diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2020-02-18 13:18:39 +0200 |
|---|---|---|
| committer | Topi Miettinen <topimiettinen@users.noreply.github.com> | 2020-02-28 14:17:48 +0000 |
| commit | e6e81ec0a56861b905db975fc32c83e2f2faca7d (patch) | |
| tree | 2ad9e5a48981cd6ffa9c22f4cd5e80d8f6e21002 /src/basic | |
| parent | 07336a067216f3e5d7551b090c5972c120805d0e (diff) | |
| download | systemd-e6e81ec0a56861b905db975fc32c83e2f2faca7d.tar.gz | |
namespace: fix MAC labels of /dev when PrivateDevices=yes
Without changing the SELinux label for private /dev of a service, it will take
a generic file system label:
system_u:object_r:tmpfs_t:s0
After this change it is the same as without `PrivateDevices=yes`:
system_u:object_r:device_t:s0
This helps writing SELinux policies, as the same rules for `/dev` will apply
despite any `PrivateDevices=yes` setting.
Diffstat (limited to 'src/basic')
| -rw-r--r-- | src/basic/label.c | 6 | ||||
| -rw-r--r-- | src/basic/label.h | 5 | ||||
| -rw-r--r-- | src/basic/selinux-util.c | 6 | ||||
| -rw-r--r-- | src/basic/selinux-util.h | 6 | ||||
| -rw-r--r-- | src/basic/smack-util.c | 6 | ||||
| -rw-r--r-- | src/basic/smack-util.h | 6 |
6 files changed, 23 insertions, 12 deletions
diff --git a/src/basic/label.c b/src/basic/label.c index 12a7fb0945..1fce7718d4 100644 --- a/src/basic/label.c +++ b/src/basic/label.c @@ -10,11 +10,11 @@ #include "selinux-util.h" #include "smack-util.h" -int label_fix(const char *path, LabelFixFlags flags) { +int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) { int r, q; - r = mac_selinux_fix(path, flags); - q = mac_smack_fix(path, flags); + r = mac_selinux_fix_container(path, inside_path, flags); + q = mac_smack_fix_container(path, inside_path, flags); if (r < 0) return r; diff --git a/src/basic/label.h b/src/basic/label.h index 594fd65974..a6f9074b28 100644 --- a/src/basic/label.h +++ b/src/basic/label.h @@ -9,7 +9,10 @@ typedef enum LabelFixFlags { LABEL_IGNORE_EROFS = 1 << 1, } LabelFixFlags; -int label_fix(const char *path, LabelFixFlags flags); +int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags); +static inline int label_fix(const char *path, LabelFixFlags flags) { + return label_fix_container(path, path, flags); +} int mkdir_label(const char *path, mode_t mode); int mkdirat_label(int dirfd, const char *path, mode_t mode); diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c index 90bb93ed0b..fd78ce200e 100644 --- a/src/basic/selinux-util.c +++ b/src/basic/selinux-util.c @@ -124,7 +124,7 @@ void mac_selinux_reload(void) { #endif } -int mac_selinux_fix(const char *path, LabelFixFlags flags) { +int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) { #if HAVE_SELINUX char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; @@ -151,7 +151,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) { if (fstat(fd, &st) < 0) return -errno; - if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) { + if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) < 0) { r = -errno; /* If there's no label to set, then exit without warning */ @@ -185,7 +185,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) { return 0; fail: - log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path); + log_enforcing_errno(r, "Unable to fix SELinux security context of %s (%s): %m", path, inside_path); if (security_getenforce() == 1) return r; #endif diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h index b73b7c50e0..6d9e050781 100644 --- a/src/basic/selinux-util.h +++ b/src/basic/selinux-util.h @@ -22,7 +22,11 @@ int mac_selinux_init(void); void mac_selinux_finish(void); void mac_selinux_reload(void); -int mac_selinux_fix(const char *path, LabelFixFlags flags); +int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags); +static inline int mac_selinux_fix(const char *path, LabelFixFlags flags) { + return mac_selinux_fix_container(path, path, flags); +} + int mac_selinux_apply(const char *path, const char *label); int mac_selinux_get_create_label_from_exe(const char *exe, char **label); diff --git a/src/basic/smack-util.c b/src/basic/smack-util.c index da9a2139d3..8043a97c35 100644 --- a/src/basic/smack-util.c +++ b/src/basic/smack-util.c @@ -206,7 +206,7 @@ int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags) { return smack_fix_fd(fd, path, flags); } -int mac_smack_fix(const char *path, LabelFixFlags flags) { +int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) { _cleanup_free_ char *abspath = NULL; _cleanup_close_ int fd = -1; int r; @@ -228,7 +228,7 @@ int mac_smack_fix(const char *path, LabelFixFlags flags) { return -errno; } - return smack_fix_fd(fd, abspath, flags); + return smack_fix_fd(fd, inside_path, flags); } int mac_smack_copy(const char *dest, const char *src) { @@ -274,7 +274,7 @@ int mac_smack_apply_pid(pid_t pid, const char *label) { return 0; } -int mac_smack_fix(const char *path, LabelFixFlags flags) { +int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) { return 0; } diff --git a/src/basic/smack-util.h b/src/basic/smack-util.h index 395ec07b57..df2ce37071 100644 --- a/src/basic/smack-util.h +++ b/src/basic/smack-util.h @@ -29,7 +29,11 @@ typedef enum SmackAttr { bool mac_smack_use(void); -int mac_smack_fix(const char *path, LabelFixFlags flags); +int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags); +static inline int mac_smack_fix(const char *path, LabelFixFlags flags) { + return mac_smack_fix_container(path, path, flags); +} + int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags); const char* smack_attr_to_string(SmackAttr i) _const_; |