if (!u)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name);
- r = selinux_unit_access_check(u, message, "status", error);
+ r = mac_selinux_unit_access_check(u, message, "status", error);
if (r < 0)
return r;
if (!u)
return sd_bus_error_setf(error, BUS_ERROR_NO_UNIT_FOR_PID, "PID %u does not belong to any loaded unit.", pid);
- r = selinux_unit_access_check(u, message, "status", error);
+ r = mac_selinux_unit_access_check(u, message, "status", error);
if (r < 0)
return r;
if (r < 0)
return r;
- r = selinux_unit_access_check(u, message, "status", error);
+ r = mac_selinux_unit_access_check(u, message, "status", error);
if (r < 0)
return r;
if (mode < 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode);
- r = selinux_access_check(message, "start", error);
+ r = mac_selinux_access_check(message, "start", error);
if (r < 0)
return r;
if (!j)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id);
- r = selinux_unit_access_check(j->unit, message, "status", error);
+ r = mac_selinux_unit_access_check(j->unit, message, "status", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "start", error);
+ r = mac_selinux_access_check(message, "start", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "stop", error);
+ r = mac_selinux_access_check(message, "stop", error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "halt", error);
+ r = mac_selinux_access_check(message, "halt", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "halt", error);
+ r = mac_selinux_access_check(message, "halt", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "halt", error);
+ r = mac_selinux_access_check(message, "halt", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
-#ifdef HAVE_SELINUX
- char **i;
-#endif
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
UnitFileScope scope;
if (r < 0)
return r;
-#ifdef HAVE_SELINUX
- STRV_FOREACH(i, l) {
- Unit *u;
-
- u = manager_get_unit(m, *i);
- if (u) {
- r = selinux_unit_access_check(u, message, verb, error);
- if (r < 0)
- return r;
- }
- }
-#endif
+ r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
+ if (r < 0)
+ return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
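Review bot: The call to `mac_selinux_unit_access_check_strv(l, message, m, verb, error)` hides a property that the removed loop made visible: names for which `manager_get_unit()` returned NULL were skipped, so the per-unit SELinux check applied only to units that are currently loaded. If the helper keeps that behaviour (its body is not part of this view), a unit file with no loaded unit reaches the install step without any SELinux decision, leaving only whatever other authorization the method performs. I would state this at the call site, e.g. `/* Only loaded units are checked here; names without a loaded unit get no SELinux check */`, or have the helper fall back to `mac_selinux_access_check(message, verb, error)` when nothing in `l` is loaded. The same applies to the calls in method_preset_unit_files_with_mode and method_add_dependency_unit_files. The enclosing function starts and ends outside this hunk.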
static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
-#ifdef HAVE_SELINUX
- char **i;
-#endif
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
Manager *m = userdata;
return -EINVAL;
}
-#ifdef HAVE_SELINUX
- STRV_FOREACH(i, l) {
- Unit *u;
-
- u = manager_get_unit(m, *i);
- if (u) {
- r = selinux_unit_access_check(u, message, "enable", error);
- if (r < 0)
- return r;
- }
- }
-#endif
+ r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
+ if (r < 0)
+ return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, verb, error);
+ r = mac_selinux_access_check(message, verb, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "enable", error);
+ r = mac_selinux_access_check(message, "enable", error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "enable", error);
+ r = mac_selinux_access_check(message, "enable", error);
if (r < 0)
return r;
return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes);
}
+static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
+ _cleanup_strv_free_ char **l = NULL;
+ Manager *m = userdata;
+ UnitFileChange *changes = NULL;
+ unsigned n_changes = 0;
+ UnitFileScope scope;
+ int runtime, force, r;
+ char *target;
+ char *type;
+ UnitDependency dep;
+
+ assert(bus);
+ assert(message);
+ assert(m);
+
+ r = bus_verify_manage_unit_files_async(m, message, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
+
+ r = sd_bus_message_read_strv(message, &l);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_read(message, "ssbb", &target, &type, &runtime, &force);
+ if (r < 0)
+ return r;
+
+ dep = unit_dependency_from_string(type);
+ if (dep < 0)
+ return -EINVAL;
+
+ r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
+ if (r < 0)
+ return r;
+
+ scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
+
+ r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);
+ if (r < 0)
+ return r;
+
+ return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes);
+}
+
const sd_bus_vtable bus_manager_vtable[] = {
SD_BUS_VTABLE_START(0),
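Review bot: In method_add_dependency_unit_files the SELinux check covers only the units in `l`, while `target`, the unit whose dependency set `unit_file_add_dependency()` changes, is passed through without any MAC check; as far as this hunk shows, only the polkit check stands between a caller and modifying an arbitrary target. Consider looking `target` up with `manager_get_unit()` and running `mac_selinux_unit_access_check()` on it too; which verb fits is a policy decision, and "enable" is used below only for symmetry. The `dep < 0` path returns a bare `-EINVAL`, whereas other argument errors in this file go through `sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, …)`, so the client gets no message naming the rejected type. Separately, if `unit_file_add_dependency()` can fail after recording entries in `changes`, the `return r` that follows it leaks them; whether it can depends on code outside this diff.

```c
        UnitDependency dep;
        Unit *u;

        /* … unchanged: asserts, polkit check, message reads … */

        dep = unit_dependency_from_string(type);
        if (dep < 0)
                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Dependency type %s is invalid.", type);

        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
        if (r < 0)
                return r;

        /* The target's dependency set is modified as well, so check it like the units in l */
        u = manager_get_unit(m, target);
        if (u) {
                r = mac_selinux_unit_access_check(u, message, "enable", error);
                if (r < 0)
                        return r;
        }

        /* … unchanged: scope selection, unit_file_add_dependency(), reply … */
```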
SD_BUS_METHOD("SetDefaultTarget", "sb", "a(sss)", method_set_default_target, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("GetDefaultTarget", NULL, "s", method_get_default_target, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_SIGNAL("UnitNew", "so", 0),
SD_BUS_SIGNAL("UnitRemoved", "so", 0),