security: rework selinux, smack, ima, apparmor detection logic

Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
author: Lennart Poettering <lennart@poettering.net> 2013-10-10 16:35:44 +0200
committer: Lennart Poettering <lennart@poettering.net> 2013-10-10 16:35:44 +0200
commit: d682b3a7e7c7c2941a4d3e193f1e330dbc9fae89 (patch)
tree: f9e0c1c2af7b0756af89db0864a0708076a55144 /src/journal
parent: 0581dac2c146cef0f55841a4c136dc48409c8eaa (diff)
4 files changed, 31 insertions, 20 deletions
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
index c50cf64f5c..2c91cba16d 100644
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -25,6 +25,7 @@
 
 #include "socket-util.h"
 #include "path-util.h"
+#include "selinux-util.h"
 #include "journald-server.h"
 #include "journald-native.h"
 #include "journald-kmsg.h"
@@ -404,10 +405,12 @@ int server_open_native_socket(Server*s) {
         }
 
 #ifdef HAVE_SELINUX
-        one = 1;
-        r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
-        if (r < 0)
-                log_warning("SO_PASSSEC failed: %m");
+        if (use_selinux()) {
+                one = 1;
+                r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+                if (r < 0)
+                        log_warning("SO_PASSSEC failed: %m");
+        }
 #endif
 
         one = 1;
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index e03e413aef..9732e1b25e 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -629,19 +629,21 @@ static void dispatch_message_real(
                 }
 
 #ifdef HAVE_SELINUX
-                if (label) {
-                        x = alloca(sizeof("_SELINUX_CONTEXT=") + label_len);
+                if (use_selinux()) {
+                        if (label) {
+                                x = alloca(sizeof("_SELINUX_CONTEXT=") + label_len);
 
-                        *((char*) mempcpy(stpcpy(x, "_SELINUX_CONTEXT="), label, label_len)) = 0;
-                        IOVEC_SET_STRING(iovec[n++], x);
-                } else {
-                        security_context_t con;
+                                *((char*) mempcpy(stpcpy(x, "_SELINUX_CONTEXT="), label, label_len)) = 0;
+                                IOVEC_SET_STRING(iovec[n++], x);
+                        } else {
+                                security_context_t con;
 
-                        if (getpidcon(ucred->pid, &con) >= 0) {
-                                x = strappenda("_SELINUX_CONTEXT=", con);
+                                if (getpidcon(ucred->pid, &con) >= 0) {
+                                        x = strappenda("_SELINUX_CONTEXT=", con);
 
-                                freecon(con);
-                                IOVEC_SET_STRING(iovec[n++], x);
+                                        freecon(con);
+                                        IOVEC_SET_STRING(iovec[n++], x);
+                                }
                         }
                 }
 #endif
diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
index 9c4efec9bc..543614aead 100644
--- a/src/journal/journald-stream.c
+++ b/src/journal/journald-stream.c
@@ -29,6 +29,7 @@
 #endif
 
 #include "socket-util.h"
+#include "selinux-util.h"
 #include "journald-server.h"
 #include "journald-stream.h"
 #include "journald-syslog.h"
@@ -381,8 +382,10 @@ int stdout_stream_new(Server *s) {
         }
 
 #ifdef HAVE_SELINUX
-        if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT)
-                log_error("Failed to determine peer security context: %m");
+        if (use_selinux()) {
+                if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT)
+                        log_error("Failed to determine peer security context: %m");
+        }
 #endif
 
         if (shutdown(fd, SHUT_WR) < 0) {
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
index c2770a53d0..dc66ba8c8f 100644
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -25,6 +25,7 @@
 
 #include "systemd/sd-messages.h"
 #include "socket-util.h"
+#include "selinux-util.h"
 #include "journald-server.h"
 #include "journald-syslog.h"
 #include "journald-kmsg.h"
@@ -453,10 +454,12 @@ int server_open_syslog_socket(Server *s) {
         }
 
 #ifdef HAVE_SELINUX
-        one = 1;
-        r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
-        if (r < 0)
-                log_warning("SO_PASSSEC failed: %m");
+        if (use_selinux()) {
+                one = 1;
+                r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+                if (r < 0)
+                        log_warning("SO_PASSSEC failed: %m");
+        }
 #endif
 
         one = 1;
author	Lennart Poettering <lennart@poettering.net>	2013-10-10 16:35:44 +0200
committer	Lennart Poettering <lennart@poettering.net>	2013-10-10 16:35:44 +0200
commit	d682b3a7e7c7c2941a4d3e193f1e330dbc9fae89 (patch)
tree	f9e0c1c2af7b0756af89db0864a0708076a55144 /src/journal
parent	0581dac2c146cef0f55841a4c136dc48409c8eaa (diff)