Revert "socket: introduce SELinuxLabelViaNet option"
This reverts commit cf8bd44339
.
Needs more discussion on the mailing list.
This commit is contained in:
parent
8530dc4467
commit
3bb07b7680
|
@ -675,17 +675,6 @@
|
|||
for details.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>SELinuxLabelViaNet=</varname></term>
|
||||
<listitem><para>Takes a boolean
|
||||
value. Controls whether systemd attempts to figure out
|
||||
SELinux label used for instantiated service from
|
||||
information handed by peer over the
|
||||
network. Configuration option has effect only
|
||||
on sockets with <literal>Accept=</literal>
|
||||
mode set to <literal>yes</literal>.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>PipeSize=</varname></term>
|
||||
<listitem><para>Takes a size in
|
||||
|
|
|
@ -83,7 +83,6 @@
|
|||
#include "af-list.h"
|
||||
#include "mkdir.h"
|
||||
#include "apparmor-util.h"
|
||||
#include "label.h"
|
||||
|
||||
#ifdef HAVE_SECCOMP
|
||||
#include "seccomp-util.h"
|
||||
|
@ -1730,22 +1729,6 @@ int exec_spawn(ExecCommand *command,
|
|||
goto fail_child;
|
||||
}
|
||||
}
|
||||
|
||||
if (context->selinux_label_via_net && use_selinux()) {
|
||||
_cleanup_free_ char *label = NULL;
|
||||
|
||||
err = label_get_child_label(socket_fd, command->path, &label);
|
||||
if (err < 0) {
|
||||
r = EXIT_SELINUX_CONTEXT;
|
||||
goto fail_child;
|
||||
}
|
||||
|
||||
err = setexeccon(label);
|
||||
if (err < 0) {
|
||||
r = EXIT_SELINUX_CONTEXT;
|
||||
goto fail_child;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_APPARMOR
|
||||
|
@ -2129,8 +2112,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
|
|||
"%sPrivateDevices: %s\n"
|
||||
"%sProtectHome: %s\n"
|
||||
"%sProtectSystem: %s\n"
|
||||
"%sIgnoreSIGPIPE: %s\n"
|
||||
"%sSELinuxLabelViaNet: %s\n",
|
||||
"%sIgnoreSIGPIPE: %s\n",
|
||||
prefix, c->umask,
|
||||
prefix, c->working_directory ? c->working_directory : "/",
|
||||
prefix, c->root_directory ? c->root_directory : "/",
|
||||
|
@ -2140,8 +2122,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
|
|||
prefix, yes_no(c->private_devices),
|
||||
prefix, protect_home_to_string(c->protect_home),
|
||||
prefix, protect_system_to_string(c->protect_system),
|
||||
prefix, yes_no(c->ignore_sigpipe),
|
||||
prefix, yes_no(c->selinux_label_via_net));
|
||||
prefix, yes_no(c->ignore_sigpipe));
|
||||
|
||||
STRV_FOREACH(e, c->environment)
|
||||
fprintf(f, "%sEnvironment: %s\n", prefix, *e);
|
||||
|
|
|
@ -136,7 +136,6 @@ struct ExecContext {
|
|||
|
||||
bool selinux_context_ignore;
|
||||
char *selinux_context;
|
||||
bool selinux_label_via_net;
|
||||
|
||||
bool apparmor_profile_ignore;
|
||||
char *apparmor_profile;
|
||||
|
|
|
@ -262,9 +262,6 @@ Socket.SmackLabelIPOut, config_parse_string, 0,
|
|||
`Socket.SmackLabel, config_parse_warn_compat, 0, 0
|
||||
Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0
|
||||
Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0')
|
||||
m4_ifdef(`HAVE_SELINUX',
|
||||
`Socket.SELinuxLabelViaNet, config_parse_bool, 0, offsetof(Socket, selinux_label_via_net)',
|
||||
`Socket.SELinuxLabelViaNet, config_parse_warn_compat, 0, 0')
|
||||
EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
|
||||
CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
|
||||
KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
|
||||
|
|
|
@ -31,10 +31,6 @@
|
|||
#include <mqueue.h>
|
||||
#include <sys/xattr.h>
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#endif
|
||||
|
||||
#include "sd-event.h"
|
||||
#include "log.h"
|
||||
#include "load-dropin.h"
|
||||
|
@ -492,8 +488,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
|
|||
"%sPassCredentials: %s\n"
|
||||
"%sPassSecurity: %s\n"
|
||||
"%sTCPCongestion: %s\n"
|
||||
"%sRemoveOnStop: %s\n"
|
||||
"%sSELinuxLabelViaNet: %s\n",
|
||||
"%sRemoveOnStop: %s\n",
|
||||
prefix, socket_state_to_string(s->state),
|
||||
prefix, socket_result_to_string(s->result),
|
||||
prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
|
||||
|
@ -508,8 +503,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
|
|||
prefix, yes_no(s->pass_cred),
|
||||
prefix, yes_no(s->pass_sec),
|
||||
prefix, strna(s->tcp_congestion),
|
||||
prefix, yes_no(s->remove_on_stop),
|
||||
prefix, yes_no(s->selinux_label_via_net));
|
||||
prefix, yes_no(s->remove_on_stop));
|
||||
|
||||
if (s->control_pid > 0)
|
||||
fprintf(f,
|
||||
|
@ -1136,14 +1130,7 @@ static int socket_open_fds(Socket *s) {
|
|||
continue;
|
||||
|
||||
if (p->type == SOCKET_SOCKET) {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (!know_label && s->selinux_label_via_net) {
|
||||
r = getcon(&label);
|
||||
if (r < 0)
|
||||
return r;
|
||||
know_label = true;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (!know_label) {
|
||||
|
||||
r = socket_instantiate_service(s);
|
||||
|
@ -1842,9 +1829,6 @@ static void socket_enter_running(Socket *s, int cfd) {
|
|||
cfd = -1;
|
||||
s->n_connections ++;
|
||||
|
||||
if (s->selinux_label_via_net)
|
||||
service->exec_context.selinux_label_via_net = true;
|
||||
|
||||
r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, true, &error, NULL);
|
||||
if (r < 0)
|
||||
goto fail;
|
||||
|
|
|
@ -165,8 +165,6 @@ struct Socket {
|
|||
char *smack_ip_in;
|
||||
char *smack_ip_out;
|
||||
|
||||
bool selinux_label_via_net;
|
||||
|
||||
char *user, *group;
|
||||
};
|
||||
|
||||
|
|
|
@ -31,7 +31,6 @@
|
|||
#ifdef HAVE_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/label.h>
|
||||
#include <selinux/context.h>
|
||||
#endif
|
||||
|
||||
#include "label.h"
|
||||
|
@ -244,74 +243,6 @@ fail:
|
|||
return r;
|
||||
}
|
||||
|
||||
int label_get_child_label(int socket_fd, const char *exe, char **label) {
|
||||
int r = 0;
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
|
||||
security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
|
||||
security_class_t sclass;
|
||||
context_t pcon = NULL, bcon = NULL;
|
||||
const char *range = NULL;
|
||||
|
||||
assert(socket_fd >= 0);
|
||||
assert(exe);
|
||||
assert(label);
|
||||
|
||||
r = getcon(&mycon);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
r = getpeercon(socket_fd, &peercon);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
r = getfilecon(exe, &fcon);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
bcon = context_new(mycon);
|
||||
if (!bcon)
|
||||
goto out;
|
||||
|
||||
pcon = context_new(peercon);
|
||||
if (!pcon)
|
||||
goto out;
|
||||
|
||||
range = context_range_get(pcon);
|
||||
if (!range)
|
||||
goto out;
|
||||
|
||||
r = context_range_set(bcon, range);
|
||||
if (r)
|
||||
goto out;
|
||||
|
||||
freecon(mycon);
|
||||
mycon = context_str(bcon);
|
||||
if (!mycon)
|
||||
goto out;
|
||||
|
||||
sclass = string_to_security_class("process");
|
||||
r = security_compute_create(mycon, fcon, sclass, &ret);
|
||||
if (r < 0)
|
||||
goto out;
|
||||
|
||||
*label = ret;
|
||||
|
||||
out:
|
||||
if (r && security_getenforce() == 1)
|
||||
r = -errno;
|
||||
|
||||
freecon(mycon);
|
||||
freecon(peercon);
|
||||
freecon(fcon);
|
||||
context_free(pcon);
|
||||
context_free(bcon);
|
||||
|
||||
#endif
|
||||
return r;
|
||||
}
|
||||
|
||||
int label_context_set(const char *path, mode_t mode) {
|
||||
int r = 0;
|
||||
|
||||
|
|
|
@ -39,7 +39,6 @@ void label_context_clear(void);
|
|||
void label_free(const char *label);
|
||||
|
||||
int label_get_create_label_from_exe(const char *exe, char **label);
|
||||
int label_get_child_label(int socket_fd, const char *exec, char **label);
|
||||
|
||||
int label_mkdir(const char *path, mode_t mode);
|
||||
|
||||
|
|
Loading…
Reference in New Issue