1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-25 23:21:33 +03:00

exec: Add SELinuxContext configuration item

This permit to let system administrators decide of the domain of a service.
This can be used with templated units to have each service in a différent
domain ( for example, a per customer database, using MLS or anything ),
or can be used to force a non selinux enabled system (jvm, erlang, etc)
to start in a different domain for each service.
This commit is contained in:
Michael Scherer 2014-02-06 10:05:16 +01:00 committed by Lennart Poettering
parent 36e0e6311b
commit 7b52a628f8
7 changed files with 48 additions and 2 deletions

View File

@ -950,6 +950,17 @@
this service.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>SELinuxContext=</varname></term>
<listitem><para>Set the SELinux context of the
executed process. If set, this will override the
automated domain transition. However, the policy
still need to autorize the transition. See
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>IgnoreSIGPIPE=</varname></term>

View File

@ -419,6 +419,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SELinuxContext", "s", NULL, offsetof(ExecContext, selinux_context), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("IgnoreSIGPIPE", "b", bus_property_get_bool, offsetof(ExecContext, ignore_sigpipe), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("NoNewPrivileges", "b", bus_property_get_bool, offsetof(ExecContext, no_new_privileges), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("SystemCallFilter", "au", property_get_syscall_filter, 0, SD_BUS_VTABLE_PROPERTY_CONST),

View File

@ -47,6 +47,10 @@
#include <security/pam_appl.h>
#endif
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#endif
#include "execute.h"
#include "strv.h"
#include "macro.h"
@ -1564,6 +1568,20 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
}
#ifdef HAVE_SELINUX
if (context->selinux_context) {
err = security_check_context(context->selinux_context);
if (err < 0) {
r = EXIT_SELINUX_CONTEXT;
goto fail_child;
}
err = setexeccon(context->selinux_context);
if (err < 0) {
r = EXIT_SELINUX_CONTEXT;
goto fail_child;
}
}
#endif
}
err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
@ -1722,6 +1740,9 @@ void exec_context_done(ExecContext *c) {
free(c->utmp_id);
c->utmp_id = NULL;
free(c->selinux_context);
c->selinux_context = NULL;
free(c->syscall_filter);
c->syscall_filter = NULL;
}
@ -2091,6 +2112,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
fprintf(f,
"%sUtmpIdentifier: %s\n",
prefix, c->utmp_id);
if (c->selinux_context)
fprintf(f,
"%sSELinuxContext: %s\n",
prefix, c->selinux_context);
}
void exec_status_start(ExecStatus *s, pid_t pid) {

View File

@ -133,6 +133,8 @@ struct ExecContext {
char *utmp_id;
char *selinux_context;
char **read_write_dirs, **read_only_dirs, **inaccessible_dirs;
unsigned long mount_flags;

View File

@ -76,7 +76,8 @@ $1.MountFlags, config_parse_exec_mount_flags, 0,
$1.TCPWrapName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.tcpwrap_name)
$1.PAMName, config_parse_unit_string_printf, 0, offsetof($1, exec_context.pam_name)
$1.IgnoreSIGPIPE, config_parse_bool, 0, offsetof($1, exec_context.ignore_sigpipe)
$1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id)'
$1.UtmpIdentifier, config_parse_unit_string_printf, 0, offsetof($1, exec_context.utmp_id)
$1.SELinuxContext, config_parse_unit_string_printf, 0, offsetof($1, exec_context.selinux_context)'
)m4_dnl
m4_define(`KILL_CONTEXT_CONFIG_ITEMS',
`$1.SendSIGKILL, config_parse_bool, 0, offsetof($1, kill_context.send_sigkill)

View File

@ -130,6 +130,9 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
case EXIT_SECCOMP:
return "SECCOMP";
case EXIT_SELINUX_CONTEXT:
return "SELINUX_CONTEXT";
}
}

View File

@ -67,7 +67,8 @@ typedef enum ExitStatus {
EXIT_NETWORK,
EXIT_NAMESPACE,
EXIT_NO_NEW_PRIVILEGES,
EXIT_SECCOMP
EXIT_SECCOMP,
EXIT_SELINUX_CONTEXT
} ExitStatus;
typedef enum ExitStatusLevel {