authorLennart Poettering <lennart@poettering.net>2012-10-02 17:07:00 -0400
committerLennart Poettering <lennart@poettering.net>2012-10-02 17:07:00 -0400
commitcad45ba11ec3572296361f53f5852ffb97a97fa3 (patch)
tree42c8e2f855d26efb8819b535dc6e86846de811a9 /src/core/selinux-access.h
parent71ef24d09573874c0f7bc323c07c3aec2a458707 (diff)
selinux: rework selinux access check logic
a) Instead of parsing the bus messages inside of selinux-access.c, simply pass everything pre-parsed into the functions; b) implement the access checking with a macro that resolves to nothing on non-selinux builds; c) split out the selinux checks into their own sources selinux-util.[ch]; d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
Diffstat (limited to 'src/core/selinux-access.h')
-rw-r--r--src/core/selinux-access.h39
1 files changed, 35 insertions, 4 deletions
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index a426e0e5ca..5902b2f862 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -1,7 +1,6 @@
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-#ifndef selinuxaccesshfoo
-#define selinuxaccesshfoo
+#pragma once
/***
This file is part of systemd.
@@ -23,6 +22,38 @@
***/
void selinux_access_finish(void);
-int selinux_manager_access_check(DBusConnection *connection, DBusMessage *message, Manager *m, DBusError *error);
-int selinux_unit_access_check(DBusConnection *connection, DBusMessage *message, Manager *m, const char *path, DBusError *error);
+int selinux_manager_access_check(Manager *manager, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
+int selinux_unit_access_check(Unit *unit, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
+
+#ifdef HAVE_SELINUX
+
+#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) \
+ do { \
+ DBusError _error; \
+ int _r; \
+ DBusConnection *_c = (connection); \
+ DBusMessage *_m = (message); \
+ dbus_error_init(&_error); \
+ _r = selinux_manager_access_check((manager), _c, _m, (permission), &_error); \
+ if (_r < 0) \
+ return bus_send_error_reply(_c, _m, &_error, _r); \
+ } while (false)
+
+#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) \
+ do { \
+ DBusError _error; \
+ int _r; \
+ DBusConnection *_c = (connection); \
+ DBusMessage *_m = (message); \
+ dbus_error_init(&_error); \
+ _r = selinux_unit_access_check((unit), _c, _m, (permission), &_error); \
+ if (_r < 0) \
+ return bus_send_error_reply(_c, _m, &_error, _r); \
+ } while (false)
+
+#else
+
+#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) do { } while (false)
+#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) do { } while (false)
+
#endif
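Review bot: Both SELINUX_MANAGER_ACCESS_CHECK and SELINUX_UNIT_ACCESS_CHECK hide a `return bus_send_error_reply(_c, _m, &_error, _r);` inside their `do { } while (false)` body, and nothing in the header tells a caller that the macro can leave the enclosing handler. A handler that has already allocated a reply or taken a reference before the check would skip its cleanup on the denial path, and the macro only fits functions whose return type matches bus_send_error_reply(). I would add a comment above the `#ifdef HAVE_SELINUX` block, for example `/* Returns from the calling D-Bus handler with an error reply when access is denied; invoke before acquiring anything that needs cleanup. */`. The same comment should say that the `#else` stubs never evaluate their arguments, so an argument with side effects behaves differently between SELinux and non-SELinux builds. Whether `_error` is released after a denial depends on bus_send_error_reply(), which is not visible in this hunk and should be confirmed.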