mac: add mac_ prefix to distinguish origin security apis
author
WaLyong Cho
<walyong.cho@samsung.com>
Fri, 24 Oct 2014 12:15:25 +0000
(21:15 +0900)
committer
Lennart Poettering
<lennart@poettering.net>
Tue, 28 Oct 2014 13:31:48 +0000
(14:31 +0100)
12 files changed:
src/core/dbus-job.c
src/core/dbus-manager.c
src/core/dbus-snapshot.c
src/core/dbus-unit.c
src/core/dbus.c
src/core/main.c
src/core/selinux-access.c
src/core/selinux-access.h
src/core/selinux-setup.c
src/core/selinux-setup.h
src/core/smack-setup.c
src/core/smack-setup.h
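--- a/src/core/dbus-job.c
+++ b/src/core/dbus-job.c
@@ -80,7 +80,7 @@ int bus_job_method_cancel(sd_bus *bus, sd_bus_message *message, void *userdata,
         if (r < 0)
                 return r;
-        r = selinux_unit_access_check(j->unit, message, "stop", error);
+        r = mac_selinux_unit_access_check(j->unit, message, "stop", error);
         if (r < 0)
                 return r;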
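--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -363,7 +363,7 @@ static int method_get_unit(sd_bus *bus, sd_bus_message *message, void *userdata,
         if (!u)
                 return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name);
-        r = selinux_unit_access_check(u, message, "status", error);
+        r = mac_selinux_unit_access_check(u, message, "status", error);
         if (r < 0)
                 return r;
@@ -409,7 +409,7 @@ static int method_get_unit_by_pid(sd_bus *bus, sd_bus_message *message, void *us
         if (!u)
                 return sd_bus_error_setf(error, BUS_ERROR_NO_UNIT_FOR_PID, "PID %u does not belong to any loaded unit.", pid);
-        r = selinux_unit_access_check(u, message, "status", error);
+        r = mac_selinux_unit_access_check(u, message, "status", error);
         if (r < 0)
                 return r;
@@ -441,7 +441,7 @@ static int method_load_unit(sd_bus *bus, sd_bus_message *message, void *userdata
         if (r < 0)
                 return r;
-        r = selinux_unit_access_check(u, message, "status", error);
+        r = mac_selinux_unit_access_check(u, message, "status", error);
         if (r < 0)
                 return r;
@@ -648,7 +648,7 @@ static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, voi
         if (mode < 0)
                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode);
-        r = selinux_access_check(message, "start", error);
+        r = mac_selinux_access_check(message, "start", error);
         if (r < 0)
                 return r;
@@ -702,7 +702,7 @@ static int method_get_job(sd_bus *bus, sd_bus_message *message, void *userdata,
         if (!j)
                 return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id);
-        r = selinux_unit_access_check(j->unit, message, "status", error);
+        r = mac_selinux_unit_access_check(j->unit, message, "status", error);
         if (r < 0)
                 return r;
@@ -742,7 +742,7 @@ static int method_clear_jobs(sd_bus *bus, sd_bus_message *message, void *userdat
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reboot", error);
+        r = mac_selinux_access_check(message, "reboot", error);
         if (r < 0)
                 return r;
@@ -759,7 +759,7 @@ static int method_reset_failed(sd_bus *bus, sd_bus_message *message, void *userd
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "reload", error);
         if (r < 0)
                 return r;
@@ -782,7 +782,7 @@ static int list_units_filtered(sd_bus *bus, sd_bus_message *message, void *userd
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -870,7 +870,7 @@ static int method_list_jobs(sd_bus *bus, sd_bus_message *message, void *userdata
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -922,7 +922,7 @@ static int method_subscribe(sd_bus *bus, sd_bus_message *message, void *userdata
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -957,7 +957,7 @@ static int method_unsubscribe(sd_bus *bus, sd_bus_message *message, void *userda
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -985,7 +985,7 @@ static int method_dump(sd_bus *bus, sd_bus_message *message, void *userdata, sd_
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -1016,7 +1016,7 @@ static int method_create_snapshot(sd_bus *bus, sd_bus_message *message, void *us
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "start", error);
+        r = mac_selinux_access_check(message, "start", error);
         if (r < 0)
                 return r;
@@ -1048,7 +1048,7 @@ static int method_remove_snapshot(sd_bus *bus, sd_bus_message *message, void *us
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "stop", error);
+        r = mac_selinux_access_check(message, "stop", error);
         if (r < 0)
                 return r;
@@ -1080,7 +1080,7 @@ static int method_reload(sd_bus *bus, sd_bus_message *message, void *userdata, s
         if (r == 0)
                 return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
-        r = selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "reload", error);
         if (r < 0)
                 return r;
@@ -1114,7 +1114,7 @@ static int method_reexecute(sd_bus *bus, sd_bus_message *message, void *userdata
         if (r == 0)
                 return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
-        r = selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "reload", error);
         if (r < 0)
                 return r;
@@ -1133,7 +1133,7 @@ static int method_exit(sd_bus *bus, sd_bus_message *message, void *userdata, sd_
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "halt", error);
+        r = mac_selinux_access_check(message, "halt", error);
         if (r < 0)
                 return r;
@@ -1153,7 +1153,7 @@ static int method_reboot(sd_bus *bus, sd_bus_message *message, void *userdata, s
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reboot", error);
+        r = mac_selinux_access_check(message, "reboot", error);
         if (r < 0)
                 return r;
@@ -1174,7 +1174,7 @@ static int method_poweroff(sd_bus *bus, sd_bus_message *message, void *userdata,
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "halt", error);
+        r = mac_selinux_access_check(message, "halt", error);
         if (r < 0)
                 return r;
@@ -1194,7 +1194,7 @@ static int method_halt(sd_bus *bus, sd_bus_message *message, void *userdata, sd_
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "halt", error);
+        r = mac_selinux_access_check(message, "halt", error);
         if (r < 0)
                 return r;
@@ -1214,7 +1214,7 @@ static int method_kexec(sd_bus *bus, sd_bus_message *message, void *userdata, sd
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reboot", error);
+        r = mac_selinux_access_check(message, "reboot", error);
         if (r < 0)
                 return r;
@@ -1236,7 +1236,7 @@ static int method_switch_root(sd_bus *bus, sd_bus_message *message, void *userda
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reboot", error);
+        r = mac_selinux_access_check(message, "reboot", error);
         if (r < 0)
                 return r;
@@ -1300,7 +1300,7 @@ static int method_set_environment(sd_bus *bus, sd_bus_message *message, void *us
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "reload", error);
         if (r < 0)
                 return r;
@@ -1326,7 +1326,7 @@ static int method_unset_environment(sd_bus *bus, sd_bus_message *message, void *
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "reload", error);
         if (r < 0)
                 return r;
@@ -1353,7 +1353,7 @@ static int method_unset_and_set_environment(sd_bus *bus, sd_bus_message *message
         assert(message);
         assert(m);
-        r = selinux_access_check(message, "reload", error);
+        r = mac_selinux_access_check(message, "reload", error);
         if (r < 0)
                 return r;
@@ -1391,7 +1391,7 @@ static int method_list_unit_files(sd_bus *bus, sd_bus_message *message, void *us
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -1444,7 +1444,7 @@ static int method_get_unit_file_state(sd_bus *bus, sd_bus_message *message, void
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -1473,7 +1473,7 @@ static int method_get_default_target(sd_bus *bus, sd_bus_message *message, void
         /* Anyone can call this method */
-        r = selinux_access_check(message, "status", error);
+        r = mac_selinux_access_check(message, "status", error);
         if (r < 0)
                 return r;
@@ -1585,7 +1585,7 @@ static int method_enable_unit_files_generic(
         if (r < 0)
                 return r;
-        r = selinux_unit_access_check_strv(l, message, m, verb, error);
+        r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
         if (r < 0)
                 return r;
@@ -1659,7 +1659,7 @@ static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *messa
                         return -EINVAL;
         }
-        r = selinux_unit_access_check_strv(l, message, m, "enable", error);
+        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
         if (r < 0)
                 return r;
@@ -1696,7 +1696,7 @@ static int method_disable_unit_files_generic(
         if (r == 0)
                 return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
-        r = selinux_access_check(message, verb, error);
+        r = mac_selinux_access_check(message, verb, error);
         if (r < 0)
                 return r;
@@ -1743,7 +1743,7 @@ static int method_set_default_target(sd_bus *bus, sd_bus_message *message, void
         if (r == 0)
                 return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
-        r = selinux_access_check(message, "enable", error);
+        r = mac_selinux_access_check(message, "enable", error);
         if (r < 0)
                 return r;
@@ -1779,7 +1779,7 @@ static int method_preset_all_unit_files(sd_bus *bus, sd_bus_message *message, vo
         if (r == 0)
                 return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
-        r = selinux_access_check(message, "enable", error);
+        r = mac_selinux_access_check(message, "enable", error);
         if (r < 0)
                 return r;
@@ -1837,7 +1837,7 @@ static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message
         if (dep < 0)
                 return -EINVAL;
-        r = selinux_unit_access_check_strv(l, message, m, "enable", error);
+        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
         if (r < 0)
                 return r;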
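--- a/src/core/dbus-snapshot.c
+++ b/src/core/dbus-snapshot.c
@@ -33,7 +33,7 @@ int bus_snapshot_method_remove(sd_bus *bus, sd_bus_message *message, void *userd
         assert(message);
         assert(s);
-        r = selinux_unit_access_check(UNIT(s), message, "stop", error);
+        r = mac_selinux_unit_access_check(UNIT(s), message, "stop", error);
         if (r < 0)
                 return r;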
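--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -443,7 +443,7 @@ int bus_unit_method_kill(sd_bus *bus, sd_bus_message *message, void *userdata, s
         if (signo <= 0 || signo >= _NSIG)
                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Signal number out of range.");
-        r = selinux_unit_access_check(u, message, "stop", error);
+        r = mac_selinux_unit_access_check(u, message, "stop", error);
         if (r < 0)
                 return r;
@@ -468,7 +468,7 @@ int bus_unit_method_reset_failed(sd_bus *bus, sd_bus_message *message, void *use
         if (r == 0)
                 return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
-        r = selinux_unit_access_check(u, message, "reload", error);
+        r = mac_selinux_unit_access_check(u, message, "reload", error);
         if (r < 0)
                 return r;
@@ -495,7 +495,7 @@ int bus_unit_method_set_properties(sd_bus *bus, sd_bus_message *message, void *u
         if (r < 0)
                 return r;
-        r = selinux_unit_access_check(u, message, "start", error);
+        r = mac_selinux_unit_access_check(u, message, "start", error);
         if (r < 0)
                 return r;
@@ -757,7 +757,7 @@ int bus_unit_queue_job(
                 type = JOB_RELOAD;
         }
-        r = selinux_unit_access_check(
+        r = mac_selinux_unit_access_check(
                         u, message,
                         (type == JOB_START || type == JOB_RESTART || type == JOB_TRY_RESTART) ? "start" :
                         type == JOB_STOP ? "stop" : "reload", error);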
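--- a/src/core/dbus.c
+++ b/src/core/dbus.c
@@ -211,7 +211,7 @@ failed:
 }
 #ifdef HAVE_SELINUX
-static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
+static int mac_selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
         Manager *m = userdata;
         const char *verb, *path;
         Unit *u = NULL;
@@ -239,7 +239,7 @@ static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata,
         if (object_path_startswith("/org/freedesktop/systemd1", path)) {
-                r = selinux_access_check(message, verb, error);
+                r = mac_selinux_access_check(message, verb, error);
                 if (r < 0)
                         return r;
@@ -270,7 +270,7 @@ static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata,
         if (!u)
                 return 0;
-        r = selinux_unit_access_check(u, message, verb, error);
+        r = mac_selinux_unit_access_check(u, message, verb, error);
         if (r < 0)
                 return r;
@@ -536,7 +536,7 @@ static int bus_setup_api_vtables(Manager *m, sd_bus *bus) {
         assert(bus);
 #ifdef HAVE_SELINUX
-        r = sd_bus_add_filter(bus, NULL, selinux_filter, m);
+        r = sd_bus_add_filter(bus, NULL, mac_selinux_filter, m);
         if (r < 0) {
                 log_error("Failed to add SELinux access filter: %s", strerror(-r));
                 return r;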
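--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1293,11 +1293,11 @@ int main(int argc, char *argv[]) {
         if (!skip_setup) {
                 mount_setup_early();
                 dual_timestamp_get(&security_start_timestamp);
-                if (selinux_setup(&loaded_policy) < 0)
+                if (mac_selinux_setup(&loaded_policy) < 0)
                         goto finish;
                 if (ima_setup() < 0)
                         goto finish;
-                if (smack_setup(&loaded_policy) < 0)
+                if (mac_smack_setup(&loaded_policy) < 0)
                         goto finish;
                 dual_timestamp_get(&security_finish_timestamp);
         }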
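--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -142,7 +142,7 @@ static int access_init(void) {
         return r;
 }
-static int selinux_access_init(sd_bus_error *error) {
+static int mac_selinux_access_init(sd_bus_error *error) {
         int r;
         if (initialized)
@@ -158,14 +158,17 @@ static int selinux_access_init(sd_bus_error *error) {
         initialized = true;
         return 0;
 }
+#endif
-void selinux_access_free(void) {
+void mac_selinux_access_free(void) {
+#ifdef HAVE_SELINUX
         if (!initialized)
                 return;
         avc_destroy();
         initialized = false;
+#endif
 }
 /*
@@ -174,12 +177,13 @@ void selinux_access_free(void) {
    If the machine is in permissive mode it will return ok. Audit messages will
    still be generated if the access would be denied in enforcing mode.
 */
-int selinux_generic_access_check(
+int mac_selinux_generic_access_check(
                 sd_bus_message *message,
                 const char *path,
                 const char *permission,
                 sd_bus_error *error) {
+#ifdef HAVE_SELINUX
         _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
         const char *tclass = NULL, *scon = NULL;
         struct audit_info audit_info = {};
@@ -195,7 +199,7 @@ int selinux_generic_access_check(
         if (!mac_selinux_use())
                 return 0;
-        r = selinux_access_init(error);
+        r = mac_selinux_access_init(error);
         if (r < 0)
                 return r;
@@ -254,13 +258,17 @@ finish:
         }
         return r;
+#else
+        return 0;
+#endif
 }
-int selinux_unit_access_check_strv(char **units,
+int mac_selinux_unit_access_check_strv(char **units,
                                 sd_bus_message *message,
                                 Manager *m,
                                 const char *permission,
                                 sd_bus_error *error) {
+#ifdef HAVE_SELINUX
         char **i;
         Unit *u;
         int r;
@@ -268,35 +276,11 @@ int selinux_unit_access_check_strv(char **units,
         STRV_FOREACH(i, units) {
                 u = manager_get_unit(m, *i);
                 if (u) {
-                        r = selinux_unit_access_check(u, message, permission, error);
+                        r = mac_selinux_unit_access_check(u, message, permission, error);
                         if (r < 0)
                                 return r;
                 }
         }
-
-        return 0;
-}
-
-#else
-
-int selinux_generic_access_check(
-                sd_bus_message *message,
-                const char *path,
-                const char *permission,
-                sd_bus_error *error) {
-
-        return 0;
-}
-
-void selinux_access_free(void) {
-}
-
-int selinux_unit_access_check_strv(char **units,
-                                sd_bus_message *message,
-                                Manager *m,
-                                const char *permission,
-                                sd_bus_error *error) {
+#endif
         return 0;
 }
-
-#endif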
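Review bot: The new `#else` arm at the end of `mac_selinux_generic_access_check` (hunk -254,13 +258,17) and the `#endif` placed before the final `return 0;` of `mac_selinux_unit_access_check_strv` make a build without HAVE_SELINUX report success to every caller, and nothing at either spot says that 0 there means "no policy was consulted" rather than "policy allowed it". The block comment above the function covers only permissive mode, so I would extend it, or add `/* Built without SELinux: no MAC check is made, report success */` at the `#else` arm. Several callers in dbus-manager.c carry only an "Anyone can call this method" comment next to this call in the lines shown, which is why the pass-through deserves to be stated where it lives. Both function bodies continue outside the hunks shown, and the first added `#endif` closes a conditional that opens above the visible lines.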
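--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -26,26 +26,26 @@
 #include "bus-util.h"
 #include "manager.h"
-void selinux_access_free(void);
+void mac_selinux_access_free(void);
-int selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
+int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
-int selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
+int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
 #ifdef HAVE_SELINUX
-#define selinux_access_check(message, permission, error) \
-        selinux_generic_access_check((message), NULL, (permission), (error))
+#define mac_selinux_access_check(message, permission, error) \
+        mac_selinux_generic_access_check((message), NULL, (permission), (error))
-#define selinux_unit_access_check(unit, message, permission, error) \
+#define mac_selinux_unit_access_check(unit, message, permission, error) \
         ({ \
                 Unit *_unit = (unit); \
-                selinux_generic_access_check((message), _unit->fragment_path ?: _unit->fragment_path, (permission), (error)); \
+                mac_selinux_generic_access_check((message), _unit->fragment_path ?: _unit->fragment_path, (permission), (error)); \
         })
 #else
-#define selinux_access_check(message, permission, error) 0
-#define selinux_unit_access_check(unit, message, permission, error) 0
+#define mac_selinux_access_check(message, permission, error) 0
+#define mac_selinux_unit_access_check(unit, message, permission, error) 0
 #endif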
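Review bot: The renamed `mac_selinux_unit_access_check` macro still passes `_unit->fragment_path ?: _unit->fragment_path`, whose two operands are identical, so the fallback can never pick a different path and a unit without a fragment path hands NULL to `mac_selinux_generic_access_check`. The expression looks like it was meant to prefer another field first, presumably `_unit->source_path ?: _unit->fragment_path`; confirm against the Unit struct, which is not visible here. The path argument presumably selects the file whose label the check is made against, so a wrong or missing path changes which policy decision is taken, and the line is worth fixing while it is being touched. Separately, the `#else` macros expand to a bare `0` and never evaluate their arguments, which deserves a one-line comment such as `/* no SELinux support compiled in: checks always pass */`.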
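--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -43,7 +43,7 @@ static int null_log(int type, const char *fmt, ...) {
 }
 #endif
-int selinux_setup(bool *loaded_policy) {
+int mac_selinux_setup(bool *loaded_policy) {
 #ifdef HAVE_SELINUX
         int enforce = 0;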
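--- a/src/core/selinux-setup.h
+++ b/src/core/selinux-setup.h
@@ -23,4 +23,4 @@
 #include <stdbool.h>
-int selinux_setup(bool *loaded_policy);
+int mac_selinux_setup(bool *loaded_policy);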
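--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -116,7 +116,7 @@ static int write_rules(const char* dstpath, const char* srcdir) {
 #endif
-int smack_setup(bool *loaded_policy) {
+int mac_smack_setup(bool *loaded_policy) {
 #ifdef HAVE_SMACK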
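--- a/src/core/smack-setup.h
+++ b/src/core/smack-setup.h
@@ -23,4 +23,4 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
-int smack_setup(bool *loaded_policy);
+int mac_smack_setup(bool *loaded_policy);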