authorLennart Poettering <lennart@poettering.net>2013-10-10 16:35:44 +0200
committerLennart Poettering <lennart@poettering.net>2013-10-10 16:35:44 +0200
commitd682b3a7e7c7c2941a4d3e193f1e330dbc9fae89 (patch)
treef9e0c1c2af7b0756af89db0864a0708076a55144 /src/journal
parent0581dac2c146cef0f55841a4c136dc48409c8eaa (diff)
security: rework selinux, smack, ima, apparmor detection logic
Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
Diffstat (limited to 'src/journal')
-rw-r--r--src/journal/journald-native.c11
-rw-r--r--src/journal/journald-server.c22
-rw-r--r--src/journal/journald-stream.c7
-rw-r--r--src/journal/journald-syslog.c11
4 files changed, 31 insertions, 20 deletions
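diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
index c50cf64f5c..2c91cba16d 100644
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -25,6 +25,7 @@
 #include "socket-util.h"
 #include "path-util.h"
+#include "selinux-util.h"
 #include "journald-server.h"
 #include "journald-native.h"
 #include "journald-kmsg.h"
@@ -404,10 +405,12 @@ int server_open_native_socket(Server*s) {
 }
 #ifdef HAVE_SELINUX
- one = 1;
- r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
- if (r < 0)
- log_warning("SO_PASSSEC failed: %m");
+ if (use_selinux()) {
+ one = 1;
+ r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+ if (r < 0)
+ log_warning("SO_PASSSEC failed: %m");
+ }
 #endif
 one = 1;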
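Review bot: The guarded SO_PASSSEC block added here is repeated line for line in server_open_syslog_socket in journald-syslog.c, differing only in the fd (`s->native_fd` vs `s->syslog_fd`), so a small shared helper taking the fd (name to be chosen, e.g. a static function in selinux-util) would keep the two call sites from drifting apart. Whichever form is kept, the guard deserves a one-line why-comment, since the consequence is not local: `/* Request SCM_SECURITY labels only when SELinux is active; dispatch_message_real() presumably skips _SELINUX_CONTEXT= in the same case */`. The result of use_selinux() is cached according to the commit description, so a change in SELinux state after startup will not be reflected here; that seems acceptable for a socket option set once at open time but is worth stating in the comment. server_open_native_socket continues outside the hunk.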
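diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index e03e413aef..9732e1b25e 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -629,19 +629,21 @@ static void dispatch_message_real(
 }
 #ifdef HAVE_SELINUX
- if (label) {
- x = alloca(sizeof("_SELINUX_CONTEXT=") + label_len);
+ if (use_selinux()) {
+ if (label) {
+ x = alloca(sizeof("_SELINUX_CONTEXT=") + label_len);
- *((char*) mempcpy(stpcpy(x, "_SELINUX_CONTEXT="), label, label_len)) = 0;
- IOVEC_SET_STRING(iovec[n++], x);
- } else {
- security_context_t con;
+ *((char*) mempcpy(stpcpy(x, "_SELINUX_CONTEXT="), label, label_len)) = 0;
+ IOVEC_SET_STRING(iovec[n++], x);
+ } else {
+ security_context_t con;
- if (getpidcon(ucred->pid, &con) >= 0) {
- x = strappenda("_SELINUX_CONTEXT=", con);
+ if (getpidcon(ucred->pid, &con) >= 0) {
+ x = strappenda("_SELINUX_CONTEXT=", con);
- freecon(con);
- IOVEC_SET_STRING(iovec[n++], x);
+ freecon(con);
+ IOVEC_SET_STRING(iovec[n++], x);
+ }
 }
 }
 #endif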
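Review bot: A non-NULL `label` handed in by the caller is now silently dropped when use_selinux() is false, and nothing in the hunk records that this is the intended contract rather than an oversight; a comment above the new guard, `/* _SELINUX_CONTEXT= is only recorded when SELinux is active; SO_PASSSEC is only requested in that case, so label is expected to be NULL otherwise */`, would tie the two halves together (the SO_PASSSEC side lives in journald-native.c and journald-syslog.c). The alloca size `sizeof("_SELINUX_CONTEXT=") + label_len` already includes the terminator via sizeof, and the mempcpy-with-length copy is what makes an unterminated SCM_SECURITY label safe — both worth a short why-comment since they look like off-by-one candidates on first read. The `getpidcon(ucred->pid, ...)` fallback still dereferences `ucred` unconditionally inside the guard, as the old code did; whether the caller guarantees it is non-NULL cannot be seen here, as dispatch_message_real's signature and any earlier `ucred` check are outside the hunk.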
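diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
index 9c4efec9bc..543614aead 100644
--- a/src/journal/journald-stream.c
+++ b/src/journal/journald-stream.c
@@ -29,6 +29,7 @@
 #endif
 #include "socket-util.h"
+#include "selinux-util.h"
 #include "journald-server.h"
 #include "journald-stream.h"
 #include "journald-syslog.h"
@@ -381,8 +382,10 @@ int stdout_stream_new(Server *s) {
 }
 #ifdef HAVE_SELINUX
- if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT)
- log_error("Failed to determine peer security context: %m");
+ if (use_selinux()) {
+ if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT)
+ log_error("Failed to determine peer security context: %m");
+ }
 #endif
 if (shutdown(fd, SHUT_WR) < 0) {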
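Review bot: The new guard wraps a single statement in a second `if`, which can be folded into the existing condition so the log call stays at one depth: `if (use_selinux() && getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT)` / `log_error("Failed to determine peer security context: %m");`. Now that getpeercon() is only reached with SELinux active, the `errno != ENOPROTOOPT` exemption is presumably kept for peers without a context; a comment stating that would stop the next reader from removing it. On the disabled path `stream->security_context` is simply left as allocated, so the field's zero-initialisation matters more than before; the allocation of `stream` is outside the hunk and should be confirmed. stdout_stream_new continues outside the hunk.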
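diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
index c2770a53d0..dc66ba8c8f 100644
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -25,6 +25,7 @@
 #include "systemd/sd-messages.h"
 #include "socket-util.h"
+#include "selinux-util.h"
 #include "journald-server.h"
 #include "journald-syslog.h"
 #include "journald-kmsg.h"
@@ -453,10 +454,12 @@ int server_open_syslog_socket(Server *s) {
 }
 #ifdef HAVE_SELINUX
- one = 1;
- r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
- if (r < 0)
- log_warning("SO_PASSSEC failed: %m");
+ if (use_selinux()) {
+ one = 1;
+ r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
+ if (r < 0)
+ log_warning("SO_PASSSEC failed: %m");
+ }
 #endif
 one = 1;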