diff options
author | Michal Sekletar <msekleta@redhat.com> | 2014-07-24 10:40:28 +0200 |
---|---|---|
committer | Michal Sekletar <msekleta@redhat.com> | 2014-09-19 12:32:06 +0200 |
commit | 16115b0a7b7cdf08fb38084d857d572d8a9088dc (patch) | |
tree | 2695c51cb8574ca2f1c6ea7bb90db11c4b5a88a2 /src/core | |
parent | 863f3ce0d050f005839f6aa41fe7bac5478a7b5e (diff) |
socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/execute.c | 29 | ||||
-rw-r--r-- | src/core/execute.h | 1 | ||||
-rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 3 | ||||
-rw-r--r-- | src/core/service.c | 4 | ||||
-rw-r--r-- | src/core/service.h | 3 | ||||
-rw-r--r-- | src/core/socket.c | 16 | ||||
-rw-r--r-- | src/core/socket.h | 2 |
7 files changed, 46 insertions, 12 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index db755777c1..8c9dfde00a 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -84,6 +84,7 @@ #include "mkdir.h" #include "apparmor-util.h" #include "bus-kernel.h" +#include "label.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -1665,11 +1666,29 @@ static int exec_child(ExecCommand *command, #endif #ifdef HAVE_SELINUX - if (context->selinux_context && use_selinux()) { - err = setexeccon(context->selinux_context); - if (err < 0 && !context->selinux_context_ignore) { - *error = EXIT_SELINUX_CONTEXT; - return err; + if (use_selinux()) { + if (context->selinux_context) { + err = setexeccon(context->selinux_context); + if (err < 0 && !context->selinux_context_ignore) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + } + + if (params->selinux_context_net && socket_fd >= 0) { + _cleanup_free_ char *label = NULL; + + err = label_get_child_mls_label(socket_fd, command->path, &label); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + + err = setexeccon(label); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } } } #endif diff --git a/src/core/execute.h b/src/core/execute.h index 9c1f249cd4..6f35736eda 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -204,6 +204,7 @@ struct ExecParameters { bool apply_chroot; bool apply_tty_stdin; bool confirm_spawn; + bool selinux_context_net; CGroupControllerMask cgroup_supported; const char *cgroup_path; const char *runtime_prefix; diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index e764d68ce4..050c5d819f 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -265,6 +265,9 @@ Socket.SmackLabelIPOut, config_parse_string, 0, `Socket.SmackLabel, config_parse_warn_compat, 0, 0 Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0 Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0') +m4_ifdef(`HAVE_SELINUX', +`Socket.SELinuxContextFromNet, config_parse_bool, 0, offsetof(Socket, selinux_context_from_net)', +`Socket.SELinuxContextFromNet, config_parse_warn_compat, 0, 0') EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl diff --git a/src/core/service.c b/src/core/service.c index 3f6595c5c8..395e0ca8c6 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -901,6 +901,7 @@ static int service_spawn( .apply_chroot = apply_chroot, .apply_tty_stdin = apply_tty_stdin, .bus_endpoint_fd = -1, + .selinux_context_net = s->socket_fd_selinux_context_net }; assert(s); @@ -2748,7 +2749,7 @@ static void service_bus_name_owner_change( } } -int service_set_socket_fd(Service *s, int fd, Socket *sock) { +int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) { _cleanup_free_ char *peer = NULL; int r; @@ -2786,6 +2787,7 @@ int service_set_socket_fd(Service *s, int fd, Socket *sock) { } s->socket_fd = fd; + s->socket_fd_selinux_context_net = selinux_context_net; unit_ref_set(&s->accept_socket, UNIT(sock)); diff --git a/src/core/service.h b/src/core/service.h index ad0b3b381e..0db0c4d64c 100644 --- a/src/core/service.h +++ b/src/core/service.h @@ -161,6 +161,7 @@ struct Service { pid_t main_pid, control_pid; int socket_fd; + bool socket_fd_selinux_context_net; int bus_endpoint_fd; @@ -205,7 +206,7 @@ extern const UnitVTable service_vtable; struct Socket; -int service_set_socket_fd(Service *s, int fd, struct Socket *socket); +int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net); const char* service_state_to_string(ServiceState i) _const_; ServiceState service_state_from_string(const char *s) _pure_; diff --git a/src/core/socket.c b/src/core/socket.c index 68e21e60ac..00d5fd1192 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -489,7 +489,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { "%sPassCredentials: %s\n" "%sPassSecurity: %s\n" "%sTCPCongestion: %s\n" - "%sRemoveOnStop: %s\n", + "%sRemoveOnStop: %s\n" + "%sSELinuxContextFromNet: %s\n", prefix, socket_state_to_string(s->state), prefix, socket_result_to_string(s->result), prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only), @@ -504,7 +505,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { prefix, yes_no(s->pass_cred), prefix, yes_no(s->pass_sec), prefix, strna(s->tcp_congestion), - prefix, yes_no(s->remove_on_stop)); + prefix, yes_no(s->remove_on_stop), + prefix, yes_no(s->selinux_context_from_net)); if (s->control_pid > 0) fprintf(f, @@ -1128,8 +1130,12 @@ static int socket_open_fds(Socket *s) { continue; if (p->type == SOCKET_SOCKET) { - - if (!know_label) { + if (!know_label && s->selinux_context_from_net) { + r = label_get_our_label(&label); + if (r < 0) + return r; + know_label = true; + } else if (!know_label) { r = socket_instantiate_service(s); if (r < 0) @@ -1821,7 +1827,7 @@ static void socket_enter_running(Socket *s, int cfd) { unit_choose_id(UNIT(service), name); - r = service_set_socket_fd(service, cfd, s); + r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net); if (r < 0) goto fail; diff --git a/src/core/socket.h b/src/core/socket.h index eede70564a..a2e08998c0 100644 --- a/src/core/socket.h +++ b/src/core/socket.h @@ -165,6 +165,8 @@ struct Socket { char *smack_ip_in; char *smack_ip_out; + bool selinux_context_from_net; + char *user, *group; }; |