richardphibel / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
Source Code
GIT

Blame SOURCES/0289-socket-introduce-SELinuxContextFromNet-option.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   d18144a73bec7a6976a63623f3b2fca34677a3c0
  2.   SOURCES
  3.   0289-socket-introduce-SELinuxContextFromNet-option.patch
Blob History Raw
84b277 
From 98bb285648a68c89820fe7415737ee97da74ec69 Mon Sep 17 00:00:00 2001
84b277 
From: Michal Sekletar <msekleta@redhat.com>
84b277 
Date: Thu, 24 Jul 2014 10:40:28 +0200
84b277 
Subject: [PATCH] socket: introduce SELinuxContextFromNet option
84b277
84b277 
This makes possible to spawn service instances triggered by socket with
84b277 
MLS/MCS SELinux labels which are created based on information provided by
84b277 
connected peer.
84b277
84b277 
Implementation of label_get_child_mls_label derived from xinetd.
84b277
84b277 
Reviewed-by: Paul Moore <pmoore@redhat.com>
84b277
84b277 
Resolves: #1113790
84b277 
---
84b277 
 man/systemd.socket.xml                |  26 ++++++++
84b277 
 src/core/execute.c                    |  30 +++++++--
84b277 
 src/core/execute.h                    |   1 +
84b277 
 src/core/load-fragment-gperf.gperf.m4 |   1 +
84b277 
 src/core/mount.c                      |   1 +
84b277 
 src/core/service.c                    |   4 +-
84b277 
 src/core/service.h                    |   3 +-
84b277 
 src/core/socket.c                     |  16 +++--
84b277 
 src/core/socket.h                     |   2 +
84b277 
 src/core/swap.c                       |   1 +
84b277 
 src/shared/label.c                    | 113 ++++++++++++++++++++++++++++++++++
84b277 
 src/shared/label.h                    |   2 +
84b277 
 12 files changed, 189 insertions(+), 11 deletions(-)
84b277
84b277 
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
84b277 
index d146b3b..75ba15f 100644
84b277 
--- a/man/systemd.socket.xml
84b277 
+++ b/man/systemd.socket.xml
84b277 
@@ -585,6 +585,32 @@
84b277 
                         </varlistentry>
84b277
84b277 
                         <varlistentry>
84b277 
+                          <term><varname>SELinuxContextFromNet=</varname></term>
84b277 
+                                 <listitem><para>Takes a boolean
84b277 
+                                 argument. When true systemd will attempt
84b277 
+                                 to figure out the SELinux label used
84b277 
+                                 for the instantiated service from the
84b277 
+                                 information handed by the peer over the
84b277 
+                                 network. Note that only the security
84b277 
+                                 level is used from the information
84b277 
+                                 provided by the peer. Other parts of
84b277 
+                                 the resulting SELinux context originate
84b277 
+                                 from either the target binary that is
84b277 
+                                 effectively triggered by socket unit
84b277 
+                                 are taken from the value of the
84b277 
+                                 <varname>SELinuxContext=</varname>
84b277 
+                                 option.This configuration option only
84b277 
+                                 affects sockets with
84b277 
+                                 <varname>Accept=</varname> mode set to
84b277 
+                                 <literal>true</literal>. Also note that
84b277 
+                                 this option is useful only when
84b277 
+                                 MLS/MCS SELinux policy is
84b277 
+                                 deployed. Defaults to
84b277 
+                                 <literal>false</literal>.
84b277 
+                                 </para></listitem>
84b277 
+                        </varlistentry>
84b277 
+
84b277 
+                        <varlistentry>
84b277 
                                 <term><varname>PipeSize=</varname></term>
84b277 
                                 <listitem><para>Takes an integer
84b277 
                                 value. Controls the pipe buffer size
84b277 
diff --git a/src/core/execute.c b/src/core/execute.c
84b277 
index a20301d..0894156 100644
84b277 
--- a/src/core/execute.c
84b277 
+++ b/src/core/execute.c
84b277 
@@ -73,6 +73,7 @@
84b277 
 #include "unit.h"
84b277 
 #include "async.h"
84b277 
 #include "selinux-util.h"
84b277 
+#include "label.h"
84b277
84b277 
 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
84b277 
 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
84b277 
@@ -1038,6 +1039,7 @@ int exec_spawn(ExecCommand *command,
84b277 
                bool apply_chroot,
84b277 
                bool apply_tty_stdin,
84b277 
                bool confirm_spawn,
84b277 
+               bool selinux_context_net,
84b277 
                CGroupControllerMask cgroup_supported,
84b277 
                const char *cgroup_path,
84b277 
                const char *unit_id,
84b277 
@@ -1473,11 +1475,29 @@ int exec_spawn(ExecCommand *command,
84b277 
                                 }
84b277 
                         }
84b277 
 #ifdef HAVE_SELINUX
84b277 
-                        if (context->selinux_context && use_selinux()) {
84b277 
-                                err = setexeccon(context->selinux_context);
84b277 
-                                if (err < 0 && !context->selinux_context_ignore) {
84b277 
-                                        r = EXIT_SELINUX_CONTEXT;
84b277 
-                                        goto fail_child;
84b277 
+                        if (use_selinux()) {
84b277 
+                                if (context->selinux_context) {
84b277 
+                                        err = setexeccon(context->selinux_context);
84b277 
+                                        if (err < 0 && !context->selinux_context_ignore) {
84b277 
+                                                r = EXIT_SELINUX_CONTEXT;
84b277 
+                                                goto fail_child;
84b277 
+                                        }
84b277 
+                                }
84b277 
+
84b277 
+                                if (selinux_context_net && socket_fd >= 0) {
84b277 
+                                        _cleanup_free_ char *label = NULL;
84b277 
+
84b277 
+                                        err = label_get_child_mls_label(socket_fd, command->path, &label);
84b277 
+                                        if (err < 0) {
84b277 
+                                                r = EXIT_SELINUX_CONTEXT;
84b277 
+                                                goto fail_child;
84b277 
+                                        }
84b277 
+
84b277 
+                                        err = setexeccon(label);
84b277 
+                                        if (err < 0) {
84b277 
+                                                r = EXIT_SELINUX_CONTEXT;
84b277 
+                                                goto fail_child;
84b277 
+                                        }
84b277 
                                 }
84b277 
                         }
84b277 
 #endif
84b277 
diff --git a/src/core/execute.h b/src/core/execute.h
84b277 
index 2452126..5055890 100644
84b277 
--- a/src/core/execute.h
84b277 
+++ b/src/core/execute.h
84b277 
@@ -174,6 +174,7 @@ int exec_spawn(ExecCommand *command,
84b277 
                bool apply_chroot,
84b277 
                bool apply_tty_stdin,
84b277 
                bool confirm_spawn,
84b277 
+               bool selinux_context_net,
84b277 
                CGroupControllerMask cgroup_mask,
84b277 
                const char *cgroup_path,
84b277 
                const char *unit_id,
84b277 
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
84b277 
index 759fbd8..ee7cd5d 100644
84b277 
--- a/src/core/load-fragment-gperf.gperf.m4
84b277 
+++ b/src/core/load-fragment-gperf.gperf.m4
84b277 
@@ -221,6 +221,7 @@ Socket.Service,                  config_parse_socket_service,        0,
84b277 
 Socket.SmackLabel,               config_parse_string,                0,                             offsetof(Socket, smack)
84b277 
 Socket.SmackLabelIPIn,           config_parse_string,                0,                             offsetof(Socket, smack_ip_in)
84b277 
 Socket.SmackLabelIPOut,          config_parse_string,                0,                             offsetof(Socket, smack_ip_out)
84b277 
+Socket.SELinuxContextFromNet,    config_parse_bool,                  0,                             offsetof(Socket, selinux_context_from_net),
84b277 
 EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
84b277 
 CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
84b277 
 KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
84b277 
diff --git a/src/core/mount.c b/src/core/mount.c
84b277 
index 3672338..bbceb92 100644
84b277 
--- a/src/core/mount.c
84b277 
+++ b/src/core/mount.c
84b277 
@@ -791,6 +791,7 @@ static int mount_spawn(Mount *m, ExecCommand *c, pid_t *_pid) {
84b277 
                        true,
84b277 
                        true,
84b277 
                        UNIT(m)->manager->confirm_spawn,
84b277 
+                       false,
84b277 
                        UNIT(m)->manager->cgroup_supported,
84b277 
                        UNIT(m)->cgroup_path,
84b277 
                        UNIT(m)->id,
84b277 
diff --git a/src/core/service.c b/src/core/service.c
84b277 
index 4366e1b..7ef2b3a 100644
84b277 
--- a/src/core/service.c
84b277 
+++ b/src/core/service.c
84b277 
@@ -1867,6 +1867,7 @@ static int service_spawn(
84b277 
                        apply_chroot,
84b277 
                        apply_tty_stdin,
84b277 
                        UNIT(s)->manager->confirm_spawn,
84b277 
+                       false,
84b277 
                        UNIT(s)->manager->cgroup_supported,
84b277 
                        path,
84b277 
                        UNIT(s)->id,
84b277 
@@ -3806,7 +3807,7 @@ static void service_bus_query_pid_done(
84b277 
         }
84b277 
 }
84b277
84b277 
-int service_set_socket_fd(Service *s, int fd, Socket *sock) {
84b277 
+int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) {
84b277
84b277 
         assert(s);
84b277 
         assert(fd >= 0);
84b277 
@@ -3825,6 +3826,7 @@ int service_set_socket_fd(Service *s, int fd, Socket *sock) {
84b277 
                 return -EAGAIN;
84b277
84b277 
         s->socket_fd = fd;
84b277 
+        s->socket_fd_selinux_context_net = selinux_context_net;
84b277 
         s->got_socket_fd = true;
84b277
84b277 
         unit_ref_set(&s->accept_socket, UNIT(sock));
84b277 
diff --git a/src/core/service.h b/src/core/service.h
84b277 
index fa4ef2b..24e6b4e 100644
84b277 
--- a/src/core/service.h
84b277 
+++ b/src/core/service.h
84b277 
@@ -156,6 +156,7 @@ struct Service {
84b277
84b277 
         pid_t main_pid, control_pid;
84b277 
         int socket_fd;
84b277 
+        bool socket_fd_selinux_context_net;
84b277
84b277 
         int fsck_passno;
84b277
84b277 
@@ -204,7 +205,7 @@ extern const UnitVTable service_vtable;
84b277
84b277 
 struct Socket;
84b277
84b277 
-int service_set_socket_fd(Service *s, int fd, struct Socket *socket);
84b277 
+int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net);
84b277
84b277 
 const char* service_state_to_string(ServiceState i) _const_;
84b277 
 ServiceState service_state_from_string(const char *s) _pure_;
84b277 
diff --git a/src/core/socket.c b/src/core/socket.c
84b277 
index 32e0d35..35fc204 100644
84b277 
--- a/src/core/socket.c
84b277 
+++ b/src/core/socket.c
84b277 
@@ -431,7 +431,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
84b277 
                 "%sBroadcast: %s\n"
84b277 
                 "%sPassCredentials: %s\n"
84b277 
                 "%sPassSecurity: %s\n"
84b277 
-                "%sTCPCongestion: %s\n",
84b277 
+                "%sTCPCongestion: %s\n"
84b277 
+                "%sSELinuxContextFromNet: %s\n",
84b277 
                 prefix, socket_state_to_string(s->state),
84b277 
                 prefix, socket_result_to_string(s->result),
84b277 
                 prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
84b277 
@@ -444,7 +445,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
84b277 
                 prefix, yes_no(s->broadcast),
84b277 
                 prefix, yes_no(s->pass_cred),
84b277 
                 prefix, yes_no(s->pass_sec),
84b277 
-                prefix, strna(s->tcp_congestion));
84b277 
+                prefix, strna(s->tcp_congestion),
84b277 
+                prefix, yes_no(s->selinux_context_from_net));
84b277
84b277 
         if (s->control_pid > 0)
84b277 
                 fprintf(f,
84b277 
@@ -994,7 +996,12 @@ static int socket_open_fds(Socket *s) {
84b277
84b277 
                 if (p->type == SOCKET_SOCKET) {
84b277
84b277 
-                        if (!know_label) {
84b277 
+                        if (!know_label && s->selinux_context_from_net) {
84b277 
+                                r = label_get_our_label(&label);
84b277 
+                                if (r < 0)
84b277 
+                                        return r;
84b277 
+                                know_label = true;
84b277 
+                        } else if (!know_label) {
84b277
84b277 
                                 if ((r = socket_instantiate_service(s)) < 0)
84b277 
                                         return r;
84b277 
@@ -1227,6 +1234,7 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
84b277 
                        true,
84b277 
                        true,
84b277 
                        UNIT(s)->manager->confirm_spawn,
84b277 
+                       s->selinux_context_from_net,
84b277 
                        UNIT(s)->manager->cgroup_supported,
84b277 
                        UNIT(s)->cgroup_path,
84b277 
                        UNIT(s)->id,
84b277 
@@ -1666,7 +1674,7 @@ static void socket_enter_running(Socket *s, int cfd) {
84b277 
                 unit_choose_id(UNIT(service), name);
84b277 
                 free(name);
84b277
84b277 
-                r = service_set_socket_fd(service, cfd, s);
84b277 
+                r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
84b277 
                 if (r < 0)
84b277 
                         goto fail;
84b277
84b277 
diff --git a/src/core/socket.h b/src/core/socket.h
84b277 
index 6a24883..ddddf4c 100644
84b277 
--- a/src/core/socket.h
84b277 
+++ b/src/core/socket.h
84b277 
@@ -154,6 +154,8 @@ struct Socket {
84b277 
         char *smack_ip_in;
84b277 
         char *smack_ip_out;
84b277
84b277 
+        bool selinux_context_from_net;
84b277 
+
84b277 
         char *user;
84b277 
         char *group;
84b277 
 };
84b277 
diff --git a/src/core/swap.c b/src/core/swap.c
84b277 
index 727bb95..b72034f 100644
84b277 
--- a/src/core/swap.c
84b277 
+++ b/src/core/swap.c
84b277 
@@ -589,6 +589,7 @@ static int swap_spawn(Swap *s, ExecCommand *c, pid_t *_pid) {
84b277 
                        true,
84b277 
                        true,
84b277 
                        UNIT(s)->manager->confirm_spawn,
84b277 
+                       false,
84b277 
                        UNIT(s)->manager->cgroup_supported,
84b277 
                        UNIT(s)->cgroup_path,
84b277 
                        UNIT(s)->id,
84b277 
diff --git a/src/shared/label.c b/src/shared/label.c
84b277 
index fde39f2..4dab93e 100644
84b277 
--- a/src/shared/label.c
84b277 
+++ b/src/shared/label.c
84b277 
@@ -38,6 +38,13 @@
84b277 
 #include "selinux-util.h"
84b277 
 #include <selinux/selinux.h>
84b277 
 #include <selinux/label.h>
84b277 
+#include <selinux/context.h>
84b277 
+
84b277 
+define_trivial_cleanup_func(security_context_t, freecon);
84b277 
+define_trivial_cleanup_func(context_t, context_free);
84b277 
+
84b277 
+#define _cleanup_security_context_free_ _cleanup_(freeconp)
84b277 
+#define _cleanup_context_free_ _cleanup_(context_freep)
84b277
84b277 
 static struct selabel_handle *label_hnd = NULL;
84b277
84b277 
@@ -180,6 +187,112 @@ fail:
84b277 
         return r;
84b277 
 }
84b277
84b277 
+int label_get_our_label(char **label) {
84b277 
+        int r = -EOPNOTSUPP;
84b277 
+        char *l = NULL;
84b277 
+
84b277 
+#ifdef HAVE_SELINUX
84b277 
+        r = getcon(&l);
84b277 
+        if (r < 0)
84b277 
+                return r;
84b277 
+
84b277 
+        *label = l;
84b277 
+#endif
84b277 
+
84b277 
+        return r;
84b277 
+}
84b277 
+
84b277 
+int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
84b277 
+        int r = -EOPNOTSUPP;
84b277 
+
84b277 
+#ifdef HAVE_SELINUX
84b277 
+
84b277 
+        _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
84b277 
+        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
84b277 
+        security_class_t sclass;
84b277 
+
84b277 
+        const char *range = NULL;
84b277 
+
84b277 
+        assert(socket_fd >= 0);
84b277 
+        assert(exe);
84b277 
+        assert(label);
84b277 
+
84b277 
+        r = getcon(&mycon);
84b277 
+        if (r < 0) {
84b277 
+                r = -EINVAL;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        r = getpeercon(socket_fd, &peercon);
84b277 
+        if (r < 0) {
84b277 
+                r = -EINVAL;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        r = getexeccon(&fcon);
84b277 
+        if (r < 0) {
84b277 
+                r = -EINVAL;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        if (!fcon) {
84b277 
+                /* If there is no context set for next exec let's use context
84b277 
+                   of target executable */
84b277 
+                r = getfilecon(exe, &fcon);
84b277 
+                if (r < 0) {
84b277 
+                        r = -errno;
84b277 
+                        goto out;
84b277 
+                }
84b277 
+        }
84b277 
+
84b277 
+        bcon = context_new(mycon);
84b277 
+        if (!bcon) {
84b277 
+                r = -ENOMEM;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        pcon = context_new(peercon);
84b277 
+        if (!pcon) {
84b277 
+                r = -ENOMEM;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        range = context_range_get(pcon);
84b277 
+        if (!range) {
84b277 
+                r = -errno;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        r = context_range_set(bcon, range);
84b277 
+        if (r) {
84b277 
+                r = -errno;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        freecon(mycon);
84b277 
+        mycon = context_str(bcon);
84b277 
+        if (!mycon) {
84b277 
+                r = -errno;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        sclass = string_to_security_class("process");
84b277 
+        r = security_compute_create(mycon, fcon, sclass, &ret;;
84b277 
+        if (r < 0) {
84b277 
+                r = -EINVAL;
84b277 
+                goto out;
84b277 
+        }
84b277 
+
84b277 
+        *label = ret;
84b277 
+        r = 0;
84b277 
+
84b277 
+out:
84b277 
+        if (r < 0 && security_getenforce() == 1)
84b277 
+                return r;
84b277 
+#endif
84b277 
+        return r;
84b277 
+}
84b277 
+
84b277 
 int label_context_set(const char *path, mode_t mode) {
84b277 
         int r = 0;
84b277
84b277 
diff --git a/src/shared/label.h b/src/shared/label.h
84b277 
index 09e15e3..d8a281c 100644
84b277 
--- a/src/shared/label.h
84b277 
+++ b/src/shared/label.h
84b277 
@@ -39,6 +39,8 @@ void label_context_clear(void);
84b277 
 void label_free(const char *label);
84b277
84b277 
 int label_get_create_label_from_exe(const char *exe, char **label);
84b277 
+int label_get_our_label(char **label);
84b277 
+int label_get_child_mls_label(int socket_fd, const char *exec, char **label);
84b277
84b277 
 int label_mkdir(const char *path, mode_t mode);
84b277

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation