From 4f4e8bbd9ad46fc146a36f52790bc4920f42ef1f Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Mon, 2 Jul 2018 10:22:56 +0200 Subject: [PATCH] selinux: introduce mac_selinux_create_file_prepare_at() (cherry picked from commit 7e531a5265687aef5177b070c36ca4ceab42e768) Related: #1888912 --- src/basic/selinux-util.c | 83 ++++++++++++++++++++++++++++++---------- src/basic/selinux-util.h | 1 + 2 files changed, 63 insertions(+), 21 deletions(-) diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c index f69d88eb1e..a078ce23ef 100644 --- a/src/basic/selinux-util.c +++ b/src/basic/selinux-util.c @@ -336,48 +336,89 @@ char* mac_selinux_free(char *label) { return NULL; } -int mac_selinux_create_file_prepare(const char *path, mode_t mode) { - #if HAVE_SELINUX +static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) { _cleanup_freecon_ char *filecon = NULL; + _cleanup_free_ char *path = NULL; int r; - assert(path); - - if (!label_hnd) - return 0; - - if (path_is_absolute(path)) - r = selabel_lookup_raw(label_hnd, &filecon, path, mode); - else { - _cleanup_free_ char *newpath = NULL; - - r = path_make_absolute_cwd(path, &newpath); - if (r < 0) - return r; - - r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode); - } + assert(abspath); + assert(path_is_absolute(abspath)); + r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode); if (r < 0) { /* No context specified by the policy? Proceed without setting it. */ if (errno == ENOENT) return 0; - log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path); + log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath); } else { if (setfscreatecon_raw(filecon) >= 0) return 0; /* Success! */ - log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path); + log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath); } if (security_getenforce() > 0) return -errno; -#endif return 0; } +#endif + +int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) { + int r = 0; + +#if HAVE_SELINUX + _cleanup_free_ char *abspath = NULL; + _cleanup_close_ int fd = -1; + + assert(path); + + if (!label_hnd) + return 0; + + if (!path_is_absolute(path)) { + _cleanup_free_ char *p = NULL; + + if (dirfd == AT_FDCWD) + r = safe_getcwd(&p); + else + r = fd_get_path(dirfd, &p); + if (r < 0) + return r; + + abspath = path_join(NULL, p, path); + if (!abspath) + return -ENOMEM; + + path = abspath; + } + + r = selinux_create_file_prepare_abspath(path, mode); +#endif + return r; +} + +int mac_selinux_create_file_prepare(const char *path, mode_t mode) { + int r = 0; + +#if HAVE_SELINUX + _cleanup_free_ char *abspath = NULL; + + assert(path); + + if (!label_hnd) + return 0; + + r = path_make_absolute_cwd(path, &abspath); + if (r < 0) + return r; + + r = selinux_create_file_prepare_abspath(abspath, mode); +#endif + return r; +} void mac_selinux_create_file_clear(void) { diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h index abcfabe777..639c35b687 100644 --- a/src/basic/selinux-util.h +++ b/src/basic/selinux-util.h @@ -24,6 +24,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char * char* mac_selinux_free(char *label); int mac_selinux_create_file_prepare(const char *path, mode_t mode); +int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode); void mac_selinux_create_file_clear(void); int mac_selinux_create_socket_prepare(const char *label);