diff options
-rw-r--r-- | src/core/ima-setup.c | 110 | ||||
-rw-r--r-- | src/core/selinux-setup.c | 152 |
2 files changed, 131 insertions, 131 deletions
diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c index ed65096f04..7bffd8d9dd 100644 --- a/src/core/ima-setup.c +++ b/src/core/ima-setup.c @@ -44,63 +44,63 @@ int ima_setup(void) { #ifdef HAVE_IMA - struct stat st; - ssize_t policy_size = 0, written = 0; - char *policy; - _cleanup_close_ int policyfd = -1, imafd = -1; - int result = 0; - - if (stat(IMA_POLICY_PATH, &st) < 0) - return 0; - - policy_size = st.st_size; - if (stat(IMA_SECFS_DIR, &st) < 0) { - log_debug("IMA support is disabled in the kernel, ignoring."); - return 0; - } - - if (stat(IMA_SECFS_POLICY, &st) < 0) { - log_error("Another IMA custom policy has already been loaded, " - "ignoring."); - return 0; - } - - policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); - if (policyfd < 0) { - log_error("Failed to open the IMA custom policy file %s (%m), " - "ignoring.", IMA_POLICY_PATH); - return 0; - } - - imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); - if (imafd < 0) { - log_error("Failed to open the IMA kernel interface %s (%m), " - "ignoring.", IMA_SECFS_POLICY); - goto out; - } - - policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); - if (policy == MAP_FAILED) { - log_error("mmap() failed (%m), freezing"); - result = -errno; - goto out; - } - - written = loop_write(imafd, policy, (size_t)policy_size, false); - if (written != policy_size) { - log_error("Failed to load the IMA custom policy file %s (%m), " - "ignoring.", IMA_POLICY_PATH); - goto out_mmap; - } - - log_info("Successfully loaded the IMA custom policy %s.", - IMA_POLICY_PATH); + struct stat st; + ssize_t policy_size = 0, written = 0; + char *policy; + _cleanup_close_ int policyfd = -1, imafd = -1; + int result = 0; + + if (stat(IMA_POLICY_PATH, &st) < 0) + return 0; + + policy_size = st.st_size; + if (stat(IMA_SECFS_DIR, &st) < 0) { + log_debug("IMA support is disabled in the kernel, ignoring."); + return 0; + } + + if (stat(IMA_SECFS_POLICY, &st) < 0) { + log_error("Another IMA custom policy has already been loaded, " + "ignoring."); + return 0; + } + + policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); + if (policyfd < 0) { + log_error("Failed to open the IMA custom policy file %s (%m), " + "ignoring.", IMA_POLICY_PATH); + return 0; + } + + imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); + if (imafd < 0) { + log_error("Failed to open the IMA kernel interface %s (%m), " + "ignoring.", IMA_SECFS_POLICY); + goto out; + } + + policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); + if (policy == MAP_FAILED) { + log_error("mmap() failed (%m), freezing"); + result = -errno; + goto out; + } + + written = loop_write(imafd, policy, (size_t)policy_size, false); + if (written != policy_size) { + log_error("Failed to load the IMA custom policy file %s (%m), " + "ignoring.", IMA_POLICY_PATH); + goto out_mmap; + } + + log_info("Successfully loaded the IMA custom policy %s.", + IMA_POLICY_PATH); out_mmap: - munmap(policy, policy_size); + munmap(policy, policy_size); out: - if (result) - return result; + if (result) + return result; #endif /* HAVE_IMA */ - return 0; + return 0; } diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c index 9a5d6b2a9d..6d8bc89965 100644 --- a/src/core/selinux-setup.c +++ b/src/core/selinux-setup.c @@ -46,82 +46,82 @@ static int null_log(int type, const char *fmt, ...) { int selinux_setup(bool *loaded_policy) { #ifdef HAVE_SELINUX - int enforce = 0; - usec_t before_load, after_load; - security_context_t con; - int r; - union selinux_callback cb; - - assert(loaded_policy); - - /* Turn off all of SELinux' own logging, we want to do that */ - cb.func_log = null_log; - selinux_set_callback(SELINUX_CB_LOG, cb); - - /* Don't load policy in the initrd if we don't appear to have - * it. For the real root, we check below if we've already - * loaded policy, and return gracefully. - */ - if (in_initrd() && access(selinux_path(), F_OK) < 0) - return 0; - - /* Already initialized by somebody else? */ - r = getcon_raw(&con); - if (r == 0) { - bool initialized; - - initialized = !streq(con, "kernel"); - freecon(con); - - if (initialized) - return 0; - } - - /* Make sure we have no fds open while loading the policy and - * transitioning */ - log_close(); - - /* Now load the policy */ - before_load = now(CLOCK_MONOTONIC); - r = selinux_init_load_policy(&enforce); - if (r == 0) { - char timespan[FORMAT_TIMESPAN_MAX]; - char *label; - - retest_selinux(); - - /* Transition to the new context */ - r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); - if (r < 0 || label == NULL) { - log_open(); - log_error("Failed to compute init label, ignoring."); - } else { - r = setcon(label); - - log_open(); - if (r < 0) - log_error("Failed to transition into init label '%s', ignoring.", label); - - label_free(label); - } - - after_load = now(CLOCK_MONOTONIC); - - log_info("Successfully loaded SELinux policy in %s.", - format_timespan(timespan, sizeof(timespan), after_load - before_load, 0)); - - *loaded_policy = true; - - } else { - log_open(); - - if (enforce > 0) { - log_error("Failed to load SELinux policy. Freezing."); - return -EIO; - } else - log_debug("Unable to load SELinux policy. Ignoring."); - } + int enforce = 0; + usec_t before_load, after_load; + security_context_t con; + int r; + union selinux_callback cb; + + assert(loaded_policy); + + /* Turn off all of SELinux' own logging, we want to do that */ + cb.func_log = null_log; + selinux_set_callback(SELINUX_CB_LOG, cb); + + /* Don't load policy in the initrd if we don't appear to have + * it. For the real root, we check below if we've already + * loaded policy, and return gracefully. + */ + if (in_initrd() && access(selinux_path(), F_OK) < 0) + return 0; + + /* Already initialized by somebody else? */ + r = getcon_raw(&con); + if (r == 0) { + bool initialized; + + initialized = !streq(con, "kernel"); + freecon(con); + + if (initialized) + return 0; + } + + /* Make sure we have no fds open while loading the policy and + * transitioning */ + log_close(); + + /* Now load the policy */ + before_load = now(CLOCK_MONOTONIC); + r = selinux_init_load_policy(&enforce); + if (r == 0) { + char timespan[FORMAT_TIMESPAN_MAX]; + char *label; + + retest_selinux(); + + /* Transition to the new context */ + r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); + if (r < 0 || label == NULL) { + log_open(); + log_error("Failed to compute init label, ignoring."); + } else { + r = setcon(label); + + log_open(); + if (r < 0) + log_error("Failed to transition into init label '%s', ignoring.", label); + + label_free(label); + } + + after_load = now(CLOCK_MONOTONIC); + + log_info("Successfully loaded SELinux policy in %s.", + format_timespan(timespan, sizeof(timespan), after_load - before_load, 0)); + + *loaded_policy = true; + + } else { + log_open(); + + if (enforce > 0) { + log_error("Failed to load SELinux policy. Freezing."); + return -EIO; + } else + log_debug("Unable to load SELinux policy. Ignoring."); + } #endif - return 0; + return 0; } |