summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorMichal Sekletar <msekleta@redhat.com>2014-07-24 10:40:28 +0200
committerMichal Sekletar <msekleta@redhat.com>2014-09-19 12:32:06 +0200
commit16115b0a7b7cdf08fb38084d857d572d8a9088dc (patch)
tree2695c51cb8574ca2f1c6ea7bb90db11c4b5a88a2 /src/core
parent863f3ce0d050f005839f6aa41fe7bac5478a7b5e (diff)
socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'src/core')
-rw-r--r--src/core/execute.c29
-rw-r--r--src/core/execute.h1
-rw-r--r--src/core/load-fragment-gperf.gperf.m43
-rw-r--r--src/core/service.c4
-rw-r--r--src/core/service.h3
-rw-r--r--src/core/socket.c16
-rw-r--r--src/core/socket.h2
7 files changed, 46 insertions, 12 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index db755777c1..8c9dfde00a 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -84,6 +84,7 @@
#include "mkdir.h"
#include "apparmor-util.h"
#include "bus-kernel.h"
+#include "label.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
@@ -1665,11 +1666,29 @@ static int exec_child(ExecCommand *command,
#endif
#ifdef HAVE_SELINUX
- if (context->selinux_context && use_selinux()) {
- err = setexeccon(context->selinux_context);
- if (err < 0 && !context->selinux_context_ignore) {
- *error = EXIT_SELINUX_CONTEXT;
- return err;
+ if (use_selinux()) {
+ if (context->selinux_context) {
+ err = setexeccon(context->selinux_context);
+ if (err < 0 && !context->selinux_context_ignore) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+ }
+
+ if (params->selinux_context_net && socket_fd >= 0) {
+ _cleanup_free_ char *label = NULL;
+
+ err = label_get_child_mls_label(socket_fd, command->path, &label);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+
+ err = setexeccon(label);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
}
}
#endif
diff --git a/src/core/execute.h b/src/core/execute.h
index 9c1f249cd4..6f35736eda 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -204,6 +204,7 @@ struct ExecParameters {
bool apply_chroot;
bool apply_tty_stdin;
bool confirm_spawn;
+ bool selinux_context_net;
CGroupControllerMask cgroup_supported;
const char *cgroup_path;
const char *runtime_prefix;
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index e764d68ce4..050c5d819f 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -265,6 +265,9 @@ Socket.SmackLabelIPOut, config_parse_string, 0,
`Socket.SmackLabel, config_parse_warn_compat, 0, 0
Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0
Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0')
+m4_ifdef(`HAVE_SELINUX',
+`Socket.SELinuxContextFromNet, config_parse_bool, 0, offsetof(Socket, selinux_context_from_net)',
+`Socket.SELinuxContextFromNet, config_parse_warn_compat, 0, 0')
EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
diff --git a/src/core/service.c b/src/core/service.c
index 3f6595c5c8..395e0ca8c6 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -901,6 +901,7 @@ static int service_spawn(
.apply_chroot = apply_chroot,
.apply_tty_stdin = apply_tty_stdin,
.bus_endpoint_fd = -1,
+ .selinux_context_net = s->socket_fd_selinux_context_net
};
assert(s);
@@ -2748,7 +2749,7 @@ static void service_bus_name_owner_change(
}
}
-int service_set_socket_fd(Service *s, int fd, Socket *sock) {
+int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) {
_cleanup_free_ char *peer = NULL;
int r;
@@ -2786,6 +2787,7 @@ int service_set_socket_fd(Service *s, int fd, Socket *sock) {
}
s->socket_fd = fd;
+ s->socket_fd_selinux_context_net = selinux_context_net;
unit_ref_set(&s->accept_socket, UNIT(sock));
diff --git a/src/core/service.h b/src/core/service.h
index ad0b3b381e..0db0c4d64c 100644
--- a/src/core/service.h
+++ b/src/core/service.h
@@ -161,6 +161,7 @@ struct Service {
pid_t main_pid, control_pid;
int socket_fd;
+ bool socket_fd_selinux_context_net;
int bus_endpoint_fd;
@@ -205,7 +206,7 @@ extern const UnitVTable service_vtable;
struct Socket;
-int service_set_socket_fd(Service *s, int fd, struct Socket *socket);
+int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net);
const char* service_state_to_string(ServiceState i) _const_;
ServiceState service_state_from_string(const char *s) _pure_;
diff --git a/src/core/socket.c b/src/core/socket.c
index 68e21e60ac..00d5fd1192 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -489,7 +489,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
"%sPassCredentials: %s\n"
"%sPassSecurity: %s\n"
"%sTCPCongestion: %s\n"
- "%sRemoveOnStop: %s\n",
+ "%sRemoveOnStop: %s\n"
+ "%sSELinuxContextFromNet: %s\n",
prefix, socket_state_to_string(s->state),
prefix, socket_result_to_string(s->result),
prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
@@ -504,7 +505,8 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
prefix, yes_no(s->pass_cred),
prefix, yes_no(s->pass_sec),
prefix, strna(s->tcp_congestion),
- prefix, yes_no(s->remove_on_stop));
+ prefix, yes_no(s->remove_on_stop),
+ prefix, yes_no(s->selinux_context_from_net));
if (s->control_pid > 0)
fprintf(f,
@@ -1128,8 +1130,12 @@ static int socket_open_fds(Socket *s) {
continue;
if (p->type == SOCKET_SOCKET) {
-
- if (!know_label) {
+ if (!know_label && s->selinux_context_from_net) {
+ r = label_get_our_label(&label);
+ if (r < 0)
+ return r;
+ know_label = true;
+ } else if (!know_label) {
r = socket_instantiate_service(s);
if (r < 0)
@@ -1821,7 +1827,7 @@ static void socket_enter_running(Socket *s, int cfd) {
unit_choose_id(UNIT(service), name);
- r = service_set_socket_fd(service, cfd, s);
+ r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
if (r < 0)
goto fail;
diff --git a/src/core/socket.h b/src/core/socket.h
index eede70564a..a2e08998c0 100644
--- a/src/core/socket.h
+++ b/src/core/socket.h
@@ -165,6 +165,8 @@ struct Socket {
char *smack_ip_in;
char *smack_ip_out;
+ bool selinux_context_from_net;
+
char *user, *group;
};