Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/btrfs-util.c | 2 | ||||
-rw-r--r-- | src/shared/creds-util.c | 3 | ||||
-rw-r--r-- | src/shared/dev-setup.c | 2 | ||||
-rw-r--r-- | src/shared/find-esp.c | 64 | ||||
-rw-r--r-- | src/shared/find-esp.h | 8 | ||||
-rw-r--r-- | src/shared/hwdb-util.c | 2 | ||||
-rw-r--r-- | src/shared/label-util.c (renamed from src/shared/label.c) | 13 | ||||
-rw-r--r-- | src/shared/label-util.h (renamed from src/shared/label.h) | 2 | ||||
-rw-r--r-- | src/shared/loop-util.c | 11 | ||||
-rw-r--r-- | src/shared/loopback-setup.c | 49 | ||||
-rw-r--r-- | src/shared/machine-pool.c | 2 | ||||
-rw-r--r-- | src/shared/meson.build | 2 | ||||
-rw-r--r-- | src/shared/mount-setup.c | 2 | ||||
-rw-r--r-- | src/shared/mount-util.c | 2 | ||||
-rw-r--r-- | src/shared/selinux-util.c | 18 | ||||
-rw-r--r-- | src/shared/selinux-util.h | 2 | ||||
-rw-r--r-- | src/shared/smack-util.c | 21 | ||||
-rw-r--r-- | src/shared/smack-util.h | 3 |
18 files changed, 149 insertions, 59 deletions
diff --git a/src/shared/btrfs-util.c b/src/shared/btrfs-util.c index 7909184f2d..16295a5823 100644 --- a/src/shared/btrfs-util.c +++ b/src/shared/btrfs-util.c @@ -223,7 +223,7 @@ int btrfs_get_block_device_at(int dir_fd, const char *path, dev_t *ret) { assert(path); assert(ret); - fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY, 0); + fd = xopenat(dir_fd, path, O_RDONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY, /* xopen_flags = */ 0, /* mode = */ 0); if (fd < 0) return fd; diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c index 59f580775d..efc36e2d6d 100644 --- a/src/shared/creds-util.c +++ b/src/shared/creds-util.c @@ -342,6 +342,9 @@ int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t * filename = "credential.secret"; } + assert(dirname); + assert(filename); + mkdir_parents(dirname, 0755); dfd = open_mkdir_at(AT_FDCWD, dirname, O_CLOEXEC, 0755); if (dfd < 0) diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c index e0db777c96..7dca6ad7d4 100644 --- a/src/shared/dev-setup.c +++ b/src/shared/dev-setup.c @@ -6,7 +6,7 @@ #include "alloc-util.h" #include "dev-setup.h" -#include "label.h" +#include "label-util.h" #include "log.h" #include "mkdir-label.h" #include "nulstr-util.h" diff --git a/src/shared/find-esp.c b/src/shared/find-esp.c index c4cf508517..d9336f4431 100644 --- a/src/shared/find-esp.c +++ b/src/shared/find-esp.c @@ -31,7 +31,7 @@ typedef enum VerifyESPFlags { static int verify_esp_blkid( dev_t devid, - bool searching, + VerifyESPFlags flags, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, @@ -44,6 +44,7 @@ static int verify_esp_blkid( #if HAVE_BLKID _cleanup_(blkid_free_probep) blkid_probe b = NULL; _cleanup_free_ char *node = NULL; + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING); const char *v; int r; 
@@ -65,9 +66,9 @@ static int verify_esp_blkid( r = blkid_do_safeprobe(b); if (r == -2) return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "File system \"%s\" is ambiguous.", node); - else if (r == 1) + if (r == 1) return log_error_errno(SYNTHETIC_ERRNO(ENODEV), "File system \"%s\" does not contain a label.", node); - else if (r != 0) + if (r != 0) return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "Failed to probe file system \"%s\": %m", node); r = blkid_probe_lookup_value(b, "TYPE", &v, NULL); @@ -146,12 +147,13 @@ static int verify_esp_blkid( static int verify_esp_udev( dev_t devid, - bool searching, + VerifyESPFlags flags, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid) { + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING); _cleanup_(sd_device_unrefp) sd_device *d = NULL; sd_id128_t uuid = SD_ID128_NULL; uint64_t pstart = 0, psize = 0; @@ -240,10 +242,11 @@ static int verify_esp_udev( static int verify_fsroot_dir( int dir_fd, const char *path, - bool searching, - bool unprivileged_mode, + VerifyESPFlags flags, dev_t *ret_dev) { + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING), + unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE); _cleanup_free_ char *f = NULL; STRUCT_NEW_STATX_DEFINE(sxa); STRUCT_NEW_STATX_DEFINE(sxb); @@ -377,7 +380,7 @@ static int verify_esp( relax_checks || detect_container() > 0; - r = verify_fsroot_dir(pfd, p, searching, unprivileged_mode, relax_checks ? NULL : &devid); + r = verify_fsroot_dir(pfd, p, flags, relax_checks ? NULL : &devid); if (r < 0) return r; 
@@ -392,9 +395,9 @@ static int verify_esp( * however blkid can't work if we have no privileges to access block devices directly, which is why * we use udev in that case. */ if (unprivileged_mode) - r = verify_esp_udev(devid, searching, ret_part, ret_pstart, ret_psize, ret_uuid); + r = verify_esp_udev(devid, flags, ret_part, ret_pstart, ret_psize, ret_uuid); else - r = verify_esp_blkid(devid, searching, ret_part, ret_pstart, ret_psize, ret_uuid); + r = verify_esp_blkid(devid, flags, ret_part, ret_pstart, ret_psize, ret_uuid); if (r < 0) return r; @@ -425,7 +428,7 @@ finish: int find_esp_and_warn_at( int rfd, const char *path, - bool unprivileged_mode, + int unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, @@ -433,7 +436,7 @@ int find_esp_and_warn_at( sd_id128_t *ret_uuid, dev_t *ret_devid) { - VerifyESPFlags flags = (unprivileged_mode ? VERIFY_ESP_UNPRIVILEGED_MODE : 0); + VerifyESPFlags flags; int r; /* This logs about all errors except: @@ -444,6 +447,10 @@ int find_esp_and_warn_at( assert(rfd >= 0 || rfd == AT_FDCWD); + if (unprivileged_mode < 0) + unprivileged_mode = geteuid() != 0; + flags = unprivileged_mode > 0 ? VERIFY_ESP_UNPRIVILEGED_MODE : 0; + r = dir_fd_is_root_or_cwd(rfd); if (r < 0) return log_error_errno(r, "Failed to check if directory file descriptor is root: %m"); @@ -509,7 +516,7 @@ int find_esp_and_warn_at( int find_esp_and_warn( const char *root, const char *path, - bool unprivileged_mode, + int unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, @@ -560,12 +567,13 @@ int find_esp_and_warn( static int verify_xbootldr_blkid( dev_t devid, - bool searching, + VerifyESPFlags flags, sd_id128_t *ret_uuid) { sd_id128_t uuid = SD_ID128_NULL; #if HAVE_BLKID + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING); _cleanup_(blkid_free_probep) blkid_probe b = NULL; _cleanup_free_ char *node = NULL; const char *type, *v; 
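Review bot: In find_esp_and_warn_at() (hunk -444,6 +447,10) a negative `unprivileged_mode` is now resolved with `geteuid() != 0`, but neither this function nor the prototypes changed in find-esp.h say that the parameter has become a tristate. Effective UID only approximates "may open the block device": a UID-0 caller without device access (for example in a user namespace or a restricted sandbox) would presumably still be sent down the blkid branch of verify_esp(). I would document the contract at the prototypes, e.g. `/* unprivileged_mode: < 0 = derive from geteuid(), 0 = probe via blkid, > 0 = query udev */`, and mention the euid caveat there. find_xbootldr_and_warn_at() (hunk -778,19 +788,25) repeats the same logic but tests `if (unprivileged_mode)` where this function tests `> 0`; using one form in both keeps the two entry points in step.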
@@ -644,9 +652,10 @@ static int verify_xbootldr_blkid( static int verify_xbootldr_udev( dev_t devid, - bool searching, + VerifyESPFlags flags, sd_id128_t *ret_uuid) { + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING); _cleanup_(sd_device_unrefp) sd_device *d = NULL; sd_id128_t uuid = SD_ID128_NULL; const char *node, *type, *v; @@ -718,15 +727,16 @@ static int verify_xbootldr_udev( static int verify_xbootldr( int rfd, const char *path, - bool searching, - bool unprivileged_mode, + VerifyESPFlags flags, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid) { _cleanup_free_ char *p = NULL; _cleanup_close_ int pfd = -EBADF; - bool relax_checks; + bool searching = FLAGS_SET(flags, VERIFY_ESP_SEARCHING), + unprivileged_mode = FLAGS_SET(flags, VERIFY_ESP_UNPRIVILEGED_MODE), + relax_checks; dev_t devid = 0; int r; @@ -743,7 +753,7 @@ static int verify_xbootldr( getenv_bool("SYSTEMD_RELAX_XBOOTLDR_CHECKS") > 0 || detect_container() > 0; - r = verify_fsroot_dir(pfd, p, searching, unprivileged_mode, relax_checks ? NULL : &devid); + r = verify_fsroot_dir(pfd, p, flags, relax_checks ? NULL : &devid); if (r < 0) return r; @@ -751,9 +761,9 @@ static int verify_xbootldr( goto finish; if (unprivileged_mode) - r = verify_xbootldr_udev(devid, searching, ret_uuid); + r = verify_xbootldr_udev(devid, flags, ret_uuid); else - r = verify_xbootldr_blkid(devid, searching, ret_uuid); + r = verify_xbootldr_blkid(devid, flags, ret_uuid); if (r < 0) return r; 
@@ -778,19 +788,25 @@ finish: int find_xbootldr_and_warn_at( int rfd, const char *path, - bool unprivileged_mode, + int unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid) { + VerifyESPFlags flags = 0; int r; /* Similar to find_esp_and_warn(), but finds the XBOOTLDR partition. Returns the same errors. */ assert(rfd >= 0 || rfd == AT_FDCWD); + if (unprivileged_mode < 0) + unprivileged_mode = geteuid() != 0; + if (unprivileged_mode) + flags |= VERIFY_ESP_UNPRIVILEGED_MODE; + if (path) - return verify_xbootldr(rfd, path, /* searching= */ false, unprivileged_mode, ret_path, ret_uuid, ret_devid); + return verify_xbootldr(rfd, path, flags, ret_path, ret_uuid, ret_devid); path = getenv("SYSTEMD_XBOOTLDR_PATH"); if (path) { @@ -822,7 +838,7 @@ int find_xbootldr_and_warn_at( return 0; } - r = verify_xbootldr(rfd, "/boot", /* searching= */ true, unprivileged_mode, ret_path, ret_uuid, ret_devid); + r = verify_xbootldr(rfd, "/boot", flags | VERIFY_ESP_SEARCHING, ret_path, ret_uuid, ret_devid); if (r < 0) { if (!IN_SET(r, -ENOENT, -EADDRNOTAVAIL, -ENOTDIR)) /* This one is not it */ return r; @@ -836,7 +852,7 @@ int find_xbootldr_and_warn_at( int find_xbootldr_and_warn( const char *root, const char *path, - bool unprivileged_mode, + int unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid) { diff --git a/src/shared/find-esp.h b/src/shared/find-esp.h index 94f320195b..2e132a74aa 100644 --- a/src/shared/find-esp.h +++ b/src/shared/find-esp.h 
@@ -8,8 +8,8 @@ #include "sd-id128.h" -int find_esp_and_warn_at(int rfd, const char *path, bool unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid); -int find_esp_and_warn(const char *root, const char *path, bool unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid); +int find_esp_and_warn_at(int rfd, const char *path, int unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid); +int find_esp_and_warn(const char *root, const char *path, int unprivileged_mode, char **ret_path, uint32_t *ret_part, uint64_t *ret_pstart, uint64_t *ret_psize, sd_id128_t *ret_uuid, dev_t *ret_devid); -int find_xbootldr_and_warn_at(int rfd, const char *path, bool unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid); -int find_xbootldr_and_warn(const char *root, const char *path, bool unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid); +int find_xbootldr_and_warn_at(int rfd, const char *path, int unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid); +int find_xbootldr_and_warn(const char *root, const char *path, int unprivileged_mode, char **ret_path, sd_id128_t *ret_uuid, dev_t *ret_devid); diff --git a/src/shared/hwdb-util.c b/src/shared/hwdb-util.c index 785611f8c4..a2fbcd7078 100644 --- a/src/shared/hwdb-util.c +++ b/src/shared/hwdb-util.c @@ -11,7 +11,7 @@ #include "fs-util.h" #include "hwdb-internal.h" #include "hwdb-util.h" -#include "label.h" +#include "label-util.h" #include "mkdir-label.h" #include "nulstr-util.h" #include "path-util.h" diff --git a/src/shared/label.c b/src/shared/label-util.c index 66fcc0a31f..3316c9ed37 100644 --- a/src/shared/label.c +++ b/src/shared/label-util.c 
@@ -7,6 +7,7 @@ #include "btrfs-util.h" #include "fs-util.h" #include "label.h" +#include "label-util.h" #include "macro.h" #include "selinux-util.h" #include "smack-util.h" @@ -115,3 +116,15 @@ int btrfs_subvol_make_label(const char *path) { return mac_smack_fix(path, 0); } + +int mac_init(void) { + int r; + + assert(!(mac_selinux_use() && mac_smack_use())); + + r = mac_selinux_init(); + if (r < 0) + return r; + + return mac_smack_init(); +} diff --git a/src/shared/label.h b/src/shared/label-util.h index 2f899e2bdd..2f8c539618 100644 --- a/src/shared/label.h +++ b/src/shared/label-util.h @@ -24,3 +24,5 @@ static inline int symlink_atomic_label(const char *from, const char *to) { int mknod_label(const char *pathname, mode_t mode, dev_t dev); int btrfs_subvol_make_label(const char *path); + +int mac_init(void); diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c index 5418871093..3e51c93ede 100644 --- a/src/shared/loop-util.c +++ b/src/shared/loop-util.c @@ -677,9 +677,9 @@ int loop_device_make_by_path_at( direct_flags = FLAGS_SET(loop_flags, LO_FLAGS_DIRECT_IO) ? O_DIRECT : 0; rdwr_flags = open_flags >= 0 ? open_flags : O_RDWR; - fd = xopenat(dir_fd, path, basic_flags|direct_flags|rdwr_flags, 0); + fd = xopenat(dir_fd, path, basic_flags|direct_flags|rdwr_flags, /* xopen_flags = */ 0, /* mode = */ 0); if (fd < 0 && direct_flags != 0) /* If we had O_DIRECT on, and things failed with that, let's immediately try again without */ - fd = xopenat(dir_fd, path, basic_flags|rdwr_flags, 0); + fd = xopenat(dir_fd, path, basic_flags|rdwr_flags, /* xopen_flags = */ 0, /* mode = */ 0); else direct = direct_flags != 0; if (fd < 0) { 
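Review bot: `assert(!(mac_selinux_use() && mac_smack_use()));` in the new mac_init() (label-util.c, hunk -115,3 +116,15) turns a property of the running system into a process abort. Both predicates are defined outside this diff, so whether they can ever be true together is not visible here; if they can, every program that calls mac_init() dies at startup instead of reporting an error, and a build with assertions compiled out would go on to call label_ops_set() from both backends. Handling the case as a runtime error is safer, e.g. `if (mac_selinux_use() && mac_smack_use()) return -EOPNOTSUPP;`. A one-line comment above mac_init() stating that SELinux is initialized first, then SMACK, and that a failure of the first skips the second, would document the ordering.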
@@ -689,9 +689,9 @@ int loop_device_make_by_path_at( if (open_flags >= 0 || !(ERRNO_IS_PRIVILEGE(r) || r == -EROFS)) return r; - fd = xopenat(dir_fd, path, basic_flags|direct_flags|O_RDONLY, 0); + fd = xopenat(dir_fd, path, basic_flags|direct_flags|O_RDONLY, /* xopen_flags = */ 0, /* mode = */ 0); if (fd < 0 && direct_flags != 0) /* as above */ - fd = xopenat(dir_fd, path, basic_flags|O_RDONLY, 0); + fd = xopenat(dir_fd, path, basic_flags|O_RDONLY, /* xopen_flags = */ 0, /* mode = */ 0); else direct = direct_flags != 0; if (fd < 0) @@ -818,7 +818,8 @@ static LoopDevice* loop_device_free(LoopDevice *d) { /* Now that the block device is released, let's also try to remove it */ if (control >= 0) { - useconds_t delay = 5 * USEC_PER_MSEC; + useconds_t delay = 5 * USEC_PER_MSEC; /* A total delay of 5090 ms between 39 attempts, + * (4*5 + 5*10 + 5*20 + … + 3*640) = 5090. */ for (unsigned attempt = 1;; attempt++) { if (ioctl(control, LOOP_CTL_REMOVE, d->nr) >= 0) diff --git a/src/shared/loopback-setup.c b/src/shared/loopback-setup.c index 5dbc4b1af2..a02baf8399 100644 --- a/src/shared/loopback-setup.c +++ b/src/shared/loopback-setup.c @@ -114,9 +114,15 @@ static int add_ipv6_address(sd_netlink *rtnl, struct state *s) { if (r < 0) return r; - r = sd_rtnl_message_addr_set_flags(req, IFA_F_PERMANENT); + uint32_t flags = IFA_F_PERMANENT|IFA_F_NOPREFIXROUTE; + r = sd_rtnl_message_addr_set_flags(req, flags & 0xffu); /* rtnetlink wants low 8 bit of flags via regular flags field… */ if (r < 0) return r; + if ((flags & ~0xffu) != 0) { + r = sd_netlink_message_append_u32(req, IFA_FLAGS, flags); /* …and the rest of the flags via IFA_FLAGS */ + if (r < 0) + return r; + } r = sd_rtnl_message_addr_set_scope(req, RT_SCOPE_HOST); if (r < 0) 
@@ -134,22 +140,22 @@ static int add_ipv6_address(sd_netlink *rtnl, struct state *s) { return 0; } -static bool check_loopback(sd_netlink *rtnl) { +static int check_loopback(sd_netlink *rtnl) { _cleanup_(sd_netlink_message_unrefp) sd_netlink_message *req = NULL, *reply = NULL; unsigned flags; int r; r = sd_rtnl_message_new_link(rtnl, &req, RTM_GETLINK, LOOPBACK_IFINDEX); if (r < 0) - return false; + return r; r = sd_netlink_call(rtnl, req, USEC_INFINITY, &reply); if (r < 0) - return false; + return r; r = sd_rtnl_message_link_get_flags(reply, &flags); if (r < 0) - return false; + return r; return flags & IFF_UP; } @@ -170,9 +176,11 @@ int loopback_setup(void) { }; int r; + /* Note, we, generally assume callers ignore the return code here (except test cases), hence only log add LOG_WARN level. */ + r = sd_netlink_open(&rtnl); if (r < 0) - return log_error_errno(r, "Failed to open netlink: %m"); + return log_warning_errno(r, "Failed to open netlink, ignoring: %m"); /* Note that we add the IP addresses here explicitly even though the kernel does that too implicitly when * setting up the loopback device. The reason we do this here a second time (and possibly race against the 
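Review bot: check_loopback() (hunk -134,22 +140,22) now returns negative errno values on failure, but its success path is still `return flags & IFF_UP;`, which hands a raw bit mask back through the same int. That is only correct because IFF_UP happens to be the lowest bit; the caller in loopback_setup() distinguishes `r < 0` from `r > 0`, so the result should be normalised explicitly, `return !!(flags & IFF_UP);`. A short comment on the function, `/* Returns < 0 on error, 0 if the loopback device is down, > 0 if it is up */`, would make the new contract visible.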
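Review bot: The comment added at the top of loopback_setup() (hunk -170,9 +176,11) reads "only log add LOG_WARN level"; it should be `/* Note that callers generally ignore the return value here (except test cases), hence only log at LOG_WARNING level. */`. More substantively, every message in this hunk and in the following one (-182,35 +190,42) now ends in ", ignoring" while the function still returns the negative error from log_warning_errno(). The log text therefore describes what callers are assumed to do, not what this function does, and a caller that does check the result will see a failure the log claims was ignored. Either drop ", ignoring" from the messages or state in the comment that the return value is kept deliberately for the test cases.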
@@ -182,35 +190,42 @@ int loopback_setup(void) { r = add_ipv4_address(rtnl, &state_4); if (r < 0) - return log_error_errno(r, "Failed to enqueue IPv4 loopback address add request: %m"); + return log_warning_errno(r, "Failed to enqueue IPv4 loopback address add request, ignoring: %m"); r = add_ipv6_address(rtnl, &state_6); if (r < 0) - return log_error_errno(r, "Failed to enqueue IPv6 loopback address add request: %m"); + return log_warning_errno(r, "Failed to enqueue IPv6 loopback address add request, ignoring: %m"); r = start_loopback(rtnl, &state_up); if (r < 0) - return log_error_errno(r, "Failed to enqueue loopback interface start request: %m"); + return log_warning_errno(r, "Failed to enqueue loopback interface start request, ignoring: %m"); while (state_4.n_messages + state_6.n_messages + state_up.n_messages > 0) { r = sd_netlink_wait(rtnl, LOOPBACK_SETUP_TIMEOUT_USEC); if (r < 0) - return log_error_errno(r, "Failed to wait for netlink event: %m"); + return log_warning_errno(r, "Failed to wait for netlink event, ignoring: %m"); r = sd_netlink_process(rtnl, NULL); if (r < 0) - return log_warning_errno(r, "Failed to process netlink event: %m"); + return log_warning_errno(r, "Failed to process netlink event, ignoring: %m"); } /* Note that we don't really care whether the addresses could be added or not */ if (state_up.rcode != 0) { - /* If we lack the permissions to configure the loopback device, - * but we find it to be already configured, let's exit cleanly, - * in order to supported unprivileged containers. */ - if (ERRNO_IS_PRIVILEGE(state_up.rcode) && check_loopback(rtnl)) - return 0; - return log_warning_errno(state_up.rcode, "Failed to configure loopback network device: %m"); + /* If we lack the permissions to configure the loopback device, but we find it to be already + * configured, let's exit cleanly, in order to supported unprivileged containers. 
*/ + if (ERRNO_IS_PRIVILEGE(state_up.rcode)) { + r = check_loopback(rtnl); + if (r < 0) + log_debug_errno(r, "Failed to check if loopback device might already be up, ignoring: %m"); + else if (r > 0) { + log_debug("Configuring loopback failed, but device is already up, suppressing failure."); + return 0; + } + } + + return log_warning_errno(state_up.rcode, "Failed to configure loopback network device, ignoring: %m"); } return 0; diff --git a/src/shared/machine-pool.c b/src/shared/machine-pool.c index fb0b2f5adc..b372de40a3 100644 --- a/src/shared/machine-pool.c +++ b/src/shared/machine-pool.c @@ -3,7 +3,7 @@ #include <errno.h> #include "btrfs-util.h" -#include "label.h" +#include "label-util.h" #include "machine-pool.h" #include "missing_magic.h" #include "stat-util.h" diff --git a/src/shared/meson.build b/src/shared/meson.build index 021ba517f8..31241bc08d 100644 --- a/src/shared/meson.build +++ b/src/shared/meson.build @@ -96,7 +96,7 @@ shared_sources = files( 'kernel-image.c', 'keyring-util.c', 'killall.c', - 'label.c', + 'label-util.c', 'libcrypt-util.c', 'libfido2-util.c', 'libmount-util.c', diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c index 6162a58d9a..fd14cd8598 100644 --- a/src/shared/mount-setup.c +++ b/src/shared/mount-setup.c @@ -17,7 +17,7 @@ #include "fd-util.h" #include "fileio.h" #include "fs-util.h" -#include "label.h" +#include "label-util.h" #include "log.h" #include "macro.h" #include "mkdir-label.h" diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c index 7a06cc75ae..81b681afa7 100644 --- a/src/shared/mount-util.c +++ b/src/shared/mount-util.c @@ -22,7 +22,7 @@ #include "glyph-util.h" #include "hashmap.h" #include "initrd-util.h" -#include "label.h" +#include "label-util.h" #include "libmount-util.h" #include "missing_mount.h" #include "missing_syscall.h" diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index cc00a85952..a38a56f434 100644 --- a/src/shared/selinux-util.c 
+++ b/src/shared/selinux-util.c @@ -20,6 +20,7 @@ #include "alloc-util.h" #include "errno-util.h" #include "fd-util.h" +#include "label.h" #include "log.h" #include "macro.h" #include "mallinfo-util.h" @@ -54,6 +55,15 @@ static bool have_status_page = false; : -ERRNO_VALUE(_e); \ _enforcing ? _r : 0; \ }) + +static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) { + return mac_selinux_create_file_prepare_at(dir_fd, path, mode); +} + +static int mac_selinux_label_post(int dir_fd, const char *path) { + mac_selinux_create_file_clear(); + return 0; +} #endif bool mac_selinux_use(void) { @@ -128,6 +138,10 @@ static int open_label_db(void) { int mac_selinux_init(void) { #if HAVE_SELINUX + static const LabelOps label_ops = { + .pre = mac_selinux_label_pre, + .post = mac_selinux_label_post, + }; int r; if (initialized) @@ -152,6 +166,10 @@ int mac_selinux_init(void) { return r; } + r = label_ops_set(&label_ops); + if (r < 0) + return r; + /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on * first call without any actual change. */ last_policyload = selinux_status_policyload(); diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h index e9771a28fe..238550ef52 100644 --- a/src/shared/selinux-util.h +++ b/src/shared/selinux-util.h @@ -7,7 +7,7 @@ #include <sys/types.h> #include "macro.h" -#include "label.h" +#include "label-util.h" #if HAVE_SELINUX #include <selinux/selinux.h> diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c index 8c28dd91d7..1f88e724d0 100644 --- a/src/shared/smack-util.c +++ b/src/shared/smack-util.c @@ -15,6 +15,7 @@ #include "errno-util.h" #include "fd-util.h" #include "fileio.h" +#include "label.h" #include "log.h" #include "macro.h" #include "path-util.h" 
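Review bot: The `label_ops_set(&label_ops)` call added to mac_selinux_init() (hunk -152,6 +166,10) returns its error directly, with no log message and without regard to enforcing mode. The macro visible in the context of hunk -54,6 +55,15 ends in `_enforcing ? _r : 0`, which suggests that other failures in this file are tolerated when SELinux is permissive, whereas a failure to register the hooks now fails initialization in both modes. The call also comes after earlier initialization steps that lie outside the hunk, and nothing visible here undoes them on this error path, so that needs checking against the full function. If a hard failure is intended, `return log_error_errno(r, "Failed to register SELinux label hooks: %m");` would at least make it diagnosable.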
@@ -288,3 +289,23 @@ int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, con return 0; #endif } + +static int mac_smack_label_pre(int dir_fd, const char *path, mode_t mode) { + return 0; +} + +static int mac_smack_label_post(int dir_fd, const char *path) { + return mac_smack_fix_full(dir_fd, path, NULL, 0); +} + +int mac_smack_init(void) { + static const LabelOps label_ops = { + .pre = mac_smack_label_pre, + .post = mac_smack_label_post, + }; + + if (!mac_smack_use()) + return 0; + + return label_ops_set(&label_ops); +} diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h index 17b31c6c25..f6ed2ece38 100644 --- a/src/shared/smack-util.h +++ b/src/shared/smack-util.h @@ -10,7 +10,7 @@ #include <stdbool.h> #include <sys/types.h> -#include "label.h" +#include "label-util.h" #include "macro.h" #define SMACK_FLOOR_LABEL "_" @@ -28,6 +28,7 @@ typedef enum SmackAttr { } SmackAttr; bool mac_smack_use(void); +int mac_smack_init(void); int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags); static inline int mac_smack_fix(const char *path, LabelFixFlags flags) { |
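Review bot: mac_smack_init() (smack-util.c, hunk -288,3 +289,23) has no guard against being called twice, whereas mac_selinux_init() checks `if (initialized)` before doing any work. Each call that finds mac_smack_use() true goes straight to label_ops_set(); that function is defined outside this diff, so if it rejects a second registration, a repeated mac_init() would start failing on SMACK systems only. Either document that mac_smack_init() must be called once, or track registration in a `static bool initialized` as the SELinux side does. The three new functions are also placed after the file's last `#endif`, so they are built without SMACK support too; a comment noting that this presumably relies on mac_smack_use() returning false in that configuration would help readers.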