From 1ea0879cf79412e27b8becdb2bbc7e0abd301a66 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Tue, 12 Aug 2014 12:58:47 +0200
Subject: [PATCH] selinux: Check access vector for enable and disable perm for
each unit file
|
---
src/core/dbus-manager.c | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
|
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
|
|
|
9fc0f6 |
index 6d16c2a..cebc730 100644
|
|
|
9fc0f6 |
--- a/src/core/dbus-manager.c
|
|
|
9fc0f6 |
+++ b/src/core/dbus-manager.c
|
|
|
9fc0f6 |
@@ -1581,6 +1581,7 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
|
|
|
9fc0f6 |
dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "SetDefaultTarget")) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
char **l = NULL;
|
|
|
9fc0f6 |
+ char **i;
|
|
|
9fc0f6 |
DBusMessageIter iter;
|
|
|
9fc0f6 |
UnitFileScope scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
|
|
|
9fc0f6 |
UnitFileChange *changes = NULL;
|
|
|
9fc0f6 |
@@ -1588,8 +1589,6 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
|
|
|
9fc0f6 |
dbus_bool_t runtime, force;
|
|
|
9fc0f6 |
int carries_install_info = -1;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- SELINUX_ACCESS_CHECK(connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
|
|
|
9fc0f6 |
-
|
|
|
9fc0f6 |
if (!dbus_message_iter_init(message, &iter))
|
|
|
9fc0f6 |
goto oom;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1601,6 +1600,17 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
|
|
|
9fc0f6 |
return bus_send_error_reply(connection, message, NULL, r);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+ STRV_FOREACH(i, l) {
|
|
|
9fc0f6 |
+ Unit *u;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = manager_load_unit(m, *i, NULL, NULL, &u);
|
|
|
9fc0f6 |
+ if (r < 0) {
|
|
|
9fc0f6 |
+ dbus_set_error(&error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s does not exist.", *i);
|
|
|
9fc0f6 |
+ return bus_send_error_reply(connection, message, &error, -ENOENT);
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+ SELINUX_UNIT_ACCESS_CHECK(u, connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
if (!dbus_message_iter_next(&iter) ||
|
|
|
9fc0f6 |
bus_iter_get_basic_and_next(&iter, DBUS_TYPE_BOOLEAN, &runtime, true) < 0 ||
|
|
|
9fc0f6 |
bus_iter_get_basic_and_next(&iter, DBUS_TYPE_BOOLEAN, &force, false) < 0) {
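Review bot: The early returns added inside the new STRV_FOREACH loop leak the unit-name list: `l` is populated by this point (the loop iterates it) and is declared as a plain `char **l = NULL;` with no cleanup attribute, yet the `-ENOENT` reply returns without `strv_free(l)`, and so does the denial path if SELINUX_UNIT_ACCESS_CHECK returns from the handler on failure the way the removed SELINUX_ACCESS_CHECK did. The removed check ran before anything was parsed, so this leak is new with this commit; add `strv_free(l);` before the NO_SUCH_UNIT reply and, for the denial path, call the underlying access-check function directly so it can free `l` before replying. Separately, an unauthorized caller can now cause every named unit to be loaded into the manager and learn which names exist before any access decision is made, a side effect the old manager-level check did not permit; if that is accepted it deserves a comment such as `/* units are loaded before the per-unit check so the check can use each unit's own label */`. The handler continues past the hunk.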
|
|
|
9fc0f6 |
@@ -1644,14 +1654,13 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
|
|
|
9fc0f6 |
dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "UnmaskUnitFiles")) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
char **l = NULL;
|
|
|
9fc0f6 |
+ char **i;
|
|
|
9fc0f6 |
DBusMessageIter iter;
|
|
|
9fc0f6 |
UnitFileScope scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
|
|
|
9fc0f6 |
UnitFileChange *changes = NULL;
|
|
|
9fc0f6 |
unsigned n_changes = 0;
|
|
|
9fc0f6 |
dbus_bool_t runtime;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- SELINUX_ACCESS_CHECK(connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
|
|
|
9fc0f6 |
-
|
|
|
9fc0f6 |
if (!dbus_message_iter_init(message, &iter))
|
|
|
9fc0f6 |
goto oom;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1669,6 +1678,17 @@ static DBusHandlerResult bus_manager_message_handler(DBusConnection *connection,
|
|
|
9fc0f6 |
return bus_send_error_reply(connection, message, NULL, -EIO);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+ STRV_FOREACH(i, l) {
|
|
|
9fc0f6 |
+ Unit *u;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = manager_load_unit(m, *i, NULL, NULL, &u);
|
|
|
9fc0f6 |
+ if (r < 0) {
|
|
|
9fc0f6 |
+ dbus_set_error(&error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s does not exist.", *i);
|
|
|
9fc0f6 |
+ return bus_send_error_reply(connection, message, &error, -ENOENT);
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+ SELINUX_UNIT_ACCESS_CHECK(u, connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
if (streq(member, "DisableUnitFiles"))
|
|
|
9fc0f6 |
r = unit_file_disable(scope, runtime, NULL, l, &changes, &n_changes);
|
|
|
9fc0f6 |
else if (streq(member, "UnmaskUnitFiles"))
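Review bot: This loop is a line-for-line copy of the one added to the EnableUnitFiles/MaskUnitFiles branch, differing only in the permission string; it belongs in one static helper taking the manager, connection, message, `l` and the permission so the load-then-check logic and its error handling, including freeing `l` on the early returns, live in one place. Whichever form is kept, the failure branch returns a hard-coded `-ENOENT` regardless of what manager_load_unit() actually reported (a malformed name presumably fails with a different errno), so `return bus_send_error_reply(connection, message, &error, r);` keeps the reply honest. For the UnmaskUnitFiles case in particular, confirm that manager_load_unit() succeeds for a masked unit, otherwise unmasking can never get past this gate. The enclosing handler continues past the hunk.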
|