X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;ds=sidebyside;f=src%2Fbasic%2Fselinux-util.c;h=92473d0327b58e9a27e462cc56e117ce4291d1a0;hb=2b5cdb47b5a4a367bc2be8fe4457423f785884f0;hp=cea80b678fe701e4d78959991c5ff9f007fed2ef;hpb=4ebadef69ff96e92122a133cfecadf60816c4fa3;p=elogind.git diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c index cea80b678..92473d032 100644 --- a/src/basic/selinux-util.c +++ b/src/basic/selinux-util.c @@ -21,17 +21,26 @@ #include #include +#include +#include +#include +#include #include +#include #ifdef HAVE_SELINUX -#include -#include #include +#include +#include #endif -#include "strv.h" +#include "alloc-util.h" #include "path-util.h" #include "selinux-util.h" +#include "log.h" +#include "macro.h" +#include "time-util.h" +#include "util.h" #ifdef HAVE_SELINUX DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon); @@ -57,8 +66,7 @@ bool mac_selinux_use(void) { #endif } -/// UNNEEDED by elogind -#if 0 +#if 0 /// UNNEEDED by elogind void mac_selinux_retest(void) { #ifdef HAVE_SELINUX cached_use = -1; @@ -112,8 +120,7 @@ int mac_selinux_init(const char *prefix) { return r; } -/// UNNEEDED by elogind -#if 0 +#if 0 /// UNNEEDED by elogind void mac_selinux_finish(void) { #ifdef HAVE_SELINUX @@ -174,20 +181,19 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { return 0; } -/// UNNEDED by elogind -#if 0 +#if 0 /// UNNEDED by elogind int mac_selinux_apply(const char *path, const char *label) { #ifdef HAVE_SELINUX - assert(path); - assert(label); - if (!mac_selinux_use()) return 0; + assert(path); + assert(label); + if (setfilecon(path, (security_context_t) label) < 0) { log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path); - if (security_getenforce() == 1) + if (security_getenforce() > 0) return -errno; } #endif @@ -303,22 +309,28 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char * return r; } -void mac_selinux_free(char *label) { +char* mac_selinux_free(char *label) { #ifdef HAVE_SELINUX + if (!label) + return NULL; + if (!mac_selinux_use()) - return; + return NULL; + freecon((security_context_t) label); #endif + + return NULL; } #endif // 0 int mac_selinux_create_file_prepare(const char *path, mode_t mode) { - int r = 0; #ifdef HAVE_SELINUX _cleanup_security_context_free_ security_context_t filecon = NULL; + int r; assert(path); @@ -328,34 +340,33 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) { if (path_is_absolute(path)) r = selabel_lookup_raw(label_hnd, &filecon, path, mode); else { - _cleanup_free_ char *newpath; + _cleanup_free_ char *newpath = NULL; - newpath = path_make_absolute_cwd(path); - if (!newpath) - return -ENOMEM; + r = path_make_absolute_cwd(path, &newpath); + if (r < 0) + return r; r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode); } + if (r < 0) { /* No context specified by the policy? Proceed without setting it. */ - if (r < 0 && errno == ENOENT) + if (errno == ENOENT) return 0; - if (r < 0) - r = -errno; - else { - r = setfscreatecon(filecon); - if (r < 0) { + log_enforcing("Failed to determine SELinux security context for %s: %m", path); + } else { + if (setfscreatecon(filecon) >= 0) + return 0; /* Success! */ + log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path); - r = -errno; - } } - if (r < 0 && security_getenforce() == 0) - r = 0; -#endif + if (security_getenforce() > 0) + return -errno; - return r; +#endif + return 0; } void mac_selinux_create_file_clear(void) { @@ -370,8 +381,7 @@ void mac_selinux_create_file_clear(void) { #endif } -/// UNNEEDED by elogind -#if 0 +#if 0 /// UNNEEDED by elogind int mac_selinux_create_socket_prepare(const char *label) { #ifdef HAVE_SELINUX @@ -410,6 +420,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { #ifdef HAVE_SELINUX _cleanup_security_context_free_ security_context_t fcon = NULL; const struct sockaddr_un *un; + bool context_changed = false; char *path; int r; @@ -425,7 +436,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { goto skipped; /* Filter out anonymous sockets */ - if (addrlen < sizeof(sa_family_t) + 1) + if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1) goto skipped; /* Filter out abstract namespace sockets */ @@ -438,37 +449,45 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { if (path_is_absolute(path)) r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK); else { - _cleanup_free_ char *newpath; + _cleanup_free_ char *newpath = NULL; - newpath = path_make_absolute_cwd(path); - if (!newpath) - return -ENOMEM; + r = path_make_absolute_cwd(path, &newpath); + if (r < 0) + return r; r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK); } - if (r == 0) - r = setfscreatecon(fcon); + if (r < 0) { + /* No context specified by the policy? Proceed without setting it */ + if (errno == ENOENT) + goto skipped; - if (r < 0 && errno != ENOENT) { - log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path); + log_enforcing("Failed to determine SELinux security context for %s: %m", path); + if (security_getenforce() > 0) + return -errno; - if (security_getenforce() == 1) { - r = -errno; - goto finish; - } + } else { + if (setfscreatecon(fcon) < 0) { + log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path); + if (security_getenforce() > 0) + return -errno; + } else + context_changed = true; } - r = bind(fd, addr, addrlen); - if (r < 0) - r = -errno; + r = bind(fd, addr, addrlen) < 0 ? -errno : 0; -finish: + if (context_changed) setfscreatecon(NULL); + return r; skipped: #endif - return bind(fd, addr, addrlen) < 0 ? -errno : 0; + if (bind(fd, addr, addrlen) < 0) + return -errno; + + return 0; } #endif // 0