shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-11 09:18:07 +03:00
Code

label: tweak LabelOps post() hook to take "created" boolean

Browse Source 
We have two distinct implementations of the post hook.

1. For SELinux we just reset the selinux label we told the kernel
   earlier to use for new inodes.

2. For SMACK we might apply an xattr to the specified file.

The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
This commit is contained in:
Lennart Poettering 2024-10-21 22:07:56 +02:00
parent 652371a3c1
commit d49449c89b
6 changed files with 20 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/basic/fs-util.c
View File

@ -1184,7 +1184,7 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
made_dir = true; made_dir = true;
if (FLAGS_SET(xopen_flags, XO_LABEL)) { if (FLAGS_SET(xopen_flags, XO_LABEL)) {
r = label_ops_post(dir_fd, path); r = label_ops_post(dir_fd, path, made_dir);
if (r < 0) if (r < 0)
goto error; goto error;
} }
@ -1211,7 +1211,7 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
} }
if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) { if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
r = label_ops_post(dir_fd, path); r = label_ops_post(dir_fd, path, made_file || made_dir);
if (r < 0) if (r < 0)
goto error; goto error;
} }

4
src/basic/label.c
View File

@ -22,11 +22,11 @@ int label_ops_pre(int dir_fd, const char *path, mode_t mode) {
return label_ops->pre(dir_fd, path, mode); return label_ops->pre(dir_fd, path, mode);
} }
int label_ops_post(int dir_fd, const char *path) { int label_ops_post(int dir_fd, const char *path, bool created) {
if (!label_ops || !label_ops->post) if (!label_ops || !label_ops->post)
return 0; return 0;
return label_ops->post(dir_fd, path); return label_ops->post(dir_fd, path, created);
} }
void label_ops_reset(void) { void label_ops_reset(void) {

6
src/basic/label.h
View File

@ -1,15 +1,17 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */ /* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once #pragma once
#include <stdbool.h>
#include <sys/types.h> #include <sys/types.h>
typedef struct LabelOps { typedef struct LabelOps {
int (*pre)(int dir_fd, const char *path, mode_t mode); int (*pre)(int dir_fd, const char *path, mode_t mode);
int (*post)(int dir_fd, const char *path); int (*post)(int dir_fd, const char *path, bool created);
} LabelOps; } LabelOps;
int label_ops_set(const LabelOps *label_ops); int label_ops_set(const LabelOps *label_ops);
int label_ops_pre(int dir_fd, const char *path, mode_t mode); int label_ops_pre(int dir_fd, const char *path, mode_t mode);
int label_ops_post(int dir_fd, const char *path); int label_ops_post(int dir_fd, const char *path, bool created);
void label_ops_reset(void); void label_ops_reset(void);

2
src/shared/selinux-util.c
View File

@ -64,7 +64,7 @@ static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) {
return mac_selinux_create_file_prepare_at(dir_fd, path, mode); return mac_selinux_create_file_prepare_at(dir_fd, path, mode);
} }
static int mac_selinux_label_post(int dir_fd, const char *path) { static int mac_selinux_label_post(int dir_fd, const char *path, bool created) {
mac_selinux_create_file_clear(); mac_selinux_create_file_clear();
return 0; return 0;
} }

5
src/shared/smack-util.c
View File

@ -294,7 +294,10 @@ static int mac_smack_label_pre(int dir_fd, const char *path, mode_t mode) {
return 0; return 0;
} }
static int mac_smack_label_post(int dir_fd, const char *path) { static int mac_smack_label_post(int dir_fd, const char *path, bool created) {
if (!created)
return 0;
return mac_smack_fix_full(dir_fd, path, NULL, 0); return mac_smack_fix_full(dir_fd, path, NULL, 0);
} }

14
src/test/test-label.c
View File

@ -43,7 +43,7 @@ static int pre_labelling_func(int dir_fd, const char *path, mode_t mode) {
return 0; return 0;
} }
static int post_labelling_func(int dir_fd, const char *path) { static int post_labelling_func(int dir_fd, const char *path, bool created) {
int r; int r;
/* assume label policies that restrict certain labels */ /* assume label policies that restrict certain labels */
@ -140,17 +140,17 @@ TEST(label_ops_post) {
text1 = "Add initial texts to file for testing label operations to file1\n"; text1 = "Add initial texts to file for testing label operations to file1\n";
assert(labelling_op(fd, text1, "file1.txt", 0644) == 0); assert(labelling_op(fd, text1, "file1.txt", 0644) == 0);
assert_se(label_ops_post(fd, "file1.txt") == 0); assert_se(label_ops_post(fd, "file1.txt", true) == 0);
assert_se(strlen(text1) == (size_t)buf.st_size); assert_se(strlen(text1) == (size_t)buf.st_size);
text2 = "Add text2 data to file2\n"; text2 = "Add text2 data to file2\n";
assert(labelling_op(fd, text2, "file2.txt", 0644) == 0); assert(labelling_op(fd, text2, "file2.txt", 0644) == 0);
assert_se(label_ops_post(fd, "file2.txt") == 0); assert_se(label_ops_post(fd, "file2.txt", true) == 0);
assert_se(strlen(text2) == (size_t)buf.st_size); assert_se(strlen(text2) == (size_t)buf.st_size);
assert_se(label_ops_post(fd, "file3.txt") == -ENOENT); assert_se(label_ops_post(fd, "file3.txt", true) == -ENOENT);
assert_se(label_ops_post(fd, "/abcd") == -ENOENT); assert_se(label_ops_post(fd, "/abcd", true) == -ENOENT);
assert_se(label_ops_post(fd, "/restricted_directory") == -EACCES); assert_se(label_ops_post(fd, "/restricted_directory", true) == -EACCES);
assert_se(label_ops_post(fd, "") == -EINVAL); assert_se(label_ops_post(fd, "", true) == -EINVAL);
} }
DEFINE_TEST_MAIN(LOG_INFO) DEFINE_TEST_MAIN(LOG_INFO)