From: Michal Sekletar Date: Wed, 12 Nov 2014 12:53:27 +0000 (+0100) Subject: selinux: figure out selinux context applied on exec() before closing all fds X-Git-Tag: v218~120 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=9008e1ac925afcdef7b45042c03fa5444f1c52c2 selinux: figure out selinux context applied on exec() before closing all fds We need original socket_fd around otherwise mac_selinux_get_child_mls_label fails with -EINVAL return code. Also don't call setexeccon twice but rather pass context value of SELinuxContext option as an extra argument. --- diff --git a/src/core/execute.c b/src/core/execute.c index ea745aa19..b7ac4c7b2 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1238,6 +1238,7 @@ static int exec_child(ExecCommand *command, int *error) { _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL; + _cleanup_free_ char *mac_selinux_context_net = NULL; const char *username = NULL, *home = NULL, *shell = NULL; unsigned n_dont_close = 0; int dont_close[n_fds + 4]; @@ -1584,6 +1585,16 @@ static int exec_child(ExecCommand *command, } } +#ifdef HAVE_SELINUX + if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) { + err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + } +#endif + /* We repeat the fd closing here, to make sure that * nothing is leaked from the PAM modules. Note that * we are more aggressive this time since socket_fd @@ -1683,24 +1694,10 @@ static int exec_child(ExecCommand *command, #ifdef HAVE_SELINUX if (mac_selinux_use()) { - if (context->selinux_context) { - err = setexeccon(context->selinux_context); - if (err < 0 && !context->selinux_context_ignore) { - *error = EXIT_SELINUX_CONTEXT; - return err; - } - } - - if (params->selinux_context_net && socket_fd >= 0) { - _cleanup_free_ char *label = NULL; - - err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label); - if (err < 0) { - *error = EXIT_SELINUX_CONTEXT; - return err; - } + char *exec_context = mac_selinux_context_net ?: context->selinux_context; - err = setexeccon(label); + if (exec_context) { + err = setexeccon(exec_context); if (err < 0) { *error = EXIT_SELINUX_CONTEXT; return err; diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index 6bd3bf1c8..a2233e0cf 100644 --- a/src/shared/selinux-util.c +++ b/src/shared/selinux-util.c @@ -233,7 +233,7 @@ int mac_selinux_get_our_label(char **label) { return r; } -int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) { +int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) { int r = -EOPNOTSUPP; #ifdef HAVE_SELINUX @@ -257,11 +257,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label if (r < 0) return -errno; - r = getexeccon(&fcon); - if (r < 0) - return -errno; - - if (!fcon) { + if (!exec_label) { /* If there is no context set for next exec let's use context of target executable */ r = getfilecon(exe, &fcon); diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h index 7ff8c607b..a69444100 100644 --- a/src/shared/selinux-util.h +++ b/src/shared/selinux-util.h @@ -36,7 +36,7 @@ int mac_selinux_apply(const char *path, const char *label); int mac_selinux_get_create_label_from_exe(const char *exe, char **label); int mac_selinux_get_our_label(char **label); -int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label); +int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label); void mac_selinux_free(char *label); int mac_selinux_create_file_prepare(const char *path, mode_t mode);