, p->path);
log_warning("F_SETPIPE_SZ: %m");
}
-static int selinux_getconfromexe(
- const char *exe,
- security_context_t *newcon) {
-
- security_context_t mycon = NULL, fcon = NULL;
- security_class_t sclass;
- int r = 0;
-
- r = getcon(&mycon);
- if (r < 0)
- goto fail;
-
- r = getfilecon(exe, &fcon);
- if (r < 0)
- goto fail;
-
- sclass = string_to_security_class("process");
- r = security_compute_create(mycon, fcon, sclass, newcon);
-
-fail:
- if (r < 0)
- r = -errno;
-
- freecon(mycon);
- freecon(fcon);
- return r;
-}
-
-static int selinux_getfileconfrompath(
- const security_context_t scon,
- const char *path,
- const char *class,
- security_context_t *fcon) {
-
- security_context_t dir_con = NULL;
- security_class_t sclass;
- int r = 0;
-
- r = getfilecon(path, &dir_con);
- if (r >= 0) {
- r = -1;
- if ((sclass = string_to_security_class(class)) != 0)
- r = security_compute_create(scon, dir_con, sclass, fcon);
- }
- if (r < 0)
- r = -errno;
-
- freecon(dir_con);
- return r;
-}
static int fifo_address_create(
const char *path,
mode_t directory_mode,
mode_t socket_mode,
- security_context_t scon,
+ const char *label,
int *_fd) {
int fd = -1, r = 0;
struct stat st;
mode_t old_mask;
- security_context_t filecon = NULL;
assert(path);
assert(_fd);
mkdir_parents(path, directory_mode);
- if (scon) {
- if (scon && ((r = selinux_getfileconfrompath(scon, path, "fifo_file", &filecon)) == 0)) {
- r = setfscreatecon(filecon);
-
- if (r < 0) {
- log_error("Failed to set SELinux file context (%s) on %s: %m", scon, path);
- r = -errno;
- }
-
- freecon(filecon);
- }
-
- if (r < 0 && security_getenforce() == 1)
- goto fail;
- }
+ if ((r = label_fifofile_set(label, path)) < 0)
+ goto fail;
/* Enforce the right access mode for the fifo */
old_mask = umask(~ socket_mode);
goto fail;
}
- setfscreatecon(NULL);
+ label_file_clear();
if (fstat(fd, &st) < 0) {
r = -errno;
return 0;
fail:
- setfscreatecon(NULL);
+ label_file_clear();
+
if (fd >= 0)
close_nointr_nofail(fd);
static int socket_open_fds(Socket *s) {
SocketPort *p;
int r;
- security_context_t scon = NULL;
+ char *label = NULL;
assert(s);
if ((r = socket_instantiate_service(s)) < 0)
return r;
- if (selinux_getconfromexe(s->service->exec_command[SERVICE_EXEC_START]->path, &scon) < 0) {
- log_error("Failed to get SELinux exec context for %s \n", s->service->exec_command[SERVICE_EXEC_START]->path);
- if (security_getenforce() == 1)
- return -errno;
- }
+ if ((r = label_get_socket_label_from_exe(s->service->exec_command[SERVICE_EXEC_START]->path, &label)) < 0)
+ return r;
- log_debug("SELinux Socket context for %s set to %s\n", s->service->exec_command[SERVICE_EXEC_START]->path, scon);
LIST_FOREACH(port, p, s->ports) {
if (p->fd >= 0)
s->free_bind,
s->directory_mode,
s->socket_mode,
- scon,
+ label,
&p->fd)) < 0)
goto rollback;
p->path,
s->directory_mode,
s->socket_mode,
- scon,
+ label,
&p->fd)) < 0)
goto rollback;
assert_not_reached("Unknown port type");
}
- freecon(scon);
+ label_free(label);
return 0;
rollback:
socket_close_fds(s);
- freecon(scon);
+ label_free(label);
return r;
}
s->service = NULL;
s->n_accepted ++;
+ service->meta.no_gc = false;
+
unit_choose_id(UNIT(service), name);
free(name);
static int socket_deserialize_item(Unit *u, const char *key, const char *value, FDSet *fds) {
Socket *s = SOCKET(u);
- int r;
assert(u);
assert(key);
} else if (streq(key, "n-accepted")) {
unsigned k;
- if ((r = safe_atou(value, &k)) < 0)
+ if (safe_atou(value, &k) < 0)
log_debug("Failed to parse n-accepted value %s", value);
else
s->n_accepted += k;
} else if (streq(key, "control-pid")) {
pid_t pid;
- if ((r = parse_pid(value, &pid)) < 0)
+ if (parse_pid(value, &pid) < 0)
log_debug("Failed to parse control-pid value %s", value);
else
s->control_pid = pid;
if (p->fd >= 0)
rn_fds++;
- if (!(rfds = new(int, rn_fds)) < 0)
+ if (!(rfds = new(int, rn_fds)))
return -ENOMEM;
k = 0;
~ianmdlvl / elogind.git / blobdiff