diff options
| author | Michal Sekletar <msekleta@redhat.com> | 2014-07-24 10:40:28 +0200 |
|---|---|---|
| committer | Michal Sekletar <msekleta@redhat.com> | 2014-09-19 12:32:06 +0200 |
| commit | 16115b0a7b7cdf08fb38084d857d572d8a9088dc (patch) | |
| tree | 2695c51cb8574ca2f1c6ea7bb90db11c4b5a88a2 /src/shared | |
| parent | 863f3ce0d050f005839f6aa41fe7bac5478a7b5e (diff) | |
socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'src/shared')
| -rw-r--r-- | src/shared/label.c | 113 | ||||
| -rw-r--r-- | src/shared/label.h | 2 |
2 files changed, 115 insertions, 0 deletions
diff --git a/src/shared/label.c b/src/shared/label.c index 25a8b361b7..02b41f02d8 100644 --- a/src/shared/label.c +++ b/src/shared/label.c @@ -31,6 +31,7 @@ #ifdef HAVE_SELINUX #include <selinux/selinux.h> #include <selinux/label.h> +#include <selinux/context.h> #endif #include "label.h" @@ -41,6 +42,12 @@ #include "smack-util.h" #ifdef HAVE_SELINUX +DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon); +DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free); + +#define _cleanup_security_context_free_ _cleanup_(freeconp) +#define _cleanup_context_free_ _cleanup_(context_freep) + static struct selabel_handle *label_hnd = NULL; #endif @@ -243,6 +250,112 @@ fail: return r; } +int label_get_our_label(char **label) { + int r = -EOPNOTSUPP; + char *l = NULL; + +#ifdef HAVE_SELINUX + r = getcon(&l); + if (r < 0) + return r; + + *label = l; +#endif + + return r; +} + +int label_get_child_mls_label(int socket_fd, const char *exe, char **label) { + int r = -EOPNOTSUPP; + +#ifdef HAVE_SELINUX + + _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL; + _cleanup_context_free_ context_t pcon = NULL, bcon = NULL; + security_class_t sclass; + + const char *range = NULL; + + assert(socket_fd >= 0); + assert(exe); + assert(label); + + r = getcon(&mycon); + if (r < 0) { + r = -EINVAL; + goto out; + } + + r = getpeercon(socket_fd, &peercon); + if (r < 0) { + r = -EINVAL; + goto out; + } + + r = getexeccon(&fcon); + if (r < 0) { + r = -EINVAL; + goto out; + } + + if (!fcon) { + /* If there is no context set for next exec let's use context + of target executable */ + r = getfilecon(exe, &fcon); + if (r < 0) { + r = -errno; + goto out; + } + } + + bcon = context_new(mycon); + if (!bcon) { + r = -ENOMEM; + goto out; + } + + pcon = context_new(peercon); + if (!pcon) { + r = -ENOMEM; + goto out; + } + + range = context_range_get(pcon); + if (!range) { + r = -errno; + goto out; + } + + r = context_range_set(bcon, range); + if (r) { + r = -errno; + goto out; + } + + freecon(mycon); + mycon = context_str(bcon); + if (!mycon) { + r = -errno; + goto out; + } + + sclass = string_to_security_class("process"); + r = security_compute_create(mycon, fcon, sclass, &ret); + if (r < 0) { + r = -EINVAL; + goto out; + } + + *label = ret; + r = 0; + +out: + if (r < 0 && security_getenforce() == 1) + return r; +#endif + return r; +} + int label_context_set(const char *path, mode_t mode) { int r = 0; diff --git a/src/shared/label.h b/src/shared/label.h index cb2ec79eea..ce1e5c3f57 100644 --- a/src/shared/label.h +++ b/src/shared/label.h @@ -40,6 +40,8 @@ void label_context_clear(void); void label_free(const char *label); int label_get_create_label_from_exe(const char *exe, char **label); +int label_get_our_label(char **label); +int label_get_child_mls_label(int socket_fd, const char *exec, char **label); int label_mkdir(const char *path, mode_t mode); |