From 4f4e8bbd9ad46fc146a36f52790bc4920f42ef1f Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Mon, 2 Jul 2018 10:22:56 +0200
Subject: [PATCH] selinux: introduce mac_selinux_create_file_prepare_at()
(cherry picked from commit 7e531a5265687aef5177b070c36ca4ceab42e768)
Related: #1888912
---
src/basic/selinux-util.c | 83 ++++++++++++++++++++++++++++++----------
src/basic/selinux-util.h | 1 +
2 files changed, 63 insertions(+), 21 deletions(-)
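diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index f69d88eb1e..a078ce23ef 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -336,48 +336,89 @@ char* mac_selinux_free(char *label) {
 return NULL;
 }
 
-int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
-
 #if HAVE_SELINUX
+static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
 _cleanup_freecon_ char *filecon = NULL;
+ _cleanup_free_ char *path = NULL;
 int r;
 
- assert(path);
-
- if (!label_hnd)
- return 0;
-
- if (path_is_absolute(path))
- r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
- else {
- _cleanup_free_ char *newpath = NULL;
-
- r = path_make_absolute_cwd(path, &newpath);
- if (r < 0)
- return r;
-
- r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
- }
+ assert(abspath);
+ assert(path_is_absolute(abspath));
 
+ r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
 if (r < 0) {
 /* No context specified by the policy? Proceed without setting it. */
 if (errno == ENOENT)
 return 0;
 
- log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
+ log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
 } else {
 if (setfscreatecon_raw(filecon) >= 0)
 return 0; /* Success! */
 
- log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
+ log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
 }
 
 if (security_getenforce() > 0)
 return -errno;
 
-#endif
 return 0;
 }
+#endif
+
+int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
+ int r = 0;
+
+#if HAVE_SELINUX
+ _cleanup_free_ char *abspath = NULL;
+ _cleanup_close_ int fd = -1;
+
+ assert(path);
+
+ if (!label_hnd)
+ return 0;
+
+ if (!path_is_absolute(path)) {
+ _cleanup_free_ char *p = NULL;
+
+ if (dirfd == AT_FDCWD)
+ r = safe_getcwd(&p);
+ else
+ r = fd_get_path(dirfd, &p);
+ if (r < 0)
+ return r;
+
+ abspath = path_join(NULL, p, path);
+ if (!abspath)
+ return -ENOMEM;
+
+ path = abspath;
+ }
+
+ r = selinux_create_file_prepare_abspath(path, mode);
+#endif
+ return r;
+}
+
+int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
+ int r = 0;
+
+#if HAVE_SELINUX
+ _cleanup_free_ char *abspath = NULL;
+
+ assert(path);
+
+ if (!label_hnd)
+ return 0;
+
+ r = path_make_absolute_cwd(path, &abspath);
+ if (r < 0)
+ return r;
+
+ r = selinux_create_file_prepare_abspath(abspath, mode);
+#endif
+ return r;
+}
 
 void mac_selinux_create_file_clear(void) {
 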
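Review bot: `_cleanup_close_ int fd = -1;` in mac_selinux_create_file_prepare_at and `_cleanup_free_ char *path = NULL;` in selinux_create_file_prepare_abspath are never used by the new code and should be dropped; they read as leftovers from an earlier draft and lead a reader to expect an open or a copy that never happens. The AT_FDCWD branch of mac_selinux_create_file_prepare_at also duplicates what mac_selinux_create_file_prepare now does through path_make_absolute_cwd, so the non-_at wrapper could be reduced to `return mac_selinux_create_file_prepare_at(AT_FDCWD, path, mode);` and keep the absolutisation logic in one place. A comment above mac_selinux_create_file_prepare_at would help callers: dirfd is used only to turn a relative path into an absolute one for the label lookup (via fd_get_path, whose body is outside the hunk and presumably resolves the descriptor to a pathname), so the context chosen reflects the directory's pathname at lookup time rather than the open descriptor itself, and a caller that relies on the fd for race-freedom should not assume the label lookup shares that property. The hunk's last context line opens mac_selinux_create_file_clear, whose body lies outside the hunk.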
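diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index abcfabe777..639c35b687 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -24,6 +24,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
 char* mac_selinux_free(char *label);
 
 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
+int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode);
 void mac_selinux_create_file_clear(void);
 
 int mac_selinux_create_socket_prepare(const char *label);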