shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-11 05:17:44 +03:00
Code

selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind

Browse Source
This commit is contained in:
Lennart Poettering 2012-10-02 17:56:54 -04:00
parent c1165f822c
commit ffc227c956
6 changed files with 69 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/core/audit-fd.c
View File

@ -19,16 +19,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <stdbool.h>
#include <errno.h>
#include <errno.h>
#include "audit-fd.h"
#include "log.h"
#ifdef HAVE_AUDIT
#include <stdbool.h>
#include <libaudit.h>
#include "log.h"
#include "util.h"
static bool initialized = false;
static int audit_fd;

2
src/core/dbus-job.c
View File

@ -143,7 +143,7 @@ static DBusHandlerResult bus_job_message_handler(DBusConnection *connection, DBu
Iterator i;
size_t size;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)

50
src/core/dbus-manager.c
View File

@ -755,7 +755,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "ClearJobs")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
manager_clear_jobs(m);
@ -765,7 +765,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "ResetFailed")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
SELINUX_ACCESS_CHECK(connection, message, "reload");
manager_reset_failed(m);
@ -804,7 +804,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
Unit *u;
const char *k;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@ -887,7 +887,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
Iterator i;
Job *j;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@ -946,7 +946,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char *client;
Set *s;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
s = BUS_CONNECTION_SUBSCRIBED(m, connection);
if (!s) {
@ -977,7 +977,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Unsubscribe")) {
char *client;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
client = set_remove(BUS_CONNECTION_SUBSCRIBED(m, connection), (char*) bus_message_get_sender_with_fallback(message));
if (!client) {
@ -996,7 +996,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char *dump = NULL;
size_t size;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@ -1028,7 +1028,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
dbus_bool_t cleanup;
Snapshot *s;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "start");
SELINUX_ACCESS_CHECK(connection, message, "start");
if (!dbus_message_get_args(
message,
@ -1068,7 +1068,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
const char *k;
size_t size;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@ -1127,7 +1127,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reload")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
SELINUX_ACCESS_CHECK(connection, message, "reload");
assert(!m->queued_message);
@ -1145,7 +1145,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reexecute")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
SELINUX_ACCESS_CHECK(connection, message, "reload");
/* We don't send a reply back here, the client should
* just wait for us disconnecting. */
@ -1154,7 +1154,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Exit")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as == SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Exit is only supported for user service managers.");
@ -1169,7 +1169,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reboot")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Reboot is only supported for system managers.");
@ -1184,7 +1184,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "PowerOff")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Powering off is only supported for system managers.");
@ -1199,7 +1199,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Halt")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Halting is only supported for system managers.");
@ -1214,7 +1214,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "KExec")) {
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "kexec is only supported for system managers.");
@ -1232,7 +1232,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char *u, *v;
int k;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (!dbus_message_get_args(
message,
@ -1296,7 +1296,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "SetEnvironment")) {
char **l = NULL, **e = NULL;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
r = bus_parse_strv(message, &l);
if (r == -ENOMEM)
@ -1321,7 +1321,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "UnsetEnvironment")) {
char **l = NULL, **e = NULL;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
r = bus_parse_strv(message, &l);
if (r == -ENOMEM)
@ -1347,7 +1347,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
char **l_set = NULL, **l_unset = NULL, **e = NULL, **f = NULL;
DBusMessageIter iter;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (!dbus_message_iter_init(message, &iter))
goto oom;
@ -1400,7 +1400,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
Iterator i;
UnitFileList *item;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
@ -1449,7 +1449,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
UnitFileState state;
const char *s;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
if (!dbus_message_get_args(
message,
@ -1488,7 +1488,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
dbus_bool_t runtime, force;
int carries_install_info = -1;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
SELINUX_ACCESS_CHECK(connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
if (!dbus_message_iter_init(message, &iter))
goto oom;
@ -1548,7 +1548,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
unsigned n_changes = 0;
dbus_bool_t runtime;
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
SELINUX_ACCESS_CHECK(connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
if (!dbus_message_iter_init(message, &iter))
goto oom;
@ -1595,7 +1595,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
{ NULL, }
};
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
return bus_default_message_handler(connection, message, NULL, INTERFACES_LIST, bps);
}

2
src/core/dbus-unit.c
View File

@ -526,7 +526,7 @@ static DBusHandlerResult bus_unit_message_handler(DBusConnection *connection, DB
if (streq(dbus_message_get_path(message), "/org/freedesktop/systemd1/unit")) {
/* Be nice to gdbus and return introspection data for our mid-level paths */
SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
SELINUX_ACCESS_CHECK(connection, message, "status");
if (dbus_message_is_method_call(message, "org.freedesktop.DBus.Introspectable", "Introspect")) {
char *introspection = NULL;

98
src/core/selinux-access.c
View File

@ -19,30 +19,28 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include "util.h"
#include "job.h"
#include "manager.h"
#include "selinux-access.h"
#ifdef HAVE_SELINUX
#include "dbus.h"
#include "log.h"
#include "dbus-unit.h"
#include "bus-errors.h"
#include "dbus-common.h"
#include "audit.h"
#include "selinux-util.h"
#include "audit-fd.h"
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <selinux/selinux.h>
#include <selinux/avc.h>
#ifdef HAVE_AUDIT
#include <libaudit.h>
#endif
#include <limits.h>
#include <dbus.h>
#include "util.h"
#include "log.h"
#include "bus-errors.h"
#include "dbus-common.h"
#include "audit.h"
#include "selinux-util.h"
#include "audit-fd.h"
static bool initialized = false;
@ -210,7 +208,7 @@ static int access_init(void) {
return r;
}
static int selinux_init(DBusError *error) {
static int selinux_access_init(DBusError *error) {
int r;
if (initialized)
@ -228,6 +226,14 @@ static int selinux_init(DBusError *error) {
return 0;
}
void selinux_access_free(void) {
if (!initialized)
return;
avc_destroy();
initialized = false;
}
static int get_audit_data(
DBusConnection *connection,
DBusMessage *message,
@ -314,7 +320,7 @@ static int get_calling_context(
If the machine is in permissive mode it will return ok. Audit messages will
still be generated if the access would be denied in enforcing mode.
*/
static int selinux_access_check(
int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
const char *path,
@ -331,13 +337,13 @@ static int selinux_access_check(
assert(permission);
assert(error);
r = selinux_init(error);
if (r < 0)
return r;
if (!use_selinux())
return 0;
r = selinux_access_init(error);
if (r < 0)
return r;
log_debug("SELinux access check for path=%s permission=%s", strna(path), permission);
audit.uid = audit.loginuid = (uid_t) -1;
@ -398,69 +404,19 @@ finish:
return r;
}
int selinux_unit_access_check(
Unit *u,
DBusConnection *connection,
DBusMessage *message,
const char *permission,
DBusError *error) {
assert(u);
assert(connection);
assert(message);
assert(permission);
assert(error);
return selinux_access_check(connection, message, u->source_path ? u->source_path : u->fragment_path, permission, error);
}
int selinux_manager_access_check(
Manager *m,
DBusConnection *connection,
DBusMessage *message,
const char *permission,
DBusError *error) {
assert(m);
assert(connection);
assert(message);
assert(permission);
assert(error);
return selinux_access_check(connection, message, NULL, permission, error);
}
void selinux_access_finish(void) {
if (!initialized)
return;
avc_destroy();
initialized = false;
}
#else
int selinux_unit_access_check(
Unit *u,
int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
const char *path,
const char *permission,
DBusError *error) {
return 0;
}
int selinux_manager_access_check(
Manager *m,
DBusConnection *connection,
DBusMessage *message,
const char *permission,
DBusError *error) {
return 0;
}
void selinux_access_finish(void) {
void selinux_access_free(void) {
}
#endif

17
src/core/selinux-access.h
View File

@ -21,20 +21,22 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
void selinux_access_finish(void);
int selinux_manager_access_check(Manager *manager, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
int selinux_unit_access_check(Unit *unit, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
#include <dbus.h>
void selinux_access_free(void);
int selinux_access_check(DBusConnection *connection, DBusMessage *message, const char *path, const char *permission, DBusError *error);
#ifdef HAVE_SELINUX
#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) \
#define SELINUX_ACCESS_CHECK(connection, message, permission) \
do { \
DBusError _error; \
int _r; \
DBusConnection *_c = (connection); \
DBusMessage *_m = (message); \
dbus_error_init(&_error); \
_r = selinux_manager_access_check((manager), _c, _m, (permission), &_error); \
_r = selinux_access_check(_c, _m, NULL, (permission), &_error); \
if (_r < 0) \
return bus_send_error_reply(_c, _m, &_error, _r); \
} while (false)
@ -45,15 +47,16 @@ int selinux_unit_access_check(Unit *unit, DBusConnection *connection, DBusMessag
int _r; \
DBusConnection *_c = (connection); \
DBusMessage *_m = (message); \
Unit *_u = (unit); \
dbus_error_init(&_error); \
_r = selinux_unit_access_check((unit), _c, _m, (permission), &_error); \
_r = selinux_access_check(_c, _m, _u->source_path ?: _u->fragment_path, (permission), &_error); \
if (_r < 0) \
return bus_send_error_reply(_c, _m, &_error, _r); \
} while (false)
#else
#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) do { } while (false)
#define SELINUX_ACCESS_CHECK(connection, message, permission) do { } while (false)
#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) do { } while (false)
#endif