shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-02 19:21:53 +03:00
Code
e0a974b471
systemd/src/shared/label.c
Lennart Poettering 2fa4092c28 util: make time formatting a bit smarter 
Instead of outputting "5h 55s 50ms 3us" we'll now output "5h
55.050003s". Also, while outputting the accuracy is configurable.

Basically we now try use "dot notation" for all time values > 1min. For
>= 1s we use 's' as unit, otherwise for >= 1ms we use 'ms' as unit, and
finally 'us'.

This should give reasonably values in most cases.
2013-04-04 02:56:56 +02:00

387 lines
9.9 KiB
C
Raw Blame History

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <errno.h>
#include <sys/stat.h>
#include <unistd.h>
#include <malloc.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "label.h"
#include "strv.h"
#include "util.h"
#include "path-util.h"
#ifdef HAVE_SELINUX
#include "selinux-util.h"
#include <selinux/selinux.h>
#include <selinux/label.h>
static struct selabel_handle *label_hnd = NULL;
#endif
int label_init(const char *prefix) {
int r = 0;
#ifdef HAVE_SELINUX
usec_t before_timestamp, after_timestamp;
struct mallinfo before_mallinfo, after_mallinfo;
if (!use_selinux())
return 0;
if (label_hnd)
return 0;
before_mallinfo = mallinfo();
before_timestamp = now(CLOCK_MONOTONIC);
if (prefix) {
struct selinux_opt options[] = {
{ .type = SELABEL_OPT_SUBSET, .value = prefix },
};
label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
} else
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
if (!label_hnd) {
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
"Failed to initialize SELinux context: %m");
r = security_getenforce() == 1 ? -errno : 0;
} else {
char timespan[FORMAT_TIMESPAN_MAX];
int l;
after_timestamp = now(CLOCK_MONOTONIC);
after_mallinfo = mallinfo();
l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
(l+1023)/1024);
}
#endif
return r;
}
int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
int r = 0;
#ifdef HAVE_SELINUX
struct stat st;
security_context_t fcon;
if (!use_selinux() || !label_hnd)
return 0;
r = lstat(path, &st);
if (r == 0) {
r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
/* If there's no label to set, then exit without warning */
if (r < 0 && errno == ENOENT)
return 0;
if (r == 0) {
r = lsetfilecon(path, fcon);
freecon(fcon);
/* If the FS doesn't support labels, then exit without warning */
if (r < 0 && errno == ENOTSUP)
return 0;
}
}
if (r < 0) {
/* Ignore ENOENT in some cases */
if (ignore_enoent && errno == ENOENT)
return 0;
if (ignore_erofs && errno == EROFS)
return 0;
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
"Unable to fix label of %s: %m", path);
r = security_getenforce() == 1 ? -errno : 0;
}
#endif
return r;
}
void label_finish(void) {
#ifdef HAVE_SELINUX
if (use_selinux() && label_hnd)
selabel_close(label_hnd);
#endif
}
int label_get_create_label_from_exe(const char *exe, char **label) {
int r = 0;
#ifdef HAVE_SELINUX
security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
if (!use_selinux()) {
*label = NULL;
return 0;
}
r = getcon(&mycon);
if (r < 0)
goto fail;
r = getfilecon(exe, &fcon);
if (r < 0)
goto fail;
sclass = string_to_security_class("process");
r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
if (r == 0)
log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
fail:
if (r < 0 && security_getenforce() == 1)
r = -errno;
freecon(mycon);
freecon(fcon);
#endif
return r;
}
int label_context_set(const char *path, mode_t mode) {
int r = 0;
#ifdef HAVE_SELINUX
security_context_t filecon = NULL;
if (!use_selinux() || !label_hnd)
return 0;
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
if (r < 0 && errno != ENOENT)
r = -errno;
else if (r == 0) {
r = setfscreatecon(filecon);
if (r < 0) {
log_error("Failed to set SELinux file context on %s: %m", path);
r = -errno;
}
freecon(filecon);
}
if (r < 0 && security_getenforce() == 0)
r = 0;
#endif
return r;
}
int label_socket_set(const char *label) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return 0;
if (setsockcreatecon((security_context_t) label) < 0) {
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
"Failed to set SELinux context (%s) on socket: %m", label);
if (security_getenforce() == 1)
return -errno;
}
#endif
return 0;
}
void label_context_clear(void) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return;
setfscreatecon(NULL);
#endif
}
void label_socket_clear(void) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return;
setsockcreatecon(NULL);
#endif
}
void label_free(const char *label) {
#ifdef HAVE_SELINUX
if (!use_selinux())
return;
freecon((security_context_t) label);
#endif
}
int label_mkdir(const char *path, mode_t mode, bool apply) {
/* Creates a directory and labels it according to the SELinux policy */
#ifdef HAVE_SELINUX
int r;
security_context_t fcon = NULL;
if (!apply || !use_selinux() || !label_hnd)
goto skipped;
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
else {
char *newpath;
newpath = path_make_absolute_cwd(path);
if (!newpath)
return -ENOMEM;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
free(newpath);
}
if (r == 0)
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
log_error("Failed to set security context %s for %s: %m", fcon, path);
if (security_getenforce() == 1) {
r = -errno;
goto finish;
}
}
r = mkdir(path, mode);
if (r < 0)
r = -errno;
finish:
setfscreatecon(NULL);
freecon(fcon);
return r;
skipped:
#endif
return mkdir(path, mode) < 0 ? -errno : 0;
}
int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */
#ifdef HAVE_SELINUX
int r;
security_context_t fcon = NULL;
const struct sockaddr_un *un;
char *path = NULL;
assert(fd >= 0);
assert(addr);
assert(addrlen >= sizeof(sa_family_t));
if (!use_selinux() || !label_hnd)
goto skipped;
/* Filter out non-local sockets */
if (addr->sa_family != AF_UNIX)
goto skipped;
/* Filter out anonymous sockets */
if (addrlen < sizeof(sa_family_t) + 1)
goto skipped;
/* Filter out abstract namespace sockets */
un = (const struct sockaddr_un*) addr;
if (un->sun_path[0] == 0)
goto skipped;
path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
if (!path)
return -ENOMEM;
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else {
char *newpath;
newpath = path_make_absolute_cwd(path);
if (!newpath) {
free(path);
return -ENOMEM;
}
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
free(newpath);
}
if (r == 0)
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
log_error("Failed to set security context %s for %s: %m", fcon, path);
if (security_getenforce() == 1) {
r = -errno;
goto finish;
}
}
r = bind(fd, addr, addrlen);
if (r < 0)
r = -errno;
finish:
setfscreatecon(NULL);
freecon(fcon);
free(path);
return r;
skipped:
#endif
return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}
View Git Blame Copy Permalink