bd1529
From 4f4e8bbd9ad46fc146a36f52790bc4920f42ef1f Mon Sep 17 00:00:00 2001
bd1529
From: Franck Bui <fbui@suse.com>
bd1529
Date: Mon, 2 Jul 2018 10:22:56 +0200
bd1529
Subject: [PATCH] selinux: introduce mac_selinux_create_file_prepare_at()
bd1529
bd1529
(cherry picked from commit 7e531a5265687aef5177b070c36ca4ceab42e768)
bd1529
bd1529
Related: #1888912
bd1529
---
bd1529
 src/basic/selinux-util.c | 83 ++++++++++++++++++++++++++++++----------
bd1529
 src/basic/selinux-util.h |  1 +
bd1529
 2 files changed, 63 insertions(+), 21 deletions(-)
bd1529
bd1529
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
bd1529
index f69d88eb1e..a078ce23ef 100644
bd1529
--- a/src/basic/selinux-util.c
bd1529
+++ b/src/basic/selinux-util.c
bd1529
@@ -336,48 +336,89 @@ char* mac_selinux_free(char *label) {
bd1529
         return NULL;
bd1529
 }
bd1529
 
bd1529
-int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
bd1529
-
bd1529
 #if HAVE_SELINUX
bd1529
+static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
bd1529
         _cleanup_freecon_ char *filecon = NULL;
bd1529
+        _cleanup_free_ char *path = NULL;
bd1529
         int r;
bd1529
 
bd1529
-        assert(path);
bd1529
-
bd1529
-        if (!label_hnd)
bd1529
-                return 0;
bd1529
-
bd1529
-        if (path_is_absolute(path))
bd1529
-                r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
bd1529
-        else {
bd1529
-                _cleanup_free_ char *newpath = NULL;
bd1529
-
bd1529
-                r = path_make_absolute_cwd(path, &newpath);
bd1529
-                if (r < 0)
bd1529
-                        return r;
bd1529
-
bd1529
-                r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
bd1529
-        }
bd1529
+        assert(abspath);
bd1529
+        assert(path_is_absolute(abspath));
bd1529
 
bd1529
+        r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
bd1529
         if (r < 0) {
bd1529
                 /* No context specified by the policy? Proceed without setting it. */
bd1529
                 if (errno == ENOENT)
bd1529
                         return 0;
bd1529
 
bd1529
-                log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
bd1529
+                log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
bd1529
         } else {
bd1529
                 if (setfscreatecon_raw(filecon) >= 0)
bd1529
                         return 0; /* Success! */
bd1529
 
bd1529
-                log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
bd1529
+                log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
bd1529
         }
bd1529
 
bd1529
         if (security_getenforce() > 0)
bd1529
                 return -errno;
bd1529
 
bd1529
-#endif
bd1529
         return 0;
bd1529
 }
bd1529
+#endif
bd1529
+
bd1529
+int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
bd1529
+        int r = 0;
bd1529
+
bd1529
+#if HAVE_SELINUX
bd1529
+        _cleanup_free_ char *abspath = NULL;
bd1529
+        _cleanup_close_ int fd = -1;
bd1529
+
bd1529
+        assert(path);
bd1529
+
bd1529
+        if (!label_hnd)
bd1529
+                return 0;
bd1529
+
bd1529
+        if (!path_is_absolute(path)) {
bd1529
+                _cleanup_free_ char *p = NULL;
bd1529
+
bd1529
+                if (dirfd == AT_FDCWD)
bd1529
+                        r = safe_getcwd(&p);
bd1529
+                else
bd1529
+                        r = fd_get_path(dirfd, &p);
bd1529
+                if (r < 0)
bd1529
+                        return r;
bd1529
+
bd1529
+                abspath = path_join(NULL, p, path);
bd1529
+                if (!abspath)
bd1529
+                        return -ENOMEM;
bd1529
+
bd1529
+                path = abspath;
bd1529
+        }
bd1529
+
bd1529
+        r = selinux_create_file_prepare_abspath(path, mode);
bd1529
+#endif
bd1529
+        return r;
bd1529
+}
bd1529
+
bd1529
+int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
bd1529
+        int r = 0;
bd1529
+
bd1529
+#if HAVE_SELINUX
bd1529
+        _cleanup_free_ char *abspath = NULL;
bd1529
+
bd1529
+        assert(path);
bd1529
+
bd1529
+        if (!label_hnd)
bd1529
+                return 0;
bd1529
+
bd1529
+        r = path_make_absolute_cwd(path, &abspath);
bd1529
+        if (r < 0)
bd1529
+                return r;
bd1529
+
bd1529
+        r = selinux_create_file_prepare_abspath(abspath, mode);
bd1529
+#endif
bd1529
+        return r;
bd1529
+}
bd1529
 
bd1529
 void mac_selinux_create_file_clear(void) {
bd1529
 
bd1529
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
bd1529
index abcfabe777..639c35b687 100644
bd1529
--- a/src/basic/selinux-util.h
bd1529
+++ b/src/basic/selinux-util.h
bd1529
@@ -24,6 +24,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
bd1529
 char* mac_selinux_free(char *label);
bd1529
 
bd1529
 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
bd1529
+int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode);
bd1529
 void mac_selinux_create_file_clear(void);
bd1529
 
bd1529
 int mac_selinux_create_socket_prepare(const char *label);