X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fima-setup.c;h=3416802bcb4d69acc7adad9aa03e6737008646e3;hb=652212b0c2b60b9ef9b2e24eae82401f880fa21a;hp=e8cc1ba8b6cb451775e06d189dd46c9a91d99193;hpb=5430f7f2bc7330f3088b894166bf3524a067e3d8;p=elogind.git diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c index e8cc1ba8b..3416802bc 100644 --- a/src/core/ima-setup.c +++ b/src/core/ima-setup.c @@ -44,72 +44,62 @@ int ima_setup(void) { #ifdef HAVE_IMA - struct stat st; - ssize_t policy_size = 0, written = 0; - char *policy; - int policyfd = -1, imafd = -1; - int result = 0; - -#ifndef HAVE_SELINUX - /* Mount the securityfs filesystem */ - mount_setup_early(); -#endif - - if (stat(IMA_POLICY_PATH, &st) < 0) - return 0; - - policy_size = st.st_size; - if (stat(IMA_SECFS_DIR, &st) < 0) { - log_debug("IMA support is disabled in the kernel, ignoring."); - return 0; - } - - if (stat(IMA_SECFS_POLICY, &st) < 0) { - log_error("Another IMA custom policy has already been loaded, " - "ignoring."); - return 0; - } - - policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); - if (policyfd < 0) { - log_error("Failed to open the IMA custom policy file %s (%m), " - "ignoring.", IMA_POLICY_PATH); - return 0; - } - - imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); - if (imafd < 0) { - log_error("Failed to open the IMA kernel interface %s (%m), " - "ignoring.", IMA_SECFS_POLICY); - goto out; - } - - policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); - if (policy == MAP_FAILED) { - log_error("mmap() failed (%m), freezing"); - result = -errno; - goto out; - } - - written = loop_write(imafd, policy, (size_t)policy_size, false); - if (written != policy_size) { - log_error("Failed to load the IMA custom policy file %s (%m), " - "ignoring.", IMA_POLICY_PATH); - goto out_mmap; - } - - log_info("Successfully loaded the IMA custom policy %s.", - IMA_POLICY_PATH); + struct stat st; + ssize_t policy_size = 0, written = 0; + char *policy; + _cleanup_close_ int policyfd = -1, imafd = -1; + int result = 0; + + if (stat(IMA_POLICY_PATH, &st) < 0) + return 0; + + policy_size = st.st_size; + if (stat(IMA_SECFS_DIR, &st) < 0) { + log_debug("IMA support is disabled in the kernel, ignoring."); + return 0; + } + + if (stat(IMA_SECFS_POLICY, &st) < 0) { + log_error("Another IMA custom policy has already been loaded, ignoring."); + return 0; + } + + policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); + if (policyfd < 0) { + log_error_errno(errno, "Failed to open the IMA custom policy file %s (%m), ignoring.", + IMA_POLICY_PATH); + return 0; + } + + imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); + if (imafd < 0) { + log_error_errno(errno, "Failed to open the IMA kernel interface %s (%m), ignoring.", + IMA_SECFS_POLICY); + goto out; + } + + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); + if (policy == MAP_FAILED) { + log_error_errno(errno, "mmap() failed (%m), freezing"); + result = -errno; + goto out; + } + + written = loop_write(imafd, policy, (size_t)policy_size, false); + if (written != policy_size) { + log_error_errno(errno, "Failed to load the IMA custom policy file %s (%m), ignoring.", + IMA_POLICY_PATH); + goto out_mmap; + } + + log_info("Successfully loaded the IMA custom policy %s.", + IMA_POLICY_PATH); out_mmap: - munmap(policy, policy_size); + munmap(policy, policy_size); out: - if (policyfd >= 0) - close_nointr_nofail(policyfd); - if (imafd >= 0) - close_nointr_nofail(imafd); - if (result) - return result; + if (result) + return result; #endif /* HAVE_IMA */ - return 0; + return 0; }