summaryrefslogtreecommitdiff
path: root/src/core/selinux-access.h
Commit message (Collapse)AuthorAgeFilesLines
* core: cache unit file selinux label, and make decisions based on thatLennart Poettering2022-07-201-7/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Do not go back to disk on each selinux access, but instead cache the label off the inode we are actually reading. That way unit file contents and unit file label we use for access checks are always in sync. Based on discussions here: https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586 Replaces: https://github.com/systemd/systemd/pull/23910 This changes behaviour a bit, because we'll reach and cache the label at the moment of loading the unit (i.e. usually on boot and reload), but not after relabelling. Thus, users must refresh the cache explicitly via a "systemctl daemon-reload" if they relabelled things. This makes the SELinux story a bit more debuggable, as it adds an AccessSELinuxContext bus property to units that will report the label we are using for a unit (or the empty string if not known). This also drops using the "source" path of a unit as label source. if there's value in it, then generators should manually copy the selinux label from the source files onto the generated unit files, so that the rule that "access labels are read when we read the definition files" is upheld. But I am not convinced this is really a necessary, good idea.
* selinux: name mac_selinux_generic_access_check as internal functionChristian Göttsche2021-11-201-7/+7
| | | | | | `mac_selinux_generic_access_check()` should not be called directly, only via the wrapper macros `mac_selinux_access_check` and `mac_selinux_unit_access_check`.
* selinux: add function name to audit dataChristian Göttsche2021-11-201-3/+7
| | | | | | Include the systemd C function name in the audit message to improve the debug ability on denials. Similar like kernel denial messages include the syscall name.
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* selinux: do preprocessor check only in selinux-access.cMichal Sekletár2020-04-291-9/+0
| | | | | | | This has the advantage that mac_selinux_access_check() can be used as a function in all contexts. For example, parameters passed to it won't be reported as unused if the "function" call is replaced with 0 on SELinux disabled builds.
* core: move bus-util include out of selinux-access headerChristian Göttsche2020-02-041-1/+0
|
* tree-wide: drop double newlineYu Watanabe2018-06-291-1/+0
|
* tree-wide: drop copyright lines for more authorsZbigniew Jędrzejewski-Szmek2018-06-221-3/+0
| | | | Acks in https://github.com/systemd/systemd/issues/9320.
* tree-wide: beautify remaining copyright statementsLennart Poettering2018-06-141-1/+1
| | | | | | Let's unify an beautify our remaining copyright statements, with a unicode ©. This means our copyright statements are now always formatted the same way. Yay.
* tree-wide: drop 'This file is part of systemd' blurbLennart Poettering2018-06-141-2/+0
| | | | | | | | | | | | | | | | This part of the copyright blurb stems from the GPL use recommendations: https://www.gnu.org/licenses/gpl-howto.en.html The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together. Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that. hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* tree-wide: drop license boilerplateZbigniew Jędrzejewski-Szmek2018-04-061-13/+0
| | | | | | | | | | Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt. I also kept any copyright lines. We can probably remove them, but it'd nice to obtain explicit acks from all involved authors before doing that.
* selinux: make sure we never use /dev/null for making unit selinux access ↵Lennart Poettering2018-01-311-4/+1
| | | | decisions
* Add SPDX license identifiers to source files under the LGPLZbigniew Jędrzejewski-Szmek2017-11-191-0/+1
| | | | | This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* build-sys: use #if Y instead of #ifdef Y everywhereZbigniew Jędrzejewski-Szmek2017-10-041-1/+1
| | | | | | | | | | | | | | | The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
* core,network: Use const qualifiers for block-local variables in macro ↵Felipe Sateler2016-08-231-1/+1
| | | | | functions (#4019) Prevents discard-qualifiers warnings when the passed variable was const
* tree-wide: remove Emacs lines from all filesDaniel Mack2016-02-101-2/+0
| | | | | This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
* tree-wide: sort includes in *.hThomas Hindoe Paaboel Andersen2015-11-181-0/+1
| | | | | This is a continuation of the previous include sort patch, which only sorted for .c files.
* tree-wide: remove unused functionsThomas Hindoe Paaboel Andersen2015-10-191-2/+0
|
* selinux: drop mac_selinux_unit_access_check_strv()David Herrmann2015-08-271-2/+0
| | | | | | | | | | | | | It is not acceptable to load unit files during enable/disable operations just to figure out the selinux labels. systemd implements lazy loading for units, so the selinux hooks need to follow it. This drops the mac_selinux_unit_access_check_strv() helper which implements a non-acceptable policy check. If anyone cares for that functionality, you really should pass a callback+userdata to the helpers in src/shared/install.c which does policy checks on each touched file. See #1050 on github for more.
* remove unused includesThomas Hindoe Paaboel Andersen2015-02-231-1/+0
| | | | | | This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
* selinux-access: fix broken ternary operatorLukas Nykryn2014-11-211-1/+1
| | | | | | it seems to be a typo introduced by ebcf1f97de4f6b1580ae55eb56b1a3939fe6b602 - _r = selinux_access_check(_b, _m, _u->source_path ?:_u->fragment_path, (permission), &_error); \ + ({ Unit *_unit = (unit); selinux_generic_access_check(bus,message, _unit->fragment_path ?: _unit->fragment_path, permission,error); })
* mac: add mac_ prefix to distinguish origin security apisWaLyong Cho2014-10-281-9/+9
|
* systemctl: add add-wants and add-requires verbsLukas Nykryn2014-10-081-0/+3
|
* core: no need to pass bus object to selinux access check calls anymoreLennart Poettering2014-05-141-7/+11
|
* bus: rework message handlers to always take an error argumentLennart Poettering2013-11-211-25/+7
| | | | | | | | | | | | | | | | | | | | Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.
* bus: let's simplify things by getting rid of unnecessary bus parametersLennart Poettering2013-11-211-2/+2
|
* core: convert PID 1 to libsystemd-busLennart Poettering2013-11-201-19/+19
| | | | | | | | | | | | | | | | | | | | | | This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
* selinux-access: move GPL to LGPL licenceKay Sievers2013-08-141-4/+4
| | | | | | | | | | | | | On Wed, Aug 14, 2013 at 10:31 PM, Daniel J Walsh <dwalsh@redhat.com> wrote: > On 08/14/2013 04:17 PM, Kay Sievers wrote: > > > > this patch added GPL code to systemd, which otherwise is all LGPL. We need > > to make sure we can always split out any code to a separate shared library > > ... > > > > Mind if I switch your src/core/selinux-access.[ch] files to LGPL? > I have no problem with it. Should be LGPL anyways.
* selinux: remove anything PID1-specific from selinux-access.[ch] so that we ↵Lennart Poettering2012-10-021-7/+10
| | | | can reuse it in logind
* selinux: rework selinux access check logicLennart Poettering2012-10-021-4/+35
| | | | | | | | | | | | | | a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
* selinux: add bus service access controlDaniel J Walsh2012-09-181-0/+28
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----
View Lorry Controller Status