summaryrefslogtreecommitdiff
path: root/src/shared/label.c
diff options
context:
space:
mode:
authorMichal Sekletar <msekleta@redhat.com>2014-07-24 10:40:28 +0200
committerMichal Sekletar <msekleta@redhat.com>2014-09-19 12:32:06 +0200
commit16115b0a7b7cdf08fb38084d857d572d8a9088dc (patch)
tree2695c51cb8574ca2f1c6ea7bb90db11c4b5a88a2 /src/shared/label.c
parent863f3ce0d050f005839f6aa41fe7bac5478a7b5e (diff)
socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'src/shared/label.c')
-rw-r--r--src/shared/label.c113
1 files changed, 113 insertions, 0 deletions
diff --git a/src/shared/label.c b/src/shared/label.c
index 25a8b361b7..02b41f02d8 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -31,6 +31,7 @@
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/context.h>
#endif
#include "label.h"
@@ -41,6 +42,12 @@
#include "smack-util.h"
#ifdef HAVE_SELINUX
+DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
+DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
+
+#define _cleanup_security_context_free_ _cleanup_(freeconp)
+#define _cleanup_context_free_ _cleanup_(context_freep)
+
static struct selabel_handle *label_hnd = NULL;
#endif
@@ -243,6 +250,112 @@ fail:
return r;
}
+int label_get_our_label(char **label) {
+ int r = -EOPNOTSUPP;
+ char *l = NULL;
+
+#ifdef HAVE_SELINUX
+ r = getcon(&l);
+ if (r < 0)
+ return r;
+
+ *label = l;
+#endif
+
+ return r;
+}
+
+int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+ int r = -EOPNOTSUPP;
+
+#ifdef HAVE_SELINUX
+
+ _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+ _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
+ security_class_t sclass;
+
+ const char *range = NULL;
+
+ assert(socket_fd >= 0);
+ assert(exe);
+ assert(label);
+
+ r = getcon(&mycon);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = getpeercon(socket_fd, &peercon);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = getexeccon(&fcon);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (!fcon) {
+ /* If there is no context set for next exec let's use context
+ of target executable */
+ r = getfilecon(exe, &fcon);
+ if (r < 0) {
+ r = -errno;
+ goto out;
+ }
+ }
+
+ bcon = context_new(mycon);
+ if (!bcon) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ pcon = context_new(peercon);
+ if (!pcon) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ range = context_range_get(pcon);
+ if (!range) {
+ r = -errno;
+ goto out;
+ }
+
+ r = context_range_set(bcon, range);
+ if (r) {
+ r = -errno;
+ goto out;
+ }
+
+ freecon(mycon);
+ mycon = context_str(bcon);
+ if (!mycon) {
+ r = -errno;
+ goto out;
+ }
+
+ sclass = string_to_security_class("process");
+ r = security_compute_create(mycon, fcon, sclass, &ret);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ *label = ret;
+ r = 0;
+
+out:
+ if (r < 0 && security_getenforce() == 1)
+ return r;
+#endif
+ return r;
+}
+
int label_context_set(const char *path, mode_t mode) {
int r = 0;