diff options
author | Todd C. Miller <Todd.Miller@sudo.ws> | 2021-12-22 11:13:22 -0700 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2021-12-22 11:13:22 -0700 |
commit | 61da0231c62b8d087395d96a82b306ba53ec480a (patch) | |
tree | 0439502374aefe213872ccf37089351cf7c6a84d /src/selinux.c | |
parent | aad47a8afee4ffe944e9b5bff75ce76967e0ebf3 (diff) | |
download | sudo-61da0231c62b8d087395d96a82b306ba53ec480a.tar.gz |
Back out changes to enable SELinux by default.
This may return in a future release in a different form.
Diffstat (limited to 'src/selinux.c')
-rw-r--r-- | src/selinux.c | 53 |
1 files changed, 19 insertions, 34 deletions
diff --git a/src/selinux.c b/src/selinux.c index 1dad781d8..8cce2eb33 100644 --- a/src/selinux.c +++ b/src/selinux.c @@ -308,37 +308,21 @@ bad: /* * Determine the new security context based on the old context and the * specified role and type. - * Returns 0 on success, 1 if SELinux is not needed, and -1 on failure. + * Returns 0 on success, and -1 on failure. */ static int get_exec_context(const char *role, const char *type) { - char *rolebuf = NULL, *typebuf = NULL; char *new_context = NULL; context_t context = NULL; + char *typebuf = NULL; int ret = -1; debug_decl(get_exec_context, SUDO_DEBUG_SELINUX); - /* - * Expand old_context into a context_t so that we can extract and modify - * its components easily. - */ - if ((context = context_new(se_state.old_context)) == NULL) { - sudo_warn("%s", U_("failed to get new context")); - goto done; - } - if (role == NULL) { - rolebuf = strdup(context_role_get(context)); - if (rolebuf == NULL) - goto done; - role = rolebuf; - - /* Skip SELinux role change for unconfined_r. */ - if (strcmp(rolebuf, "unconfined_r") == 0 && type == NULL) { - ret = 1; - goto done; - } + sudo_warnx(U_("you must specify a role for type %s"), type); + errno = EINVAL; + goto done; } if (type == NULL) { if (get_default_type(role, &typebuf)) { @@ -350,6 +334,15 @@ get_exec_context(const char *role, const char *type) } /* + * Expand old_context into a context_t so that we can extract and modify + * its components easily. + */ + if ((context = context_new(se_state.old_context)) == NULL) { + sudo_warn("%s", U_("failed to get new context")); + goto done; + } + + /* * Replace the role and type in "context" with the role and * type we will be running the command as. */ @@ -380,7 +373,6 @@ get_exec_context(const char *role, const char *type) ret = 0; done: - free(rolebuf); free(typebuf); context_free(context); freecon(new_context); @@ -389,7 +381,7 @@ done: /* * Determine the exec and tty contexts the command will run in. - * Returns 0 on success, 1 if SELinux is not needed, and -1 on failure. + * Returns 0 on success and -1 on failure. */ int selinux_getexeccon(const char *role, const char *type) @@ -412,20 +404,13 @@ selinux_getexeccon(const char *role, const char *type) sudo_debug_printf(SUDO_DEBUG_INFO, "%s: old context %s", __func__, se_state.old_context); ret = get_exec_context(role, type); - switch (ret) { - case 0: - sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__, - se_state.new_context); - break; - case 1: - sudo_debug_printf(SUDO_DEBUG_INFO, "%s: no context change required", - __func__); - break; - default: + if (ret == -1) { /* Audit role change failure (success is logged later). */ selinux_audit_role_change(); - break; + goto done; } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__, + se_state.new_context); done: debug_return_int(ret); |