From f71db1f834f639a16a38e7314ba7ca0dd0d060d8 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 17 Feb 2014 16:52:52 +0100 Subject: [PATCH] core: store and expose SELinuxContext field normalized as bool + string Conflicts: src/core/dbus-execute.c src/core/execute.c src/core/load-fragment.h (cherry picked from commit 5f8640fb628cb034981e02d741fd9ddf26fdf38d) Related: #1113790 --- src/core/dbus-execute.c | 26 ++++++++++++++++++- src/core/execute.c | 18 +++---------- src/core/execute.h | 1 + src/core/load-fragment-gperf.gperf.m4 | 2 +- src/core/load-fragment.c | 48 +++++++++++++++++++++++++++++++++++ src/core/load-fragment.h | 1 + 6 files changed, 80 insertions(+), 16 deletions(-) diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 97d75fa..8162f1c 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -372,6 +372,30 @@ static int bus_execute_append_syscall_filter(DBusMessageIter *i, const char *pro return 0; } +static int bus_execute_append_selinux_context(DBusMessageIter *i, const char *property, void *data) { + ExecContext *c = data; + dbus_bool_t selinux_context_ignore; + const char *selinux_context = NULL; + + assert(i); + assert(property); + assert(c); + + selinux_context = c->selinux_context; + if (!selinux_context) + selinux_context = ""; + + selinux_context_ignore = c->selinux_context_ignore; + + if (!dbus_message_iter_append_basic(i, DBUS_TYPE_BOOLEAN, &selinux_context_ignore)) + return -ENOMEM; + + if (!dbus_message_iter_append_basic(i, DBUS_TYPE_STRING, &selinux_context)) + return -ENOMEM; + + return 0; +} + const BusProperty bus_exec_context_properties[] = { { "Environment", bus_property_append_strv, "as", offsetof(ExecContext, environment), true }, { "EnvironmentFiles", bus_execute_append_env_files, "a(sb)", offsetof(ExecContext, environment_files), true }, @@ -429,7 +453,7 @@ const BusProperty bus_exec_context_properties[] = { { "PrivateNetwork", bus_property_append_bool, "b", offsetof(ExecContext, private_network) }, { "SameProcessGroup", bus_property_append_bool, "b", offsetof(ExecContext, same_pgrp) }, { "UtmpIdentifier", bus_property_append_string, "s", offsetof(ExecContext, utmp_id), true }, - { "SELinuxContext", bus_property_append_string, "s", offsetof(ExecContext, selinux_context), true }, + { "SELinuxContext", bus_execute_append_selinux_context, "(bs)", 0 }, { "IgnoreSIGPIPE", bus_property_append_bool, "b", offsetof(ExecContext, ignore_sigpipe) }, { "NoNewPrivileges", bus_property_append_bool, "b", offsetof(ExecContext, no_new_privileges) }, { "SystemCallFilter", bus_execute_append_syscall_filter, "au", 0 }, diff --git a/src/core/execute.c b/src/core/execute.c index 9fc5090..a20301d 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1474,18 +1474,8 @@ int exec_spawn(ExecCommand *command, } #ifdef HAVE_SELINUX if (context->selinux_context && use_selinux()) { - bool ignore; - char* c; - - c = context->selinux_context; - if (c[0] == '-') { - c++; - ignore = true; - } else - ignore = false; - - err = setexeccon(c); - if (err < 0 && !ignore) { + err = setexeccon(context->selinux_context); + if (err < 0 && !context->selinux_context_ignore) { r = EXIT_SELINUX_CONTEXT; goto fail_child; } @@ -2097,8 +2087,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { if (c->selinux_context) fprintf(f, - "%sSELinuxContext: %s\n", - prefix, c->selinux_context); + "%sSELinuxContext: %s%s\n", + prefix, c->selinux_context_ignore ? "-" : "", c->selinux_context); } diff --git a/src/core/execute.h b/src/core/execute.h index 92ac8dd..2452126 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -124,6 +124,7 @@ struct ExecContext { char *utmp_id; + bool selinux_context_ignore; char *selinux_context; char **read_write_dirs, **read_only_dirs, **inaccessible_dirs; diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index 935f04e..759fbd8 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -76,7 +76,7 @@ $1.TCPWrapName, config_parse_unit_string_printf, 0, $1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name) $1.IgnoreSIGPIPE, config_parse_bool, 0, offsetof($1, exec_context.ignore_sigpipe) $1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id) -$1.SELinuxContext, config_parse_unit_string_printf, 0, offsetof($1, exec_context.selinux_context)' +$1.SELinuxContext, config_parse_exec_selinux_context, 0, offsetof($1, exec_context)' )m4_dnl m4_define(`KILL_CONTEXT_CONFIG_ITEMS', `$1.SendSIGKILL, config_parse_bool, 0, offsetof($1, kill_context.send_sigkill) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index f01843d..8e6e428 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -1139,6 +1139,54 @@ int config_parse_exec_mount_flags(const char *unit, return 0; } +int config_parse_exec_selinux_context( + const char *unit, + const char *filename, + unsigned line, + const char *section, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + ExecContext *c = data; + Unit *u = userdata; + bool ignore; + char *k; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + if (isempty(rvalue)) { + free(c->selinux_context); + c->selinux_context = NULL; + c->selinux_context_ignore = false; + return 0; + } + + if (rvalue[0] == '-') { + ignore = true; + rvalue++; + } else + ignore = false; + + r = unit_name_printf(u, rvalue, &k); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, -r, "Failed to resolve specifiers, ignoring: %s", strerror(-r)); + return 0; + } + + free(c->selinux_context); + c->selinux_context = k; + c->selinux_context_ignore = ignore; + + return 0; +} + int config_parse_timer(const char *unit, const char *filename, unsigned line, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h index 90e5e3a..de48436 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h @@ -83,6 +83,7 @@ int config_parse_device_allow(const char *unit, const char *filename, unsigned l int config_parse_blockio_weight(const char *unit, const char *filename, unsigned line, const char *section, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_blockio_device_weight(const char *unit, const char *filename, unsigned line, const char *section, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_blockio_bandwidth(const char *unit, const char *filename, unsigned line, const char *section, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_exec_selinux_context(const char *unit, const char *filename, unsigned line, const char *section, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); /* gperf prototypes */ const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);