core: simplify selinux AVC initialization
Let's merge access_init() and mac_selinux_access_init(), and only call mac_selinux_use() once, inside the merged function, instead of multiple times, including in the caller. See comments on: https://github.com/systemd/systemd/pull/2053
This commit is contained in:
parent
37ade12837
commit
6344f3e28d
|
@ -134,52 +134,45 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
log_internalv(LOG_AUTH | callback_type_to_priority(type),
|
log_internalv(LOG_AUTH | callback_type_to_priority(type), 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
|
||||||
0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
|
|
||||||
va_end(ap);
|
va_end(ap);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
static int access_init(sd_bus_error *error) {
|
||||||
Function must be called once to initialize the SELinux AVC environment.
|
|
||||||
Sets up callbacks.
|
|
||||||
If you want to cleanup memory you should need to call selinux_access_finish.
|
|
||||||
*/
|
|
||||||
static int access_init(void) {
|
|
||||||
int r = 0;
|
|
||||||
|
|
||||||
if (avc_open(NULL, 0))
|
|
||||||
return log_error_errno(errno, "avc_open() failed: %m");
|
|
||||||
|
|
||||||
selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
|
|
||||||
selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
|
|
||||||
|
|
||||||
if (security_getenforce() < 0){
|
|
||||||
r = -errno;
|
|
||||||
avc_destroy();
|
|
||||||
}
|
|
||||||
|
|
||||||
return r;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int mac_selinux_access_init(sd_bus_error *error) {
|
|
||||||
int r;
|
|
||||||
|
|
||||||
if (initialized)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
if (!mac_selinux_use())
|
if (!mac_selinux_use())
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
r = access_init();
|
if (initialized)
|
||||||
if (r < 0)
|
return 1;
|
||||||
return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
|
|
||||||
|
if (avc_open(NULL, 0) != 0) {
|
||||||
|
int enforce, saved_errno = errno;
|
||||||
|
|
||||||
|
enforce = security_getenforce();
|
||||||
|
log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
|
||||||
|
|
||||||
|
/* If enforcement isn't on, then let's suppress this
|
||||||
|
* error, and just don't do any AVC checks. The
|
||||||
|
* warning we printed is hence all the admin will
|
||||||
|
* see. */
|
||||||
|
if (enforce == 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
/* Return an access denied error, if we couldn't load
|
||||||
|
* the AVC but enforcing mode was on, or we couldn't
|
||||||
|
* determine whether it is one. */
|
||||||
|
return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror(saved_errno));
|
||||||
|
}
|
||||||
|
|
||||||
|
selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
|
||||||
|
selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
|
||||||
|
|
||||||
initialized = true;
|
initialized = true;
|
||||||
return 0;
|
return 1;
|
||||||
}
|
}
|
||||||
#endif
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
This function communicates with the kernel to check whether or not it should
|
This function communicates with the kernel to check whether or not it should
|
||||||
|
@ -193,7 +186,6 @@ int mac_selinux_generic_access_check(
|
||||||
const char *permission,
|
const char *permission,
|
||||||
sd_bus_error *error) {
|
sd_bus_error *error) {
|
||||||
|
|
||||||
#ifdef HAVE_SELINUX
|
|
||||||
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
|
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
|
||||||
const char *tclass = NULL, *scon = NULL;
|
const char *tclass = NULL, *scon = NULL;
|
||||||
struct audit_info audit_info = {};
|
struct audit_info audit_info = {};
|
||||||
|
@ -206,11 +198,8 @@ int mac_selinux_generic_access_check(
|
||||||
assert(permission);
|
assert(permission);
|
||||||
assert(error);
|
assert(error);
|
||||||
|
|
||||||
if (!mac_selinux_use())
|
r = access_init(error);
|
||||||
return 0;
|
if (r <= 0)
|
||||||
|
|
||||||
r = mac_selinux_access_init(error);
|
|
||||||
if (r < 0)
|
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
r = sd_bus_query_sender_creds(
|
r = sd_bus_query_sender_creds(
|
||||||
|
@ -277,7 +266,17 @@ finish:
|
||||||
}
|
}
|
||||||
|
|
||||||
return r;
|
return r;
|
||||||
#else
|
|
||||||
return 0;
|
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#else
|
||||||
|
|
||||||
|
int mac_selinux_generic_access_check(
|
||||||
|
sd_bus_message *message,
|
||||||
|
const char *path,
|
||||||
|
const char *permission,
|
||||||
|
sd_bus_error *error) {
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue