From: WaLyong Cho Date: Fri, 24 Oct 2014 12:15:25 +0000 (+0900) Subject: mac: add mac_ prefix to distinguish origin security apis X-Git-Tag: v217~21 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=8a188de9e0ea41509beda12084126d7a75ebe86e mac: add mac_ prefix to distinguish origin security apis --- diff --git a/src/core/dbus-job.c b/src/core/dbus-job.c index 3f7a28a73..09f573931 100644 --- a/src/core/dbus-job.c +++ b/src/core/dbus-job.c @@ -80,7 +80,7 @@ int bus_job_method_cancel(sd_bus *bus, sd_bus_message *message, void *userdata, if (r < 0) return r; - r = selinux_unit_access_check(j->unit, message, "stop", error); + r = mac_selinux_unit_access_check(j->unit, message, "stop", error); if (r < 0) return r; diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 57db1c9f6..c54abd3b4 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -363,7 +363,7 @@ static int method_get_unit(sd_bus *bus, sd_bus_message *message, void *userdata, if (!u) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name); - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -409,7 +409,7 @@ static int method_get_unit_by_pid(sd_bus *bus, sd_bus_message *message, void *us if (!u) return sd_bus_error_setf(error, BUS_ERROR_NO_UNIT_FOR_PID, "PID %u does not belong to any loaded unit.", pid); - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -441,7 +441,7 @@ static int method_load_unit(sd_bus *bus, sd_bus_message *message, void *userdata if (r < 0) return r; - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -648,7 +648,7 @@ static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, voi if (mode < 0) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode); - r = selinux_access_check(message, "start", error); + r = mac_selinux_access_check(message, "start", error); if (r < 0) return r; @@ -702,7 +702,7 @@ static int method_get_job(sd_bus *bus, sd_bus_message *message, void *userdata, if (!j) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id); - r = selinux_unit_access_check(j->unit, message, "status", error); + r = mac_selinux_unit_access_check(j->unit, message, "status", error); if (r < 0) return r; @@ -742,7 +742,7 @@ static int method_clear_jobs(sd_bus *bus, sd_bus_message *message, void *userdat assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -759,7 +759,7 @@ static int method_reset_failed(sd_bus *bus, sd_bus_message *message, void *userd assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -782,7 +782,7 @@ static int list_units_filtered(sd_bus *bus, sd_bus_message *message, void *userd /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -870,7 +870,7 @@ static int method_list_jobs(sd_bus *bus, sd_bus_message *message, void *userdata /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -922,7 +922,7 @@ static int method_subscribe(sd_bus *bus, sd_bus_message *message, void *userdata /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -957,7 +957,7 @@ static int method_unsubscribe(sd_bus *bus, sd_bus_message *message, void *userda /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -985,7 +985,7 @@ static int method_dump(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1016,7 +1016,7 @@ static int method_create_snapshot(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "start", error); + r = mac_selinux_access_check(message, "start", error); if (r < 0) return r; @@ -1048,7 +1048,7 @@ static int method_remove_snapshot(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "stop", error); + r = mac_selinux_access_check(message, "stop", error); if (r < 0) return r; @@ -1080,7 +1080,7 @@ static int method_reload(sd_bus *bus, sd_bus_message *message, void *userdata, s if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1114,7 +1114,7 @@ static int method_reexecute(sd_bus *bus, sd_bus_message *message, void *userdata if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1133,7 +1133,7 @@ static int method_exit(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1153,7 +1153,7 @@ static int method_reboot(sd_bus *bus, sd_bus_message *message, void *userdata, s assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1174,7 +1174,7 @@ static int method_poweroff(sd_bus *bus, sd_bus_message *message, void *userdata, assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1194,7 +1194,7 @@ static int method_halt(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1214,7 +1214,7 @@ static int method_kexec(sd_bus *bus, sd_bus_message *message, void *userdata, sd assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1236,7 +1236,7 @@ static int method_switch_root(sd_bus *bus, sd_bus_message *message, void *userda assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1300,7 +1300,7 @@ static int method_set_environment(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1326,7 +1326,7 @@ static int method_unset_environment(sd_bus *bus, sd_bus_message *message, void * assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1353,7 +1353,7 @@ static int method_unset_and_set_environment(sd_bus *bus, sd_bus_message *message assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1391,7 +1391,7 @@ static int method_list_unit_files(sd_bus *bus, sd_bus_message *message, void *us /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1444,7 +1444,7 @@ static int method_get_unit_file_state(sd_bus *bus, sd_bus_message *message, void /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1473,7 +1473,7 @@ static int method_get_default_target(sd_bus *bus, sd_bus_message *message, void /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1585,7 +1585,7 @@ static int method_enable_unit_files_generic( if (r < 0) return r; - r = selinux_unit_access_check_strv(l, message, m, verb, error); + r = mac_selinux_unit_access_check_strv(l, message, m, verb, error); if (r < 0) return r; @@ -1659,7 +1659,7 @@ static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *messa return -EINVAL; } - r = selinux_unit_access_check_strv(l, message, m, "enable", error); + r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); if (r < 0) return r; @@ -1696,7 +1696,7 @@ static int method_disable_unit_files_generic( if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, verb, error); + r = mac_selinux_access_check(message, verb, error); if (r < 0) return r; @@ -1743,7 +1743,7 @@ static int method_set_default_target(sd_bus *bus, sd_bus_message *message, void if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "enable", error); + r = mac_selinux_access_check(message, "enable", error); if (r < 0) return r; @@ -1779,7 +1779,7 @@ static int method_preset_all_unit_files(sd_bus *bus, sd_bus_message *message, vo if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "enable", error); + r = mac_selinux_access_check(message, "enable", error); if (r < 0) return r; @@ -1837,7 +1837,7 @@ static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message if (dep < 0) return -EINVAL; - r = selinux_unit_access_check_strv(l, message, m, "enable", error); + r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); if (r < 0) return r; diff --git a/src/core/dbus-snapshot.c b/src/core/dbus-snapshot.c index 2a5ef448c..06a58e429 100644 --- a/src/core/dbus-snapshot.c +++ b/src/core/dbus-snapshot.c @@ -33,7 +33,7 @@ int bus_snapshot_method_remove(sd_bus *bus, sd_bus_message *message, void *userd assert(message); assert(s); - r = selinux_unit_access_check(UNIT(s), message, "stop", error); + r = mac_selinux_unit_access_check(UNIT(s), message, "stop", error); if (r < 0) return r; diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c index 5f2276af9..9b13c6ed1 100644 --- a/src/core/dbus-unit.c +++ b/src/core/dbus-unit.c @@ -443,7 +443,7 @@ int bus_unit_method_kill(sd_bus *bus, sd_bus_message *message, void *userdata, s if (signo <= 0 || signo >= _NSIG) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Signal number out of range."); - r = selinux_unit_access_check(u, message, "stop", error); + r = mac_selinux_unit_access_check(u, message, "stop", error); if (r < 0) return r; @@ -468,7 +468,7 @@ int bus_unit_method_reset_failed(sd_bus *bus, sd_bus_message *message, void *use if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_unit_access_check(u, message, "reload", error); + r = mac_selinux_unit_access_check(u, message, "reload", error); if (r < 0) return r; @@ -495,7 +495,7 @@ int bus_unit_method_set_properties(sd_bus *bus, sd_bus_message *message, void *u if (r < 0) return r; - r = selinux_unit_access_check(u, message, "start", error); + r = mac_selinux_unit_access_check(u, message, "start", error); if (r < 0) return r; @@ -757,7 +757,7 @@ int bus_unit_queue_job( type = JOB_RELOAD; } - r = selinux_unit_access_check( + r = mac_selinux_unit_access_check( u, message, (type == JOB_START || type == JOB_RESTART || type == JOB_TRY_RESTART) ? "start" : type == JOB_STOP ? "stop" : "reload", error); diff --git a/src/core/dbus.c b/src/core/dbus.c index 09b4a4ac6..185057b62 100644 --- a/src/core/dbus.c +++ b/src/core/dbus.c @@ -211,7 +211,7 @@ failed: } #ifdef HAVE_SELINUX -static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { +static int mac_selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { Manager *m = userdata; const char *verb, *path; Unit *u = NULL; @@ -239,7 +239,7 @@ static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, if (object_path_startswith("/org/freedesktop/systemd1", path)) { - r = selinux_access_check(message, verb, error); + r = mac_selinux_access_check(message, verb, error); if (r < 0) return r; @@ -270,7 +270,7 @@ static int selinux_filter(sd_bus *bus, sd_bus_message *message, void *userdata, if (!u) return 0; - r = selinux_unit_access_check(u, message, verb, error); + r = mac_selinux_unit_access_check(u, message, verb, error); if (r < 0) return r; @@ -536,7 +536,7 @@ static int bus_setup_api_vtables(Manager *m, sd_bus *bus) { assert(bus); #ifdef HAVE_SELINUX - r = sd_bus_add_filter(bus, NULL, selinux_filter, m); + r = sd_bus_add_filter(bus, NULL, mac_selinux_filter, m); if (r < 0) { log_error("Failed to add SELinux access filter: %s", strerror(-r)); return r; diff --git a/src/core/main.c b/src/core/main.c index a0a6ae1f0..d48604e67 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1293,11 +1293,11 @@ int main(int argc, char *argv[]) { if (!skip_setup) { mount_setup_early(); dual_timestamp_get(&security_start_timestamp); - if (selinux_setup(&loaded_policy) < 0) + if (mac_selinux_setup(&loaded_policy) < 0) goto finish; if (ima_setup() < 0) goto finish; - if (smack_setup(&loaded_policy) < 0) + if (mac_smack_setup(&loaded_policy) < 0) goto finish; dual_timestamp_get(&security_finish_timestamp); } diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index 351d48f8a..a4694b33f 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -142,7 +142,7 @@ static int access_init(void) { return r; } -static int selinux_access_init(sd_bus_error *error) { +static int mac_selinux_access_init(sd_bus_error *error) { int r; if (initialized) @@ -158,14 +158,17 @@ static int selinux_access_init(sd_bus_error *error) { initialized = true; return 0; } +#endif -void selinux_access_free(void) { +void mac_selinux_access_free(void) { +#ifdef HAVE_SELINUX if (!initialized) return; avc_destroy(); initialized = false; +#endif } /* @@ -174,12 +177,13 @@ void selinux_access_free(void) { If the machine is in permissive mode it will return ok. Audit messages will still be generated if the access would be denied in enforcing mode. */ -int selinux_generic_access_check( +int mac_selinux_generic_access_check( sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error) { +#ifdef HAVE_SELINUX _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL; const char *tclass = NULL, *scon = NULL; struct audit_info audit_info = {}; @@ -195,7 +199,7 @@ int selinux_generic_access_check( if (!mac_selinux_use()) return 0; - r = selinux_access_init(error); + r = mac_selinux_access_init(error); if (r < 0) return r; @@ -254,13 +258,17 @@ finish: } return r; +#else + return 0; +#endif } -int selinux_unit_access_check_strv(char **units, +int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error) { +#ifdef HAVE_SELINUX char **i; Unit *u; int r; @@ -268,35 +276,11 @@ int selinux_unit_access_check_strv(char **units, STRV_FOREACH(i, units) { u = manager_get_unit(m, *i); if (u) { - r = selinux_unit_access_check(u, message, permission, error); + r = mac_selinux_unit_access_check(u, message, permission, error); if (r < 0) return r; } } - - return 0; -} - -#else - -int selinux_generic_access_check( - sd_bus_message *message, - const char *path, - const char *permission, - sd_bus_error *error) { - - return 0; -} - -void selinux_access_free(void) { -} - -int selinux_unit_access_check_strv(char **units, - sd_bus_message *message, - Manager *m, - const char *permission, - sd_bus_error *error) { +#endif return 0; } - -#endif diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h index 6a4362a73..bccf0d291 100644 --- a/src/core/selinux-access.h +++ b/src/core/selinux-access.h @@ -26,26 +26,26 @@ #include "bus-util.h" #include "manager.h" -void selinux_access_free(void); +void mac_selinux_access_free(void); -int selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error); +int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error); -int selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error); +int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error); #ifdef HAVE_SELINUX -#define selinux_access_check(message, permission, error) \ - selinux_generic_access_check((message), NULL, (permission), (error)) +#define mac_selinux_access_check(message, permission, error) \ + mac_selinux_generic_access_check((message), NULL, (permission), (error)) -#define selinux_unit_access_check(unit, message, permission, error) \ +#define mac_selinux_unit_access_check(unit, message, permission, error) \ ({ \ Unit *_unit = (unit); \ - selinux_generic_access_check((message), _unit->fragment_path ?: _unit->fragment_path, (permission), (error)); \ + mac_selinux_generic_access_check((message), _unit->fragment_path ?: _unit->fragment_path, (permission), (error)); \ }) #else -#define selinux_access_check(message, permission, error) 0 -#define selinux_unit_access_check(unit, message, permission, error) 0 +#define mac_selinux_access_check(message, permission, error) 0 +#define mac_selinux_unit_access_check(unit, message, permission, error) 0 #endif diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c index 4e615c2b6..25e22b6c7 100644 --- a/src/core/selinux-setup.c +++ b/src/core/selinux-setup.c @@ -43,7 +43,7 @@ static int null_log(int type, const char *fmt, ...) { } #endif -int selinux_setup(bool *loaded_policy) { +int mac_selinux_setup(bool *loaded_policy) { #ifdef HAVE_SELINUX int enforce = 0; diff --git a/src/core/selinux-setup.h b/src/core/selinux-setup.h index 39e2bc25b..9ac227657 100644 --- a/src/core/selinux-setup.h +++ b/src/core/selinux-setup.h @@ -23,4 +23,4 @@ #include -int selinux_setup(bool *loaded_policy); +int mac_selinux_setup(bool *loaded_policy); diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c index 5d8a26c61..d0fd1809f 100644 --- a/src/core/smack-setup.c +++ b/src/core/smack-setup.c @@ -116,7 +116,7 @@ static int write_rules(const char* dstpath, const char* srcdir) { #endif -int smack_setup(bool *loaded_policy) { +int mac_smack_setup(bool *loaded_policy) { #ifdef HAVE_SMACK diff --git a/src/core/smack-setup.h b/src/core/smack-setup.h index 892709669..1cab7718f 100644 --- a/src/core/smack-setup.h +++ b/src/core/smack-setup.h @@ -23,4 +23,4 @@ along with systemd; If not, see . ***/ -int smack_setup(bool *loaded_policy); +int mac_smack_setup(bool *loaded_policy);