[systemd-commits] 2 commits - Makefile.am src/core src/shared
Lennart Poettering
lennart at kemper.freedesktop.org
Tue Oct 2 14:57:21 PDT 2012
Makefile.am | 4 +
src/core/audit-fd.c | 73 +++++++++++++++++++++++++++++++
src/core/audit-fd.h | 25 ++++++++++
src/core/dbus-job.c | 2
src/core/dbus-manager.c | 50 ++++++++++-----------
src/core/dbus-unit.c | 2
src/core/manager.c | 27 ++---------
src/core/manager.h | 5 --
src/core/selinux-access.c | 107 ++++++++++++----------------------------------
src/core/selinux-access.h | 17 ++++---
src/shared/audit.h | 3 +
11 files changed, 176 insertions(+), 139 deletions(-)
New commits:
commit ffc227c9568eb0a12dc750761d1e5d68ea125aad
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Oct 2 17:56:54 2012 -0400
selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind
diff --git a/src/core/audit-fd.c b/src/core/audit-fd.c
index 0a8626f..5955bd8 100644
--- a/src/core/audit-fd.c
+++ b/src/core/audit-fd.c
@@ -19,16 +19,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <stdbool.h>
-#include <errno.h>
+#include <errno.h>
#include "audit-fd.h"
-#include "log.h"
#ifdef HAVE_AUDIT
+#include <stdbool.h>
#include <libaudit.h>
+#include "log.h"
+#include "util.h"
+
static bool initialized = false;
static int audit_fd;
diff --git a/src/core/dbus-job.c b/src/core/dbus-job.c
index 5a74684..fdc1dce 100644
--- a/src/core/dbus-job.c
+++ b/src/core/dbus-job.c
@@ -143,7 +143,7 @@ static DBusHandlerResult bus_job_message_handler(DBusConnection *connection, DBu
Iterator i;
size_t size;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index b1b9078..9cdecfc 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -755,7 +755,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "ClearJobs")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
manager_clear_jobs(m);
@@ -765,7 +765,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "ResetFailed")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
+ SELINUX_ACCESS_CHECK(connection, message, "reload");
manager_reset_failed(m);
@@ -804,7 +804,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
Unit *u;
const char *k;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@@ -887,7 +887,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
Iterator i;
Job *j;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@@ -946,7 +946,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char *client;
Set *s;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
s = BUS_CONNECTION_SUBSCRIBED(m, connection);
if (!s) {
@@ -977,7 +977,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Unsubscribe")) {
char *client;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
client = set_remove(BUS_CONNECTION_SUBSCRIBED(m, connection), (char*) bus_message_get_sender_with_fallback(message));
if (!client) {
@@ -996,7 +996,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char *dump = NULL;
size_t size;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@@ -1028,7 +1028,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
dbus_bool_t cleanup;
Snapshot *s;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "start");
+ SELINUX_ACCESS_CHECK(connection, message, "start");
if (!dbus_message_get_args(
message,
@@ -1068,7 +1068,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
const char *k;
size_t size;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@@ -1127,7 +1127,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reload")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
+ SELINUX_ACCESS_CHECK(connection, message, "reload");
assert(!m->queued_message);
@@ -1145,7 +1145,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reexecute")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
+ SELINUX_ACCESS_CHECK(connection, message, "reload");
/* We don't send a reply back here, the client should
* just wait for us disconnecting. */
@@ -1154,7 +1154,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Exit")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
+ SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as == SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Exit is only supported for user service managers.");
@@ -1169,7 +1169,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reboot")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Reboot is only supported for system managers.");
@@ -1184,7 +1184,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "PowerOff")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
+ SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Powering off is only supported for system managers.");
@@ -1199,7 +1199,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Halt")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
+ SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Halting is only supported for system managers.");
@@ -1214,7 +1214,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "KExec")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "kexec is only supported for system managers.");
@@ -1232,7 +1232,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char *u, *v;
int k;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (!dbus_message_get_args(
message,
@@ -1296,7 +1296,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "SetEnvironment")) {
char **l = NULL, **e = NULL;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
r = bus_parse_strv(message, &l);
if (r == -ENOMEM)
@@ -1321,7 +1321,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "UnsetEnvironment")) {
char **l = NULL, **e = NULL;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
r = bus_parse_strv(message, &l);
if (r == -ENOMEM)
@@ -1347,7 +1347,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char **l_set = NULL, **l_unset = NULL, **e = NULL, **f = NULL;
DBusMessageIter iter;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (!dbus_message_iter_init(message, &iter))
goto oom;
@@ -1400,7 +1400,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
Iterator i;
UnitFileList *item;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@@ -1449,7 +1449,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
UnitFileState state;
const char *s;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
if (!dbus_message_get_args(
message,
@@ -1488,7 +1488,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
dbus_bool_t runtime, force;
int carries_install_info = -1;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
+ SELINUX_ACCESS_CHECK(connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
if (!dbus_message_iter_init(message, &iter))
goto oom;
@@ -1548,7 +1548,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
unsigned n_changes = 0;
dbus_bool_t runtime;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
+ SELINUX_ACCESS_CHECK(connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
if (!dbus_message_iter_init(message, &iter))
goto oom;
@@ -1595,7 +1595,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
{ NULL, }
};
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
return bus_default_message_handler(connection, message, NULL, INTERFACES_LIST, bps);
}
diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 6bf331e..83ee018 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -526,7 +526,7 @@ static DBusHandlerResult bus_unit_message_handler(DBusConnection *connection, DB
if (streq(dbus_message_get_path(message), "/org/freedesktop/systemd1/unit")) {
/* Be nice to gdbus and return introspection data for our mid-level paths */
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
if (dbus_message_is_method_call(message, "org.freedesktop.DBus.Introspectable", "Introspect")) {
char *introspection = NULL;
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 9ddc042..4b1dc74 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -19,30 +19,28 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include "util.h"
-#include "job.h"
-#include "manager.h"
#include "selinux-access.h"
#ifdef HAVE_SELINUX
-#include "dbus.h"
-#include "log.h"
-#include "dbus-unit.h"
-#include "bus-errors.h"
-#include "dbus-common.h"
-#include "audit.h"
-#include "selinux-util.h"
-#include "audit-fd.h"
#include <stdio.h>
#include <string.h>
#include <errno.h>
+#include <limits.h>
#include <selinux/selinux.h>
#include <selinux/avc.h>
#ifdef HAVE_AUDIT
#include <libaudit.h>
#endif
-#include <limits.h>
+#include <dbus.h>
+
+#include "util.h"
+#include "log.h"
+#include "bus-errors.h"
+#include "dbus-common.h"
+#include "audit.h"
+#include "selinux-util.h"
+#include "audit-fd.h"
static bool initialized = false;
@@ -210,7 +208,7 @@ static int access_init(void) {
return r;
}
-static int selinux_init(DBusError *error) {
+static int selinux_access_init(DBusError *error) {
int r;
if (initialized)
@@ -228,6 +226,14 @@ static int selinux_init(DBusError *error) {
return 0;
}
+void selinux_access_free(void) {
+ if (!initialized)
+ return;
+
+ avc_destroy();
+ initialized = false;
+}
+
static int get_audit_data(
DBusConnection *connection,
DBusMessage *message,
@@ -314,7 +320,7 @@ static int get_calling_context(
If the machine is in permissive mode it will return ok. Audit messages will
still be generated if the access would be denied in enforcing mode.
*/
-static int selinux_access_check(
+int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
const char *path,
@@ -331,13 +337,13 @@ static int selinux_access_check(
assert(permission);
assert(error);
- r = selinux_init(error);
- if (r < 0)
- return r;
-
if (!use_selinux())
return 0;
+ r = selinux_access_init(error);
+ if (r < 0)
+ return r;
+
log_debug("SELinux access check for path=%s permission=%s", strna(path), permission);
audit.uid = audit.loginuid = (uid_t) -1;
@@ -398,69 +404,19 @@ finish:
return r;
}
-int selinux_unit_access_check(
- Unit *u,
- DBusConnection *connection,
- DBusMessage *message,
- const char *permission,
- DBusError *error) {
-
- assert(u);
- assert(connection);
- assert(message);
- assert(permission);
- assert(error);
-
- return selinux_access_check(connection, message, u->source_path ? u->source_path : u->fragment_path, permission, error);
-}
-
-int selinux_manager_access_check(
- Manager *m,
- DBusConnection *connection,
- DBusMessage *message,
- const char *permission,
- DBusError *error) {
-
- assert(m);
- assert(connection);
- assert(message);
- assert(permission);
- assert(error);
-
- return selinux_access_check(connection, message, NULL, permission, error);
-}
-
-void selinux_access_finish(void) {
- if (!initialized)
- return;
-
- avc_destroy();
- initialized = false;
-}
-
#else
-int selinux_unit_access_check(
- Unit *u,
- DBusConnection *connection,
- DBusMessage *message,
- const char *permission,
- DBusError *error) {
-
- return 0;
-}
-
-int selinux_manager_access_check(
- Manager *m,
+int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
+ const char *path,
const char *permission,
DBusError *error) {
return 0;
}
-void selinux_access_finish(void) {
+void selinux_access_free(void) {
}
#endif
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index 5902b2f..9183cbc 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -21,20 +21,22 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-void selinux_access_finish(void);
-int selinux_manager_access_check(Manager *manager, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
-int selinux_unit_access_check(Unit *unit, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
+#include <dbus.h>
+
+void selinux_access_free(void);
+
+int selinux_access_check(DBusConnection *connection, DBusMessage *message, const char *path, const char *permission, DBusError *error);
#ifdef HAVE_SELINUX
-#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) \
+#define SELINUX_ACCESS_CHECK(connection, message, permission) \
do { \
DBusError _error; \
int _r; \
DBusConnection *_c = (connection); \
DBusMessage *_m = (message); \
dbus_error_init(&_error); \
- _r = selinux_manager_access_check((manager), _c, _m, (permission), &_error); \
+ _r = selinux_access_check(_c, _m, NULL, (permission), &_error); \
if (_r < 0) \
return bus_send_error_reply(_c, _m, &_error, _r); \
} while (false)
@@ -45,15 +47,16 @@ int selinux_unit_access_check(Unit *unit, DBusConnection *connection, DBusMessag
int _r; \
DBusConnection *_c = (connection); \
DBusMessage *_m = (message); \
+ Unit *_u = (unit); \
dbus_error_init(&_error); \
- _r = selinux_unit_access_check((unit), _c, _m, (permission), &_error); \
+ _r = selinux_access_check(_c, _m, _u->source_path ?: _u->fragment_path, (permission), &_error); \
if (_r < 0) \
return bus_send_error_reply(_c, _m, &_error, _r); \
} while (false)
#else
-#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) do { } while (false)
+#define SELINUX_ACCESS_CHECK(connection, message, permission) do { } while (false)
#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) do { } while (false)
#endif
commit c1165f822cd9f8c3467b5f825ce933ab8374b361
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Oct 2 17:40:09 2012 -0400
audit: turn the audit fd into a static variable
As audit is pretty much just a special kind of logging we should treat
it similar, and manage the audit fd in a static variable.
This simplifies the audit fd sharing with the SELinux access checking
code quite a bit.
diff --git a/Makefile.am b/Makefile.am
index 031e1ac..6836851 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1020,7 +1020,9 @@ libsystemd_core_la_SOURCES = \
src/core/killall.h \
src/core/killall.c \
src/core/syscall-list.c \
- src/core/syscall-list.h
+ src/core/syscall-list.h \
+ src/core/audit-fd.c \
+ src/core/audit-fd.h
nodist_libsystemd_core_la_SOURCES = \
src/core/load-fragment-gperf.c \
diff --git a/src/core/audit-fd.c b/src/core/audit-fd.c
new file mode 100644
index 0000000..0a8626f
--- /dev/null
+++ b/src/core/audit-fd.c
@@ -0,0 +1,71 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2012 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+#include <errno.h>
+
+#include "audit-fd.h"
+#include "log.h"
+
+#ifdef HAVE_AUDIT
+
+#include <libaudit.h>
+
+static bool initialized = false;
+static int audit_fd;
+
+int get_audit_fd(void) {
+
+ if (!initialized) {
+ audit_fd = audit_open();
+
+ if (audit_fd < 0) {
+ if (errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT)
+ log_error("Failed to connect to audit log: %m");
+
+ audit_fd = errno ? -errno : -EINVAL;
+ }
+
+ initialized = true;
+ }
+
+ return audit_fd;
+}
+
+void close_audit_fd(void) {
+
+ if (initialized && audit_fd >= 0)
+ close_nointr_nofail(audit_fd);
+
+ initialized = true;
+ audit_fd = -ECONNRESET;
+}
+
+#else
+
+int get_audit_fd(void) {
+ return -EAFNOSUPPORT;
+}
+
+void close_audit_fd(void) {
+}
+
+#endif
diff --git a/src/core/audit-fd.h b/src/core/audit-fd.h
new file mode 100644
index 0000000..8b58289
--- /dev/null
+++ b/src/core/audit-fd.h
@@ -0,0 +1,25 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2012 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int get_audit_fd(void);
+void close_audit_fd(void);
diff --git a/src/core/manager.c b/src/core/manager.c
index 3cd9915..6fecbc3 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -68,6 +68,7 @@
#include "watchdog.h"
#include "cgroup-util.h"
#include "path-util.h"
+#include "audit-fd.h"
/* As soon as 16 units are in our GC queue, make sure to run a gc sweep */
#define GC_QUEUE_ENTRIES_MAX 16
@@ -257,10 +258,6 @@ int manager_new(SystemdRunningAs running_as, Manager **_m) {
m->pin_cgroupfs_fd = -1;
m->idle_pipe[0] = m->idle_pipe[1] = -1;
-#ifdef HAVE_AUDIT
- m->audit_fd = -1;
-#endif
-
m->signal_watch.fd = m->mount_watch.fd = m->udev_watch.fd = m->epoll_fd = m->dev_autofs_fd = m->swap_watch.fd = -1;
m->current_job_id = 1; /* start as id #1, so that we can leave #0 around as "null-like" value */
@@ -307,14 +304,6 @@ int manager_new(SystemdRunningAs running_as, Manager **_m) {
if ((r = bus_init(m, running_as != SYSTEMD_SYSTEM)) < 0)
goto fail;
-#ifdef HAVE_AUDIT
- if ((m->audit_fd = audit_open()) < 0 &&
- /* If the kernel lacks netlink or audit support,
- * don't worry about it. */
- errno != EAFNOSUPPORT && errno != EPROTONOSUPPORT)
- log_error("Failed to connect to audit log: %m");
-#endif
-
m->taint_usr = dir_is_empty("/usr") > 0;
*_m = m;
@@ -498,11 +487,6 @@ void manager_free(Manager *m) {
if (m->notify_watch.fd >= 0)
close_nointr_nofail(m->notify_watch.fd);
-#ifdef HAVE_AUDIT
- if (m->audit_fd >= 0)
- audit_close(m->audit_fd);
-#endif
-
free(m->notify_socket);
lookup_paths_free(&m->lookup_paths);
@@ -1553,8 +1537,10 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
#ifdef HAVE_AUDIT
char *p;
+ int audit_fd;
- if (m->audit_fd < 0)
+ audit_fd = get_audit_fd();
+ if (audit_fd < 0)
return;
/* Don't generate audit events if the service was already
@@ -1573,12 +1559,11 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
return;
}
- if (audit_log_user_comm_message(m->audit_fd, type, "", p, NULL, NULL, NULL, success) < 0) {
+ if (audit_log_user_comm_message(audit_fd, type, "", p, NULL, NULL, NULL, success) < 0) {
if (errno == EPERM) {
/* We aren't allowed to send audit messages?
* Then let's not retry again. */
- audit_close(m->audit_fd);
- m->audit_fd = -1;
+ close_audit_fd();
} else
log_warning("Failed to send audit message: %m");
}
diff --git a/src/core/manager.h b/src/core/manager.h
index 913752f..2214502 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -200,11 +200,6 @@ struct Manager {
* file system */
int pin_cgroupfs_fd;
- /* Audit fd */
-#ifdef HAVE_AUDIT
- int audit_fd;
-#endif
-
/* Flags */
SystemdRunningAs running_as;
ManagerExitCode exit_code:5;
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 3a244ad..9ddc042 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -32,6 +32,7 @@
#include "dbus-common.h"
#include "audit.h"
#include "selinux-util.h"
+#include "audit-fd.h"
#include <stdio.h>
#include <string.h>
@@ -44,7 +45,6 @@
#include <limits.h>
static bool initialized = false;
-static int audit_fd = -1;
struct auditstruct {
const char *path;
@@ -169,11 +169,11 @@ static int log_callback(int type, const char *fmt, ...) {
va_start(ap, fmt);
#ifdef HAVE_AUDIT
- if (audit_fd >= 0) {
+ if (get_audit_fd() >= 0) {
char buf[LINE_MAX];
vsnprintf(buf, sizeof(buf), fmt, ap);
- audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+ audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
va_end(ap);
return 0;
@@ -210,12 +210,9 @@ static int access_init(void) {
return r;
}
-static int selinux_init(Manager *m, DBusError *error) {
+static int selinux_init(DBusError *error) {
int r;
-#ifdef HAVE_AUDIT
- audit_fd = m->audit_fd;
-#endif
if (initialized)
return 0;
@@ -318,7 +315,6 @@ static int get_calling_context(
still be generated if the access would be denied in enforcing mode.
*/
static int selinux_access_check(
- Manager *m,
DBusConnection *connection,
DBusMessage *message,
const char *path,
@@ -330,13 +326,12 @@ static int selinux_access_check(
const char *tclass = NULL;
struct auditstruct audit;
- assert(m);
assert(connection);
assert(message);
assert(permission);
assert(error);
- r = selinux_init(m, error);
+ r = selinux_init(error);
if (r < 0)
return r;
@@ -416,7 +411,7 @@ int selinux_unit_access_check(
assert(permission);
assert(error);
- return selinux_access_check(u->manager, connection, message, u->source_path ? u->source_path : u->fragment_path, permission, error);
+ return selinux_access_check(connection, message, u->source_path ? u->source_path : u->fragment_path, permission, error);
}
int selinux_manager_access_check(
@@ -432,7 +427,7 @@ int selinux_manager_access_check(
assert(permission);
assert(error);
- return selinux_access_check(m, connection, message, NULL, permission, error);
+ return selinux_access_check(connection, message, NULL, permission, error);
}
void selinux_access_finish(void) {
diff --git a/src/shared/audit.h b/src/shared/audit.h
index f2740bc..490a0b0 100644
--- a/src/shared/audit.h
+++ b/src/shared/audit.h
@@ -22,8 +22,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <sys/types.h>
+
#include "capability.h"
int audit_session_from_pid(pid_t pid, uint32_t *id);
int audit_loginuid_from_pid(pid_t pid, uid_t *uid);
+
#endif
More information about the systemd-commits
mailing list