Revert "socket: introduce SELinuxLabelViaNet option"
authorLennart Poettering <lennart@poettering.net>
Tue, 19 Aug 2014 17:16:08 +0000 (19:16 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 19 Aug 2014 17:16:08 +0000 (19:16 +0200)
This reverts commit cf8bd44339b00330fdbc91041d6731ba8aba9fec.

Needs more discussion on the mailing list.

man/systemd.socket.xml
src/core/execute.c
src/core/execute.h
src/core/load-fragment-gperf.gperf.m4
src/core/socket.c
src/core/socket.h
src/shared/label.c
src/shared/label.h

index f376f72..4483905 100644 (file)
                         </varlistentry>
 
                         <varlistentry>
-                          <term><varname>SELinuxLabelViaNet=</varname></term>
-                          <listitem><para>Takes a boolean
-                          value. Controls whether systemd attempts to figure out
-                          SELinux label used for instantiated service from
-                          information handed by peer over the
-                          network. Configuration option has effect only
-                          on sockets with <literal>Accept=</literal>
-                          mode set to <literal>yes</literal>.</para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
                                 <term><varname>PipeSize=</varname></term>
                                 <listitem><para>Takes a size in
                                 bytes. Controls the pipe buffer size
index 1297912..d8452a6 100644 (file)
@@ -83,7 +83,6 @@
 #include "af-list.h"
 #include "mkdir.h"
 #include "apparmor-util.h"
-#include "label.h"
 
 #ifdef HAVE_SECCOMP
 #include "seccomp-util.h"
@@ -1730,22 +1729,6 @@ int exec_spawn(ExecCommand *command,
                                         goto fail_child;
                                 }
                         }
-
-                        if (context->selinux_label_via_net && use_selinux()) {
-                                _cleanup_free_ char *label = NULL;
-
-                                err = label_get_child_label(socket_fd, command->path, &label);
-                                if (err < 0) {
-                                        r = EXIT_SELINUX_CONTEXT;
-                                        goto fail_child;
-                                }
-
-                                err = setexeccon(label);
-                                if (err < 0) {
-                                        r = EXIT_SELINUX_CONTEXT;
-                                        goto fail_child;
-                                }
-                        }
 #endif
 
 #ifdef HAVE_APPARMOR
@@ -2129,8 +2112,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 "%sPrivateDevices: %s\n"
                 "%sProtectHome: %s\n"
                 "%sProtectSystem: %s\n"
-                "%sIgnoreSIGPIPE: %s\n"
-                "%sSELinuxLabelViaNet: %s\n",
+                "%sIgnoreSIGPIPE: %s\n",
                 prefix, c->umask,
                 prefix, c->working_directory ? c->working_directory : "/",
                 prefix, c->root_directory ? c->root_directory : "/",
@@ -2140,8 +2122,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 prefix, yes_no(c->private_devices),
                 prefix, protect_home_to_string(c->protect_home),
                 prefix, protect_system_to_string(c->protect_system),
-                prefix, yes_no(c->ignore_sigpipe),
-                prefix, yes_no(c->selinux_label_via_net));
+                prefix, yes_no(c->ignore_sigpipe));
 
         STRV_FOREACH(e, c->environment)
                 fprintf(f, "%sEnvironment: %s\n", prefix, *e);
index d23a980..9d05d3a 100644 (file)
@@ -136,7 +136,6 @@ struct ExecContext {
 
         bool selinux_context_ignore;
         char *selinux_context;
-        bool selinux_label_via_net;
 
         bool apparmor_profile_ignore;
         char *apparmor_profile;
index d5ff848..b4e2b25 100644 (file)
@@ -262,9 +262,6 @@ Socket.SmackLabelIPOut,          config_parse_string,                0,
 `Socket.SmackLabel,              config_parse_warn_compat,           0,                             0
 Socket.SmackLabelIPIn,           config_parse_warn_compat,           0,                             0
 Socket.SmackLabelIPOut,          config_parse_warn_compat,           0,                             0')
-m4_ifdef(`HAVE_SELINUX',
-`Socket.SELinuxLabelViaNet,      config_parse_bool,                  0,                             offsetof(Socket, selinux_label_via_net)',
-`Socket.SELinuxLabelViaNet,      config_parse_warn_compat,           0,                             0')
 EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
 CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
 KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
index 34ce1b1..a16b20d 100644 (file)
 #include <mqueue.h>
 #include <sys/xattr.h>
 
-#ifdef HAVE_SELINUX
-#include <selinux/selinux.h>
-#endif
-
 #include "sd-event.h"
 #include "log.h"
 #include "load-dropin.h"
@@ -492,8 +488,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sPassCredentials: %s\n"
                 "%sPassSecurity: %s\n"
                 "%sTCPCongestion: %s\n"
-                "%sRemoveOnStop: %s\n"
-                "%sSELinuxLabelViaNet: %s\n",
+                "%sRemoveOnStop: %s\n",
                 prefix, socket_state_to_string(s->state),
                 prefix, socket_result_to_string(s->result),
                 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
@@ -508,8 +503,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 prefix, yes_no(s->pass_cred),
                 prefix, yes_no(s->pass_sec),
                 prefix, strna(s->tcp_congestion),
-                prefix, yes_no(s->remove_on_stop),
-                prefix, yes_no(s->selinux_label_via_net));
+                prefix, yes_no(s->remove_on_stop));
 
         if (s->control_pid > 0)
                 fprintf(f,
@@ -1136,14 +1130,7 @@ static int socket_open_fds(Socket *s) {
                         continue;
 
                 if (p->type == SOCKET_SOCKET) {
-#ifdef HAVE_SELINUX
-                        if (!know_label && s->selinux_label_via_net) {
-                                r = getcon(&label);
-                                if (r < 0)
-                                        return r;
-                                know_label = true;
-                        }
-#endif
+
                         if (!know_label) {
 
                                 r = socket_instantiate_service(s);
@@ -1842,9 +1829,6 @@ static void socket_enter_running(Socket *s, int cfd) {
                 cfd = -1;
                 s->n_connections ++;
 
-                if (s->selinux_label_via_net)
-                        service->exec_context.selinux_label_via_net = true;
-
                 r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, true, &error, NULL);
                 if (r < 0)
                         goto fail;
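Review bot: The added empty line in the socket_open_fds hunk sits directly after `if (p->type == SOCKET_SOCKET) {`, and a second empty line already follows `if (!know_label) {`, so the block now opens with a blank line on both sides of a single `if`; dropping the `+` blank line keeps the block compact and matches the surrounding style. The rest of socket_open_fds, including where `know_label` and `label` are set on the remaining path, lies outside the hunk, so I cannot confirm from here that no other reader of `label` depended on the removed `getcon()` branch; presumably `label_get_create_label_from_exe` still covers it, as before the reverted commit. The same section also drops the `<selinux/selinux.h>` include at the top of the file, which is consistent only if no other SELinux call remains in socket.c outside the shown hunks.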
index ab342c3..eede705 100644 (file)
@@ -165,8 +165,6 @@ struct Socket {
         char *smack_ip_in;
         char *smack_ip_out;
 
-        bool selinux_label_via_net;
-
         char *user, *group;
 };
 
index dd89bec..25a8b36 100644 (file)
@@ -31,7 +31,6 @@
 #ifdef HAVE_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/label.h>
-#include <selinux/context.h>
 #endif
 
 #include "label.h"
@@ -244,74 +243,6 @@ fail:
         return r;
 }
 
-int label_get_child_label(int socket_fd, const char *exe, char **label) {
-        int r = 0;
-
-#ifdef HAVE_SELINUX
-
-        security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
-        security_class_t sclass;
-        context_t pcon = NULL, bcon = NULL;
-        const char *range = NULL;
-
-        assert(socket_fd >= 0);
-        assert(exe);
-        assert(label);
-
-        r = getcon(&mycon);
-        if (r < 0)
-                goto out;
-
-        r = getpeercon(socket_fd, &peercon);
-        if (r < 0)
-                goto out;
-
-        r = getfilecon(exe, &fcon);
-        if (r < 0)
-                goto out;
-
-        bcon = context_new(mycon);
-        if (!bcon)
-                goto out;
-
-        pcon = context_new(peercon);
-        if (!pcon)
-                goto out;
-
-        range = context_range_get(pcon);
-        if (!range)
-                goto out;
-
-        r = context_range_set(bcon, range);
-        if (r)
-                goto out;
-
-        freecon(mycon);
-        mycon = context_str(bcon);
-        if (!mycon)
-                goto out;
-
-        sclass = string_to_security_class("process");
-        r = security_compute_create(mycon, fcon, sclass, &ret);
-        if (r < 0)
-                goto out;
-
-        *label = ret;
-
-out:
-        if (r && security_getenforce() == 1)
-                r = -errno;
-
-        freecon(mycon);
-        freecon(peercon);
-        freecon(fcon);
-        context_free(pcon);
-        context_free(bcon);
-
-#endif
-        return r;
-}
-
 int label_context_set(const char *path, mode_t mode) {
         int r = 0;
 
index 4163f7f..7294820 100644 (file)
@@ -39,7 +39,6 @@ void label_context_clear(void);
 void label_free(const char *label);
 
 int label_get_create_label_from_exe(const char *exe, char **label);
-int label_get_child_label(int socket_fd, const char *exec, char **label);
 
 int label_mkdir(const char *path, mode_t mode);