X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fexecute.c;h=4735ab24178e25db6c06f04ab92bb34351a156ac;hb=821d4b6e068b2afaad94d43db22171c34a30400e;hp=c19f613641c2952c8ce52104b087de07c951e1ca;hpb=56f64d95763a799ba4475daf44d8e9f72a1bd474;p=elogind.git diff --git a/src/core/execute.c b/src/core/execute.c index c19f61364..4735ab241 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -86,6 +86,7 @@ #include "smack-util.h" #include "bus-kernel.h" #include "label.h" +#include "cap-list.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -129,7 +130,7 @@ static int shift_fds(int fds[], unsigned n_fds) { fds[i] = nfd; /* Hmm, the fd we wanted isn't free? Then - * let's remember that and try again from here*/ + * let's remember that and try again from here */ if (nfd != i+3 && restart_from < 0) restart_from = i; } @@ -1238,11 +1239,12 @@ static int exec_child(ExecCommand *command, int *error) { _cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL; + _cleanup_free_ char *mac_selinux_context_net = NULL; const char *username = NULL, *home = NULL, *shell = NULL; unsigned n_dont_close = 0; int dont_close[n_fds + 4]; - uid_t uid = (uid_t) -1; - gid_t gid = (gid_t) -1; + uid_t uid = UID_INVALID; + gid_t gid = GID_INVALID; int i, err; assert(command); @@ -1349,7 +1351,7 @@ static int exec_child(ExecCommand *command, } if (params->cgroup_path) { - err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0); + err = cg_attach_everywhere(params->cgroup_supported, params->cgroup_path, 0, NULL, NULL); if (err < 0) { *error = EXIT_CGROUP; return err; @@ -1436,7 +1438,7 @@ static int exec_child(ExecCommand *command, #ifdef ENABLE_KDBUS if (params->bus_endpoint_fd >= 0 && context->bus_endpoint) { - uid_t ep_uid = (uid == (uid_t) -1) ? 0 : uid; + uid_t ep_uid = (uid == UID_INVALID) ? 0 : uid; err = bus_kernel_set_endpoint_policy(params->bus_endpoint_fd, ep_uid, context->bus_endpoint); if (err < 0) { @@ -1584,6 +1586,16 @@ static int exec_child(ExecCommand *command, } } +#ifdef HAVE_SELINUX + if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) { + err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + } +#endif + /* We repeat the fd closing here, to make sure that * nothing is leaked from the PAM modules. Note that * we are more aggressive this time since socket_fd @@ -1683,24 +1695,10 @@ static int exec_child(ExecCommand *command, #ifdef HAVE_SELINUX if (mac_selinux_use()) { - if (context->selinux_context) { - err = setexeccon(context->selinux_context); - if (err < 0 && !context->selinux_context_ignore) { - *error = EXIT_SELINUX_CONTEXT; - return err; - } - } - - if (params->selinux_context_net && socket_fd >= 0) { - _cleanup_free_ char *label = NULL; + char *exec_context = mac_selinux_context_net ?: context->selinux_context; - err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label); - if (err < 0) { - *error = EXIT_SELINUX_CONTEXT; - return err; - } - - err = setexeccon(label); + if (exec_context) { + err = setexeccon(exec_context); if (err < 0) { *error = EXIT_SELINUX_CONTEXT; return err; @@ -1986,7 +1984,7 @@ int exec_context_destroy_runtime_directory(ExecContext *c, const char *runtime_p /* We execute this synchronously, since we need to be * sure this is gone when we start the service * next. */ - rm_rf_dangerous(p, false, true, false); + rm_rf(p, false, true, false); } return 0; @@ -2009,7 +2007,7 @@ void exec_command_done_array(ExecCommand *c, unsigned n) { exec_command_done(c+i); } -void exec_command_free_list(ExecCommand *c) { +ExecCommand* exec_command_free_list(ExecCommand *c) { ExecCommand *i; while ((i = c)) { @@ -2017,15 +2015,15 @@ void exec_command_free_list(ExecCommand *c) { exec_command_done(i); free(i); } + + return NULL; } void exec_command_free_array(ExecCommand **c, unsigned n) { unsigned i; - for (i = 0; i < n; i++) { - exec_command_free_list(c[i]); - c[i] = NULL; - } + for (i = 0; i < n; i++) + c[i] = exec_command_free_list(c[i]); } int exec_context_load_environment(const ExecContext *c, const char *unit_id, char ***l) { @@ -2299,13 +2297,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sCapabilityBoundingSet:", prefix); for (l = 0; l <= cap_last_cap(); l++) - if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) { - _cleanup_cap_free_charp_ char *t; - - t = cap_to_name(l); - if (t) - fprintf(f, " %s", t); - } + if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) + fprintf(f, " %s", strna(capability_to_name(l))); fputs("\n", f); }