| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Inspired by #25664: let's check explicitly for NULL everywhere we do one
of those getXYZcon() calls.
We usually turn this into EOPNOTSUPP, as when selinux is off (which is
supposed to be the only case this can happen according to selinux docs)
we otherwise return EOPNOTSUPP in that case.
Note that in most cases we have an explicit mac_selinux_use() call
beforehand, hence this should mostly not be triggerable codepaths.
| |
util.h is now about logarithms only, so we can rename it. Many files included
util.h for no apparent reason… Those includes are dropped.
| |
Pass getuid() instead of literal `0` as auid, since user session
managers also issue audit messages on SELinux denials.
| |
errno + %m
strerror() is not thread safe and calling it just isn't worth the effort
required to justify why it would be safe in those cases. It's easier to just
use %m which is thread-safe out of the box. I don't think that any of the
changes in the patch cause any functional difference. This is just about
getting rid of calls to strerror() in general.
When we print an error message and fail to format the string, using something
like "(null)" is good enough. This is very very unlikely to happen anyway.
| |
Do not go back to disk on each selinux access, but instead cache the
label off the inode we are actually reading. That way unit file contents
and unit file label we use for access checks are always in sync.
Based on discussions here:
https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586
Replaces:
https://github.com/systemd/systemd/pull/23910
This changes behaviour a bit, because we'll reach and cache the label at
the moment of loading the unit (i.e. usually on boot and reload), but
not after relabelling. Thus, users must refresh the cache explicitly via
a "systemctl daemon-reload" if they relabelled things.
This makes the SELinux story a bit more debuggable, as it adds an
AccessSELinuxContext bus property to units that will report the label we are
using for a unit (or the empty string if not known).
This also drops using the "source" path of a unit as label source. If
there's value in it, then generators should manually copy the selinux
label from the source files onto the generated unit files, so that the
rule that "access labels are read when we read the definition files" is
upheld. But I am not convinced this is really a necessary, good idea.
| |
`mac_selinux_generic_access_check()` should not be called directly, only
via the wrapper macros `mac_selinux_access_check` and
`mac_selinux_unit_access_check`.
| |
path might be NULL when checking against the system permissions, so wrap
with strna().
The command line might not be available over D-Bus and thus cl might be
empty. Print "n/a" instead of the empty string.
| |
Include the systemd C function name in the audit message to improve the
debuggability on denials.
Similar to how kernel denial messages include the syscall name.
| |
We use __func__ almost everywhere, but there are some holdouts. Fix
that.
| |
According to Coverity, 194 out of 227 times we check for snprintf return code.
Voidify the rest.
CID#1461512
CID#1461513
CID#1461514
CID#1461515
CID#1461516
CID#1461518
CID#1461519
CID#1461520
CID#1461522
| |
https://github.com/systemd/systemd/pull/19317#issuecomment-820245680
| |
strdup() is more efficient than asprintf().
| |
Switch from security_getenforce() and netlink notifications to the
SELinux status page.
This usage saves system calls and will also be the default in
libselinux > 3.1 [1].
[1]: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
| |
enforced mode"
This reverts commit 257188f80ce1a083e3a88b679b898a73fecab53b.
| |
enabled
Calling `mac_selinux_enforcing()`, which calls `security_getenforce()`, on a SELinux disabled system causes the following error message to be printed:
Failed to get SELinux enforced status: No such file or directory
Fixes: 257188f80ce1a083e3a88b679b898a73fecab53b ("selinux: cache enforced status and treat retrieve failure as enforced mode")
Supersedes: #15145
| |
Instead of setting the bus error structure and then freeing it, let's only set
it if used. If we will ignore the selinux denial, say ", ignore" to make this
clear. Also, use _cleanup_ to avoid gotos.
| |
../src/core/selinux-access.c: In function ‘mac_selinux_generic_access_check’:
../src/basic/log.h:223:27: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
../src/core/selinux-access.c:235:85: note: format string is defined here
235 | log_warning_errno(errno, "SELinux getcon_raw failed (tclass=%s perm=%s): %m", tclass, permission);
| ^~
I wonder why nobody ever noticed this.
Fixes #14691 (other issues listed in that ticket have already been fixed).
| |
Fixes CID#1417440 and CID#1417438.
| |
Relevant when testing in permissive mode, where the function does not return a failure to the client.
This helps to configure a system in permissive mode, without getting surprising failures when switching to enforced mode.
| | |
Urlify CONFIG_FILE and improve SYSTEMD_LOG_LOCATION
| | |
This replaces the internal uses of __FILE__ with the new macro.
| |
This means we need to include many more headers in various files that simply
included util.h before, but it seems cleaner to do it this way.
| |
Previously we logged even info messages from libselinux as USER_AVC's to
audit. For example, setting SELinux to permissive mode generated the
following audit message:
time->Tue Feb 26 11:29:29 2019
type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
This is unnecessary and wrong at the same time. First, the kernel already
records an audit event that SELinux was switched to permissive mode; also,
the type of the message really shouldn't be USER_AVC.
Let's ignore SELINUX_WARNING and SELINUX_INFO and forward to audit only
USER_AVC's and errors, as these two libselinux message types have a clear
mapping to audit message types.
| |
Acks in https://github.com/systemd/systemd/issues/9320.
| |
Let's unify and beautify our remaining copyright statements, with a
unicode ©. This means our copyright statements are now always formatted
the same way. Yay.
| |
This part of the copyright blurb stems from the GPL use recommendations:
https://www.gnu.org/licenses/gpl-howto.en.html
The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.
Hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
| |
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.
I also kept any copyright lines. We can probably remove them, but it'd be nice to
obtain explicit acks from all involved authors before doing that.
| |
This follows what the kernel is doing, c.f.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
| |
The advantage is that if the name is misspelt, cpp will warn us.
$ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/"
$ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;'
$ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g'
$ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g'
+ manual changes to meson.build
squash! build-sys: use #if Y instead of #ifdef Y everywhere
v2:
- fix incorrect setting of HAVE_LIBIDN2
| |
Fixup for 4b58153dd22172d817055d2a09a0cdf3f4bd9db3.
I saw this because of a clang warning. With gcc the -Wformat-nonliteral warning
doesn't seem to work as expected.
In two places, a string constructed with strjoina is used as the pattern. This
is safe, because we're taking a pattern which was already marked with _printf_
and prepending a known value to it. Those places are marked with #pragma to
silence the warning.
| |
https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
deprecated selinux_context_t. Replace with a simple char* everywhere.
Alternative fix for #3719.
| |
SELinux outputs semi-random messages like "Unknown permission start for class
system", and the user has to dig into message metadata to find out where
they are coming from. Add a prefix to give a hint.
| |
This should be handled fine now by .dir-locals.el, so no need to carry that
stuff in every file.
| |
Let's merge access_init() and mac_selinux_access_init(), and only call
mac_selinux_use() once, inside the merged function, instead of multiple
times, including in the caller.
See comments on:
https://github.com/systemd/systemd/pull/2053
| |
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
| |
Sort the includes according to the new coding style.
| |
When mcstransd* is running, non-raw functions will return a translated SELinux
context. The problem is that libselinux will cache this information and in the
future it will return the same context even though mcstransd may not be running at
that time. If you then check with such a context against the SELinux policy then
selinux_check_access may fail depending on whether mcstransd is running or not.
To work around this problem/bug in libselinux, we should always get the raw context
instead. Most users will not notice because the result of the access check is logged
only in debug mode.
* SELinux context translation service, which translates labels to human
readable form
|