[systemd-commits] 13 commits - src/core src/machine src/shared src/tmpfiles src/udev src/update-done
Lennart Poettering
lennart at kemper.freedesktop.org
Thu Oct 23 12:52:26 PDT 2014
src/core/namespace.c | 4
src/core/socket.c | 79 ++++++----
src/machine/machined.c | 1
src/shared/dev-setup.c | 22 --
src/shared/fileio-label.c | 12 -
src/shared/label.c | 61 ++++++--
src/shared/label.h | 3
src/shared/mkdir-label.c | 36 ----
src/shared/mkdir.c | 14 -
src/shared/mkdir.h | 2
src/shared/selinux-util.c | 309 ++++++++++++++++--------------------------
src/shared/selinux-util.h | 21 --
src/shared/smack-util.c | 135 ++++++++++++------
src/shared/smack-util.h | 14 -
src/shared/socket-label.c | 4
src/shared/util.c | 17 +-
src/shared/util.h | 1
src/tmpfiles/tmpfiles.c | 28 +--
src/udev/udev-node.c | 23 +--
src/update-done/update-done.c | 4
20 files changed, 395 insertions(+), 395 deletions(-)
New commits:
commit be57e297acd0ae41044c99a7c41f95a8339a314c
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 21:36:38 2014 +0200
label: move is_dir() to util.c
diff --git a/src/shared/mkdir.c b/src/shared/mkdir.c
index fabd9e2..ef3f494 100644
--- a/src/shared/mkdir.c
+++ b/src/shared/mkdir.c
@@ -58,20 +58,6 @@ int mkdir_safe(const char *path, mode_t mode, uid_t uid, gid_t gid) {
return mkdir_safe_internal(path, mode, uid, gid, mkdir);
}
-int is_dir(const char* path, bool follow) {
- struct stat st;
-
- if (follow) {
- if (stat(path, &st) < 0)
- return -errno;
- } else {
- if (lstat(path, &st) < 0)
- return -errno;
- }
-
- return S_ISDIR(st.st_mode);
-}
-
int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, mkdir_func_t _mkdir) {
const char *p, *e;
int r;
diff --git a/src/shared/mkdir.h b/src/shared/mkdir.h
index d2794ea..e317df3 100644
--- a/src/shared/mkdir.h
+++ b/src/shared/mkdir.h
@@ -39,4 +39,3 @@ typedef int (*mkdir_func_t)(const char *pathname, mode_t mode);
int mkdir_safe_internal(const char *path, mode_t mode, uid_t uid, gid_t gid, mkdir_func_t _mkdir);
int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, mkdir_func_t _mkdir);
int mkdir_p_internal(const char *prefix, const char *path, mode_t mode, mkdir_func_t _mkdir);
-int is_dir(const char *path, bool is_dir);
diff --git a/src/shared/util.c b/src/shared/util.c
index 5f6249e..bc97c67 100644
--- a/src/shared/util.c
+++ b/src/shared/util.c
@@ -6933,10 +6933,21 @@ int is_symlink(const char *path) {
if (lstat(path, &info) < 0)
return -errno;
- if (S_ISLNK(info.st_mode))
- return 1;
+ return !!S_ISLNK(info.st_mode);
+}
- return 0;
+int is_dir(const char* path, bool follow) {
+ struct stat st;
+
+ if (follow) {
+ if (stat(path, &st) < 0)
+ return -errno;
+ } else {
+ if (lstat(path, &st) < 0)
+ return -errno;
+ }
+
+ return !!S_ISDIR(st.st_mode);
}
int unquote_first_word(const char **p, char **ret) {
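Review bot: is_dir() folds its error path into its truth value: a failed stat()/lstat() returns -errno, which is non-zero, so a caller written as `if (is_dir(p, false))` treats ENOENT or EACCES as "is a directory"; is_symlink() just above has the same shape, and the new `!!` only normalises the positive case. The contract should be stated on both functions so callers compare against `> 0`, e.g. `/* Returns 1 if the path is a directory, 0 if it is not, negative errno if stat() failed; test for < 0 before using the result as a boolean. */`. For is_dir() the comment should also say that `follow=false` reports a symlink pointing at a directory as 0.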
diff --git a/src/shared/util.h b/src/shared/util.h
index 21a90a4..887cdc4 100644
--- a/src/shared/util.h
+++ b/src/shared/util.h
@@ -991,6 +991,7 @@ bool is_localhost(const char *hostname);
int take_password_lock(const char *root);
int is_symlink(const char *path);
+int is_dir(const char *path, bool follow);
int unquote_first_word(const char **p, char **ret);
int unquote_many_words(const char **p, ...) _sentinel_;
commit c34255bdb217c2a1d3ac6348252437ab8be9ca46
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 19:58:45 2014 +0200
label: unify code to make directories, symlinks
diff --git a/src/machine/machined.c b/src/machine/machined.c
index 71c8189..966475b 100644
--- a/src/machine/machined.c
+++ b/src/machine/machined.c
@@ -35,6 +35,7 @@
#include "bus-util.h"
#include "bus-error.h"
#include "machined.h"
+#include "label.h"
Manager *manager_new(void) {
Manager *m;
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index ae1c3d9..e8b0810 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -32,24 +32,6 @@
#include "util.h"
#include "label.h"
-static int symlink_and_label(const char *old_path, const char *new_path) {
- int r;
-
- assert(old_path);
- assert(new_path);
-
- r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
- if (r < 0)
- return r;
-
- if (symlink(old_path, new_path) < 0)
- r = -errno;
-
- mac_selinux_create_file_clear();
-
- return r;
-}
-
int dev_setup(const char *prefix) {
const char *j, *k;
@@ -75,9 +57,9 @@ int dev_setup(const char *prefix) {
if (!link_name)
return -ENOMEM;
- symlink_and_label(j, link_name);
+ symlink_label(j, link_name);
} else
- symlink_and_label(j, k);
+ symlink_label(j, k);
}
return 0;
diff --git a/src/shared/label.c b/src/shared/label.c
index 38992be..0af41af 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -35,3 +35,44 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
return 0;
}
+
+int mkdir_label(const char *path, mode_t mode) {
+ int r;
+
+ assert(path);
+
+ r = mac_selinux_create_file_prepare(path, S_IFDIR);
+ if (r < 0)
+ return r;
+
+ if (mkdir(path, mode) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(path, false, false);
+}
+
+int symlink_label(const char *old_path, const char *new_path) {
+ int r;
+
+ assert(old_path);
+ assert(new_path);
+
+ r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
+ if (r < 0)
+ return r;
+
+ if (symlink(old_path, new_path) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(new_path, false, false);
+}
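Review bot: In both new helpers the SMACK label is applied by path after the object already exists (`return mac_smack_fix(path, false, false);` and `return mac_smack_fix(new_path, false, false);`), whereas the SELinux context is staged beforehand through the fscreatecon, so under SMACK the directory or symlink is first created with the creating process's default label and relabelled in a second, path-based step. What that window means depends on mac_smack_fix(), whose body is not in this diff, and on whether anything else can touch the parent directory at that moment, so I would at least document it. Note also that when mac_smack_fix() fails the object has already been created but the caller gets an error as if creation itself had failed; mkdir_safe_internal()/mkdir_p_internal() callers then see a directory that exists but carries the wrong label. A comment such as `/* SELinux context is set at creation time via fscreatecon; the SMACK label is applied afterwards by path, so a failure here leaves the object behind with its default label. */` would make the asymmetry explicit.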
diff --git a/src/shared/label.h b/src/shared/label.h
index 1859f84..3428a8b 100644
--- a/src/shared/label.h
+++ b/src/shared/label.h
@@ -25,3 +25,6 @@
#include "smack-util.h"
int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
+
+int mkdir_label(const char *path, mode_t mode);
+int symlink_label(const char *old_path, const char *new_path);
diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
index 8b35386..ee11ac0 100644
--- a/src/shared/mkdir-label.c
+++ b/src/shared/mkdir-label.c
@@ -32,39 +32,14 @@
#include "path-util.h"
#include "mkdir.h"
-static int label_mkdir(const char *path, mode_t mode) {
- int r;
-
- if (mac_selinux_use())
- return mac_selinux_mkdir(path, mode);
-
- if (mac_smack_use()) {
- r = mkdir(path, mode);
- if (r < 0)
- return -errno;
-
- return mac_smack_fix(path, false, false);
- }
-
- r = mkdir(path, mode);
- if (r < 0)
- return -errno;
-
- return 0;
-}
-
-int mkdir_label(const char *path, mode_t mode) {
- return label_mkdir(path, mode);
-}
-
int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid) {
- return mkdir_safe_internal(path, mode, uid, gid, label_mkdir);
+ return mkdir_safe_internal(path, mode, uid, gid, mkdir_label);
}
int mkdir_parents_label(const char *path, mode_t mode) {
- return mkdir_parents_internal(NULL, path, mode, label_mkdir);
+ return mkdir_parents_internal(NULL, path, mode, mkdir_label);
}
int mkdir_p_label(const char *path, mode_t mode) {
- return mkdir_p_internal(NULL, path, mode, label_mkdir);
+ return mkdir_p_internal(NULL, path, mode, mkdir_label);
}
diff --git a/src/shared/mkdir.h b/src/shared/mkdir.h
index 1586214..d2794ea 100644
--- a/src/shared/mkdir.h
+++ b/src/shared/mkdir.h
@@ -30,7 +30,6 @@ int mkdir_parents(const char *path, mode_t mode);
int mkdir_p(const char *path, mode_t mode);
/* mandatory access control(MAC) versions */
-int mkdir_label(const char *path, mode_t mode);
int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid);
int mkdir_parents_label(const char *path, mode_t mode);
int mkdir_p_label(const char *path, mode_t mode);
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 0d8c6c2..4332c91 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -319,7 +319,18 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
if (!label_hnd)
return 0;
- r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+ if (path_is_absolute(path))
+ r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+ else {
+ _cleanup_free_ char *newpath;
+
+ newpath = path_make_absolute_cwd(path);
+ if (!newpath)
+ return -ENOMEM;
+
+ r = selabel_lookup_raw(label_hnd, &filecon, newpath, S_IFDIR);
+ }
+
if (r < 0 && errno != ENOENT)
r = -errno;
else if (r == 0) {
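Review bot: The relative-path branch looks up the wrong object type: `r = selabel_lookup_raw(label_hnd, &filecon, newpath, S_IFDIR);` hard-codes S_IFDIR while the absolute branch passes the caller's `mode`. This function is now the single labelling hook for regular files, FIFOs, symlinks and device nodes (see the tmpfiles, udev and update-done hunks), so any relative path would have its fscreatecon computed from the policy's directory rule rather than the rule for the object actually being created, producing an object with the wrong SELinux context. The constant looks carried over from the mac_selinux_mkdir() body that this same commit deletes, where the type really was always a directory; the fix is `r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);`. The function body continues past the end of the hunk.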
@@ -380,56 +391,6 @@ void mac_selinux_create_socket_clear(void) {
#endif
}
-int mac_selinux_mkdir(const char *path, mode_t mode) {
-
- /* Creates a directory and labels it according to the SELinux policy */
-
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t fcon = NULL;
- int r;
-
- assert(path);
-
- if (!label_hnd)
- goto skipped;
-
- if (path_is_absolute(path))
- r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
- else {
- _cleanup_free_ char *newpath;
-
- newpath = path_make_absolute_cwd(path);
- if (!newpath)
- return -ENOMEM;
-
- r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
- }
-
- if (r == 0)
- r = setfscreatecon(fcon);
-
- if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
-
- if (security_getenforce() == 1) {
- r = -errno;
- goto finish;
- }
- }
-
- r = mkdir(path, mode);
- if (r < 0)
- r = -errno;
-
-finish:
- setfscreatecon(NULL);
- return r;
-
-skipped:
-#endif
- return mkdir(path, mode) < 0 ? -errno : 0;
-}
-
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index bce9fd5..7ff8c60 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -45,5 +45,4 @@ void mac_selinux_create_file_clear(void);
int mac_selinux_create_socket_prepare(const char *label);
void mac_selinux_create_socket_clear(void);
-int mac_selinux_mkdir(const char *path, mode_t mode);
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
commit f3c80515c191b4447a2b0bc5a582dbffeca4679f
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 19:41:56 2014 +0200
label: don't try to create labelled directories more than once
diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
index 81bc78c..8b35386 100644
--- a/src/shared/mkdir-label.c
+++ b/src/shared/mkdir-label.c
@@ -35,24 +35,19 @@
static int label_mkdir(const char *path, mode_t mode) {
int r;
- if (mac_selinux_use()) {
- r = mac_selinux_mkdir(path, mode);
- if (r < 0)
- return r;
- }
+ if (mac_selinux_use())
+ return mac_selinux_mkdir(path, mode);
if (mac_smack_use()) {
r = mkdir(path, mode);
- if (r < 0 && errno != EEXIST)
+ if (r < 0)
return -errno;
- r = mac_smack_fix(path, false, false);
- if (r < 0)
- return r;
+ return mac_smack_fix(path, false, false);
}
r = mkdir(path, mode);
- if (r < 0 && errno != EEXIST)
+ if (r < 0)
return -errno;
return 0;
commit ecabcf8b6edcc856ec2fd5bd43fc675a8fe04731
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 19:41:27 2014 +0200
selinux: clean up selinux label function naming
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 6dd7a4f..4bc288d 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -225,9 +225,9 @@ static int mount_dev(BindMount *m) {
goto fail;
}
- mac_selinux_context_set(d, st.st_mode);
+ mac_selinux_create_file_prepare(d, st.st_mode);
r = mknod(dn, st.st_mode, st.st_rdev);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
if (r < 0) {
r = -errno;
diff --git a/src/core/socket.c b/src/core/socket.c
index e9cf7b3..dc16af5 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -967,7 +967,7 @@ static int fifo_address_create(
mkdir_parents_label(path, directory_mode);
- r = mac_selinux_context_set(path, S_IFIFO);
+ r = mac_selinux_create_file_prepare(path, S_IFIFO);
if (r < 0)
goto fail;
@@ -990,7 +990,7 @@ static int fifo_address_create(
goto fail;
}
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
if (fstat(fd, &st) < 0) {
r = -errno;
@@ -1010,7 +1010,7 @@ static int fifo_address_create(
return 0;
fail:
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
safe_close(fd);
return r;
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index 96934a9..ae1c3d9 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -38,14 +38,14 @@ static int symlink_and_label(const char *old_path, const char *new_path) {
assert(old_path);
assert(new_path);
- r = mac_selinux_context_set(new_path, S_IFLNK);
+ r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
if (r < 0)
return r;
if (symlink(old_path, new_path) < 0)
r = -errno;
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
return r;
}
diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c
index b117c32..294c9e6 100644
--- a/src/shared/fileio-label.c
+++ b/src/shared/fileio-label.c
@@ -30,13 +30,13 @@
int write_string_file_atomic_label(const char *fn, const char *line) {
int r;
- r = mac_selinux_context_set(fn, S_IFREG);
+ r = mac_selinux_create_file_prepare(fn, S_IFREG);
if (r < 0)
return r;
r = write_string_file_atomic(fn, line);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
return r;
}
@@ -44,13 +44,13 @@ int write_string_file_atomic_label(const char *fn, const char *line) {
int write_env_file_label(const char *fname, char **l) {
int r;
- r = mac_selinux_context_set(fname, S_IFREG);
+ r = mac_selinux_create_file_prepare(fname, S_IFREG);
if (r < 0)
return r;
r = write_env_file(fname, l);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
return r;
}
@@ -59,13 +59,13 @@ int fopen_temporary_label(const char *target,
const char *path, FILE **f, char **temp_path) {
int r;
- r = mac_selinux_context_set(target, S_IFREG);
+ r = mac_selinux_create_file_prepare(target, S_IFREG);
if (r < 0)
return r;
r = fopen_temporary(path, f, temp_path);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
return r;
}
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 76d3916..0d8c6c2 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -109,11 +109,21 @@ int mac_selinux_init(const char *prefix) {
return r;
}
+void mac_selinux_finish(void) {
+
+#ifdef HAVE_SELINUX
+ if (!label_hnd)
+ return;
+
+ selabel_close(label_hnd);
+#endif
+}
+
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
- int r = 0;
#ifdef HAVE_SELINUX
struct stat st;
+ int r;
assert(path);
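Review bot: mac_selinux_finish() frees the handle but leaves the static pointing at freed memory: after `selabel_close(label_hnd);` nothing resets `label_hnd`, so a second call double-frees and any later mac_selinux_create_file_prepare() or mac_selinux_bind(), both of which only test `label_hnd` for NULL before using it, would operate on a dangling handle. Add `label_hnd = NULL;` immediately after the close. Whether any caller currently labels after finish is not visible here, but the existing `if (!label_hnd) return;` guard already implies the function is meant to be safe to call more than once.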
@@ -148,22 +158,31 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
if (ignore_erofs && errno == EROFS)
return 0;
- log_enforcing("Unable to fix SELinux label of %s: %m", path);
- r = security_getenforce() == 1 ? -errno : 0;
+ log_enforcing("Unable to fix SELinux security context of %s: %m", path);
+ if (security_getenforce() == 1)
+ return -errno;
}
#endif
- return r;
+ return 0;
}
-void mac_selinux_finish(void) {
+int mac_selinux_apply(const char *path, const char *label) {
#ifdef HAVE_SELINUX
- if (!label_hnd)
- return;
+ assert(path);
+ assert(label);
- selabel_close(label_hnd);
+ if (!mac_selinux_use())
+ return 0;
+
+ if (setfilecon(path, (security_context_t) label) < 0) {
+ log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
+ if (security_getenforce() == 1)
+ return -errno;
+ }
#endif
+ return 0;
}
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
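Review bot: In mac_selinux_apply() the `return -errno;` is evaluated only after `log_enforcing(...)` and a second `security_getenforce()` have run, and both of those read /sys/fs/selinux before the setfilecon() errno is captured; mac_selinux_fix() above now has the same ordering. Successful syscalls normally leave errno alone, so this is a hedge rather than a certain defect, but if security_getenforce() fails (selinuxfs not mounted, EACCES) the caller receives that error instead of the setfilecon() one, and the log line's `%m` is exposed the same way. The file already uses PROTECT_ERRNO for exactly this (see mac_selinux_create_file_clear()); the cheap alternative is to capture first: `int saved = -errno; log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path); if (security_getenforce() == 1) return saved;`.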
@@ -279,12 +298,24 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
return r;
}
-int mac_selinux_context_set(const char *path, mode_t mode) {
+void mac_selinux_free(char *label) {
+
+#ifdef HAVE_SELINUX
+ if (!mac_selinux_use())
+ return;
+
+ freecon((security_context_t) label);
+#endif
+}
+
+int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
int r = 0;
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t filecon = NULL;
+ assert(path);
+
if (!label_hnd)
return 0;
@@ -294,7 +325,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
else if (r == 0) {
r = setfscreatecon(filecon);
if (r < 0) {
- log_enforcing("Failed to set SELinux file context on %s: %m", path);
+ log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
r = -errno;
}
}
@@ -306,24 +337,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
return r;
}
-int mac_selinux_socket_set(const char *label) {
-
-#ifdef HAVE_SELINUX
- if (!mac_selinux_use())
- return 0;
-
- if (setsockcreatecon((security_context_t) label) < 0) {
- log_enforcing("Failed to set SELinux context (%s) on socket: %m", label);
-
- if (security_getenforce() == 1)
- return -errno;
- }
-#endif
-
- return 0;
-}
-
-void mac_selinux_context_clear(void) {
+void mac_selinux_create_file_clear(void) {
#ifdef HAVE_SELINUX
PROTECT_ERRNO;
@@ -335,37 +349,49 @@ void mac_selinux_context_clear(void) {
#endif
}
-void mac_selinux_socket_clear(void) {
+int mac_selinux_create_socket_prepare(const char *label) {
#ifdef HAVE_SELINUX
- PROTECT_ERRNO;
-
if (!mac_selinux_use())
- return;
+ return 0;
- setsockcreatecon(NULL);
+ assert(label);
+
+ if (setsockcreatecon((security_context_t) label) < 0) {
+ log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
+
+ if (security_getenforce() == 1)
+ return -errno;
+ }
#endif
+
+ return 0;
}
-void mac_selinux_free(const char *label) {
+void mac_selinux_create_socket_clear(void) {
#ifdef HAVE_SELINUX
+ PROTECT_ERRNO;
+
if (!mac_selinux_use())
return;
- freecon((security_context_t) label);
+ setsockcreatecon(NULL);
#endif
}
int mac_selinux_mkdir(const char *path, mode_t mode) {
- int r = 0;
-#ifdef HAVE_SELINUX
/* Creates a directory and labels it according to the SELinux policy */
+
+#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t fcon = NULL;
+ int r;
+
+ assert(path);
if (!label_hnd)
- return 0;
+ goto skipped;
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
@@ -383,7 +409,7 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
+ log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
if (security_getenforce() == 1) {
r = -errno;
@@ -397,9 +423,11 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
finish:
setfscreatecon(NULL);
-#endif
-
return r;
+
+skipped:
+#endif
+ return mkdir(path, mode) < 0 ? -errno : 0;
}
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
@@ -416,7 +444,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
assert(addr);
assert(addrlen >= sizeof(sa_family_t));
- if (!mac_selinux_use() || !label_hnd)
+ if (!label_hnd)
goto skipped;
/* Filter out non-local sockets */
@@ -450,7 +478,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
+ log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
if (security_getenforce() == 1) {
r = -errno;
@@ -470,15 +498,3 @@ skipped:
#endif
return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}
-
-int mac_selinux_apply(const char *path, const char *label) {
- int r = 0;
-
-#ifdef HAVE_SELINUX
- if (!mac_selinux_use())
- return 0;
-
- r = setfilecon(path, (char *)label);
-#endif
- return r;
-}
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index 8054698..bce9fd5 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -32,20 +32,18 @@ int mac_selinux_init(const char *prefix);
void mac_selinux_finish(void);
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
-
-int mac_selinux_socket_set(const char *label);
-void mac_selinux_socket_clear(void);
-
-int mac_selinux_context_set(const char *path, mode_t mode);
-void mac_selinux_context_clear(void);
-
-int mac_selinux_mkdir(const char *path, mode_t mode);
+int mac_selinux_apply(const char *path, const char *label);
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
int mac_selinux_get_our_label(char **label);
int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label);
-void mac_selinux_free(const char *label);
+void mac_selinux_free(char *label);
-int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
+int mac_selinux_create_file_prepare(const char *path, mode_t mode);
+void mac_selinux_create_file_clear(void);
-int mac_selinux_apply(const char *path, const char *label);
+int mac_selinux_create_socket_prepare(const char *label);
+void mac_selinux_create_socket_clear(void);
+
+int mac_selinux_mkdir(const char *path, mode_t mode);
+int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
diff --git a/src/shared/socket-label.c b/src/shared/socket-label.c
index 6f9aeee..47d9488 100644
--- a/src/shared/socket-label.c
+++ b/src/shared/socket-label.c
@@ -64,7 +64,7 @@ int socket_address_listen(
return -EAFNOSUPPORT;
if (label) {
- r = mac_selinux_socket_set(label);
+ r = mac_selinux_create_socket_prepare(label);
if (r < 0)
return r;
}
@@ -73,7 +73,7 @@ int socket_address_listen(
r = fd < 0 ? -errno : 0;
if (label)
- mac_selinux_socket_clear();
+ mac_selinux_create_socket_clear();
if (r < 0)
return r;
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 28c395b..1e4675f 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -509,9 +509,9 @@ static int write_one_file(Item *i, const char *path) {
i->type == TRUNCATE_FILE ? O_CREAT|O_TRUNC|O_NOFOLLOW : 0;
RUN_WITH_UMASK(0000) {
- mac_selinux_context_set(path, S_IFREG);
+ mac_selinux_create_file_prepare(path, S_IFREG);
fd = open(path, flags|O_NDELAY|O_CLOEXEC|O_WRONLY|O_NOCTTY, i->mode);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
}
if (fd < 0) {
@@ -743,9 +743,9 @@ static int create_item(Item *i) {
case CREATE_FIFO:
RUN_WITH_UMASK(0000) {
- mac_selinux_context_set(i->path, S_IFIFO);
+ mac_selinux_create_file_prepare(i->path, S_IFIFO);
r = mkfifo(i->path, i->mode);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
}
if (r < 0) {
@@ -764,9 +764,9 @@ static int create_item(Item *i) {
if (i->force) {
RUN_WITH_UMASK(0000) {
- mac_selinux_context_set(i->path, S_IFIFO);
+ mac_selinux_create_file_prepare(i->path, S_IFIFO);
r = mkfifo_atomic(i->path, i->mode);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
}
if (r < 0) {
@@ -788,9 +788,9 @@ static int create_item(Item *i) {
case CREATE_SYMLINK:
- mac_selinux_context_set(i->path, S_IFLNK);
+ mac_selinux_create_file_prepare(i->path, S_IFLNK);
r = symlink(i->argument, i->path);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
if (r < 0) {
_cleanup_free_ char *x = NULL;
@@ -804,9 +804,9 @@ static int create_item(Item *i) {
if (r < 0 || !streq(i->argument, x)) {
if (i->force) {
- mac_selinux_context_set(i->path, S_IFLNK);
+ mac_selinux_create_file_prepare(i->path, S_IFLNK);
r = symlink_atomic(i->argument, i->path);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
if (r < 0) {
log_error("symlink(%s, %s) failed: %s", i->argument, i->path, strerror(-r));
@@ -838,9 +838,9 @@ static int create_item(Item *i) {
file_type = i->type == CREATE_BLOCK_DEVICE ? S_IFBLK : S_IFCHR;
RUN_WITH_UMASK(0000) {
- mac_selinux_context_set(i->path, file_type);
+ mac_selinux_create_file_prepare(i->path, file_type);
r = mknod(i->path, i->mode | file_type, i->major_minor);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
}
if (r < 0) {
@@ -865,9 +865,9 @@ static int create_item(Item *i) {
if (i->force) {
RUN_WITH_UMASK(0000) {
- mac_selinux_context_set(i->path, file_type);
+ mac_selinux_create_file_prepare(i->path, file_type);
r = mknod_atomic(i->path, i->mode | file_type, i->major_minor);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
}
if (r < 0) {
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 8d5bada..4ac6f71 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -88,11 +88,11 @@ static int node_symlink(struct udev_device *dev, const char *node, const char *s
err = mkdir_parents_label(slink, 0755);
if (err != 0 && err != -ENOENT)
break;
- mac_selinux_context_set(slink, S_IFLNK);
+ mac_selinux_create_file_prepare(slink, S_IFLNK);
err = symlink(target, slink);
if (err != 0)
err = -errno;
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
} while (err == -ENOENT);
if (err == 0)
goto exit;
@@ -105,11 +105,11 @@ static int node_symlink(struct udev_device *dev, const char *node, const char *s
err = mkdir_parents_label(slink_tmp, 0755);
if (err != 0 && err != -ENOENT)
break;
- mac_selinux_context_set(slink_tmp, S_IFLNK);
+ mac_selinux_create_file_prepare(slink_tmp, S_IFLNK);
err = symlink(target, slink_tmp);
if (err != 0)
err = -errno;
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
} while (err == -ENOENT);
if (err != 0) {
log_error("symlink '%s' '%s' failed: %m", target, slink_tmp);
@@ -302,7 +302,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
if (streq(name, "selinux")) {
selinux = true;
- if (mac_selinux_apply(devnode, label) < 0)
+ r = mac_selinux_apply(devnode, label);
+ if (r < 0)
log_error("SECLABEL: failed to set SELinux label '%s': %s", label, strerror(-r));
else
log_debug("SECLABEL: set SELinux label '%s'", label);
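Review bot: The success branch `log_debug("SECLABEL: set SELinux label '%s'", label);` is also reached when no label was applied: mac_selinux_apply() (selinux-util.c hunk of this commit) returns 0 when SELinux is not in use and, after a setfilecon() failure, whenever the system is not in enforcing mode, itself logging the failure only at LOG_DEBUG. So in permissive mode a device node can end up without the SECLABEL the rule asked for while udev reports that it was set, which is exactly the case an operator auditing labels would want to see. Either let mac_selinux_apply() propagate the error and decide enforcement in this caller, or soften the message to `log_debug("SECLABEL: requested SELinux label '%s'", label);`. node_permissions_apply() starts before and ends after this hunk.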
diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c
index d48e4f7..1437c30 100644
--- a/src/update-done/update-done.c
+++ b/src/update-done/update-done.c
@@ -61,7 +61,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
/* The timestamp file doesn't exist yet? Then let's create it. */
- r = mac_selinux_context_set(path, S_IFREG);
+ r = mac_selinux_create_file_prepare(path, S_IFREG);
if (r < 0) {
log_error("Failed to set SELinux context for %s: %s",
path, strerror(-r));
@@ -69,7 +69,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
}
fd = open(path, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644);
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
if (fd < 0) {
commit 66cedb3078ebe78174efd51673632eb3bfb9be61
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 19:07:02 2014 +0200
selinux: simplify and unify logging
Normally we shouldn't log from "library" functions, but SELinux is
weird, hence upgrade security messages uniformly to LOG_ERR when in
enforcing mode.
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index c59ad31..76d3916 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -42,6 +42,8 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
static int cached_use = -1;
static struct selabel_handle *label_hnd = NULL;
+
+#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif
bool mac_selinux_use(void) {
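Review bot: `#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)` evaluates security_getenforce(), which reads /sys/fs/selinux, before log_full() renders the message, so every `%m` passed through this macro reports errno as left by that read rather than by the failing SELinux call; on the normal path the value is probably preserved, but a failing open() of the enforce file would replace it. The same -1 failure return silently selects LOG_DEBUG, i.e. when the enforcing state cannot be determined, security failures are demoted rather than surfaced. Since every visible use is a statement, a saving form works: `#define log_enforcing(...) do { int _e = errno; int _l = security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG; errno = _e; log_full(_l, __VA_ARGS__); } while (0)`; use a statement expression instead if any caller relies on log_full()'s return value.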
@@ -87,8 +89,7 @@ int mac_selinux_init(const char *prefix) {
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
if (!label_hnd) {
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
- "Failed to initialize SELinux context: %m");
+ log_enforcing("Failed to initialize SELinux context: %m");
r = security_getenforce() == 1 ? -errno : 0;
} else {
char timespan[FORMAT_TIMESPAN_MAX];
@@ -147,7 +148,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
if (ignore_erofs && errno == EROFS)
return 0;
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path);
+ log_enforcing("Unable to fix SELinux label of %s: %m", path);
r = security_getenforce() == 1 ? -errno : 0;
}
#endif
@@ -284,7 +285,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t filecon = NULL;
- if (!mac_selinux_use() || !label_hnd)
+ if (!label_hnd)
return 0;
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
@@ -293,7 +294,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
else if (r == 0) {
r = setfscreatecon(filecon);
if (r < 0) {
- log_error("Failed to set SELinux file context on %s: %m", path);
+ log_enforcing("Failed to set SELinux file context on %s: %m", path);
r = -errno;
}
}
@@ -312,8 +313,7 @@ int mac_selinux_socket_set(const char *label) {
return 0;
if (setsockcreatecon((security_context_t) label) < 0) {
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
- "Failed to set SELinux context (%s) on socket: %m", label);
+ log_enforcing("Failed to set SELinux context (%s) on socket: %m", label);
if (security_getenforce() == 1)
return -errno;
@@ -383,7 +383,7 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
- log_error("Failed to set security context %s for %s: %m", fcon, path);
+ log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
if (security_getenforce() == 1) {
r = -errno;
@@ -450,7 +450,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
- log_error("Failed to set security context %s for %s: %m", fcon, path);
+ log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
if (security_getenforce() == 1) {
r = -errno;
commit 7f416dae9bcf1cfb63689ee9ac851adf738f072b
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 18:58:18 2014 +0200
selinux: rework label query APIs
APIs that query and return something cannot silently fail, they must
either return something useful, or an error. Fix that.
Also, properly rollback socket unit fd creation when something goes
wrong with the security framework.
diff --git a/src/core/socket.c b/src/core/socket.c
index 7800150..e9cf7b3 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1139,22 +1139,33 @@ static int socket_open_fds(Socket *s) {
continue;
if (p->type == SOCKET_SOCKET) {
- if (!know_label && s->selinux_context_from_net) {
- r = mac_selinux_get_our_label(&label);
- if (r < 0)
- return r;
- know_label = true;
- } else if (!know_label) {
- r = socket_instantiate_service(s);
- if (r < 0)
- return r;
+ if (!know_label) {
+ /* Figure out label, if we don't it know
+ * yet. We do it once, for the first
+ * socket where we need this and
+ * remember it for the rest. */
+
+ if (s->selinux_context_from_net) {
+ /* Get it from the network label */
+
+ r = mac_selinux_get_our_label(&label);
+ if (r < 0 && r != EOPNOTSUPP)
+ goto rollback;
- if (UNIT_ISSET(s->service) &&
- SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) {
- r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label);
- if (r < 0 && r != -EPERM)
- return r;
+ } else {
+ /* Get it from the executable we are about to start */
+
+ r = socket_instantiate_service(s);
+ if (r < 0)
+ goto rollback;
+
+ if (UNIT_ISSET(s->service) &&
+ SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) {
+ r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label);
+ if (r < 0 && r != -EPERM && r != EOPNOTSUPP)
+ goto rollback;
+ }
}
know_label = true;
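Review bot: Both new checks compare against the positive constant, `if (r < 0 && r != EOPNOTSUPP)` and `if (r < 0 && r != -EPERM && r != EOPNOTSUPP)`, but mac_selinux_get_our_label() and mac_selinux_get_create_label_from_exe() return `-EOPNOTSUPP` (see the selinux-util.c hunks of this commit) when SELinux is not in use or not compiled in. A negative r can never equal positive EOPNOTSUPP, so the "unsupported" case is treated as a real failure and jumps to rollback: on any system without SELinux, every socket unit that reaches the `mac_selinux_get_create_label_from_exe()` call (and every unit with `selinux_context_from_net` set) would fail to open its file descriptors. Change both to `r != -EOPNOTSUPP`. socket_open_fds() starts before and ends after this hunk.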
@@ -1219,6 +1230,7 @@ static int socket_open_fds(Socket *s) {
rollback:
socket_close_fds(s);
mac_selinux_free(label);
+
return r;
}
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 9707d0c..c59ad31 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -166,34 +166,30 @@ void mac_selinux_finish(void) {
}
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
-
- int r = 0;
+ int r = -EOPNOTSUPP;
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
- if (!mac_selinux_use()) {
- *label = NULL;
- return 0;
- }
+ assert(exe);
+ assert(label);
+
+ if (!mac_selinux_use())
+ return -EOPNOTSUPP;
r = getcon(&mycon);
if (r < 0)
- goto fail;
+ return -errno;
r = getfilecon(exe, &fcon);
if (r < 0)
- goto fail;
+ return -errno;
sclass = string_to_security_class("process");
r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
- if (r == 0)
- log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
-
-fail:
- if (r < 0 && security_getenforce() == 1)
- r = -errno;
+ if (r < 0)
+ return -errno;
#endif
return r;
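Review bot: The removed `fail:` path only turned a failure into an error when security_getenforce() == 1; the new code returns `-errno` from getcon(), getfilecon() and security_compute_create() unconditionally, so these failures are now fatal to the caller in permissive mode too. socket_open_fds() only tolerates -EPERM, so a getfilecon() failure on the service executable (for example one that is missing or unlabeled) now aborts opening the socket where it was previously ignored unless enforcing. If that is intended, a one-line comment above the first `return -errno;` saying that errors are reported regardless of enforcing mode would keep the next reader from reintroducing the check. The function's closing brace is outside the hunk.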
@@ -202,14 +198,15 @@ fail:
int mac_selinux_get_our_label(char **label) {
int r = -EOPNOTSUPP;
+ assert(label);
+
#ifdef HAVE_SELINUX
- char *l = NULL;
+ if (!mac_selinux_use())
+ return -EOPNOTSUPP;
- r = getcon(&l);
+ r = getcon(label);
if (r < 0)
- return r;
-
- *label = l;
+ return -errno;
#endif
return r;
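Review bot: `assert(label);` is placed outside `#ifdef HAVE_SELINUX` here but inside it in mac_selinux_get_create_label_from_exe() in the previous hunk, so the argument check is compiled out in the non-SELinux build of one function and not the other; put both on the same side of the ifdef. Also note that neither the stub build nor the `!mac_selinux_use()` path assigns `*label`, so callers must initialise it to NULL themselves, which is worth stating in a comment above the function, e.g. `/* On success *label is set (free with mac_selinux_free()); on error or when SELinux is unavailable it is left untouched. */`.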
@@ -219,91 +216,65 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
int r = -EOPNOTSUPP;
#ifdef HAVE_SELINUX
-
- _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+ _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
security_class_t sclass;
-
const char *range = NULL;
assert(socket_fd >= 0);
assert(exe);
assert(label);
+ if (!mac_selinux_use())
+ return -EOPNOTSUPP;
+
r = getcon(&mycon);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
+ if (r < 0)
+ return -errno;
r = getpeercon(socket_fd, &peercon);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
+ if (r < 0)
+ return -errno;
r = getexeccon(&fcon);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
+ if (r < 0)
+ return -errno;
if (!fcon) {
/* If there is no context set for next exec let's use context
of target executable */
r = getfilecon(exe, &fcon);
- if (r < 0) {
- r = -errno;
- goto out;
- }
+ if (r < 0)
+ return -errno;
}
bcon = context_new(mycon);
- if (!bcon) {
- r = -ENOMEM;
- goto out;
- }
+ if (!bcon)
+ return -ENOMEM;
pcon = context_new(peercon);
- if (!pcon) {
- r = -ENOMEM;
- goto out;
- }
+ if (!pcon)
+ return -ENOMEM;
range = context_range_get(pcon);
- if (!range) {
- r = -errno;
- goto out;
- }
+ if (!range)
+ return -errno;
r = context_range_set(bcon, range);
- if (r) {
- r = -errno;
- goto out;
- }
+ if (r)
+ return -errno;
freecon(mycon);
mycon = strdup(context_str(bcon));
- if (!mycon) {
- r = -errno;
- goto out;
- }
+ if (!mycon)
+ return -ENOMEM;
sclass = string_to_security_class("process");
- r = security_compute_create(mycon, fcon, sclass, &ret);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
-
- *label = ret;
- ret = NULL;
- r = 0;
-
-out:
- if (r < 0 && security_getenforce() == 1)
- return r;
+ r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
+ if (r < 0)
+ return -errno;
#endif
+
return r;
}
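Review bot: `if (!range) return -errno;` after context_range_get() and `if (r) return -errno;` after context_range_set() rely on those libselinux calls setting errno; unless they are documented to do so, a still-zero or stale errno makes the function return 0 without having set `*label`, and the caller then reads an uninitialised label believing the call succeeded. Returning a fixed code such as `-EINVAL` there, as the removed code did for several of the other failures, keeps the "negative errno on error" contract honest. The function's opening line is outside the hunk.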
commit 376a2980960baba22b9bee6b227c27c373215b5a
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 18:40:03 2014 +0200
smack: we don't need the special labels exported, hence don't
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index dd7e3be..a8dccd1 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -27,6 +27,9 @@
#include "path-util.h"
#include "smack-util.h"
+#define SMACK_FLOOR_LABEL "_"
+#define SMACK_STAR_LABEL "*"
+
bool mac_smack_use(void) {
#ifdef HAVE_SMACK
static int cached_use = -1;
diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h
index 3dc28dd..68778da 100644
--- a/src/shared/smack-util.h
+++ b/src/shared/smack-util.h
@@ -25,9 +25,6 @@
#include <stdbool.h>
-#define SMACK_FLOOR_LABEL "_"
-#define SMACK_STAR_LABEL "*"
-
bool mac_smack_use(void);
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
commit 29621421753991b0f10aabfbba89d4ae3c3f033a
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 18:38:01 2014 +0200
selinux: drop 3 unused function prototypes
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index 0ce088d..8054698 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -39,17 +39,13 @@ void mac_selinux_socket_clear(void);
int mac_selinux_context_set(const char *path, mode_t mode);
void mac_selinux_context_clear(void);
-void mac_selinux_free(const char *label);
int mac_selinux_mkdir(const char *path, mode_t mode);
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
int mac_selinux_get_our_label(char **label);
int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label);
+void mac_selinux_free(const char *label);
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
int mac_selinux_apply(const char *path, const char *label);
-
-int mac_selinux_write_one_line_file_atomic(const char *fn, const char *line);
-int mac_selinux_write_env_file(const char *fname, char **l);
-int mac_selinux_label_fopen_temporary(const char *path, FILE **_f, char **_temp_path);
commit 5dfc54615a1eacea18106383c964425cebd67c30
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 18:34:58 2014 +0200
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
diff --git a/src/shared/label.c b/src/shared/label.c
index eae6614..38992be 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -23,19 +23,15 @@
#include "util.h"
int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
- int r = 0;
+ int r, q;
- if (mac_selinux_use()) {
- r = mac_selinux_fix(path, ignore_enoent, ignore_erofs);
- if (r < 0)
- return r;
- }
+ r = mac_selinux_fix(path, ignore_enoent, ignore_erofs);
+ q = mac_smack_fix(path, ignore_enoent, ignore_erofs);
- if (mac_smack_use()) {
- r = mac_smack_fix(path);
- if (r < 0)
- return r;
- }
+ if (r < 0)
+ return r;
+ if (q < 0)
+ return q;
- return r;
+ return 0;
}
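Review bot: label_fix() now calls both backends unconditionally and depends on mac_selinux_fix() and mac_smack_fix() each being a no-op when its MAC is not active; that contract is only visible in the other files of this commit, so a comment here would help, e.g. `/* Both helpers are no-ops when their MAC is not in use, so call both and report the first failure. */`. Note also that when both fail the SMACK error `q` is discarded in favour of `r`, which is acceptable only because mac_smack_fix() logs its own failure, and in this commit it does so at debug level only.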
diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
index 48941b3..81bc78c 100644
--- a/src/shared/mkdir-label.c
+++ b/src/shared/mkdir-label.c
@@ -46,7 +46,7 @@ static int label_mkdir(const char *path, mode_t mode) {
if (r < 0 && errno != EEXIST)
return -errno;
- r = mac_smack_fix(path);
+ r = mac_smack_fix(path, false, false);
if (r < 0)
return r;
}
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index b1fdfab..9707d0c 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -113,22 +113,25 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
#ifdef HAVE_SELINUX
struct stat st;
- security_context_t fcon;
+ assert(path);
+
+ /* if mac_selinux_init() wasn't called before we are a NOOP */
if (!label_hnd)
return 0;
r = lstat(path, &st);
- if (r == 0) {
+ if (r >= 0) {
+ _cleanup_security_context_free_ security_context_t fcon = NULL;
+
r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
/* If there's no label to set, then exit without warning */
if (r < 0 && errno == ENOENT)
return 0;
- if (r == 0) {
+ if (r >= 0) {
r = lsetfilecon(path, fcon);
- freecon(fcon);
/* If the FS doesn't support labels, then exit without warning */
if (r < 0 && errno == ENOTSUP)
@@ -144,8 +147,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
if (ignore_erofs && errno == EROFS)
return 0;
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
- "Unable to fix label of %s: %m", path);
+ log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path);
r = security_getenforce() == 1 ? -errno : 0;
}
#endif
@@ -156,11 +158,10 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
void mac_selinux_finish(void) {
#ifdef HAVE_SELINUX
- if (!mac_selinux_use())
+ if (!label_hnd)
return;
- if (label_hnd)
- selabel_close(label_hnd);
+ selabel_close(label_hnd);
#endif
}
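Review bot: `selabel_close(label_hnd);` leaves `label_hnd` pointing at a closed handle, and since mac_selinux_fix() in the hunk above now keys solely on `if (!label_hnd)` rather than on mac_selinux_use(), any label fix after mac_selinux_finish() would use the closed handle, and a second finish would close it twice. Add `label_hnd = NULL;` after the close, unless the handle is reset elsewhere in the file (not visible here).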
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index c345488..dd7e3be 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -120,17 +120,14 @@ int mac_smack_apply_ip_in_fd(int fd, const char *label) {
return r;
}
-int mac_smack_fix(const char *path) {
+int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
int r = 0;
#ifdef HAVE_SMACK
- struct stat sb;
- const char *label;
-#endif
+ struct stat st;
assert(path);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -140,28 +137,42 @@ int mac_smack_fix(const char *path) {
if (!path_startswith(path, "/dev"))
return 0;
- r = lstat(path, &sb);
- if (r < 0)
- return -errno;
+ r = lstat(path, &st);
+ if (r >= 0) {
+ const char *label;
+
+ /*
+ * Label directories and character devices "*".
+ * Label symlinks "_".
+ * Don't change anything else.
+ */
+
+ if (S_ISDIR(st.st_mode))
+ label = SMACK_STAR_LABEL;
+ else if (S_ISLNK(st.st_mode))
+ label = SMACK_FLOOR_LABEL;
+ else if (S_ISCHR(st.st_mode))
+ label = SMACK_STAR_LABEL;
+ else
+ return 0;
- /*
- * Label directories and character devices "*".
- * Label symlinks "_".
- * Don't change anything else.
- */
- if (S_ISDIR(sb.st_mode))
- label = SMACK_STAR_LABEL;
- else if (S_ISLNK(sb.st_mode))
- label = SMACK_FLOOR_LABEL;
- else if (S_ISCHR(sb.st_mode))
- label = SMACK_STAR_LABEL;
- else
- return 0;
+ r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
+
+ /* If the FS doesn't support labels, then exit without warning */
+ if (r < 0 && errno == ENOTSUP)
+ return 0;
+ }
- r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
if (r < 0) {
- log_error("Smack relabeling \"%s\" %m", path);
- return -errno;
+ /* Ignore ENOENT in some cases */
+ if (ignore_enoent && errno == ENOENT)
+ return 0;
+
+ if (ignore_erofs && errno == EROFS)
+ return 0;
+
+ log_debug("Unable to fix SMACK label of %s: %m", path);
+ r = -errno;
}
#endif
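Review bot: `log_debug("Unable to fix SMACK label of %s: %m", path);` makes a failed relabel of a /dev node invisible in default logs, whereas the SELinux counterpart in this commit logs at LOG_ERR when enforcing; a device node left with the wrong SMACK label is exactly the condition an operator would want surfaced, so consider log_warning here, or state in a comment why debug is sufficient. The comment `/* Ignore ENOENT in some cases */` could also name the case, e.g. `/* ENOENT from lstat(): the node is already gone; ignore if the caller asked us to */`. mac_smack_fix()'s closing brace is outside the hunk.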
diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h
index fe624f5..3dc28dd 100644
--- a/src/shared/smack-util.h
+++ b/src/shared/smack-util.h
@@ -30,7 +30,7 @@
bool mac_smack_use(void);
-int mac_smack_fix(const char *path);
+int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
int mac_smack_apply(const char *path, const char *label);
int mac_smack_apply_fd(int fd, const char *label);
commit d1ce2089b4b2fb1f1d8faba9a0aa6d9f8fbb0638
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 18:32:22 2014 +0200
smack: never follow symlinks when relabelling
previously mac_smack_apply(path, NULL) would operate on the symlink
itself while mac_smack_apply(path, "foo") would follow the symlink.
Let's clean this up an always operate on the symlink, which appears to
be the safer option.
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 4a94922..c345488 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -50,7 +50,7 @@ int mac_smack_apply(const char *path, const char *label) {
return 0;
if (label)
- r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
+ r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
else
r = lremovexattr(path, "security.SMACK64");
if (r < 0)
commit d53e386db62ee7f03e7d493ae0e6db7a31a5d811
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 18:06:51 2014 +0200
smack: rework smack APIs a bit
a) always return negative errno error codes
b) always become a noop if smack is off
c) always take a NULL label as a request to remove it
diff --git a/src/core/socket.c b/src/core/socket.c
index abe829a..7800150 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -807,6 +807,8 @@ static void socket_close_fds(Socket *s) {
}
static void socket_apply_socket_options(Socket *s, int fd) {
+ int r;
+
assert(s);
assert(fd >= 0);
@@ -894,7 +896,7 @@ static void socket_apply_socket_options(Socket *s, int fd) {
log_warning_unit(UNIT(s)->id, "IP_TOS failed: %m");
if (s->ip_ttl >= 0) {
- int r, x;
+ int x;
r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl));
@@ -920,27 +922,34 @@ static void socket_apply_socket_options(Socket *s, int fd) {
log_warning_unit(UNIT(s)->id, "SO_REUSEPORT failed: %m");
}
- if (s->smack_ip_in)
- if (mac_smack_apply_ip_in_fd(fd, s->smack_ip_in) < 0)
- log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_in_fd: %m");
+ if (s->smack_ip_in) {
+ r = mac_smack_apply_ip_in_fd(fd, s->smack_ip_in);
+ if (r < 0)
+ log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_in_fd: %s", strerror(-r));
+ }
- if (s->smack_ip_out)
- if (mac_smack_apply_ip_out_fd(fd, s->smack_ip_out) < 0)
- log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_out_fd: %m");
+ if (s->smack_ip_out) {
+ r = mac_smack_apply_ip_out_fd(fd, s->smack_ip_out);
+ if (r < 0)
+ log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_out_fd: %s", strerror(-r));
+ }
}
static void socket_apply_fifo_options(Socket *s, int fd) {
+ int r;
+
assert(s);
assert(fd >= 0);
if (s->pipe_size > 0)
if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0)
- log_warning_unit(UNIT(s)->id,
- "F_SETPIPE_SZ: %m");
+ log_warning_unit(UNIT(s)->id, "F_SETPIPE_SZ: %m");
- if (s->smack)
- if (mac_smack_apply_fd(fd, s->smack) < 0)
- log_error_unit(UNIT(s)->id, "mac_smack_apply_fd: %m");
+ if (s->smack) {
+ r = mac_smack_apply_fd(fd, s->smack);
+ if (r < 0)
+ log_error_unit(UNIT(s)->id, "mac_smack_apply_fd: %s", strerror(-r));
+ }
}
static int fifo_address_create(
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 7726d69..4a94922 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -38,54 +38,86 @@ bool mac_smack_use(void) {
#else
return false;
#endif
-
}
int mac_smack_apply(const char *path, const char *label) {
+ int r = 0;
+
+ assert(path);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
- return setxattr(path, "security.SMACK64", label, strlen(label), 0);
+ r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
else
- return lremovexattr(path, "security.SMACK64");
-#else
- return 0;
+ r = lremovexattr(path, "security.SMACK64");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_apply_fd(int fd, const char *label) {
+ int r = 0;
+
+ assert(fd >= 0);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
-#else
- return 0;
+ if (label)
+ r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
+ else
+ r = fremovexattr(fd, "security.SMACK64");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_apply_ip_out_fd(int fd, const char *label) {
+ int r = 0;
+
+ assert(fd >= 0);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
-#else
- return 0;
+ if (label)
+ r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
+ else
+ r = fremovexattr(fd, "security.SMACK64IPOUT");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_apply_ip_in_fd(int fd, const char *label) {
+ int r = 0;
+
+ assert(fd >= 0);
+
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
-#else
- return 0;
+ if (label)
+ r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
+ else
+ r = fremovexattr(fd, "security.SMACK64IPIN");
+ if (r < 0)
+ return -errno;
#endif
+
+ return r;
}
int mac_smack_fix(const char *path) {
@@ -94,6 +126,13 @@ int mac_smack_fix(const char *path) {
#ifdef HAVE_SMACK
struct stat sb;
const char *label;
+#endif
+
+ assert(path);
+
+#ifdef HAVE_SMACK
+ if (!mac_smack_use())
+ return 0;
/*
* Path must be in /dev and must exist
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 803d803..8d5bada 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -294,21 +294,25 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
/* apply SECLABEL{$module}=$label */
udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
const char *name, *label;
+ int r;
name = udev_list_entry_get_name(entry);
label = udev_list_entry_get_value(entry);
if (streq(name, "selinux")) {
selinux = true;
+
if (mac_selinux_apply(devnode, label) < 0)
- log_error("SECLABEL: failed to set SELinux label '%s'", label);
+ log_error("SECLABEL: failed to set SELinux label '%s': %s", label, strerror(-r));
else
log_debug("SECLABEL: set SELinux label '%s'", label);
} else if (streq(name, "smack")) {
smack = true;
- if (mac_smack_apply(devnode, label) < 0)
- log_error("SECLABEL: failed to set SMACK label '%s'", label);
+
+ r = mac_smack_apply(devnode, label);
+ if (r < 0)
+ log_error("SECLABEL: failed to set SMACK label '%s': %s", label, strerror(-r));
else
log_debug("SECLABEL: set SMACK label '%s'", label);
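Review bot: `log_error("SECLABEL: failed to set SELinux label '%s': %s", label, strerror(-r));` reads `r`, but the SELinux branch never assigns it: `mac_selinux_apply(devnode, label)` is called directly in the `if`, so `r` is uninitialised at that point (undefined behaviour, and at best a misleading error string). Mirror the SMACK branch: `r = mac_selinux_apply(devnode, label);` followed by `if (r < 0)`. node_permissions_apply() starts and ends outside the hunk.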
commit c80d766c8072dd0be311dcd31c17f9719775be44
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 17:49:29 2014 +0200
mac: rename all calls that apply a label mac_{selinux|smack}_apply_xyz(), and all that reset it to defaults mac_{selinux|smack}_fix()
Let's clean up the naming schemes a bit and use the same one for SMACK
and for SELINUX.
diff --git a/src/core/socket.c b/src/core/socket.c
index fce1695..abe829a 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -921,12 +921,12 @@ static void socket_apply_socket_options(Socket *s, int fd) {
}
if (s->smack_ip_in)
- if (mac_smack_set_ip_in_fd(fd, s->smack_ip_in) < 0)
- log_error_unit(UNIT(s)->id, "mac_smack_set_ip_in_fd: %m");
+ if (mac_smack_apply_ip_in_fd(fd, s->smack_ip_in) < 0)
+ log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_in_fd: %m");
if (s->smack_ip_out)
- if (mac_smack_set_ip_out_fd(fd, s->smack_ip_out) < 0)
- log_error_unit(UNIT(s)->id, "mac_smack_set_ip_out_fd: %m");
+ if (mac_smack_apply_ip_out_fd(fd, s->smack_ip_out) < 0)
+ log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_out_fd: %m");
}
static void socket_apply_fifo_options(Socket *s, int fd) {
@@ -939,8 +939,8 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
"F_SETPIPE_SZ: %m");
if (s->smack)
- if (mac_smack_set_fd(fd, s->smack) < 0)
- log_error_unit(UNIT(s)->id, "mac_smack_set_fd: %m");
+ if (mac_smack_apply_fd(fd, s->smack) < 0)
+ log_error_unit(UNIT(s)->id, "mac_smack_apply_fd: %m");
}
static int fifo_address_create(
diff --git a/src/shared/label.c b/src/shared/label.c
index fe7fd83..eae6614 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -32,7 +32,7 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
}
if (mac_smack_use()) {
- r = mac_smack_relabel_in_dev(path);
+ r = mac_smack_fix(path);
if (r < 0)
return r;
}
diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
index 2b9cb16..48941b3 100644
--- a/src/shared/mkdir-label.c
+++ b/src/shared/mkdir-label.c
@@ -46,7 +46,7 @@ static int label_mkdir(const char *path, mode_t mode) {
if (r < 0 && errno != EEXIST)
return -errno;
- r = mac_smack_relabel_in_dev(path);
+ r = mac_smack_fix(path);
if (r < 0)
return r;
}
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 0bedd75..7726d69 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -41,7 +41,7 @@ bool mac_smack_use(void) {
}
-int mac_smack_set_path(const char *path, const char *label) {
+int mac_smack_apply(const char *path, const char *label) {
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -55,7 +55,7 @@ int mac_smack_set_path(const char *path, const char *label) {
#endif
}
-int mac_smack_set_fd(int fd, const char *label) {
+int mac_smack_apply_fd(int fd, const char *label) {
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -66,7 +66,7 @@ int mac_smack_set_fd(int fd, const char *label) {
#endif
}
-int mac_smack_set_ip_out_fd(int fd, const char *label) {
+int mac_smack_apply_ip_out_fd(int fd, const char *label) {
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -77,7 +77,7 @@ int mac_smack_set_ip_out_fd(int fd, const char *label) {
#endif
}
-int mac_smack_set_ip_in_fd(int fd, const char *label) {
+int mac_smack_apply_ip_in_fd(int fd, const char *label) {
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -88,7 +88,7 @@ int mac_smack_set_ip_in_fd(int fd, const char *label) {
#endif
}
-int mac_smack_relabel_in_dev(const char *path) {
+int mac_smack_fix(const char *path) {
int r = 0;
#ifdef HAVE_SMACK
diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h
index 50cb79a..fe624f5 100644
--- a/src/shared/smack-util.h
+++ b/src/shared/smack-util.h
@@ -30,8 +30,9 @@
bool mac_smack_use(void);
-int mac_smack_set_path(const char *path, const char *label);
-int mac_smack_set_fd(int fd, const char *label);
-int mac_smack_set_ip_in_fd(int fd, const char *label);
-int mac_smack_set_ip_out_fd(int fd, const char *label);
-int mac_smack_relabel_in_dev(const char *path);
+int mac_smack_fix(const char *path);
+
+int mac_smack_apply(const char *path, const char *label);
+int mac_smack_apply_fd(int fd, const char *label);
+int mac_smack_apply_ip_in_fd(int fd, const char *label);
+int mac_smack_apply_ip_out_fd(int fd, const char *label);
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 3982ef9..803d803 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -307,7 +307,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
} else if (streq(name, "smack")) {
smack = true;
- if (mac_smack_set_path(devnode, label) < 0)
+ if (mac_smack_apply(devnode, label) < 0)
log_error("SECLABEL: failed to set SMACK label '%s'", label);
else
log_debug("SECLABEL: set SMACK label '%s'", label);
@@ -320,7 +320,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
if (!selinux)
label_fix(devnode, true, false);
if (!smack)
- mac_smack_set_path(devnode, NULL);
+ mac_smack_apply(devnode, NULL);
}
/* always update timestamp when we re-use the node, like on media change events */
commit 1ec220bcda127b63c88f71c4de083d03a547cc53
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Oct 23 17:40:11 2014 +0200
selinux: make use of cleanup gcc magic
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 5a5bfbd..b1fdfab 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -169,7 +169,7 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
int r = 0;
#ifdef HAVE_SELINUX
- security_context_t mycon = NULL, fcon = NULL;
+ _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
if (!mac_selinux_use()) {
@@ -193,9 +193,6 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
fail:
if (r < 0 && security_getenforce() == 1)
r = -errno;
-
- freecon(mycon);
- freecon(fcon);
#endif
return r;
@@ -313,7 +310,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
int r = 0;
#ifdef HAVE_SELINUX
- security_context_t filecon = NULL;
+ _cleanup_security_context_free_ security_context_t filecon = NULL;
if (!mac_selinux_use() || !label_hnd)
return 0;
@@ -327,8 +324,6 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
log_error("Failed to set SELinux file context on %s: %m", path);
r = -errno;
}
-
- freecon(filecon);
}
if (r < 0 && security_getenforce() == 0)
@@ -395,7 +390,7 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
#ifdef HAVE_SELINUX
/* Creates a directory and labels it according to the SELinux policy */
- security_context_t fcon = NULL;
+ _cleanup_security_context_free_ security_context_t fcon = NULL;
if (!label_hnd)
return 0;
@@ -430,7 +425,6 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
finish:
setfscreatecon(NULL);
- freecon(fcon);
#endif
return r;
@@ -441,7 +435,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */
#ifdef HAVE_SELINUX
- security_context_t fcon = NULL;
+ _cleanup_security_context_free_ security_context_t fcon = NULL;
const struct sockaddr_un *un;
char *path;
int r;
@@ -498,8 +492,6 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
finish:
setfscreatecon(NULL);
- freecon(fcon);
-
return r;
skipped: