summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/shared/selinux-util.c113
1 files changed, 42 insertions, 71 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 0e4b6c00e0..7887482bd3 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -164,34 +164,30 @@ void mac_selinux_finish(void) {
}
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
-
- int r = 0;
+ int r = -EOPNOTSUPP;
#ifdef HAVE_SELINUX
_cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
security_class_t sclass;
- if (!mac_selinux_use()) {
- *label = NULL;
- return 0;
- }
+ assert(exe);
+ assert(label);
+
+ if (!mac_selinux_use())
+ return -EOPNOTSUPP;
r = getcon(&mycon);
if (r < 0)
- goto fail;
+ return -errno;
r = getfilecon(exe, &fcon);
if (r < 0)
- goto fail;
+ return -errno;
sclass = string_to_security_class("process");
r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
- if (r == 0)
- log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
-
-fail:
- if (r < 0 && security_getenforce() == 1)
- r = -errno;
+ if (r < 0)
+ return -errno;
#endif
return r;
@@ -200,14 +196,15 @@ fail:
int mac_selinux_get_our_label(char **label) {
int r = -EOPNOTSUPP;
+ assert(label);
+
#ifdef HAVE_SELINUX
- char *l = NULL;
+ if (!mac_selinux_use())
+ return -EOPNOTSUPP;
- r = getcon(&l);
+ r = getcon(label);
if (r < 0)
- return r;
-
- *label = l;
+ return -errno;
#endif
return r;
@@ -217,91 +214,65 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
int r = -EOPNOTSUPP;
#ifdef HAVE_SELINUX
-
- _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+ _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
security_class_t sclass;
-
const char *range = NULL;
assert(socket_fd >= 0);
assert(exe);
assert(label);
+ if (!mac_selinux_use())
+ return -EOPNOTSUPP;
+
r = getcon(&mycon);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
+ if (r < 0)
+ return -errno;
r = getpeercon(socket_fd, &peercon);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
+ if (r < 0)
+ return -errno;
r = getexeccon(&fcon);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
+ if (r < 0)
+ return -errno;
if (!fcon) {
/* If there is no context set for next exec let's use context
of target executable */
r = getfilecon(exe, &fcon);
- if (r < 0) {
- r = -errno;
- goto out;
- }
+ if (r < 0)
+ return -errno;
}
bcon = context_new(mycon);
- if (!bcon) {
- r = -ENOMEM;
- goto out;
- }
+ if (!bcon)
+ return -ENOMEM;
pcon = context_new(peercon);
- if (!pcon) {
- r = -ENOMEM;
- goto out;
- }
+ if (!pcon)
+ return -ENOMEM;
range = context_range_get(pcon);
- if (!range) {
- r = -errno;
- goto out;
- }
+ if (!range)
+ return -errno;
r = context_range_set(bcon, range);
- if (r) {
- r = -errno;
- goto out;
- }
+ if (r)
+ return -errno;
freecon(mycon);
mycon = strdup(context_str(bcon));
- if (!mycon) {
- r = -errno;
- goto out;
- }
+ if (!mycon)
+ return -ENOMEM;
sclass = string_to_security_class("process");
- r = security_compute_create(mycon, fcon, sclass, &ret);
- if (r < 0) {
- r = -EINVAL;
- goto out;
- }
-
- *label = ret;
- ret = NULL;
- r = 0;
-
-out:
- if (r < 0 && security_getenforce() == 1)
- return r;
+ r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
+ if (r < 0)
+ return -errno;
#endif
+
return r;
}