X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fselinux-access.c;h=351d48f8a45cf026a55a703e5800cc47cea869d3;hb=ebc5788e88eb9e1ebd032bd61507c196142acbab;hp=21c7a8c5bcadd562419a70e22926dc88f347ff68;hpb=5b12334d35eadf1f45cc3d631fd1a2e72ffaea0a;p=elogind.git
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 21c7a8c5b..351d48f8a 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -53,7 +53,7 @@ struct audit_info {
 /*
 Any time an access gets denied this callback will be called
- with the aduit data. We then need to just copy the audit data into the msgbuf.
+ with the audit data. We then need to just copy the audit data into the msgbuf.
 */
 static int audit_callback(
 void *auditdata,
@@ -64,14 +64,20 @@ static int audit_callback(
 const struct audit_info *audit = auditdata;
 uid_t uid = 0, login_uid = 0;
 gid_t gid = 0;
+ char login_uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+ char uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
+ char gid_buf[DECIMAL_STR_MAX(gid_t)] = "n/a";
- sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid);
- sd_bus_creds_get_uid(audit->creds, &uid);
- sd_bus_creds_get_gid(audit->creds, &gid);
+ if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
+ snprintf(login_uid_buf, sizeof(login_uid_buf), UID_FMT, login_uid);
+ if (sd_bus_creds_get_uid(audit->creds, &uid) >= 0)
+ snprintf(uid_buf, sizeof(uid_buf), UID_FMT, uid);
+ if (sd_bus_creds_get_gid(audit->creds, &gid) >= 0)
+ snprintf(gid_buf, sizeof(gid_buf), GID_FMT, gid);
 snprintf(msgbuf, msgbufsize,
- "auid=%d uid=%d gid=%d%s%s%s%s%s%s",
- login_uid, uid, gid,
+ "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
+ login_uid_buf, uid_buf, gid_buf,
 audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
 audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
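Review bot: In audit_callback (hunk -64,14 +64,20), the unchanged tail of the final snprintf still copies `audit->path` and `audit->cmdline` between bare double quotes with no escaping, so a quote, space or newline inside a caller-supplied command line can add or alter fields in the denial record even though the uid/gid part is now formatted carefully. Whether these strings are sanitised where the audit_info is filled is not visible in this hunk; if they are not, escape them at that point and record the contract here with a comment such as `/* path and cmdline must already be escaped: they are copied verbatim into the audit record */`. The return value of that snprintf is also ignored, so an over-long cmdline is truncated without any marker. The function body continues past the end of the hunk.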
@@ -142,7 +148,7 @@ static int selinux_access_init(sd_bus_error *error) {
 if (initialized)
 return 0;
- if (!use_selinux())
+ if (!mac_selinux_use())
 return 0;
 r = access_init();
@@ -169,7 +175,6 @@ void selinux_access_free(void) {
 still be generated if the access would be denied in enforcing mode.
 */
 int selinux_generic_access_check(
- sd_bus *bus,
 sd_bus_message *message,
 const char *path,
 const char *permission,
@@ -183,12 +188,11 @@ int selinux_generic_access_check(
 char **cmdline = NULL;
 int r = 0;
- assert(bus);
 assert(message);
 assert(permission);
 assert(error);
- if (!use_selinux())
+ if (!mac_selinux_use())
 return 0;
 r = selinux_access_init(error);
@@ -252,10 +256,30 @@ finish:
 return r;
 }
+int selinux_unit_access_check_strv(char **units,
+ sd_bus_message *message,
+ Manager *m,
+ const char *permission,
+ sd_bus_error *error) {
+ char **i;
+ Unit *u;
+ int r;
+
+ STRV_FOREACH(i, units) {
+ u = manager_get_unit(m, *i);
+ if (u) {
+ r = selinux_unit_access_check(u, message, permission, error);
+ if (r < 0)
+ return r;
+ }
+ }
+
+ return 0;
+}
+
 #else
 int selinux_generic_access_check(
- sd_bus *bus,
 sd_bus_message *message,
 const char *path,
 const char *permission,
@@ -267,4 +291,12 @@ int selinux_generic_access_check(
 void selinux_access_free(void) {
 }
+int selinux_unit_access_check_strv(char **units,
+ sd_bus_message *message,
+ Manager *m,
+ const char *permission,
+ sd_bus_error *error) {
+ return 0;
+}
+
 #endif
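Review bot: In the new selinux_unit_access_check_strv (hunk -252,10 +256,30), a name for which manager_get_unit() returns NULL is skipped and the function still returns 0, so no access decision is ever made for units that are not currently loaded. For an authorisation helper that fails open; the callers are not visible here, but if any of them can pass names of unloaded units, the loop should either load the unit before checking it or fall back to a check that does not need a Unit, and at minimum the skip should be spelled out: `if (!u) continue; /* not loaded: no SELinux check is performed for this name */`. The function also lacks the argument assertions its sibling selinux_generic_access_check has; `assert(m); assert(message); assert(permission); assert(error);` would match.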