#include <sys/stat.h>
#include <unistd.h>
#include <malloc.h>
+#include <sys/socket.h>
+#include <sys/un.h>
#include "label.h"
#include "util.h"
static struct selabel_handle *label_hnd = NULL;
+static int use_selinux_cached = -1;
+
static inline bool use_selinux(void) {
- static int use_selinux_cached = -1;
if (use_selinux_cached < 0)
use_selinux_cached = is_selinux_enabled() > 0;
return use_selinux_cached;
}
+void label_retest_selinux(void) {
+ use_selinux_cached = -1;
+}
+
#endif
int label_init(void) {
if (!use_selinux() || !label_hnd)
return 0;
- if ((r = selabel_lookup_raw(label_hnd, &filecon, path, S_IFIFO)) == 0) {
- if ((r = setfscreatecon(filecon)) < 0) {
+ r = selabel_lookup_raw(label_hnd, &filecon, path, S_IFIFO);
+ if (r < 0)
+ r = -errno;
+ else if (r == 0) {
+ r = setfscreatecon(filecon);
+ if (r < 0) {
log_error("Failed to set SELinux file context on %s: %m", path);
r = -errno;
}
if (!use_selinux() || !label_hnd)
return 0;
- if ((r = selabel_lookup_raw(label_hnd, &filecon, path, S_IFLNK)) == 0) {
- if ((r = setfscreatecon(filecon)) < 0) {
+ r = selabel_lookup_raw(label_hnd, &filecon, path, S_IFLNK);
+ if (r < 0)
+ r = -errno;
+ else if (r == 0) {
+ r = setfscreatecon(filecon);
+ if (r < 0) {
log_error("Failed to set SELinux file context on %s: %m", path);
r = -errno;
}
#endif
}
-int label_mkdir(
- const char *path,
- mode_t mode) {
+int label_mkdir(const char *path, mode_t mode) {
/* Creates a directory and labels it according to the SELinux policy */
int r;
security_context_t fcon = NULL;
- if (use_selinux() && label_hnd) {
+ if (!use_selinux() || label_hnd)
+ goto skipped;
- if (path_is_absolute(path))
- r = selabel_lookup_raw(label_hnd, &fcon, path, mode);
- else {
- char *newpath = NULL;
+ if (path_is_absolute(path))
+ r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
+ else {
+ char *newpath;
- if (!(newpath = path_make_absolute_cwd(path)))
- return -ENOMEM;
+ newpath = path_make_absolute_cwd(path);
+ if (!newpath)
+ return -ENOMEM;
- r = selabel_lookup_raw(label_hnd, &fcon, newpath, mode);
- free(newpath);
- }
+ r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
+ free(newpath);
+ }
- if (r == 0)
- r = setfscreatecon(fcon);
+ if (r == 0)
+ r = setfscreatecon(fcon);
- if (r < 0 && errno != ENOENT) {
- log_error("Failed to set security context %s for %s: %m", fcon, path);
- r = -errno;
+ if (r < 0 && errno != ENOENT) {
+ log_error("Failed to set security context %s for %s: %m", fcon, path);
- if (security_getenforce() == 1)
- goto finish;
+ if (security_getenforce() == 1) {
+ r = -errno;
+ goto finish;
}
}
- if ((r = mkdir(path, mode)) < 0)
+ r = mkdir(path, mode);
+ if (r < 0)
r = -errno;
finish:
- if (use_selinux() && label_hnd) {
- setfscreatecon(NULL);
- freecon(fcon);
+ setfscreatecon(NULL);
+ freecon(fcon);
+
+ return r;
+
+skipped:
+#endif
+ return mkdir(path, mode) < 0 ? -errno : 0;
+}
+
+int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
+
+ /* Binds a socket and label its file system object according to the SELinux policy */
+
+#ifdef HAVE_SELINUX
+ int r;
+ security_context_t fcon = NULL;
+ const struct sockaddr_un *un;
+ char *path = NULL;
+
+ assert(fd >= 0);
+ assert(addr);
+ assert(addrlen >= sizeof(sa_family_t));
+
+ if (!use_selinux() || !label_hnd)
+ goto skipped;
+
+ /* Filter out non-local sockets */
+ if (addr->sa_family != AF_UNIX)
+ goto skipped;
+
+ /* Filter out anonymous sockets */
+ if (addrlen < sizeof(sa_family_t) + 1)
+ goto skipped;
+
+ /* Filter out abstract namespace sockets */
+ un = (const struct sockaddr_un*) addr;
+ if (un->sun_path[0] == 0)
+ goto skipped;
+
+ path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
+ if (!path)
+ return -ENOMEM;
+
+ if (path_is_absolute(path))
+ r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
+ else {
+ char *newpath;
+
+ newpath = path_make_absolute_cwd(path);
+
+ if (!newpath) {
+ free(path);
+ return -ENOMEM;
+ }
+
+ r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
+ free(newpath);
+ }
+
+ if (r == 0)
+ r = setfscreatecon(fcon);
+
+ if (r < 0 && errno != ENOENT) {
+ log_error("Failed to set security context %s for %s: %m", fcon, path);
+
+ if (security_getenforce() == 1) {
+ r = -errno;
+ goto finish;
+ }
}
+ r = bind(fd, addr, addrlen);
+ if (r < 0)
+ r = -errno;
+
+finish:
+ setfscreatecon(NULL);
+ freecon(fcon);
+ free(path);
+
return r;
-#else
- return mkdir(path, mode);
+
+skipped:
#endif
+ return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}
~ianmdlvl / elogind.git / blobdiff