| -rw-r--r-- | src/shared/selinux-util.c | 113 | 
1 files changed, 42 insertions, 71 deletions
|
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 0e4b6c00e0..7887482bd3 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -164,34 +164,30 @@ void mac_selinux_finish(void) {
 }
 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
-
-        int r = 0;
+        int r = -EOPNOTSUPP;
 #ifdef HAVE_SELINUX
         _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
         security_class_t sclass;
-        if (!mac_selinux_use()) {
-                *label = NULL;
-                return 0;
-        }
+        assert(exe);
+        assert(label);
+
+        if (!mac_selinux_use())
+                return -EOPNOTSUPP;
         r = getcon(&mycon);
         if (r < 0)
-                goto fail;
+                return -errno;
         r = getfilecon(exe, &fcon);
         if (r < 0)
-                goto fail;
+                return -errno;
         sclass = string_to_security_class("process");
         r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
-        if (r == 0)
-                log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
-
-fail:
-        if (r < 0 && security_getenforce() == 1)
-                r = -errno;
+        if (r < 0)
+                return -errno;
 #endif
         return r;
@@ -200,14 +196,15 @@ fail:
 int mac_selinux_get_our_label(char **label) {
         int r = -EOPNOTSUPP;
+        assert(label);
+
 #ifdef HAVE_SELINUX
-        char *l = NULL;
+        if (!mac_selinux_use())
+                return -EOPNOTSUPP;
-        r = getcon(&l);
+        r = getcon(label);
         if (r < 0)
-                return r;
-
-        *label = l;
+                return -errno;
 #endif
         return r;
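Review bot: The new -EOPNOTSUPP contract is undocumented: when SELinux is unavailable or not in use, mac_selinux_get_create_label_from_exe() now returns -EOPNOTSUPP and leaves `*label` untouched, whereas the removed branch returned 0 with `*label = NULL`, so callers that treated 0/NULL as "no label" must now check for -EOPNOTSUPP explicitly. The same contract change applies to mac_selinux_get_our_label() in the next hunk and mac_selinux_get_child_mls_label() in the last one. A header comment such as `/* Returns -EOPNOTSUPP if SELinux is disabled or not in use, a negative errno on libselinux failure, 0 on success; on success *label is set and is to be released with freecon(). */` would capture it. Minor style point: the new `assert(exe); assert(label);` sit inside `#ifdef HAVE_SELINUX` here, while mac_selinux_get_our_label() places its `assert(label);` before the ifdef; hoisting them above the `#ifdef` keeps argument checking uniform across builds. The closing brace of this function lies outside the hunk.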
@@ -217,91 +214,65 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
         int r = -EOPNOTSUPP;
 #ifdef HAVE_SELINUX
-
-        _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+        _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
         _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
         security_class_t sclass;
-
         const char *range = NULL;
         assert(socket_fd >= 0);
         assert(exe);
         assert(label);
+        if (!mac_selinux_use())
+                return -EOPNOTSUPP;
+
         r = getcon(&mycon);
-        if (r < 0) {
-                r = -EINVAL;
-                goto out;
-        }
+        if (r < 0)
+                return -errno;
         r = getpeercon(socket_fd, &peercon);
-        if (r < 0) {
-                r = -EINVAL;
-                goto out;
-        }
+        if (r < 0)
+                return -errno;
         r = getexeccon(&fcon);
-        if (r < 0) {
-                r = -EINVAL;
-                goto out;
-        }
+        if (r < 0)
+                return -errno;
         if (!fcon) {
                 /* If there is no context set for next exec let's use context
                    of target executable */
                 r = getfilecon(exe, &fcon);
-                if (r < 0) {
-                        r = -errno;
-                        goto out;
-                }
+                if (r < 0)
+                        return -errno;
         }
         bcon = context_new(mycon);
-        if (!bcon) {
-                r = -ENOMEM;
-                goto out;
-        }
+        if (!bcon)
+                return -ENOMEM;
         pcon = context_new(peercon);
-        if (!pcon) {
-                r = -ENOMEM;
-                goto out;
-        }
+        if (!pcon)
+                return -ENOMEM;
         range = context_range_get(pcon);
-        if (!range) {
-                r = -errno;
-                goto out;
-        }
+        if (!range)
+                return -errno;
         r = context_range_set(bcon, range);
-        if (r) {
-                r = -errno;
-                goto out;
-        }
+        if (r)
+                return -errno;
         freecon(mycon);
         mycon = strdup(context_str(bcon));
-        if (!mycon) {
-                r = -errno;
-                goto out;
-        }
+        if (!mycon)
+                return -ENOMEM;
         sclass = string_to_security_class("process");
-        r = security_compute_create(mycon, fcon, sclass, &ret);
-        if (r < 0) {
-                r = -EINVAL;
-                goto out;
-        }
-
-        *label = ret;
-        ret = NULL;
-        r = 0;
-
-out:
-        if (r < 0 && security_getenforce() == 1)
-                return r;
+        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
+        if (r < 0)
+                return -errno;
 #endif
+
         return r;
 }
|
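Review bot: `if (!range) return -errno;` after `context_range_get(pcon)` depends on errno having been set, but as far as I can tell a NULL result is also what a peer context without an MLS range component yields, and that path does not necessarily touch errno; with errno 0 or stale the function returns 0 (or an unrelated code) without ever having written `*label`. Returning a fixed code on that branch, e.g. `if (!range) return -EINVAL;`, or guarding with `return errno > 0 ? -errno : -EINVAL;`, avoids reporting success for a label that was never computed. The same check-to-confirm applies to `if (r) return -errno;` after `context_range_set()`, whose non-zero return I would not assume always comes with a set errno. Since this helper derives the child's label from a peer-supplied context, a spurious 0 here is worth ruling out rather than relying on the caller to notice an unset label. The function's signature sits just above the hunk.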
