X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fselinux-access.c;h=f6389584f75ae4a77bb7fffd9c1a9eaea70eaea1;hp=184f202c1e698c43ed19bda1c5df9101fa7abe1b;hb=05bae4a60c32e29797597979cee2f3684eb3bc1e;hpb=e94937df954451eb4aa63573f0d7404ed2db987e
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 184f202c1..f6389584f 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -53,7 +53,7 @@ struct audit_info {
 
 /*
    Any time an access gets denied this callback will be called
-   with the aduit data. We then need to just copy the audit data into the msgbuf.
+   with the audit data. We then need to just copy the audit data into the msgbuf.
 */
 static int audit_callback(
                 void *auditdata,
@@ -64,14 +64,20 @@ static int audit_callback(
         const struct audit_info *audit = auditdata;
         uid_t uid = 0, login_uid = 0;
         gid_t gid = 0;
+        char login_uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+        char uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+        char gid_buf[DECIMAL_STR_MAX(gid_t)] = "n/a";
 
-        sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid);
-        sd_bus_creds_get_uid(audit->creds, &uid);
-        sd_bus_creds_get_gid(audit->creds, &gid);
+        if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
+                snprintf(login_uid_buf, sizeof(login_uid_buf), UID_FMT, login_uid);
+        if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
+                snprintf(uid_buf, sizeof(uid_buf), UID_FMT, uid);
+        if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
+                snprintf(gid_buf, sizeof(gid_buf), GID_FMT, gid);
 
         snprintf(msgbuf, msgbufsize,
-                 "auid=%d uid=%d gid=%d%s%s%s%s%s%s",
-                 login_uid, uid, gid,
+                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+                 login_uid_buf, uid_buf, gid_buf,
                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
                  audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
 
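Review bot: The rewritten `snprintf` still splices `audit->path` and `audit->cmdline` into the record verbatim between `"` characters, and cmdline is the sender's own argv (it is requested via SD_BUS_CREDS_CMDLINE), so a client can put `" uid="0` or a newline into its argv[0] and forge fields in the AVC audit line that auditd consumers and SIEM parsers split on. Both strings should be escaped before they reach the format string — `cescape()` from util.h if it is reachable here, or hex-encoded the way libaudit treats untrusted strings — with the quoting kept only around the escaped copy; a rewrite of that part is below. Separately, `uid=`/`gid=` now carry the sender's effective IDs (sd_bus_creds_get_euid/egid) rather than the real ones, which deserves a one-line comment such as `/* uid=/gid= are the sender's effective IDs, "n/a" when the bus did not supply them */` since audit tooling generally reads uid= as the real UID. audit_callback's parameter list starts outside the hunk.
```c
        _cleanup_free_ char *path = NULL, *cmdline = NULL;
        /* … unchanged: login_uid/uid/gid buffer setup … */

        /* path and cmdline are untrusted (cmdline is the peer's own argv); escape them so an
         * embedded '"' or newline cannot inject extra key="value" fields into the audit record.
         * On allocation failure the field is simply omitted. */
        if (audit->path)
                path = cescape(audit->path);
        if (audit->cmdline)
                cmdline = cescape(audit->cmdline);

        snprintf(msgbuf, msgbufsize,
                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
                 login_uid_buf, uid_buf, gid_buf,
                 path ? " path=\"" : "", strempty(path), path ? "\"" : "",
                 cmdline ? " cmdline=\"" : "", strempty(cmdline), cmdline ? "\"" : "");
```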
@@ -106,7 +112,7 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 #endif
 
         va_start(ap, fmt);
-        log_metav(LOG_USER | LOG_INFO, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
+        log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
         va_end(ap);
 
         return 0;
@@ -120,10 +126,8 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 static int access_init(void) {
         int r = 0;
 
-        if (avc_open(NULL, 0)) {
-                log_error("avc_open() failed: %m");
-                return -errno;
-        }
+        if (avc_open(NULL, 0))
+                return log_error_errno(errno, "avc_open() failed: %m");
 
         selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
         selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
@@ -136,13 +140,13 @@ static int access_init(void) {
         return r;
 }
 
-static int selinux_access_init(sd_bus_error *error) {
+static int mac_selinux_access_init(sd_bus_error *error) {
         int r;
 
         if (initialized)
                 return 0;
 
-        if (!use_selinux())
+        if (!mac_selinux_use())
                 return 0;
 
         r = access_init();
@@ -152,14 +156,17 @@ static int selinux_access_init(sd_bus_error *error) {
         initialized = true;
         return 0;
 }
+#endif
 
-void selinux_access_free(void) {
+void mac_selinux_access_free(void) {
 
+#ifdef HAVE_SELINUX
         if (!initialized)
                 return;
 
         avc_destroy();
         initialized = false;
+#endif
 }
 
 /*
@@ -168,12 +175,13 @@ void selinux_access_free(void) {
    If the machine is in permissive mode it will return ok. Audit messages will
    still be generated if the access would be denied in enforcing mode.
 */
-int selinux_generic_access_check(
+int mac_selinux_generic_access_check(
                 sd_bus_message *message,
                 const char *path,
                 const char *permission,
                 sd_bus_error *error) {
 
+#ifdef HAVE_SELINUX
         _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
         const char *tclass = NULL, *scon = NULL;
         struct audit_info audit_info = {};
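Review bot: The new `log_internalv(LOG_AUTH | LOG_INFO, 0, …)` call still discards the `type` argument, so everything libselinux reports through this path — including SELINUX_ERROR, e.g. a failure to set up the AVC — lands at LOG_INFO, where auth-log filtering routinely drops it. Derive the priority from the type, e.g. `log_internalv(LOG_AUTH | (type == SELINUX_ERROR ? LOG_ERR : type == SELINUX_WARNING ? LOG_WARNING : LOG_INFO), 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);`. Whatever the conditional block closed by the `#endif` context line already handles (presumably the SELINUX_AVC case) is outside the hunk, so this applies only to messages that fall through to this call. log_callback's body starts outside the hunk.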
@@ -186,18 +194,19 @@ int selinux_generic_access_check(
         assert(permission);
         assert(error);
 
-        if (!use_selinux())
+        if (!mac_selinux_use())
                 return 0;
 
-        r = selinux_access_init(error);
+        r = mac_selinux_access_init(error);
         if (r < 0)
                 return r;
 
         r = sd_bus_query_sender_creds(
                         message,
-                        SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|
+                        SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
                         SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
-                        SD_BUS_CREDS_SELINUX_CONTEXT,
+                        SD_BUS_CREDS_SELINUX_CONTEXT|
+                        SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
                         &creds);
         if (r < 0)
                 goto finish;
@@ -248,13 +257,17 @@ finish:
         }
 
         return r;
+#else
+        return 0;
+#endif
 }
 
-int selinux_unit_access_check_strv(char **units,
+int mac_selinux_unit_access_check_strv(char **units,
                                 sd_bus_message *message,
                                 Manager *m,
                                 const char *permission,
                                 sd_bus_error *error) {
+#ifdef HAVE_SELINUX
         char **i;
         Unit *u;
         int r;
@@ -262,35 +275,11 @@ int selinux_unit_access_check_strv(char **units,
         STRV_FOREACH(i, units) {
                 u = manager_get_unit(m, *i);
                 if (u) {
-                        r = selinux_unit_access_check(u, message, permission, error);
+                        r = mac_selinux_unit_access_check(u, message, permission, error);
                         if (r < 0)
                                 return r;
                 }
         }
-
-        return 0;
-}
-
-#else
-
-int selinux_generic_access_check(
-                sd_bus_message *message,
-                const char *path,
-                const char *permission,
-                sd_bus_error *error) {
-
-        return 0;
-}
-
-void selinux_access_free(void) {
-}
-
-int selinux_unit_access_check_strv(char **units,
-                sd_bus_message *message,
-                Manager *m,
-                const char *permission,
-                sd_bus_error *error) {
+#endif
         return 0;
 }
-
-#endif
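Review bot: Adding SD_BUS_CREDS_AUGMENT lets sd-bus fill any field the bus daemon did not attach — SD_BUS_CREDS_SELINUX_CONTEXT included — from /proc/PID, and that lookup is keyed on a PID that can already have been recycled when it runs, so the subject context (`scon`) this function presumably hands to the AVC decision may describe a different process than the sender. Augmented data is fine for the cmdline that only decorates the audit record, but the context the decision rests on should come from the daemon: after the query, test `sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT` (if this sd-bus exposes it) and fail closed, e.g. `r = -EPERM; goto finish;`, or at minimum log that the context was augmented. The inline comment should also say which bits are acceptable to augment, e.g. `/* augment from /proc: acceptable for the audit-record cmdline, not for the context the decision uses */`. The rest of mac_selinux_generic_access_check, including where the context is read, lies outside the hunk.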