Permalink
Browse files

selinux: introduce mac_selinux_create_file_prepare_at()

  • Loading branch information...
fbuihuu committed Jul 2, 2018
1 parent 2c3d5ad commit 7e531a5265687aef5177b070c36ca4ceab42e768
Showing with 63 additions and 21 deletions.
  1. +62 −21 src/basic/selinux-util.c
  2. +1 −0 src/basic/selinux-util.h
@@ -316,48 +316,89 @@ char* mac_selinux_free(char *label) {
return NULL;
}

int mac_selinux_create_file_prepare(const char *path, mode_t mode) {

#if HAVE_SELINUX
static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
_cleanup_freecon_ char *filecon = NULL;
_cleanup_free_ char *path = NULL;
int r;

assert(path);

if (!label_hnd)
return 0;

if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
else {
_cleanup_free_ char *newpath = NULL;

r = path_make_absolute_cwd(path, &newpath);
if (r < 0)
return r;

r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
}
assert(abspath);
assert(path_is_absolute(abspath));

r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
if (r < 0) {
/* No context specified by the policy? Proceed without setting it. */
if (errno == ENOENT)
return 0;

log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
} else {
if (setfscreatecon_raw(filecon) >= 0)
return 0; /* Success! */

log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
}

if (security_getenforce() > 0)
return -errno;

#endif
return 0;
}
#endif

int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
int r = 0;

#if HAVE_SELINUX
_cleanup_free_ char *abspath = NULL;
_cleanup_close_ int fd = -1;

assert(path);

if (!label_hnd)
return 0;

if (!path_is_absolute(path)) {
_cleanup_free_ char *p = NULL;

if (dirfd == AT_FDCWD)
r = safe_getcwd(&p);
else
r = fd_get_path(dirfd, &p);
if (r < 0)
return r;

abspath = path_join(NULL, p, path);
if (!abspath)
return -ENOMEM;

path = abspath;
}

r = selinux_create_file_prepare_abspath(path, mode);
#endif
return r;
}

int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
int r = 0;

#if HAVE_SELINUX
_cleanup_free_ char *abspath = NULL;

assert(path);

if (!label_hnd)
return 0;

r = path_make_absolute_cwd(path, &abspath);
if (r < 0)
return r;

r = selinux_create_file_prepare_abspath(abspath, mode);
#endif
return r;
}

void mac_selinux_create_file_clear(void) {

@@ -23,6 +23,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
char* mac_selinux_free(char *label);

int mac_selinux_create_file_prepare(const char *path, mode_t mode);
int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode);
void mac_selinux_create_file_clear(void);

int mac_selinux_create_socket_prepare(const char *label);

0 comments on commit 7e531a5

Please sign in to comment.