summaryrefslogtreecommitdiffstats
path: root/src/shared
diff options
context:
space:
mode:
Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/btrfs-util.c2
-rw-r--r--src/shared/creds-util.c3
-rw-r--r--src/shared/dev-setup.c2
-rw-r--r--src/shared/find-esp.c64
-rw-r--r--src/shared/find-esp.h8
-rw-r--r--src/shared/hwdb-util.c2
-rw-r--r--src/shared/label-util.c (renamed from src/shared/label.c)13
-rw-r--r--src/shared/label-util.h (renamed from src/shared/label.h)2
-rw-r--r--src/shared/loop-util.c11
-rw-r--r--src/shared/loopback-setup.c49
-rw-r--r--src/shared/machine-pool.c2
-rw-r--r--src/shared/meson.build2
-rw-r--r--src/shared/mount-setup.c2
-rw-r--r--src/shared/mount-util.c2
-rw-r--r--src/shared/selinux-util.c18
-rw-r--r--src/shared/selinux-util.h2
-rw-r--r--src/shared/smack-util.c21
-rw-r--r--src/shared/smack-util.h3
18 files changed, 149 insertions, 59 deletions
diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c
index 7909184f2d..16295a5823 100644
--- a/src/shared/btrfs-util.c
+++ b/src/shared/btrfs-util.c
@@ -223,7 +223,7 @@ int btrfs_get_block_device_at(int dir_fd, const char *path, dev_t *ret) {
assert(path);
assert(ret);
- fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY, 0);
+ fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY, /* xopen_flags = */ 0, /* mode = */ 0);
if (fd < 0)
return fd;
diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c
index 59f580775d..efc36e2d6d 100644
--- a/src/shared/creds-util.c
+++ b/src/shared/creds-util.c
@@ -342,6 +342,9 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *
filename = "credential.secret";
}
+ assert(dirname);
+ assert(filename);
+
mkdir_parents(dirname, 0755);
dfd = open_mkdir_at(AT_FDCWD, dirname, O_CLOEXEC, 0755);
if (dfd < 0)
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index e0db777c96..7dca6ad7d4 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -6,7 +6,7 @@
#include "alloc-util.h"
#include "dev-setup.h"
-#include "label.h"
+#include "label-util.h"
#include "log.h"
#include "mkdir-label.h"
#include "nulstr-util.h"
diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c
index c4cf508517..d9336f4431 100644
--- a/src/shared/find-esp.c
+++ b/src/shared/find-esp.c
@@ -31,7 +31,7 @@ typedef enum VerifyESPFlags {
static int verify_esp_blkid(
dev_t devid,
- bool searching,
+ VerifyESPFlags flags,
uint32_t *ret_part,
uint64_t *ret_pstart,
uint64_t *ret_psize,
@@ -44,6 +44,7 @@ static int verify_esp_blkid(
#if HAVE_BLKID
_cleanup_(blkid_free_probep) blkid_probe b = NULL;
_cleanup_free_ char *node = NULL;
+ bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING);
const char *v;
int r;
@@ -65,9 +66,9 @@ static int verify_esp_blkid(
r = blkid_do_safeprobe(b);
if (r == -2)
return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "File system \"%s\" is ambiguous.", node);
- else if (r == 1)
+ if (r == 1)
return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "File system \"%s\" does not contain a label.", node);
- else if (r != 0)
+ if (r != 0)
return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "Failed to probe file system \"%s\": %m", node);
r = blkid_probe_lookup_value(b, "TYPE", &v, NULL);
@@ -146,12 +147,13 @@ static int verify_esp_blkid(
static int verify_esp_udev(
dev_t devid,
- bool searching,
+ VerifyESPFlags flags,
uint32_t *ret_part,
uint64_t *ret_pstart,
uint64_t *ret_psize,
sd_id128_t *ret_uuid) {
+ bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING);
_cleanup_(sd_device_unrefp) sd_device *d = NULL;
sd_id128_t uuid = SD_ID128_NULL;
uint64_t pstart = 0, psize = 0;
@@ -240,10 +242,11 @@ static int verify_esp_udev(
static int verify_fsroot_dir(
int dir_fd,
const char *path,
- bool searching,
- bool unprivileged_mode,
+ VerifyESPFlags flags,
dev_t *ret_dev) {
+ bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING),
+ unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE);
_cleanup_free_ char *f = NULL;
STRUCT_NEW_STATX_DEFINE(sxa);
STRUCT_NEW_STATX_DEFINE(sxb);
@@ -377,7 +380,7 @@ static int verify_esp(
relax_checks ||
detect_container() > 0;
- r = verify_fsroot_dir(pfd, p, searching, unprivileged_mode, relax_checks ? NULL : &devid);
+ r = verify_fsroot_dir(pfd, p, flags, relax_checks ? NULL : &devid);
if (r < 0)
return r;
@@ -392,9 +395,9 @@ static int verify_esp(
* however blkid can't work if we have no privileges to access block devices directly, which is why
* we use udev in that case. */
if (unprivileged_mode)
- r = verify_esp_udev(devid, searching, ret_part, ret_pstart, ret_psize, ret_uuid);
+ r = verify_esp_udev(devid, flags, ret_part, ret_pstart, ret_psize, ret_uuid);
else
- r = verify_esp_blkid(devid, searching, ret_part, ret_pstart, ret_psize, ret_uuid);
+ r = verify_esp_blkid(devid, flags, ret_part, ret_pstart, ret_psize, ret_uuid);
if (r < 0)
return r;
@@ -425,7 +428,7 @@ finish:
int find_esp_and_warn_at(
int rfd,
const char *path,
- bool unprivileged_mode,
+ int unprivileged_mode,
char **ret_path,
uint32_t *ret_part,
uint64_t *ret_pstart,
@@ -433,7 +436,7 @@ int find_esp_and_warn_at(
sd_id128_t *ret_uuid,
dev_t *ret_devid) {
- VerifyESPFlags flags = (unprivileged_mode ? VERIFY_ESP_UNPRIVILEGED_MODE : 0);
+ VerifyESPFlags flags;
int r;
/* This logs about all errors except:
@@ -444,6 +447,10 @@ int find_esp_and_warn_at(
assert(rfd >= 0 || rfd == AT_FDCWD);
+ if (unprivileged_mode < 0)
+ unprivileged_mode = geteuid() != 0;
+ flags = unprivileged_mode > 0 ? VERIFY_ESP_UNPRIVILEGED_MODE : 0;
+
r = dir_fd_is_root_or_cwd(rfd);
if (r < 0)
return log_error_errno(r, "Failed to check if directory file descriptor is root: %m");
@@ -509,7 +516,7 @@ int find_esp_and_warn_at(
int find_esp_and_warn(
const char *root,
const char *path,
- bool unprivileged_mode,
+ int unprivileged_mode,
char **ret_path,
uint32_t *ret_part,
uint64_t *ret_pstart,
@@ -560,12 +567,13 @@ int find_esp_and_warn(
static int verify_xbootldr_blkid(
dev_t devid,
- bool searching,
+ VerifyESPFlags flags,
sd_id128_t *ret_uuid) {
sd_id128_t uuid = SD_ID128_NULL;
#if HAVE_BLKID
+ bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING);
_cleanup_(blkid_free_probep) blkid_probe b = NULL;
_cleanup_free_ char *node = NULL;
const char *type, *v;
@@ -644,9 +652,10 @@ static int verify_xbootldr_blkid(
static int verify_xbootldr_udev(
dev_t devid,
- bool searching,
+ VerifyESPFlags flags,
sd_id128_t *ret_uuid) {
+ bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING);
_cleanup_(sd_device_unrefp) sd_device *d = NULL;
sd_id128_t uuid = SD_ID128_NULL;
const char *node, *type, *v;
@@ -718,15 +727,16 @@ static int verify_xbootldr_udev(
static int verify_xbootldr(
int rfd,
const char *path,
- bool searching,
- bool unprivileged_mode,
+ VerifyESPFlags flags,
char **ret_path,
sd_id128_t *ret_uuid,
dev_t *ret_devid) {
_cleanup_free_ char *p = NULL;
_cleanup_close_ int pfd = -EBADF;
- bool relax_checks;
+ bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING),
+ unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE),
+ relax_checks;
dev_t devid = 0;
int r;
@@ -743,7 +753,7 @@ static int verify_xbootldr(
getenv_bool("SYSTEMD_RELAX_XBOOTLDR_CHECKS") > 0 ||
detect_container() > 0;
- r = verify_fsroot_dir(pfd, p, searching, unprivileged_mode, relax_checks ? NULL : &devid);
+ r = verify_fsroot_dir(pfd, p, flags, relax_checks ? NULL : &devid);
if (r < 0)
return r;
@@ -751,9 +761,9 @@ static int verify_xbootldr(
goto finish;
if (unprivileged_mode)
- r = verify_xbootldr_udev(devid, searching, ret_uuid);
+ r = verify_xbootldr_udev(devid, flags, ret_uuid);
else
- r = verify_xbootldr_blkid(devid, searching, ret_uuid);
+ r = verify_xbootldr_blkid(devid, flags, ret_uuid);
if (r < 0)
return r;
@@ -778,19 +788,25 @@ finish:
int find_xbootldr_and_warn_at(
int rfd,
const char *path,
- bool unprivileged_mode,
+ int unprivileged_mode,
char **ret_path,
sd_id128_t *ret_uuid,
dev_t *ret_devid) {
+ VerifyESPFlags flags = 0;
int r;
/* Similar to find_esp_and_warn(), but finds the XBOOTLDR partition. Returns the same errors. */
assert(rfd >= 0 || rfd == AT_FDCWD);
+ if (unprivileged_mode < 0)
+ unprivileged_mode = geteuid() != 0;
+ if (unprivileged_mode)
+ flags |= VERIFY_ESP_UNPRIVILEGED_MODE;
+
if (path)
- return verify_xbootldr(rfd, path, /* searching= */ false, unprivileged_mode, ret_path, ret_uuid, ret_devid);
+ return verify_xbootldr(rfd, path, flags, ret_path, ret_uuid, ret_devid);
path = getenv("SYSTEMD_XBOOTLDR_PATH");
if (path) {
@@ -822,7 +838,7 @@ int find_xbootldr_and_warn_at(
return 0;
}
- r = verify_xbootldr(rfd, "/boot", /* searching= */ true, unprivileged_mode, ret_path, ret_uuid, ret_devid);
+ r = verify_xbootldr(rfd, "/boot", flags | VERIFY_ESP_SEARCHING, ret_path, ret_uuid, ret_devid);
if (r < 0) {
if (!IN_SET(r, -ENOENT, -EADDRNOTAVAIL, -ENOTDIR)) /* This one is not it */
return r;
@@ -836,7 +852,7 @@ int find_xbootldr_and_warn_at(
int find_xbootldr_and_warn(
const char *root,
const char *path,
- bool unprivileged_mode,
+ int unprivileged_mode,
char **ret_path,
sd_id128_t *ret_uuid,
dev_t *ret_devid) {
diff --git a/src/shared/find-esp.h b/src/shared/find-esp.h
index 94f320195b..2e132a74aa 100644
--- a/src/shared/find-esp.h
+++ b/src/shared/find-esp.h
@@ -8,8 +8,8 @@
#include "sd-id128.h"
-int find_esp_and_warn_at(int rfd, const char *path, bool unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid);
-int find_esp_and_warn(const char *root, const char *path, bool unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid);
+int find_esp_and_warn_at(int rfd, const char *path, int unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid);
+int find_esp_and_warn(const char *root, const char *path, int unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid);
-int find_xbootldr_and_warn_at(int rfd, const char *path, bool unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid);
-int find_xbootldr_and_warn(const char *root, const char *path, bool unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid);
+int find_xbootldr_and_warn_at(int rfd, const char *path, int unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid);
+int find_xbootldr_and_warn(const char *root, const char *path, int unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid);
diff --git a/src/shared/hwdb-util.c b/src/shared/hwdb-util.c
index 785611f8c4..a2fbcd7078 100644
--- a/src/shared/hwdb-util.c
+++ b/src/shared/hwdb-util.c
@@ -11,7 +11,7 @@
#include "fs-util.h"
#include "hwdb-internal.h"
#include "hwdb-util.h"
-#include "label.h"
+#include "label-util.h"
#include "mkdir-label.h"
#include "nulstr-util.h"
#include "path-util.h"
diff --git a/src/shared/label.c b/src/shared/label-util.c
index 66fcc0a31f..3316c9ed37 100644
--- a/src/shared/label.c
+++ b/src/shared/label-util.c
@@ -7,6 +7,7 @@
#include "btrfs-util.h"
#include "fs-util.h"
#include "label.h"
+#include "label-util.h"
#include "macro.h"
#include "selinux-util.h"
#include "smack-util.h"
@@ -115,3 +116,15 @@ int btrfs_subvol_make_label(const char *path) {
return mac_smack_fix(path, 0);
}
+
+int mac_init(void) {
+ int r;
+
+ assert(!(mac_selinux_use() && mac_smack_use()));
+
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
+
+ return mac_smack_init();
+}
diff --git a/src/shared/label.h b/src/shared/label-util.h
index 2f899e2bdd..2f8c539618 100644
--- a/src/shared/label.h
+++ b/src/shared/label-util.h
@@ -24,3 +24,5 @@ static inline int symlink_atomic_label(const char *from, const char *to) {
int mknod_label(const char *pathname, mode_t mode, dev_t dev);
int btrfs_subvol_make_label(const char *path);
+
+int mac_init(void);
diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
index 5418871093..3e51c93ede 100644
--- a/src/shared/loop-util.c
+++ b/src/shared/loop-util.c
@@ -677,9 +677,9 @@ int loop_device_make_by_path_at(
direct_flags = FLAGS_SET(loop_flags, LO_FLAGS_DIRECT_IO) ? O_DIRECT : 0;
rdwr_flags = open_flags >= 0 ? open_flags : O_RDWR;
- fd = xopenat(dir_fd, path, basic_flags|direct_flags|rdwr_flags, 0);
+ fd = xopenat(dir_fd, path, basic_flags|direct_flags|rdwr_flags, /* xopen_flags = */ 0, /* mode = */ 0);
if (fd < 0 && direct_flags != 0) /* If we had O_DIRECT on, and things failed with that, let's immediately try again without */
- fd = xopenat(dir_fd, path, basic_flags|rdwr_flags, 0);
+ fd = xopenat(dir_fd, path, basic_flags|rdwr_flags, /* xopen_flags = */ 0, /* mode = */ 0);
else
direct = direct_flags != 0;
if (fd < 0) {
@@ -689,9 +689,9 @@ int loop_device_make_by_path_at(
if (open_flags >= 0 || !(ERRNO_IS_PRIVILEGE(r) || r == -EROFS))
return r;
- fd = xopenat(dir_fd, path, basic_flags|direct_flags|O_RDONLY, 0);
+ fd = xopenat(dir_fd, path, basic_flags|direct_flags|O_RDONLY, /* xopen_flags = */ 0, /* mode = */ 0);
if (fd < 0 && direct_flags != 0) /* as above */
- fd = xopenat(dir_fd, path, basic_flags|O_RDONLY, 0);
+ fd = xopenat(dir_fd, path, basic_flags|O_RDONLY, /* xopen_flags = */ 0, /* mode = */ 0);
else
direct = direct_flags != 0;
if (fd < 0)
@@ -818,7 +818,8 @@ static LoopDevice* loop_device_free(LoopDevice *d) {
/* Now that the block device is released, let's also try to remove it */
if (control >= 0) {
- useconds_t delay = 5 * USEC_PER_MSEC;
+ useconds_t delay = 5 * USEC_PER_MSEC; /* A total delay of 5090 ms between 39 attempts,
+ * (4*5 + 5*10 + 5*20 + … + 3*640) = 5090. */
for (unsigned attempt = 1;; attempt++) {
if (ioctl(control, LOOP_CTL_REMOVE, d->nr) >= 0)
diff --git a/src/shared/loopback-setup.c b/src/shared/loopback-setup.c
index 5dbc4b1af2..a02baf8399 100644
--- a/src/shared/loopback-setup.c
+++ b/src/shared/loopback-setup.c
@@ -114,9 +114,15 @@ static int add_ipv6_address(sd_netlink *rtnl, struct state *s) {
if (r < 0)
return r;
- r = sd_rtnl_message_addr_set_flags(req, IFA_F_PERMANENT);
+ uint32_t flags = IFA_F_PERMANENT|IFA_F_NOPREFIXROUTE;
+ r = sd_rtnl_message_addr_set_flags(req, flags & 0xffu); /* rtnetlink wants low 8 bit of flags via regular flags field… */
if (r < 0)
return r;
+ if ((flags & ~0xffu) != 0) {
+ r = sd_netlink_message_append_u32(req, IFA_FLAGS, flags); /* …and the rest of the flags via IFA_FLAGS */
+ if (r < 0)
+ return r;
+ }
r = sd_rtnl_message_addr_set_scope(req, RT_SCOPE_HOST);
if (r < 0)
@@ -134,22 +140,22 @@ static int add_ipv6_address(sd_netlink *rtnl, struct state *s) {
return 0;
}
-static bool check_loopback(sd_netlink *rtnl) {
+static int check_loopback(sd_netlink *rtnl) {
_cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL;
unsigned flags;
int r;
r = sd_rtnl_message_new_link(rtnl, &req, RTM_GETLINK, LOOPBACK_IFINDEX);
if (r < 0)
- return false;
+ return r;
r = sd_netlink_call(rtnl, req, USEC_INFINITY, &reply);
if (r < 0)
- return false;
+ return r;
r = sd_rtnl_message_link_get_flags(reply, &flags);
if (r < 0)
- return false;
+ return r;
return flags & IFF_UP;
}
@@ -170,9 +176,11 @@ int loopback_setup(void) {
};
int r;
+ /* Note, we, generally assume callers ignore the return code here (except test cases), hence only log add LOG_WARN level. */
+
r = sd_netlink_open(&rtnl);
if (r < 0)
- return log_error_errno(r, "Failed to open netlink: %m");
+ return log_warning_errno(r, "Failed to open netlink, ignoring: %m");
/* Note that we add the IP addresses here explicitly even though the kernel does that too implicitly when
* setting up the loopback device. The reason we do this here a second time (and possibly race against the
@@ -182,35 +190,42 @@ int loopback_setup(void) {
r = add_ipv4_address(rtnl, &state_4);
if (r < 0)
- return log_error_errno(r, "Failed to enqueue IPv4 loopback address add request: %m");
+ return log_warning_errno(r, "Failed to enqueue IPv4 loopback address add request, ignoring: %m");
r = add_ipv6_address(rtnl, &state_6);
if (r < 0)
- return log_error_errno(r, "Failed to enqueue IPv6 loopback address add request: %m");
+ return log_warning_errno(r, "Failed to enqueue IPv6 loopback address add request, ignoring: %m");
r = start_loopback(rtnl, &state_up);
if (r < 0)
- return log_error_errno(r, "Failed to enqueue loopback interface start request: %m");
+ return log_warning_errno(r, "Failed to enqueue loopback interface start request, ignoring: %m");
while (state_4.n_messages + state_6.n_messages + state_up.n_messages > 0) {
r = sd_netlink_wait(rtnl, LOOPBACK_SETUP_TIMEOUT_USEC);
if (r < 0)
- return log_error_errno(r, "Failed to wait for netlink event: %m");
+ return log_warning_errno(r, "Failed to wait for netlink event, ignoring: %m");
r = sd_netlink_process(rtnl, NULL);
if (r < 0)
- return log_warning_errno(r, "Failed to process netlink event: %m");
+ return log_warning_errno(r, "Failed to process netlink event, ignoring: %m");
}
/* Note that we don't really care whether the addresses could be added or not */
if (state_up.rcode != 0) {
- /* If we lack the permissions to configure the loopback device,
- * but we find it to be already configured, let's exit cleanly,
- * in order to supported unprivileged containers. */
- if (ERRNO_IS_PRIVILEGE(state_up.rcode) && check_loopback(rtnl))
- return 0;
- return log_warning_errno(state_up.rcode, "Failed to configure loopback network device: %m");
+ /* If we lack the permissions to configure the loopback device, but we find it to be already
+ * configured, let's exit cleanly, in order to supported unprivileged containers. */
+ if (ERRNO_IS_PRIVILEGE(state_up.rcode)) {
+ r = check_loopback(rtnl);
+ if (r < 0)
+ log_debug_errno(r, "Failed to check if loopback device might already be up, ignoring: %m");
+ else if (r > 0) {
+ log_debug("Configuring loopback failed, but device is already up, suppressing failure.");
+ return 0;
+ }
+ }
+
+ return log_warning_errno(state_up.rcode, "Failed to configure loopback network device, ignoring: %m");
}
return 0;
diff --git a/src/shared/machine-pool.c b/src/shared/machine-pool.c
index fb0b2f5adc..b372de40a3 100644
--- a/src/shared/machine-pool.c
+++ b/src/shared/machine-pool.c
@@ -3,7 +3,7 @@
#include <errno.h>
#include "btrfs-util.h"
-#include "label.h"
+#include "label-util.h"
#include "machine-pool.h"
#include "missing_magic.h"
#include "stat-util.h"
diff --git a/src/shared/meson.build b/src/shared/meson.build
index 021ba517f8..31241bc08d 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -96,7 +96,7 @@ shared_sources = files(
'kernel-image.c',
'keyring-util.c',
'killall.c',
- 'label.c',
+ 'label-util.c',
'libcrypt-util.c',
'libfido2-util.c',
'libmount-util.c',
diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
index 6162a58d9a..fd14cd8598 100644
--- a/src/shared/mount-setup.c
+++ b/src/shared/mount-setup.c
@@ -17,7 +17,7 @@
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
-#include "label.h"
+#include "label-util.h"
#include "log.h"
#include "macro.h"
#include "mkdir-label.h"
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index 7a06cc75ae..81b681afa7 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -22,7 +22,7 @@
#include "glyph-util.h"
#include "hashmap.h"
#include "initrd-util.h"
-#include "label.h"
+#include "label-util.h"
#include "libmount-util.h"
#include "missing_mount.h"
#include "missing_syscall.h"
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index cc00a85952..a38a56f434 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -20,6 +20,7 @@
#include "alloc-util.h"
#include "errno-util.h"
#include "fd-util.h"
+#include "label.h"
#include "log.h"
#include "macro.h"
#include "mallinfo-util.h"
@@ -54,6 +55,15 @@ static bool have_status_page = false;
: -ERRNO_VALUE(_e); \
_enforcing ? _r : 0; \
})
+
+static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) {
+ return mac_selinux_create_file_prepare_at(dir_fd, path, mode);
+}
+
+static int mac_selinux_label_post(int dir_fd, const char *path) {
+ mac_selinux_create_file_clear();
+ return 0;
+}
#endif
bool mac_selinux_use(void) {
@@ -128,6 +138,10 @@ static int open_label_db(void) {
int mac_selinux_init(void) {
#if HAVE_SELINUX
+ static const LabelOps label_ops = {
+ .pre = mac_selinux_label_pre,
+ .post = mac_selinux_label_post,
+ };
int r;
if (initialized)
@@ -152,6 +166,10 @@ int mac_selinux_init(void) {
return r;
}
+ r = label_ops_set(&label_ops);
+ if (r < 0)
+ return r;
+
/* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
* first call without any actual change. */
last_policyload = selinux_status_policyload();
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index e9771a28fe..238550ef52 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -7,7 +7,7 @@
#include <sys/types.h>
#include "macro.h"
-#include "label.h"
+#include "label-util.h"
#if HAVE_SELINUX
#include <selinux/selinux.h>
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 8c28dd91d7..1f88e724d0 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -15,6 +15,7 @@
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
+#include "label.h"
#include "log.h"
#include "macro.h"
#include "path-util.h"
@@ -288,3 +289,23 @@ int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, con
return 0;
#endif
}
+
+static int mac_smack_label_pre(int dir_fd, const char *path, mode_t mode) {
+ return 0;
+}
+
+static int mac_smack_label_post(int dir_fd, const char *path) {
+ return mac_smack_fix_full(dir_fd, path, NULL, 0);
+}
+
+int mac_smack_init(void) {
+ static const LabelOps label_ops = {
+ .pre = mac_smack_label_pre,
+ .post = mac_smack_label_post,
+ };
+
+ if (!mac_smack_use())
+ return 0;
+
+ return label_ops_set(&label_ops);
+}
diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h
index 17b31c6c25..f6ed2ece38 100644
--- a/src/shared/smack-util.h
+++ b/src/shared/smack-util.h
@@ -10,7 +10,7 @@
#include <stdbool.h>
#include <sys/types.h>
-#include "label.h"
+#include "label-util.h"
#include "macro.h"
#define SMACK_FLOOR_LABEL "_"
@@ -28,6 +28,7 @@ typedef enum SmackAttr {
} SmackAttr;
bool mac_smack_use(void);
+int mac_smack_init(void);
int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);
static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {