author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-06-22 10:32:30 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-06-24 10:20:29 +0200 |
commit | c3b8bacd7bdf5ca3fcd5d4df6b3f2987e9e820c9 (patch) | |
tree | 725a585778140609fe2b3d759ac80b73b993c044 /src/shared/selinux-util.c | |
parent | cd503dbb6b4a6a6d505ce3ba2d449e418e5c415c (diff) | |
download | systemd-c3b8bacd7bdf5ca3fcd5d4df6b3f2987e9e820c9.tar.gz |
shared/selinux-util: rework switching of the getenforce() function
The approach with function pointer was neat, but it gets in the way
when we want to resolve the symbol dynamically: static initialization
is not possible. It also makes the code more complicated than necessary.
In this case, a simple boolean is sufficient.
Diffstat (limited to 'src/shared/selinux-util.c')
-rw-r--r-- | src/shared/selinux-util.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index 30229509b3..03cee76f64 100644 --- a/src/shared/selinux-util.c +++ b/src/shared/selinux-util.c @@ -36,9 +36,9 @@ static int mac_selinux_reload(int seqno); static int cached_use = -1; static bool initialized = false; -static int (*enforcing_status_func)(void) = security_getenforce; static int last_policyload = 0; static struct selabel_handle *label_hnd = NULL; +static bool have_status_page = false; #define log_enforcing(...) \ log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__) @@ -70,11 +70,19 @@ bool mac_selinux_use(void) { } bool mac_selinux_enforcing(void) { + int r = 0; #if HAVE_SELINUX - return enforcing_status_func() != 0; -#else - return false; + + /* If the SELinux status page has been successfully opened, retrieve the enforcing + * status over it to avoid system calls in security_getenforce(). */ + + if (have_status_page) + r = selinux_status_getenforce(); + else + r = security_getenforce(); + #endif + return r != 0; } void mac_selinux_retest(void) { @@ -142,7 +150,6 @@ static int open_label_db(void) { int mac_selinux_init(void) { #if HAVE_SELINUX int r; - bool have_status_page = false; if (initialized) return 0; @@ -170,11 +177,6 @@ int mac_selinux_init(void) { * first call without any actual change. */ last_policyload = selinux_status_policyload(); - if (have_status_page) - /* Now that the SELinux status page has been successfully opened, retrieve the enforcing - * status over it (to avoid system calls in security_getenforce()). */ - enforcing_status_func = selinux_status_getenforce; - initialized = true; #endif return 0; @@ -215,9 +217,8 @@ void mac_selinux_finish(void) { label_hnd = NULL; } - enforcing_status_func = security_getenforce; - selinux_status_close(); + have_status_page = false; initialized = false; #endif |
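Review bot: The new `return r != 0;` in mac_selinux_enforcing() silently folds an error return into "enforcing": `security_getenforce()` returns -1 on failure and, as far as libselinux documents it, `selinux_status_getenforce()` returns -1 when the status page is not usable, so a failed query is reported as enforcing mode and log_enforcing() escalates to LOG_ERR. That is the right fail-closed default for a policy check, and it matches the removed `enforcing_status_func() != 0`, but nothing in the rewritten body says it is deliberate. Consider adding `/* Both calls return -1 on error; treat that as enforcing (fail closed). */` above the `return` so a later cleanup to `r > 0` does not quietly flip the default to permissive. Since `have_status_page` is now file-scope state, it is also worth confirming that the assignment in mac_selinux_init() that sets it (outside the visible hunks) happens before any caller can reach this branch, and that mac_selinux_finish() clearing it after `selinux_status_close()` is the only other writer.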