summaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2014-10-23 18:58:18 +0200
committerLennart Poettering <lennart@poettering.net>2014-10-23 21:36:56 +0200
commit7f416dae9bcf1cfb63689ee9ac851adf738f072b (patch)
tree6b3435c524096f5966353b6916ce9209040b3ff2 /src/core
parent376a2980960baba22b9bee6b227c27c373215b5a (diff)
selinux: rework label query APIs
APIs that query and return something cannot silently fail, they must either return something useful, or an error. Fix that. Also, properly rollback socket unit fd creation when something goes wrong with the security framework.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/socket.c40
1 files changed, 26 insertions, 14 deletions
diff --git a/src/core/socket.c b/src/core/socket.c
index 780015012f..e9cf7b3e93 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1139,22 +1139,33 @@ static int socket_open_fds(Socket *s) {
continue;
if (p->type == SOCKET_SOCKET) {
- if (!know_label && s->selinux_context_from_net) {
- r = mac_selinux_get_our_label(&label);
- if (r < 0)
- return r;
- know_label = true;
- } else if (!know_label) {
- r = socket_instantiate_service(s);
- if (r < 0)
- return r;
+ if (!know_label) {
+ /* Figure out label, if we don't it know
+ * yet. We do it once, for the first
+ * socket where we need this and
+ * remember it for the rest. */
+
+ if (s->selinux_context_from_net) {
+ /* Get it from the network label */
+
+ r = mac_selinux_get_our_label(&label);
+ if (r < 0 && r != EOPNOTSUPP)
+ goto rollback;
- if (UNIT_ISSET(s->service) &&
- SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) {
- r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label);
- if (r < 0 && r != -EPERM)
- return r;
+ } else {
+ /* Get it from the executable we are about to start */
+
+ r = socket_instantiate_service(s);
+ if (r < 0)
+ goto rollback;
+
+ if (UNIT_ISSET(s->service) &&
+ SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) {
+ r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label);
+ if (r < 0 && r != -EPERM && r != EOPNOTSUPP)
+ goto rollback;
+ }
}
know_label = true;
@@ -1219,6 +1230,7 @@ static int socket_open_fds(Socket *s) {
rollback:
socket_close_fds(s);
mac_selinux_free(label);
+
return r;
}