label: unify code to make directories, symlinks

2014-10-23 19:58:45 +02:00 · 2014-10-23 19:58:45 +02:00 · c34255bdb2
parent f3c80515c1
commit c34255bdb2
8 changed files with 62 additions and 101 deletions
--- a/src/machine/machined.c
+++ b/src/machine/machined.c
@ -35,6 +35,7 @@
 #include "bus-util.h"
 #include "bus-error.h"
 #include "machined.h"
+#include "label.h"

 Manager *manager_new(void) {
        Manager *m;
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@ -32,24 +32,6 @@
 #include "util.h"
 #include "label.h"

-static int symlink_and_label(const char *old_path, const char *new_path) {
-        int r;
-
-        assert(old_path);
-        assert(new_path);
-
-        r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
-        if (r < 0)
-                return r;
-
-        if (symlink(old_path, new_path) < 0)
-                r = -errno;
-
-        mac_selinux_create_file_clear();
-
-        return r;
-}
-
 int dev_setup(const char *prefix) {
        const char *j, *k;

@ -75,9 +57,9 @@ int dev_setup(const char *prefix) {
                        if (!link_name)
                                return -ENOMEM;

-                        symlink_and_label(j, link_name);
+                        symlink_label(j, link_name);
                } else
-                        symlink_and_label(j, k);
+                        symlink_label(j, k);
        }

        return 0;
--- a/src/shared/label.c
+++ b/src/shared/label.c
@ -35,3 +35,44 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {

        return 0;
 }
+
+int mkdir_label(const char *path, mode_t mode) {
+        int r;
+
+        assert(path);
+
+        r = mac_selinux_create_file_prepare(path, S_IFDIR);
+        if (r < 0)
+                return r;
+
+        if (mkdir(path, mode) < 0)
+                r = -errno;
+
+        mac_selinux_create_file_clear();
+
+        if (r < 0)
+                return r;
+
+        return mac_smack_fix(path, false, false);
+}
+
+int symlink_label(const char *old_path, const char *new_path) {
+        int r;
+
+        assert(old_path);
+        assert(new_path);
+
+        r = mac_selinux_create_file_prepare(new_path, S_IFLNK);
+        if (r < 0)
+                return r;
+
+        if (symlink(old_path, new_path) < 0)
+                r = -errno;
+
+        mac_selinux_create_file_clear();
+
+        if (r < 0)
+                return r;
+
+        return mac_smack_fix(new_path, false, false);
+}
--- a/src/shared/label.h
+++ b/src/shared/label.h
@ -25,3 +25,6 @@
 #include "smack-util.h"

 int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
+
+int mkdir_label(const char *path, mode_t mode);
+int symlink_label(const char *old_path, const char *new_path);
--- a/src/shared/mkdir-label.c
+++ b/src/shared/mkdir-label.c
@ -32,39 +32,14 @@
 #include "path-util.h"
 #include "mkdir.h"

-static int label_mkdir(const char *path, mode_t mode) {
-        int r;
-
-        if (mac_selinux_use())
-                return mac_selinux_mkdir(path, mode);
-
-        if (mac_smack_use()) {
-                r = mkdir(path, mode);
-                if (r < 0)
-                        return -errno;
-
-                return mac_smack_fix(path, false, false);
-        }
-
-        r = mkdir(path, mode);
-        if (r < 0)
-                return -errno;
-
-        return 0;
-}
-
-int mkdir_label(const char *path, mode_t mode) {
-        return label_mkdir(path, mode);
-}
-
 int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid) {
-        return mkdir_safe_internal(path, mode, uid, gid, label_mkdir);
+        return mkdir_safe_internal(path, mode, uid, gid, mkdir_label);
 }

 int mkdir_parents_label(const char *path, mode_t mode) {
-        return mkdir_parents_internal(NULL, path, mode, label_mkdir);
+        return mkdir_parents_internal(NULL, path, mode, mkdir_label);
 }

 int mkdir_p_label(const char *path, mode_t mode) {
-        return mkdir_p_internal(NULL, path, mode, label_mkdir);
+        return mkdir_p_internal(NULL, path, mode, mkdir_label);
 }
--- a/src/shared/mkdir.h
+++ b/src/shared/mkdir.h
@ -30,7 +30,6 @@ int mkdir_parents(const char *path, mode_t mode);
 int mkdir_p(const char *path, mode_t mode);

 /* mandatory access control(MAC) versions */
-int mkdir_label(const char *path, mode_t mode);
 int mkdir_safe_label(const char *path, mode_t mode, uid_t uid, gid_t gid);
 int mkdir_parents_label(const char *path, mode_t mode);
 int mkdir_p_label(const char *path, mode_t mode);
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@ -319,7 +319,18 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
        if (!label_hnd)
                return 0;

-        r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+        if (path_is_absolute(path))
+                r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
+        else {
+                _cleanup_free_ char *newpath;
+
+                newpath = path_make_absolute_cwd(path);
+                if (!newpath)
+                        return -ENOMEM;
+
+                r = selabel_lookup_raw(label_hnd, &filecon, newpath, S_IFDIR);
+        }
+
        if (r < 0 && errno != ENOENT)
                r = -errno;
        else if (r == 0) {
@ -380,56 +391,6 @@ void mac_selinux_create_socket_clear(void) {
 #endif
 }

-int mac_selinux_mkdir(const char *path, mode_t mode) {
-
-        /* Creates a directory and labels it according to the SELinux policy */
-
-#ifdef HAVE_SELINUX
-        _cleanup_security_context_free_ security_context_t fcon = NULL;
-        int r;
-
-        assert(path);
-
-        if (!label_hnd)
-                goto skipped;
-
-        if (path_is_absolute(path))
-                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
-        else {
-                _cleanup_free_ char *newpath;
-
-                newpath = path_make_absolute_cwd(path);
-                if (!newpath)
-                        return -ENOMEM;
-
-                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
-        }
-
-        if (r == 0)
-                r = setfscreatecon(fcon);
-
-        if (r < 0 && errno != ENOENT) {
-                log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
-
-                if (security_getenforce() == 1) {
-                        r = -errno;
-                        goto finish;
-                }
-        }
-
-        r = mkdir(path, mode);
-        if (r < 0)
-                r = -errno;
-
-finish:
-        setfscreatecon(NULL);
-        return r;
-
-skipped:
-#endif
-        return mkdir(path, mode) < 0 ? -errno : 0;
-}
-
 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

        /* Binds a socket and label its file system object according to the SELinux policy */
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@ -45,5 +45,4 @@ void mac_selinux_create_file_clear(void);
 int mac_selinux_create_socket_prepare(const char *label);
 void mac_selinux_create_socket_clear(void);

-int mac_selinux_mkdir(const char *path, mode_t mode);
 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);