mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-24 02:03:54 +03:00
Merge pull request #15010 from cgzones/selinux_reload_cache_enforce
SELinux: add trigger for policy reload and cache enforced status
This commit is contained in:
Chris Down
GitHub
commit
dfb3303b6c
@ -12,6 +12,7 @@
|
||||
#include <syslog.h>
|
||||
|
||||
#if HAVE_SELINUX
|
||||
#include <selinux/avc.h>
|
||||
#include <selinux/context.h>
|
||||
#include <selinux/label.h>
|
||||
#include <selinux/selinux.h>
|
||||
@ -31,11 +32,14 @@
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
||||
#define _cleanup_context_free_ _cleanup_(context_freep)
|
||||
|
||||
static int mac_selinux_reload(int seqno);
|
||||
|
||||
static int cached_use = -1;
|
||||
static int cached_enforcing = -1;
|
||||
static struct selabel_handle *label_hnd = NULL;
|
||||
|
||||
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
|
||||
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__)
|
||||
#define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
|
||||
#define log_enforcing_errno(r, ...) log_full_errno(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__)
|
||||
#endif
|
||||
|
||||
bool mac_selinux_use(void) {
|
||||
@ -49,12 +53,37 @@ bool mac_selinux_use(void) {
|
||||
#endif
|
||||
}
|
||||
|
||||
bool mac_selinux_enforcing(void) {
|
||||
#if HAVE_SELINUX
|
||||
if (cached_enforcing < 0) {
|
||||
cached_enforcing = security_getenforce();
|
||||
if (cached_enforcing == -1) {
|
||||
log_error_errno(errno, "Failed to get SELinux enforced status: %m");
|
||||
}
|
||||
}
|
||||
|
||||
/* treat failure as enforced mode */
|
||||
return (cached_enforcing != 0);
|
||||
#else
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
|
||||
void mac_selinux_retest(void) {
|
||||
#if HAVE_SELINUX
|
||||
cached_use = -1;
|
||||
cached_enforcing = -1;
|
||||
#endif
|
||||
}
|
||||
|
||||
#if HAVE_SELINUX
|
||||
static int setenforce_callback(int enforcing) {
|
||||
cached_enforcing = enforcing;
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
int mac_selinux_init(void) {
|
||||
int r = 0;
|
||||
|
||||
@ -62,6 +91,9 @@ int mac_selinux_init(void) {
|
||||
usec_t before_timestamp, after_timestamp;
|
||||
struct mallinfo before_mallinfo, after_mallinfo;
|
||||
|
||||
selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) mac_selinux_reload);
|
||||
selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) setenforce_callback);
|
||||
|
||||
if (label_hnd)
|
||||
return 0;
|
||||
|
||||
@ -74,7 +106,7 @@ int mac_selinux_init(void) {
|
||||
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
if (!label_hnd) {
|
||||
log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
|
||||
r = security_getenforce() == 1 ? -errno : 0;
|
||||
r = mac_selinux_enforcing() ? -errno : 0;
|
||||
} else {
|
||||
char timespan[FORMAT_TIMESPAN_MAX];
|
||||
int l;
|
||||
@ -104,13 +136,12 @@ void mac_selinux_finish(void) {
|
||||
#endif
|
||||
}
|
||||
|
||||
void mac_selinux_reload(void) {
|
||||
|
||||
#if HAVE_SELINUX
|
||||
static int mac_selinux_reload(int seqno) {
|
||||
struct selabel_handle *backup_label_hnd;
|
||||
|
||||
if (!label_hnd)
|
||||
return;
|
||||
return 0;
|
||||
|
||||
backup_label_hnd = TAKE_PTR(label_hnd);
|
||||
|
||||
@ -121,8 +152,10 @@ void mac_selinux_reload(void) {
|
||||
selabel_close(backup_label_hnd);
|
||||
else
|
||||
label_hnd = backup_label_hnd;
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
||||
|
||||
@ -151,6 +184,9 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
||||
if (fstat(fd, &st) < 0)
|
||||
return -errno;
|
||||
|
||||
/* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
|
||||
(void) avc_netlink_check_nb();
|
||||
|
||||
if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
|
||||
r = -errno;
|
||||
|
||||
@ -186,7 +222,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
||||
|
||||
fail:
|
||||
log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
|
||||
if (security_getenforce() == 1)
|
||||
if (mac_selinux_enforcing())
|
||||
return r;
|
||||
#endif
|
||||
|
||||
@ -204,7 +240,7 @@ int mac_selinux_apply(const char *path, const char *label) {
|
||||
|
||||
if (setfilecon(path, label) < 0) {
|
||||
log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
|
||||
if (security_getenforce() > 0)
|
||||
if (mac_selinux_enforcing())
|
||||
return -errno;
|
||||
}
|
||||
#endif
|
||||
@ -349,6 +385,9 @@ static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode)
|
||||
assert(abspath);
|
||||
assert(path_is_absolute(abspath));
|
||||
|
||||
/* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
|
||||
(void) avc_netlink_check_nb();
|
||||
|
||||
r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
|
||||
if (r < 0) {
|
||||
/* No context specified by the policy? Proceed without setting it. */
|
||||
@ -363,7 +402,7 @@ static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode)
|
||||
log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
|
||||
}
|
||||
|
||||
if (security_getenforce() > 0)
|
||||
if (mac_selinux_enforcing())
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
@ -444,7 +483,7 @@ int mac_selinux_create_socket_prepare(const char *label) {
|
||||
if (setsockcreatecon(label) < 0) {
|
||||
log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
|
||||
|
||||
if (security_getenforce() == 1)
|
||||
if (mac_selinux_enforcing())
|
||||
return -errno;
|
||||
}
|
||||
#endif
|
||||
@ -497,6 +536,9 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
|
||||
|
||||
path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
|
||||
|
||||
/* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
|
||||
(void) avc_netlink_check_nb();
|
||||
|
||||
if (path_is_absolute(path))
|
||||
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
|
||||
else {
|
||||
@ -515,13 +557,13 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
|
||||
goto skipped;
|
||||
|
||||
log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
|
||||
if (security_getenforce() > 0)
|
||||
if (mac_selinux_enforcing())
|
||||
return -errno;
|
||||
|
||||
} else {
|
||||
if (setfscreatecon_raw(fcon) < 0) {
|
||||
log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
|
||||
if (security_getenforce() > 0)
|
||||
if (mac_selinux_enforcing())
|
||||
return -errno;
|
||||
} else
|
||||
context_changed = true;
|
||||
|
||||
@ -16,11 +16,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
||||
#endif
|
||||
|
||||
bool mac_selinux_use(void);
|
||||
bool mac_selinux_enforcing(void);
|
||||
void mac_selinux_retest(void);
|
||||
|
||||
int mac_selinux_init(void);
|
||||
void mac_selinux_finish(void);
|
||||
void mac_selinux_reload(void);
|
||||
|
||||
int mac_selinux_fix(const char *path, LabelFixFlags flags);
|
||||
int mac_selinux_apply(const char *path, const char *label);
|
||||
|
||||
@ -1747,8 +1747,6 @@ static int invoke_main_loop(
|
||||
saved_log_level = m->log_level_overridden ? log_get_max_level() : -1;
|
||||
saved_log_target = m->log_target_overridden ? log_get_target() : _LOG_TARGET_INVALID;
|
||||
|
||||
mac_selinux_reload();
|
||||
|
||||
(void) parse_configuration(saved_rlimit_nofile, saved_rlimit_memlock);
|
||||
|
||||
set_manager_defaults(m);
|
||||
|
||||
@ -143,16 +143,16 @@ static int access_init(sd_bus_error *error) {
|
||||
return 1;
|
||||
|
||||
if (avc_open(NULL, 0) != 0) {
|
||||
int enforce, saved_errno = errno;
|
||||
int saved_errno = errno;
|
||||
const bool enforce = mac_selinux_enforcing();
|
||||
|
||||
enforce = security_getenforce();
|
||||
log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
|
||||
log_full_errno(enforce ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
|
||||
|
||||
/* If enforcement isn't on, then let's suppress this
|
||||
* error, and just don't do any AVC checks. The
|
||||
* warning we printed is hence all the admin will
|
||||
* see. */
|
||||
if (enforce == 0)
|
||||
if (!enforce)
|
||||
return 0;
|
||||
|
||||
/* Return an access denied error, if we couldn't load
|
||||
@ -185,7 +185,7 @@ int mac_selinux_generic_access_check(
|
||||
_cleanup_free_ char *cl = NULL;
|
||||
_cleanup_freecon_ char *fcon = NULL;
|
||||
char **cmdline = NULL;
|
||||
bool enforce = false; /* Will be set to the real value later if needed */
|
||||
const bool enforce = mac_selinux_enforcing();
|
||||
int r = 0;
|
||||
|
||||
assert(message);
|
||||
@ -223,7 +223,6 @@ int mac_selinux_generic_access_check(
|
||||
|
||||
if (getfilecon_raw(path, &fcon) < 0) {
|
||||
r = -errno;
|
||||
enforce = security_getenforce() > 0;
|
||||
|
||||
log_warning_errno(r, "SELinux getfilecon_raw on '%s' failed%s (perm=%s): %m",
|
||||
path,
|
||||
@ -240,7 +239,6 @@ int mac_selinux_generic_access_check(
|
||||
} else {
|
||||
if (getcon_raw(&fcon) < 0) {
|
||||
r = -errno;
|
||||
enforce = security_getenforce() > 0;
|
||||
|
||||
log_warning_errno(r, "SELinux getcon_raw failed%s (perm=%s): %m",
|
||||
enforce ? "" : ", ignoring",
|
||||
@ -266,7 +264,6 @@ int mac_selinux_generic_access_check(
|
||||
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
|
||||
if (r < 0) {
|
||||
r = errno_or_else(EPERM);
|
||||
enforce = security_getenforce() > 0;
|
||||
|
||||
if (enforce)
|
||||
sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user