shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-25 06:03:40 +03:00
Code

Merge pull request #15010 from cgzones/selinux_reload_cache_enforce

Browse Source 
SELinux: add trigger for policy reload and cache enforced status
This commit is contained in:
Chris Down 2020-03-06 16:12:48 +00:00 committed by GitHub
commit dfb3303b6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 61 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
src/basic/selinux-util.c
View File

@ -12,6 +12,7 @@
#include <syslog.h> #include <syslog.h>
#if HAVE_SELINUX #if HAVE_SELINUX
#include <selinux/avc.h>
#include <selinux/context.h> #include <selinux/context.h>
#include <selinux/label.h> #include <selinux/label.h>
#include <selinux/selinux.h> #include <selinux/selinux.h>
@ -31,11 +32,14 @@
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free); DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
#define _cleanup_context_free_ _cleanup_(context_freep) #define _cleanup_context_free_ _cleanup_(context_freep)
static int mac_selinux_reload(int seqno);
static int cached_use = -1; static int cached_use = -1;
static int cached_enforcing = -1;
static struct selabel_handle *label_hnd = NULL; static struct selabel_handle *label_hnd = NULL;
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, __VA_ARGS__) #define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__) #define log_enforcing_errno(r, ...) log_full_errno(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__)
#endif #endif
bool mac_selinux_use(void) { bool mac_selinux_use(void) {
@ -49,12 +53,37 @@ bool mac_selinux_use(void) {
#endif #endif
} }
bool mac_selinux_enforcing(void) {
#if HAVE_SELINUX
if (cached_enforcing < 0) {
cached_enforcing = security_getenforce();
if (cached_enforcing == -1) {
log_error_errno(errno, "Failed to get SELinux enforced status: %m");
}
}
/* treat failure as enforced mode */
return (cached_enforcing != 0);
#else
return false;
#endif
}
void mac_selinux_retest(void) { void mac_selinux_retest(void) {
#if HAVE_SELINUX #if HAVE_SELINUX
cached_use = -1; cached_use = -1;
cached_enforcing = -1;
#endif #endif
} }
#if HAVE_SELINUX
static int setenforce_callback(int enforcing) {
cached_enforcing = enforcing;
return 0;
}
#endif
int mac_selinux_init(void) { int mac_selinux_init(void) {
int r = 0; int r = 0;
@ -62,6 +91,9 @@ int mac_selinux_init(void) {
usec_t before_timestamp, after_timestamp; usec_t before_timestamp, after_timestamp;
struct mallinfo before_mallinfo, after_mallinfo; struct mallinfo before_mallinfo, after_mallinfo;
selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) mac_selinux_reload);
selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) setenforce_callback);
if (label_hnd) if (label_hnd)
return 0; return 0;
@ -74,7 +106,7 @@ int mac_selinux_init(void) {
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
if (!label_hnd) { if (!label_hnd) {
log_enforcing_errno(errno, "Failed to initialize SELinux context: %m"); log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
r = security_getenforce() == 1 ? -errno : 0; r = mac_selinux_enforcing() ? -errno : 0;
} else { } else {
char timespan[FORMAT_TIMESPAN_MAX]; char timespan[FORMAT_TIMESPAN_MAX];
int l; int l;
@ -104,13 +136,12 @@ void mac_selinux_finish(void) {
#endif #endif
} }
void mac_selinux_reload(void) {
#if HAVE_SELINUX #if HAVE_SELINUX
static int mac_selinux_reload(int seqno) {
struct selabel_handle *backup_label_hnd; struct selabel_handle *backup_label_hnd;
if (!label_hnd) if (!label_hnd)
return; return 0;
backup_label_hnd = TAKE_PTR(label_hnd); backup_label_hnd = TAKE_PTR(label_hnd);
@ -121,8 +152,10 @@ void mac_selinux_reload(void) {
selabel_close(backup_label_hnd); selabel_close(backup_label_hnd);
else else
label_hnd = backup_label_hnd; label_hnd = backup_label_hnd;
#endif
return 0;
} }
#endif
int mac_selinux_fix(const char *path, LabelFixFlags flags) { int mac_selinux_fix(const char *path, LabelFixFlags flags) {
@ -151,6 +184,9 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) {
if (fstat(fd, &st) < 0) if (fstat(fd, &st) < 0)
return -errno; return -errno;
/* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
(void) avc_netlink_check_nb();
if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) { if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
r = -errno; r = -errno;
@ -186,7 +222,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) {
fail: fail:
log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path); log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
if (security_getenforce() == 1) if (mac_selinux_enforcing())
return r; return r;
#endif #endif
@ -204,7 +240,7 @@ int mac_selinux_apply(const char *path, const char *label) {
if (setfilecon(path, label) < 0) { if (setfilecon(path, label) < 0) {
log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path); log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
if (security_getenforce() > 0) if (mac_selinux_enforcing())
return -errno; return -errno;
} }
#endif #endif
@ -349,6 +385,9 @@ static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode)
assert(abspath); assert(abspath);
assert(path_is_absolute(abspath)); assert(path_is_absolute(abspath));
/* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
(void) avc_netlink_check_nb();
r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode); r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
if (r < 0) { if (r < 0) {
/* No context specified by the policy? Proceed without setting it. */ /* No context specified by the policy? Proceed without setting it. */
@ -363,7 +402,7 @@ static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode)
log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath); log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
} }
if (security_getenforce() > 0) if (mac_selinux_enforcing())
return -errno; return -errno;
return 0; return 0;
@ -444,7 +483,7 @@ int mac_selinux_create_socket_prepare(const char *label) {
if (setsockcreatecon(label) < 0) { if (setsockcreatecon(label) < 0) {
log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label); log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
if (security_getenforce() == 1) if (mac_selinux_enforcing())
return -errno; return -errno;
} }
#endif #endif
@ -497,6 +536,9 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path)); path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
/* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
(void) avc_netlink_check_nb();
if (path_is_absolute(path)) if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK); r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else { else {
@ -515,13 +557,13 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
goto skipped; goto skipped;
log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path); log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
if (security_getenforce() > 0) if (mac_selinux_enforcing())
return -errno; return -errno;
} else { } else {
if (setfscreatecon_raw(fcon) < 0) { if (setfscreatecon_raw(fcon) < 0) {
log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path); log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
if (security_getenforce() > 0) if (mac_selinux_enforcing())
return -errno; return -errno;
} else } else
context_changed = true; context_changed = true;

2
src/basic/selinux-util.h
View File

@ -16,11 +16,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
#endif #endif
bool mac_selinux_use(void); bool mac_selinux_use(void);
bool mac_selinux_enforcing(void);
void mac_selinux_retest(void); void mac_selinux_retest(void);
int mac_selinux_init(void); int mac_selinux_init(void);
void mac_selinux_finish(void); void mac_selinux_finish(void);
void mac_selinux_reload(void);
int mac_selinux_fix(const char *path, LabelFixFlags flags); int mac_selinux_fix(const char *path, LabelFixFlags flags);
int mac_selinux_apply(const char *path, const char *label); int mac_selinux_apply(const char *path, const char *label);

2
src/core/main.c
View File

@ -1747,8 +1747,6 @@ static int invoke_main_loop(
saved_log_level = m->log_level_overridden ? log_get_max_level() : -1; saved_log_level = m->log_level_overridden ? log_get_max_level() : -1;
saved_log_target = m->log_target_overridden ? log_get_target() : _LOG_TARGET_INVALID; saved_log_target = m->log_target_overridden ? log_get_target() : _LOG_TARGET_INVALID;
mac_selinux_reload();
(void) parse_configuration(saved_rlimit_nofile, saved_rlimit_memlock); (void) parse_configuration(saved_rlimit_nofile, saved_rlimit_memlock);
set_manager_defaults(m); set_manager_defaults(m);

13
src/core/selinux-access.c
View File

@ -143,16 +143,16 @@ static int access_init(sd_bus_error *error) {
return 1; return 1;
if (avc_open(NULL, 0) != 0) { if (avc_open(NULL, 0) != 0) {
int enforce, saved_errno = errno; int saved_errno = errno;
const bool enforce = mac_selinux_enforcing();
enforce = security_getenforce(); log_full_errno(enforce ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
/* If enforcement isn't on, then let's suppress this /* If enforcement isn't on, then let's suppress this
* error, and just don't do any AVC checks. The * error, and just don't do any AVC checks. The
* warning we printed is hence all the admin will * warning we printed is hence all the admin will
* see. */ * see. */
if (enforce == 0) if (!enforce)
return 0; return 0;
/* Return an access denied error, if we couldn't load /* Return an access denied error, if we couldn't load
@ -185,7 +185,7 @@ int mac_selinux_generic_access_check(
_cleanup_free_ char *cl = NULL; _cleanup_free_ char *cl = NULL;
_cleanup_freecon_ char *fcon = NULL; _cleanup_freecon_ char *fcon = NULL;
char **cmdline = NULL; char **cmdline = NULL;
bool enforce = false; /* Will be set to the real value later if needed */ const bool enforce = mac_selinux_enforcing();
int r = 0; int r = 0;
assert(message); assert(message);
@ -223,7 +223,6 @@ int mac_selinux_generic_access_check(
if (getfilecon_raw(path, &fcon) < 0) { if (getfilecon_raw(path, &fcon) < 0) {
r = -errno; r = -errno;
enforce = security_getenforce() > 0;
log_warning_errno(r, "SELinux getfilecon_raw on '%s' failed%s (perm=%s): %m", log_warning_errno(r, "SELinux getfilecon_raw on '%s' failed%s (perm=%s): %m",
path, path,
@ -240,7 +239,6 @@ int mac_selinux_generic_access_check(
} else { } else {
if (getcon_raw(&fcon) < 0) { if (getcon_raw(&fcon) < 0) {
r = -errno; r = -errno;
enforce = security_getenforce() > 0;
log_warning_errno(r, "SELinux getcon_raw failed%s (perm=%s): %m", log_warning_errno(r, "SELinux getcon_raw failed%s (perm=%s): %m",
enforce ? "" : ", ignoring", enforce ? "" : ", ignoring",
@ -266,7 +264,6 @@ int mac_selinux_generic_access_check(
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info); r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
if (r < 0) { if (r < 0) {
r = errno_or_else(EPERM); r = errno_or_else(EPERM);
enforce = security_getenforce() > 0;
if (enforce) if (enforce)
sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access."); sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");