summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2015-09-23 19:55:49 +0200
committerLennart Poettering <lennart@poettering.net>2015-09-29 21:55:51 +0200
commit710a6b5017ba23fde6713f55340db5390ea27cec (patch)
tree34d5c96acc0439f898624a47a9dbfb12d21e957c
parente8da24a642c78d55f5287011db70d7cd95bf3b2b (diff)
selinux: add _cleanup_ concepts to SELinux label allocation
-rw-r--r--src/basic/selinux-util.c10
-rw-r--r--src/basic/selinux-util.h6
-rw-r--r--src/core/selinux-setup.c6
-rw-r--r--src/core/socket.c7
4 files changed, 17 insertions, 12 deletions
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index a39a0f775a..747e6f4dbb 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -295,14 +295,20 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
return r;
}
-void mac_selinux_free(char *label) {
+char* mac_selinux_free(char *label) {
#ifdef HAVE_SELINUX
+ if (!label)
+ return NULL;
+
if (!mac_selinux_use())
- return;
+ return NULL;
+
freecon((security_context_t) label);
#endif
+
+ return NULL;
}
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index 8467185291..2afcaec183 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -24,6 +24,8 @@
#include <sys/socket.h>
#include <stdbool.h>
+#include "macro.h"
+
bool mac_selinux_use(void);
void mac_selinux_retest(void);
@@ -36,7 +38,7 @@ int mac_selinux_apply(const char *path, const char *label);
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
int mac_selinux_get_our_label(char **label);
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label);
-void mac_selinux_free(char *label);
+char* mac_selinux_free(char *label);
int mac_selinux_create_file_prepare(const char *path, mode_t mode);
void mac_selinux_create_file_clear(void);
@@ -45,3 +47,5 @@ int mac_selinux_create_socket_prepare(const char *label);
void mac_selinux_create_socket_clear(void);
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(char*, mac_selinux_free);
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index e5b457643b..ff1ea23528 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -78,14 +78,14 @@ int mac_selinux_setup(bool *loaded_policy) {
before_load = now(CLOCK_MONOTONIC);
r = selinux_init_load_policy(&enforce);
if (r == 0) {
+ _cleanup_(mac_selinux_freep) char *label = NULL;
char timespan[FORMAT_TIMESPAN_MAX];
- char *label;
mac_selinux_retest();
/* Transition to the new context */
r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
- if (r < 0 || label == NULL) {
+ if (r < 0 || !label) {
log_open();
log_error("Failed to compute init label, ignoring.");
} else {
@@ -94,8 +94,6 @@ int mac_selinux_setup(bool *loaded_policy) {
log_open();
if (r < 0)
log_error("Failed to transition into init label '%s', ignoring.", label);
-
- mac_selinux_free(label);
}
after_load = now(CLOCK_MONOTONIC);
diff --git a/src/core/socket.c b/src/core/socket.c
index c0c11e4f6a..55ecada5ee 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1210,10 +1210,10 @@ fail:
}
static int socket_open_fds(Socket *s) {
+ _cleanup_(mac_selinux_freep) char *label = NULL;
+ bool know_label = false;
SocketPort *p;
int r;
- char *label = NULL;
- bool know_label = false;
assert(s);
@@ -1327,13 +1327,10 @@ static int socket_open_fds(Socket *s) {
assert_not_reached("Unknown port type");
}
- mac_selinux_free(label);
return 0;
rollback:
socket_close_fds(s);
- mac_selinux_free(label);
-
return r;
}