summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Sekletar <msekleta@redhat.com>2014-07-24 10:40:28 +0200
committerMichal Sekletar <msekleta@redhat.com>2014-08-19 18:57:12 +0200
commitcf8bd44339b00330fdbc91041d6731ba8aba9fec (patch)
tree50131a58cdb8e65adc849c0971ff832ec208d6ec
parent6c3e68e7c1adc6176526e69769bf2eba86cdd257 (diff)
socket: introduce SELinuxLabelViaNet option
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>
-rw-r--r--man/systemd.socket.xml11
-rw-r--r--src/core/execute.c23
-rw-r--r--src/core/execute.h1
-rw-r--r--src/core/load-fragment-gperf.gperf.m43
-rw-r--r--src/core/socket.c22
-rw-r--r--src/core/socket.h2
-rw-r--r--src/shared/label.c69
-rw-r--r--src/shared/label.h1
8 files changed, 127 insertions, 5 deletions
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 4483905832..f376f725c9 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -676,6 +676,17 @@
</varlistentry>
<varlistentry>
+ <term><varname>SELinuxLabelViaNet=</varname></term>
+ <listitem><para>Takes a boolean
+ value. Controls whether systemd attempts to figure out
+ SELinux label used for instantiated service from
+ information handed by peer over the
+ network. Configuration option has effect only
+ on sockets with <literal>Accept=</literal>
+ mode set to <literal>yes</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>PipeSize=</varname></term>
<listitem><para>Takes a size in
bytes. Controls the pipe buffer size
diff --git a/src/core/execute.c b/src/core/execute.c
index d8452a666c..129791294e 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -83,6 +83,7 @@
#include "af-list.h"
#include "mkdir.h"
#include "apparmor-util.h"
+#include "label.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
@@ -1729,6 +1730,22 @@ int exec_spawn(ExecCommand *command,
goto fail_child;
}
}
+
+ if (context->selinux_label_via_net && use_selinux()) {
+ _cleanup_free_ char *label = NULL;
+
+ err = label_get_child_label(socket_fd, command->path, &label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+
+ err = setexeccon(label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+ }
#endif
#ifdef HAVE_APPARMOR
@@ -2112,7 +2129,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
"%sPrivateDevices: %s\n"
"%sProtectHome: %s\n"
"%sProtectSystem: %s\n"
- "%sIgnoreSIGPIPE: %s\n",
+ "%sIgnoreSIGPIPE: %s\n"
+ "%sSELinuxLabelViaNet: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
prefix, c->root_directory ? c->root_directory : "/",
@@ -2122,7 +2140,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
prefix, yes_no(c->private_devices),
prefix, protect_home_to_string(c->protect_home),
prefix, protect_system_to_string(c->protect_system),
- prefix, yes_no(c->ignore_sigpipe));
+ prefix, yes_no(c->ignore_sigpipe),
+ prefix, yes_no(c->selinux_label_via_net));
STRV_FOREACH(e, c->environment)
fprintf(f, "%sEnvironment: %s\n", prefix, *e);
diff --git a/src/core/execute.h b/src/core/execute.h
index 9d05d3a9de..d23a98097a 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -136,6 +136,7 @@ struct ExecContext {
bool selinux_context_ignore;
char *selinux_context;
+ bool selinux_label_via_net;
bool apparmor_profile_ignore;
char *apparmor_profile;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index b4e2b25743..d5ff848c33 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -262,6 +262,9 @@ Socket.SmackLabelIPOut, config_parse_string, 0,
`Socket.SmackLabel, config_parse_warn_compat, 0, 0
Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0
Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0')
+m4_ifdef(`HAVE_SELINUX',
+`Socket.SELinuxLabelViaNet, config_parse_bool, 0, offsetof(Socket, selinux_label_via_net)',
+`Socket.SELinuxLabelViaNet, config_parse_warn_compat, 0, 0')
EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
diff --git a/src/core/socket.c b/src/core/socket.c
index a16b20d739..34ce1b1ffd 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -31,6 +31,10 @@
#include <mqueue.h>
#include <sys/xattr.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#include "sd-event.h"
#include "log.h"
#include "load-dropin.h"
@@ -488,7 +492,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
"%sPassCredentials: %s\n"
"%sPassSecurity: %s\n"
"%sTCPCongestion: %s\n"
- "%sRemoveOnStop: %s\n",
+ "%sRemoveOnStop: %s\n"
+ "%sSELinuxLabelViaNet: %s\n",
prefix, socket_state_to_string(s->state),
prefix, socket_result_to_string(s->result),
prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
@@ -503,7 +508,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
prefix, yes_no(s->pass_cred),
prefix, yes_no(s->pass_sec),
prefix, strna(s->tcp_congestion),
- prefix, yes_no(s->remove_on_stop));
+ prefix, yes_no(s->remove_on_stop),
+ prefix, yes_no(s->selinux_label_via_net));
if (s->control_pid > 0)
fprintf(f,
@@ -1130,7 +1136,14 @@ static int socket_open_fds(Socket *s) {
continue;
if (p->type == SOCKET_SOCKET) {
-
+#ifdef HAVE_SELINUX
+ if (!know_label && s->selinux_label_via_net) {
+ r = getcon(&label);
+ if (r < 0)
+ return r;
+ know_label = true;
+ }
+#endif
if (!know_label) {
r = socket_instantiate_service(s);
@@ -1829,6 +1842,9 @@ static void socket_enter_running(Socket *s, int cfd) {
cfd = -1;
s->n_connections ++;
+ if (s->selinux_label_via_net)
+ service->exec_context.selinux_label_via_net = true;
+
r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, true, &error, NULL);
if (r < 0)
goto fail;
diff --git a/src/core/socket.h b/src/core/socket.h
index eede70564a..ab342c34e8 100644
--- a/src/core/socket.h
+++ b/src/core/socket.h
@@ -165,6 +165,8 @@ struct Socket {
char *smack_ip_in;
char *smack_ip_out;
+ bool selinux_label_via_net;
+
char *user, *group;
};
diff --git a/src/shared/label.c b/src/shared/label.c
index 25a8b361b7..dd89bec6e8 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -31,6 +31,7 @@
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/context.h>
#endif
#include "label.h"
@@ -243,6 +244,74 @@ fail:
return r;
}
+int label_get_child_label(int socket_fd, const char *exe, char **label) {
+ int r = 0;
+
+#ifdef HAVE_SELINUX
+
+ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+ security_class_t sclass;
+ context_t pcon = NULL, bcon = NULL;
+ const char *range = NULL;
+
+ assert(socket_fd >= 0);
+ assert(exe);
+ assert(label);
+
+ r = getcon(&mycon);
+ if (r < 0)
+ goto out;
+
+ r = getpeercon(socket_fd, &peercon);
+ if (r < 0)
+ goto out;
+
+ r = getfilecon(exe, &fcon);
+ if (r < 0)
+ goto out;
+
+ bcon = context_new(mycon);
+ if (!bcon)
+ goto out;
+
+ pcon = context_new(peercon);
+ if (!pcon)
+ goto out;
+
+ range = context_range_get(pcon);
+ if (!range)
+ goto out;
+
+ r = context_range_set(bcon, range);
+ if (r)
+ goto out;
+
+ freecon(mycon);
+ mycon = context_str(bcon);
+ if (!mycon)
+ goto out;
+
+ sclass = string_to_security_class("process");
+ r = security_compute_create(mycon, fcon, sclass, &ret);
+ if (r < 0)
+ goto out;
+
+ *label = ret;
+
+out:
+ if (r && security_getenforce() == 1)
+ r = -errno;
+
+ freecon(mycon);
+ freecon(peercon);
+ freecon(fcon);
+ context_free(pcon);
+ context_free(bcon);
+
+#endif
+ return r;
+}
+
int label_context_set(const char *path, mode_t mode) {
int r = 0;
diff --git a/src/shared/label.h b/src/shared/label.h
index 72948205f6..4163f7f98c 100644
--- a/src/shared/label.h
+++ b/src/shared/label.h
@@ -39,6 +39,7 @@ void label_context_clear(void);
void label_free(const char *label);
int label_get_create_label_from_exe(const char *exe, char **label);
+int label_get_child_label(int socket_fd, const char *exec, char **label);
int label_mkdir(const char *path, mode_t mode);