picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

selinux: figure out selinux context applied on exec() before closing all fds 

We need original socket_fd around otherwise mac_selinux_get_child_mls_label
fails with -EINVAL return code. Also don't call setexeccon twice but rather pass
context value of SELinuxContext option as an extra argument.
This commit is contained in:
Michal Sekletar 2014-11-12 13:53:27 +01:00 committed by Lennart Poettering
parent fe0b9cd3ba
commit 9008e1ac92
3 changed files with 17 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/core/execute.c
View File

@ -1238,6 +1238,7 @@ static int exec_child(ExecCommand *command,
int *error) {
_cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
_cleanup_free_ char *mac_selinux_context_net = NULL;
const char *username = NULL, *home = NULL, *shell = NULL;
unsigned n_dont_close = 0;
int dont_close[n_fds + 4];
@ -1584,6 +1585,16 @@ static int exec_child(ExecCommand *command,
}
}
#ifdef HAVE_SELINUX
if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
if (err < 0) {
*error = EXIT_SELINUX_CONTEXT;
return err;
}
}
#endif
/* We repeat the fd closing here, to make sure that
* nothing is leaked from the PAM modules. Note that
* we are more aggressive this time since socket_fd
@ -1683,24 +1694,10 @@ static int exec_child(ExecCommand *command,
#ifdef HAVE_SELINUX
if (mac_selinux_use()) {
if (context->selinux_context) {
err = setexeccon(context->selinux_context);
if (err < 0 && !context->selinux_context_ignore) {
*error = EXIT_SELINUX_CONTEXT;
return err;
}
}
char *exec_context = mac_selinux_context_net ?: context->selinux_context;
if (params->selinux_context_net && socket_fd >= 0) {
_cleanup_free_ char *label = NULL;
err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label);
if (err < 0) {
*error = EXIT_SELINUX_CONTEXT;
return err;
}
err = setexeccon(label);
if (exec_context) {
err = setexeccon(exec_context);
if (err < 0) {
*error = EXIT_SELINUX_CONTEXT;
return err;

8
src/shared/selinux-util.c
View File

@ -233,7 +233,7 @@ int mac_selinux_get_our_label(char **label) {
return r;
}
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
int r = -EOPNOTSUPP;
#ifdef HAVE_SELINUX
@ -257,11 +257,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
if (r < 0)
return -errno;
r = getexeccon(&fcon);
if (r < 0)
return -errno;
if (!fcon) {
if (!exec_label) {
/* If there is no context set for next exec let's use context
of target executable */
r = getfilecon(exe, &fcon);

2
src/shared/selinux-util.h
View File

@ -36,7 +36,7 @@ int mac_selinux_apply(const char *path, const char *label);
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
int mac_selinux_get_our_label(char **label);
int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label);
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label);
void mac_selinux_free(char *label);
int mac_selinux_create_file_prepare(const char *path, mode_t mode);