[systemd-devel] [PATCH v4] socket: introduce SELinuxContextFromNet option

Michal Sekletar msekleta at redhat.com
Tue Sep 2 06:17:31 PDT 2014


This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.

Implementation of label_get_child_mls_label derived from xinetd.

Reviewed-by: Paul Moore <pmoore at redhat.com>
---

Changes in v4:
        * fixes in man page suggested by Zbyszek
        * cleanup macros definitions for security context moved to label.c
        * label_get_our_label now returns -EOPNOTSUPP if SELinux support is disabled
        * more robust error checking in label_get_child_mls_label

 man/systemd.socket.xml                |  26 ++++++++
 src/core/execute.c                    |  30 +++++++--
 src/core/execute.h                    |   1 +
 src/core/load-fragment-gperf.gperf.m4 |   3 +
 src/core/mount.c                      |   1 +
 src/core/service.c                    |   5 +-
 src/core/service.h                    |   3 +-
 src/core/socket.c                     |  21 +++++--
 src/core/socket.h                     |   2 +
 src/core/swap.c                       |   1 +
 src/shared/label.c                    | 113 ++++++++++++++++++++++++++++++++++
 src/shared/label.h                    |   2 +
 12 files changed, 196 insertions(+), 12 deletions(-)

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 8394fa8..60f5c48 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -676,6 +676,32 @@
                         </varlistentry>
 
                         <varlistentry>
+                          <term><varname>SELinuxContextFromNet=</varname></term>
+                                 <listitem><para>Takes a boolean
+                                 argument. When true systemd will attempt
+                                 to figure out the SELinux label used
+                                 for the instantiated service from the
+                                 information handed by the peer over the
+                                 network. Note that only the security
+                                 level is used from the information
+                                 provided by the peer. Other parts of
+                                 the resulting SELinux context originate
+                                 from either the target binary that is
+                                 effectively triggered by socket unit
+                                 are taken from the value of the
+                                 <varname>SELinuxContext=</varname>
+                                 option.This configuration option only
+                                 affects sockets with
+                                 <varname>Accept=</varname> mode set to
+                                 <literal>true</literal>. Also note that
+                                 this option is useful only when
+                                 MLS/MCS SELinux policy is
+                                 deployed. Defaults to
+                                 <literal>false</literal>.
+                                 </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
                                 <term><varname>PipeSize=</varname></term>
                                 <listitem><para>Takes a size in
                                 bytes. Controls the pipe buffer size
diff --git a/src/core/execute.c b/src/core/execute.c
index 066efd6..84d6bec 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -83,6 +83,7 @@
 #include "af-list.h"
 #include "mkdir.h"
 #include "apparmor-util.h"
+#include "label.h"
 
 #ifdef HAVE_SECCOMP
 #include "seccomp-util.h"
@@ -1232,6 +1233,7 @@ int exec_spawn(ExecCommand *command,
                bool apply_chroot,
                bool apply_tty_stdin,
                bool confirm_spawn,
+               bool selinux_context_net,
                CGroupControllerMask cgroup_supported,
                const char *cgroup_path,
                const char *runtime_prefix,
@@ -1722,11 +1724,29 @@ int exec_spawn(ExecCommand *command,
 #endif
 
 #ifdef HAVE_SELINUX
-                        if (context->selinux_context && use_selinux()) {
-                                err = setexeccon(context->selinux_context);
-                                if (err < 0 && !context->selinux_context_ignore) {
-                                        r = EXIT_SELINUX_CONTEXT;
-                                        goto fail_child;
+                        if (use_selinux()) {
+                                if (context->selinux_context) {
+                                        err = setexeccon(context->selinux_context);
+                                        if (err < 0 && !context->selinux_context_ignore) {
+                                                r = EXIT_SELINUX_CONTEXT;
+                                                goto fail_child;
+                                        }
+                                }
+
+                                if (selinux_context_net && socket_fd >= 0) {
+                                        _cleanup_free_ char *label = NULL;
+
+                                        err = label_get_child_mls_label(socket_fd, command->path, &label);
+                                        if (err < 0) {
+                                                r = EXIT_SELINUX_CONTEXT;
+                                                goto fail_child;
+                                        }
+
+                                        err = setexeccon(label);
+                                        if (err < 0) {
+                                                r = EXIT_SELINUX_CONTEXT;
+                                                goto fail_child;
+                                        }
                                 }
                         }
 #endif
diff --git a/src/core/execute.h b/src/core/execute.h
index 9d05d3a..23a466c 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -200,6 +200,7 @@ int exec_spawn(ExecCommand *command,
                bool apply_chroot,
                bool apply_tty_stdin,
                bool confirm_spawn,
+               bool selinux_context_net,
                CGroupControllerMask cgroup_mask,
                const char *cgroup_path,
                const char *runtime_prefix,
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index 24aa80d..8e68145 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -262,6 +262,9 @@ Socket.SmackLabelIPOut,          config_parse_string,                0,
 `Socket.SmackLabel,              config_parse_warn_compat,           0,                             0
 Socket.SmackLabelIPIn,           config_parse_warn_compat,           0,                             0
 Socket.SmackLabelIPOut,          config_parse_warn_compat,           0,                             0')
+m4_ifdef(`HAVE_SELINUX',
+`Socket.SELinuxContextFromNet,    config_parse_bool,                 0,                             offsetof(Socket, selinux_context_from_net)',
+`Socket.SELinuxContextFromNet,    config_parse_warn_compat,          0,                             0')
 EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
 CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
 KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
diff --git a/src/core/mount.c b/src/core/mount.c
index ec90b0a..223b9f7 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -715,6 +715,7 @@ static int mount_spawn(Mount *m, ExecCommand *c, pid_t *_pid) {
                        true,
                        true,
                        UNIT(m)->manager->confirm_spawn,
+                       false,
                        UNIT(m)->manager->cgroup_supported,
                        UNIT(m)->cgroup_path,
                        manager_get_runtime_prefix(UNIT(m)->manager),
diff --git a/src/core/service.c b/src/core/service.c
index 223e4b3..0fa1c6c 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -976,6 +976,7 @@ static int service_spawn(
                        apply_chroot,
                        apply_tty_stdin,
                        UNIT(s)->manager->confirm_spawn,
+                       s->socket_fd_selinux_context_net,
                        UNIT(s)->manager->cgroup_supported,
                        path,
                        manager_get_runtime_prefix(UNIT(s)->manager),
@@ -2705,7 +2706,7 @@ static void service_bus_name_owner_change(
         }
 }
 
-int service_set_socket_fd(Service *s, int fd, Socket *sock) {
+int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) {
         _cleanup_free_ char *peer = NULL;
         int r;
 
@@ -2743,6 +2744,8 @@ int service_set_socket_fd(Service *s, int fd, Socket *sock) {
         }
 
         s->socket_fd = fd;
+        s->socket_fd_selinux_context_net = selinux_context_net;
+
 
         unit_ref_set(&s->accept_socket, UNIT(sock));
 
diff --git a/src/core/service.h b/src/core/service.h
index 5bcfd14..f9ec6dc 100644
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -161,6 +161,7 @@ struct Service {
 
         pid_t main_pid, control_pid;
         int socket_fd;
+        bool socket_fd_selinux_context_net;
 
         bool permissions_start_only;
         bool root_directory_start_only;
@@ -203,7 +204,7 @@ extern const UnitVTable service_vtable;
 
 struct Socket;
 
-int service_set_socket_fd(Service *s, int fd, struct Socket *socket);
+int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net);
 
 const char* service_state_to_string(ServiceState i) _const_;
 ServiceState service_state_from_string(const char *s) _pure_;
diff --git a/src/core/socket.c b/src/core/socket.c
index 7ca8edb..eba17c0 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -31,6 +31,10 @@
 #include <mqueue.h>
 #include <sys/xattr.h>
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "sd-event.h"
 #include "log.h"
 #include "load-dropin.h"
@@ -489,7 +493,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sPassCredentials: %s\n"
                 "%sPassSecurity: %s\n"
                 "%sTCPCongestion: %s\n"
-                "%sRemoveOnStop: %s\n",
+                "%sRemoveOnStop: %s\n"
+                "%sSELinuxContextFromNet: %s\n",
                 prefix, socket_state_to_string(s->state),
                 prefix, socket_result_to_string(s->result),
                 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
@@ -504,7 +509,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                 prefix, yes_no(s->pass_cred),
                 prefix, yes_no(s->pass_sec),
                 prefix, strna(s->tcp_congestion),
-                prefix, yes_no(s->remove_on_stop));
+                prefix, yes_no(s->remove_on_stop),
+                prefix, yes_no(s->selinux_context_from_net));
 
         if (s->control_pid > 0)
                 fprintf(f,
@@ -1128,8 +1134,12 @@ static int socket_open_fds(Socket *s) {
                         continue;
 
                 if (p->type == SOCKET_SOCKET) {
-
-                        if (!know_label) {
+                        if (!know_label && s->selinux_context_from_net) {
+                                r = label_get_our_label(&label);
+                                if (r < 0)
+                                        return r;
+                                know_label = true;
+                        } else if (!know_label) {
 
                                 r = socket_instantiate_service(s);
                                 if (r < 0)
@@ -1386,6 +1396,7 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
                        true,
                        true,
                        UNIT(s)->manager->confirm_spawn,
+                       false,
                        UNIT(s)->manager->cgroup_supported,
                        UNIT(s)->cgroup_path,
                        manager_get_runtime_prefix(UNIT(s)->manager),
@@ -1820,7 +1831,7 @@ static void socket_enter_running(Socket *s, int cfd) {
 
                 unit_choose_id(UNIT(service), name);
 
-                r = service_set_socket_fd(service, cfd, s);
+                r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
                 if (r < 0)
                         goto fail;
 
diff --git a/src/core/socket.h b/src/core/socket.h
index eede705..a2e0899 100644
--- a/src/core/socket.h
+++ b/src/core/socket.h
@@ -165,6 +165,8 @@ struct Socket {
         char *smack_ip_in;
         char *smack_ip_out;
 
+        bool selinux_context_from_net;
+
         char *user, *group;
 };
 
diff --git a/src/core/swap.c b/src/core/swap.c
index 9f353af..00a33d1 100644
--- a/src/core/swap.c
+++ b/src/core/swap.c
@@ -643,6 +643,7 @@ static int swap_spawn(Swap *s, ExecCommand *c, pid_t *_pid) {
                        true,
                        true,
                        UNIT(s)->manager->confirm_spawn,
+                       false,
                        UNIT(s)->manager->cgroup_supported,
                        UNIT(s)->cgroup_path,
                        manager_get_runtime_prefix(UNIT(s)->manager),
diff --git a/src/shared/label.c b/src/shared/label.c
index 25a8b36..02b41f0 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -31,6 +31,7 @@
 #ifdef HAVE_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/label.h>
+#include <selinux/context.h>
 #endif
 
 #include "label.h"
@@ -41,6 +42,12 @@
 #include "smack-util.h"
 
 #ifdef HAVE_SELINUX
+DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
+DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
+
+#define _cleanup_security_context_free_ _cleanup_(freeconp)
+#define _cleanup_context_free_ _cleanup_(context_freep)
+
 static struct selabel_handle *label_hnd = NULL;
 #endif
 
@@ -243,6 +250,112 @@ fail:
         return r;
 }
 
+int label_get_our_label(char **label) {
+        int r = -EOPNOTSUPP;
+        char *l = NULL;
+
+#ifdef HAVE_SELINUX
+        r = getcon(&l);
+        if (r < 0)
+                return r;
+
+        *label = l;
+#endif
+
+        return r;
+}
+
+int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+        int r = -EOPNOTSUPP;
+
+#ifdef HAVE_SELINUX
+
+        _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
+        security_class_t sclass;
+
+        const char *range = NULL;
+
+        assert(socket_fd >= 0);
+        assert(exe);
+        assert(label);
+
+        r = getcon(&mycon);
+        if (r < 0) {
+                r = -EINVAL;
+                goto out;
+        }
+
+        r = getpeercon(socket_fd, &peercon);
+        if (r < 0) {
+                r = -EINVAL;
+                goto out;
+        }
+
+        r = getexeccon(&fcon);
+        if (r < 0) {
+                r = -EINVAL;
+                goto out;
+        }
+
+        if (!fcon) {
+                /* If there is no context set for next exec let's use context
+                   of target executable */
+                r = getfilecon(exe, &fcon);
+                if (r < 0) {
+                        r = -errno;
+                        goto out;
+                }
+        }
+
+        bcon = context_new(mycon);
+        if (!bcon) {
+                r = -ENOMEM;
+                goto out;
+        }
+
+        pcon = context_new(peercon);
+        if (!pcon) {
+                r = -ENOMEM;
+                goto out;
+        }
+
+        range = context_range_get(pcon);
+        if (!range) {
+                r = -errno;
+                goto out;
+        }
+
+        r = context_range_set(bcon, range);
+        if (r) {
+                r = -errno;
+                goto out;
+        }
+
+        freecon(mycon);
+        mycon = context_str(bcon);
+        if (!mycon) {
+                r = -errno;
+                goto out;
+        }
+
+        sclass = string_to_security_class("process");
+        r = security_compute_create(mycon, fcon, sclass, &ret);
+        if (r < 0) {
+                r = -EINVAL;
+                goto out;
+        }
+
+        *label = ret;
+        r = 0;
+
+out:
+        if (r < 0 && security_getenforce() == 1)
+                return r;
+#endif
+        return r;
+}
+
 int label_context_set(const char *path, mode_t mode) {
         int r = 0;
 
diff --git a/src/shared/label.h b/src/shared/label.h
index 7294820..068a7ac 100644
--- a/src/shared/label.h
+++ b/src/shared/label.h
@@ -39,6 +39,8 @@ void label_context_clear(void);
 void label_free(const char *label);
 
 int label_get_create_label_from_exe(const char *exe, char **label);
+int label_get_our_label(char **label);
+int label_get_child_mls_label(int socket_fd, const char *exec, char **label);
 
 int label_mkdir(const char *path, mode_t mode);
 
-- 
2.0.1



More information about the systemd-devel mailing list