[systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check

Tue Jun 9 22:40:33 PDT 2015

I found an oversight in the previous v1 patch, found at
http://lists.freedesktop.org/archives/systemd-devel/2015-June/032796.html,
that u->load_state == UNIT_ERROR in the error path of unit_load(),
that is:

int unit_load(Unit *u) {
        int r;
...<cut>...
fail:
        u->load_state = u->load_state == UNIT_STUB ? UNIT_NOT_FOUND : UNIT_ERROR;
        u->load_error = r;
        unit_add_to_dbus_queue(u);
        unit_add_to_gc_queue(u);

        log_unit_debug_errno(u, r, "Failed to load configuration: %m");

        return r;
}

To fix this, this v2 version looks at u->load_error to check error
status instead of u->load_state.

How to reproduce
================

Assume that test.service has not been loaded (even tried to get
loaded) in this boot. Then,

  ~]# cat ./foo.sh
  #! /bin/sh
  
  mv test.service /etc/systemd/system
  systemctl daemon-reload
  systemctl enable test.service
  ~]# ./foo.sh

Test
====

I used selinux-context branch of
https://github.com/keszybz/systemd.git in this test to avoid the issue
in https://bugzilla.redhat.com/show_bug.cgi?id=1224211.

--
Thanks.
HATAYAMA, Daisuke

>From 398deee74edb06b54b8a74c25697cd6d977d8f2d Mon Sep 17 00:00:00 2001
From: HATAYAMA Daisuke <d.hatayama at jp.fujitsu.com>
Date: Wed, 10 Jun 2015 14:10:31 +0900
Subject: [PATCH] selinux: fix missing SELinux unit access check

Currently, SELinux unit access check is not performed if a given unit
file has not been registered in a hash table. This is because function
manager_get_unit() only tries to pick up a Unit object from a Unit
hash table. Instead, we use function manager_load_unit() searching
Unit file pathes for the given Unit file.
---
 src/core/selinux-access.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

v2:
- checking an error status by u->load_error to cover UNIT_ERROR case.

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index decd42f..ac52906 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units,
         int r;
 
         STRV_FOREACH(i, units) {
-                u = manager_get_unit(m, *i);
+                r = manager_load_unit(m, *i, NULL, error, &u);
+                if (r < 0)
+                        return r;
                 if (u) {
+                        if (u->load_error != 0)
+                                return u->load_error;
                         r = mac_selinux_unit_access_check(u, message, permission, error);
                         if (r < 0)
                                 return r;
-- 
2.1.0


