summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--man/systemd.exec.xml3
-rw-r--r--src/basic/smack-util.c117
-rw-r--r--src/basic/smack-util.h24
-rw-r--r--src/basic/util.c70
-rw-r--r--src/basic/util.h3
-rw-r--r--src/bus-proxyd/driver.c11
-rw-r--r--src/core/execute.c10
-rw-r--r--src/core/socket.c6
-rw-r--r--src/udev/udev-node.c4
-rw-r--r--units/systemd-bus-proxyd.service.m4.in1
-rw-r--r--units/user/systemd-bus-proxyd.service.in1
11 files changed, 182 insertions, 68 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 45a4422dc3..8fd75d274e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -263,7 +263,8 @@
<listitem><para>Similar to <varname>Environment=</varname> but
reads the environment variables from a text file. The text
file should contain new-line-separated variable assignments.
- Empty lines and lines starting with ; or # will be ignored,
+ Empty lines, lines without an <literal>=</literal> separator,
+ or lines starting with ; or # will be ignored,
which may be used for commenting. A line ending with a
backslash will be concatenated with the following one,
allowing multiline variable definitions. The parser strips
diff --git a/src/basic/smack-util.c b/src/basic/smack-util.c
index 047aa294f4..6d5c205117 100644
--- a/src/basic/smack-util.c
+++ b/src/basic/smack-util.c
@@ -32,109 +32,93 @@
#define SMACK_FLOOR_LABEL "_"
#define SMACK_STAR_LABEL "*"
-bool mac_smack_use(void) {
#ifdef HAVE_SMACK
+bool mac_smack_use(void) {
static int cached_use = -1;
if (cached_use < 0)
cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
return cached_use;
-#else
- return false;
-#endif
}
-int mac_smack_apply(const char *path, const char *label) {
- int r = 0;
+static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
+ [SMACK_ATTR_ACCESS] = "security.SMACK64",
+ [SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
+ [SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
+ [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
+ [SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
+ [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
+int mac_smack_read(const char *path, SmackAttr attr, char **label) {
assert(path);
+ assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
+ assert(label);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- if (label)
- r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
- else
- r = lremovexattr(path, "security.SMACK64");
- if (r < 0)
- return -errno;
-#endif
-
- return r;
+ return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
}
-int mac_smack_apply_fd(int fd, const char *label) {
- int r = 0;
-
+int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
assert(fd >= 0);
+ assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
+ assert(label);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
- if (label)
- r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
- else
- r = fremovexattr(fd, "security.SMACK64");
- if (r < 0)
- return -errno;
-#endif
-
- return r;
+ return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
}
-int mac_smack_apply_ip_out_fd(int fd, const char *label) {
- int r = 0;
+int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
+ int r;
- assert(fd >= 0);
+ assert(path);
+ assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
- r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
+ r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
else
- r = fremovexattr(fd, "security.SMACK64IPOUT");
+ r = lremovexattr(path, smack_attr_to_string(attr));
if (r < 0)
return -errno;
-#endif
- return r;
+ return 0;
}
-int mac_smack_apply_ip_in_fd(int fd, const char *label) {
- int r = 0;
+int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
+ int r;
assert(fd >= 0);
+ assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
- r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
+ r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
else
- r = fremovexattr(fd, "security.SMACK64IPIN");
+ r = fremovexattr(fd, smack_attr_to_string(attr));
if (r < 0)
return -errno;
-#endif
- return r;
+ return 0;
}
int mac_smack_apply_pid(pid_t pid, const char *label) {
-
-#ifdef HAVE_SMACK
const char *p;
-#endif
int r = 0;
assert(label);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -142,21 +126,16 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
r = write_string_file(p, label, 0);
if (r < 0)
return r;
-#endif
return r;
}
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
-
-#ifdef HAVE_SMACK
struct stat st;
-#endif
int r = 0;
assert(path);
-#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@@ -202,7 +181,37 @@ int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
}
-#endif
return r;
}
+
+
+#else
+bool mac_smack_use(void) {
+ return false;
+}
+
+int mac_smack_read(const char *path, SmackAttr attr, char **label) {
+ return -EOPNOTSUPP;
+}
+
+int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
+ return -EOPNOTSUPP;
+}
+
+int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
+ return 0;
+}
+
+int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
+ return 0;
+}
+
+int mac_smack_apply_pid(pid_t pid, const char *label) {
+ return 0;
+}
+
+int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
+ return 0;
+}
+#endif
diff --git a/src/basic/smack-util.h b/src/basic/smack-util.h
index 50f55b1f4b..1052cecf4c 100644
--- a/src/basic/smack-util.h
+++ b/src/basic/smack-util.h
@@ -25,12 +25,28 @@
#include <stdbool.h>
+#include "macro.h"
+
+typedef enum SmackAttr {
+ SMACK_ATTR_ACCESS = 0,
+ SMACK_ATTR_EXEC = 1,
+ SMACK_ATTR_MMAP = 2,
+ SMACK_ATTR_TRANSMUTE = 3,
+ SMACK_ATTR_IPIN = 4,
+ SMACK_ATTR_IPOUT = 5,
+ _SMACK_ATTR_MAX,
+ _SMACK_ATTR_INVALID = -1,
+} SmackAttr;
+
bool mac_smack_use(void);
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
-int mac_smack_apply(const char *path, const char *label);
-int mac_smack_apply_fd(int fd, const char *label);
+const char* smack_attr_to_string(SmackAttr i) _const_;
+SmackAttr smack_attr_from_string(const char *s) _pure_;
+int mac_smack_read(const char *path, SmackAttr attr, char **label);
+int mac_smack_read_fd(int fd, SmackAttr attr, char **label);
+int mac_smack_apply(const char *path, SmackAttr attr, const char *label);
+int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label);
+
int mac_smack_apply_pid(pid_t pid, const char *label);
-int mac_smack_apply_ip_in_fd(int fd, const char *label);
-int mac_smack_apply_ip_out_fd(int fd, const char *label);
diff --git a/src/basic/util.c b/src/basic/util.c
index a968e2156d..af58dc3766 100644
--- a/src/basic/util.c
+++ b/src/basic/util.c
@@ -6603,3 +6603,73 @@ int reset_uid_gid(void) {
return 0;
}
+
+int getxattr_malloc(const char *path, const char *name, char **value, bool allow_symlink) {
+ char *v;
+ size_t l;
+ ssize_t n;
+
+ assert(path);
+ assert(name);
+ assert(value);
+
+ for (l = 100; ; l = (size_t) n + 1) {
+ v = new0(char, l);
+ if (!v)
+ return -ENOMEM;
+
+ if (allow_symlink)
+ n = lgetxattr(path, name, v, l);
+ else
+ n = getxattr(path, name, v, l);
+
+ if (n >= 0 && (size_t) n < l) {
+ *value = v;
+ return n;
+ }
+
+ free(v);
+
+ if (n < 0 && errno != ERANGE)
+ return -errno;
+
+ if (allow_symlink)
+ n = lgetxattr(path, name, NULL, 0);
+ else
+ n = getxattr(path, name, NULL, 0);
+ if (n < 0)
+ return -errno;
+ }
+}
+
+int fgetxattr_malloc(int fd, const char *name, char **value) {
+ char *v;
+ size_t l;
+ ssize_t n;
+
+ assert(fd >= 0);
+ assert(name);
+ assert(value);
+
+ for (l = 100; ; l = (size_t) n + 1) {
+ v = new0(char, l);
+ if (!v)
+ return -ENOMEM;
+
+ n = fgetxattr(fd, name, v, l);
+
+ if (n >= 0 && (size_t) n < l) {
+ *value = v;
+ return n;
+ }
+
+ free(v);
+
+ if (n < 0 && errno != ERANGE)
+ return -errno;
+
+ n = fgetxattr(fd, name, NULL, 0);
+ if (n < 0)
+ return -errno;
+ }
+}
diff --git a/src/basic/util.h b/src/basic/util.h
index 88c44273d4..0a0fba9012 100644
--- a/src/basic/util.h
+++ b/src/basic/util.h
@@ -919,3 +919,6 @@ int parse_mode(const char *s, mode_t *ret);
int mount_move_root(const char *path);
int reset_uid_gid(void);
+
+int getxattr_malloc(const char *path, const char *name, char **value, bool allow_symlink);
+int fgetxattr_malloc(int fd, const char *name, char **value);
diff --git a/src/bus-proxyd/driver.c b/src/bus-proxyd/driver.c
index 951f515808..fa4aee691a 100644
--- a/src/bus-proxyd/driver.c
+++ b/src/bus-proxyd/driver.c
@@ -35,6 +35,7 @@
#include "driver.h"
#include "proxy.h"
#include "synthesize.h"
+#include "env-util.h"
static int get_creds_by_name(sd_bus *bus, const char *name, uint64_t mask, sd_bus_creds **_creds, sd_bus_error *error) {
_cleanup_bus_creds_unref_ sd_bus_creds *c = NULL;
@@ -694,9 +695,13 @@ int bus_proxy_process_driver(Proxy *p, sd_bus *a, sd_bus *b, sd_bus_message *m,
if (!s)
return synthetic_reply_method_errno(m, -ENOMEM, NULL);
- r = strv_extend(&args, s);
- if (r < 0)
- return synthetic_reply_method_errno(m, r, NULL);
+ if (!env_assignment_is_valid(s)) {
+ log_warning("UpdateActivationEnvironment() called with invalid assignment, discarding: %s", s);
+ } else {
+ r = strv_extend(&args, s);
+ if (r < 0)
+ return synthetic_reply_method_errno(m, r, NULL);
+ }
r = sd_bus_message_exit_container(m);
if (r < 0)
diff --git a/src/core/execute.c b/src/core/execute.c
index 21721dc240..f14ae4d8a6 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1719,7 +1719,15 @@ static int exec_child(
}
#ifdef SMACK_DEFAULT_PROCESS_LABEL
else {
- r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+ _cleanup_free_ char *exec_label = NULL;
+
+ r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+ if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+ *exit_status = EXIT_SMACK_PROCESS_LABEL;
+ return r;
+ }
+
+ r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
if (r < 0) {
*exit_status = EXIT_SMACK_PROCESS_LABEL;
return r;
diff --git a/src/core/socket.c b/src/core/socket.c
index 87631f8753..a387057473 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -923,13 +923,13 @@ static void socket_apply_socket_options(Socket *s, int fd) {
log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
if (s->smack_ip_in) {
- r = mac_smack_apply_ip_in_fd(fd, s->smack_ip_in);
+ r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
}
if (s->smack_ip_out) {
- r = mac_smack_apply_ip_out_fd(fd, s->smack_ip_out);
+ r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
}
@@ -946,7 +946,7 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
log_unit_warning_errno(UNIT(s), errno, "F_SETPIPE_SZ: %m");
if (s->smack) {
- r = mac_smack_apply_fd(fd, s->smack);
+ r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "mac_smack_apply_fd: %m");
}
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index d824172b89..e730fb45f1 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -309,7 +309,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
} else if (streq(name, "smack")) {
smack = true;
- r = mac_smack_apply(devnode, label);
+ r = mac_smack_apply(devnode, SMACK_ATTR_ACCESS, label);
if (r < 0)
log_error_errno(r, "SECLABEL: failed to set SMACK label '%s': %m", label);
else
@@ -323,7 +323,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
if (!selinux)
mac_selinux_fix(devnode, true, false);
if (!smack)
- mac_smack_apply(devnode, NULL);
+ mac_smack_apply(devnode, SMACK_ATTR_ACCESS, NULL);
}
/* always update timestamp when we re-use the node, like on media change events */
diff --git a/units/systemd-bus-proxyd.service.m4.in b/units/systemd-bus-proxyd.service.m4.in
index ffaf0bdc87..64f5ac7d17 100644
--- a/units/systemd-bus-proxyd.service.m4.in
+++ b/units/systemd-bus-proxyd.service.m4.in
@@ -10,6 +10,7 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
[Service]
ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/0-system/bus
+ExecReload=@bindir@/busctl --address=unix:path=/run/dbus/system_bus_socket call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
NotifyAccess=main
CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP m4_ifdef(`HAVE_SMACK', CAP_MAC_ADMIN )
PrivateTmp=yes
diff --git a/units/user/systemd-bus-proxyd.service.in b/units/user/systemd-bus-proxyd.service.in
index e1e399dc32..6f79707b46 100644
--- a/units/user/systemd-bus-proxyd.service.in
+++ b/units/user/systemd-bus-proxyd.service.in
@@ -10,4 +10,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
[Service]
ExecStart=@rootlibexecdir@/systemd-bus-proxyd --address=kernel:path=/sys/fs/kdbus/%U-user/bus
+ExecReload=@bindir@/busctl --address=unix:path=/run/user/%U/bus call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
NotifyAccess=main