1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-10-31 07:51:08 +03:00
systemd-stable/udev_selinux.c
pebenito@gentoo.org b55e654026 [PATCH] udev selinux fix
Here is a fix for the SELinux part of udev.

Setfscreatecon() overrides the default labeling behavior of SELinux when
creating files, so it should only be used for as short of a time as
possible, around the mknod or symlink calls.  Without this, the files in
udev_db get the wrong label because the fscreatecon is reset after the
udev_db file creation instead of before.  I'm guessing the Redhat people
missed this because they modify udev_db to be one big file instead of a
directory of small files (at least that's what I'm told).  I created
selinux_resetfscreatecon() to reset the fscreatecon asap after the
file/node is created.

Fixed a memory leak in selinux_init.  Getfscreatecon() allocates memory
for the context, and the udev code was immediately setting the pointer
(security_context_t is actually a typedef'ed char*) to NULL after the
call regardless of success/failure.  If you're wondering about the case
where there's effectively a setfscreatecon(NULL), this is ok, as its
used to tell SELinux to do the default labeling behavior.

Renamed selinux_restore() to selinux_exit() due to the changed behavior.

Fixed a couple of dbg() messages.
2005-04-26 23:39:48 -07:00

169 lines
3.6 KiB
C

/*
* udev_selinux.h
*
* Copyright (C) 2004 Daniel Walsh
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation version 2 of the License.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 675 Mass Ave, Cambridge, MA 02139, USA.
*
*/
#include <stdlib.h>
#include <stdio.h>
#include <stddef.h>
#include <unistd.h>
#include <string.h>
#include <fcntl.h>
#include <ctype.h>
#include <limits.h>
#include <libgen.h>
#include <errno.h>
#include <selinux/selinux.h>
#include "udev_selinux.h"
#include "logging.h"
static security_context_t prev_scontext = NULL;
static int is_selinux_running(void)
{
static int selinux_enabled = -1;
if (selinux_enabled == -1)
selinux_enabled = (is_selinux_enabled() > 0);
dbg("selinux=%i", selinux_enabled);
return selinux_enabled;
}
static char *get_media(const char *devname, int mode)
{
FILE *fp;
char procfile[PATH_MAX];
char mediabuf[256];
int size;
char *media = NULL;
if (!(mode && S_IFBLK))
return NULL;
snprintf(procfile, PATH_MAX, "/proc/ide/%s/media", devname);
procfile[PATH_MAX-1] = '\0';
fp = fopen(procfile, "r");
if (!fp)
goto out;
if (fgets(mediabuf, sizeof(mediabuf), fp) == NULL)
goto close_out;
size = strlen(mediabuf);
while (size-- > 0) {
if (isspace(mediabuf[size])) {
mediabuf[size] = '\0';
} else {
break;
}
}
media = strdup(mediabuf);
info("selinux_get_media(%s)='%s'\n", devname, media);
close_out:
fclose(fp);
out:
return media;
}
void selinux_setfilecon(const char *file, const char *devname, unsigned int mode)
{
if (is_selinux_running()) {
security_context_t scontext = NULL;
char *media;
int ret = -1;
media = get_media(devname, mode);
if (media) {
ret = matchmediacon(media, &scontext);
free(media);
}
if (ret < 0)
if (matchpathcon(file, mode, &scontext) < 0) {
dbg("matchpathcon(%s) failed\n", file);
return;
}
if (setfilecon(file, scontext) < 0)
dbg("setfilecon %s failed with error '%s'", file, strerror(errno));
freecon(scontext);
}
}
void selinux_setfscreatecon(const char *file, const char *devname, unsigned int mode)
{
if (is_selinux_running()) {
security_context_t scontext = NULL;
char *media;
int ret = -1;
media = get_media(devname, mode);
if (media) {
ret = matchmediacon(media, &scontext);
free(media);
}
if (ret < 0)
if (matchpathcon(file, mode, &scontext) < 0) {
dbg("matchpathcon(%s) failed\n", file);
return;
}
if (setfscreatecon(scontext) < 0)
dbg("setfscreatecon %s failed with error '%s'", file, strerror(errno));
freecon(scontext);
}
}
void selinux_resetfscreatecon(void)
{
if (is_selinux_running()) {
if (setfscreatecon(prev_scontext) < 0)
dbg("setfscreatecon %s failed with error '%s'", file, strerror(errno));
}
}
void selinux_init(void)
{
/*
* record the present security context, for file-creation
* restoration creation purposes.
*/
if (is_selinux_running()) {
if (getfscreatecon(&prev_scontext) < 0) {
dbg("getfscreatecon failed\n");
prev_scontext = NULL;
}
}
}
void selinux_exit(void)
{
if (is_selinux_running() && prev_scontext) {
freecon(prev_scontext);
prev_scontext = NULL;
}
}