| -rw-r--r-- | src/core/ima-setup.c | 110 | ||||
| -rw-r--r-- | src/core/selinux-setup.c | 152 | 
2 files changed, 131 insertions, 131 deletions
| diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index ed65096f04..7bffd8d9dd 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -44,63 +44,63 @@  int ima_setup(void) {  #ifdef HAVE_IMA -       struct stat st; -       ssize_t policy_size = 0, written = 0; -       char *policy; -       _cleanup_close_ int policyfd = -1, imafd = -1; -       int result = 0; - -       if (stat(IMA_POLICY_PATH, &st) < 0) -               return 0; - -       policy_size = st.st_size; -       if (stat(IMA_SECFS_DIR, &st) < 0) { -               log_debug("IMA support is disabled in the kernel, ignoring."); -               return 0; -       } - -       if (stat(IMA_SECFS_POLICY, &st) < 0) { -               log_error("Another IMA custom policy has already been loaded, " -                         "ignoring."); -               return 0; -       } - -       policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); -       if (policyfd < 0) { -               log_error("Failed to open the IMA custom policy file %s (%m), " -                         "ignoring.", IMA_POLICY_PATH); -               return 0; -       } - -       imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); -       if (imafd < 0) { -               log_error("Failed to open the IMA kernel interface %s (%m), " -                         "ignoring.", IMA_SECFS_POLICY); -               goto out; -       } - -       policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); -       if (policy == MAP_FAILED) { -               log_error("mmap() failed (%m), freezing"); -               result = -errno; -               goto out; -       } - -       written = loop_write(imafd, policy, (size_t)policy_size, false); -       if (written != policy_size) { -               log_error("Failed to load the IMA custom policy file %s (%m), " -                         "ignoring.", IMA_POLICY_PATH); -               goto out_mmap; -       } - -       log_info("Successfully loaded the IMA custom policy %s.", -                IMA_POLICY_PATH); +        struct stat st; +        ssize_t policy_size = 0, written = 0; +        char *policy; +        _cleanup_close_ int policyfd 
= -1, imafd = -1; +        int result = 0; + +        if (stat(IMA_POLICY_PATH, &st) < 0) +                return 0; + +        policy_size = st.st_size; +        if (stat(IMA_SECFS_DIR, &st) < 0) { +                log_debug("IMA support is disabled in the kernel, ignoring."); +                return 0; +        } + +        if (stat(IMA_SECFS_POLICY, &st) < 0) { +                log_error("Another IMA custom policy has already been loaded, " +                          "ignoring."); +                return 0; +        } + +        policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); +        if (policyfd < 0) { +                log_error("Failed to open the IMA custom policy file %s (%m), " +                          "ignoring.", IMA_POLICY_PATH); +                return 0; +        } + +        imafd = open(IMA_SECFS_POLICY, O_WRONLY|O_CLOEXEC); +        if (imafd < 0) { +                log_error("Failed to open the IMA kernel interface %s (%m), " +                          "ignoring.", IMA_SECFS_POLICY); +                goto out; +        } + +        policy = mmap(NULL, policy_size, PROT_READ, MAP_PRIVATE, policyfd, 0); +        if (policy == MAP_FAILED) { +                log_error("mmap() failed (%m), freezing"); +                result = -errno; +                goto out; +        } + +        written = loop_write(imafd, policy, (size_t)policy_size, false); +        if (written != policy_size) { +                log_error("Failed to load the IMA custom policy file %s (%m), " +                          "ignoring.", IMA_POLICY_PATH); +                goto out_mmap; +        } + +        log_info("Successfully loaded the IMA custom policy %s.", +                 IMA_POLICY_PATH);  out_mmap: -       munmap(policy, policy_size); +        munmap(policy, policy_size);  out: -       if (result) -                return result; +        if (result) +                 return result;  #endif /* HAVE_IMA */ -       return 0; +        return 0;  } 
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 9a5d6b2a9d..6d8bc89965 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -46,82 +46,82 @@ static int null_log(int type, const char *fmt, ...) {  int selinux_setup(bool *loaded_policy) {  #ifdef HAVE_SELINUX -       int enforce = 0; -       usec_t before_load, after_load; -       security_context_t con; -       int r; -       union selinux_callback cb; - -       assert(loaded_policy); - -       /* Turn off all of SELinux' own logging, we want to do that */ -       cb.func_log = null_log; -       selinux_set_callback(SELINUX_CB_LOG, cb); - -       /* Don't load policy in the initrd if we don't appear to have -        * it.  For the real root, we check below if we've already -        * loaded policy, and return gracefully. -        */ -       if (in_initrd() && access(selinux_path(), F_OK) < 0) -               return 0; - -       /* Already initialized by somebody else? */ -       r = getcon_raw(&con); -       if (r == 0) { -               bool initialized; - -               initialized = !streq(con, "kernel"); -               freecon(con); - -               if (initialized) -                       return 0; -       } - -       /* Make sure we have no fds open while loading the policy and -        * transitioning */ -       log_close(); - -       /* Now load the policy */ -       before_load = now(CLOCK_MONOTONIC); -       r = selinux_init_load_policy(&enforce); -       if (r == 0) { -               char timespan[FORMAT_TIMESPAN_MAX]; -               char *label; - -               retest_selinux(); - -               /* Transition to the new context */ -               r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); -               if (r < 0 || label == NULL) { -                       log_open(); -                       log_error("Failed to compute init label, ignoring."); -               } else { -                       r = setcon(label); - -                       log_open(); -                       if (r < 0) -                               log_error("Failed to transition into init label '%s', ignoring.", label); - -   
                    label_free(label); -               } - -               after_load = now(CLOCK_MONOTONIC); - -               log_info("Successfully loaded SELinux policy in %s.", -                        format_timespan(timespan, sizeof(timespan), after_load - before_load, 0)); - -               *loaded_policy = true; - -       } else { -               log_open(); - -               if (enforce > 0) { -                       log_error("Failed to load SELinux policy. Freezing."); -                       return -EIO; -               } else -                       log_debug("Unable to load SELinux policy. Ignoring."); -       } +        int enforce = 0; +        usec_t before_load, after_load; +        security_context_t con; +        int r; +        union selinux_callback cb; + +        assert(loaded_policy); + +        /* Turn off all of SELinux' own logging, we want to do that */ +        cb.func_log = null_log; +        selinux_set_callback(SELINUX_CB_LOG, cb); + +        /* Don't load policy in the initrd if we don't appear to have +         * it.  For the real root, we check below if we've already +         * loaded policy, and return gracefully. +         */ +        if (in_initrd() && access(selinux_path(), F_OK) < 0) +                return 0; + +        /* Already initialized by somebody else? 
*/ +        r = getcon_raw(&con); +        if (r == 0) { +                bool initialized; + +                initialized = !streq(con, "kernel"); +                freecon(con); + +                if (initialized) +                        return 0; +        } + +        /* Make sure we have no fds open while loading the policy and +         * transitioning */ +        log_close(); + +        /* Now load the policy */ +        before_load = now(CLOCK_MONOTONIC); +        r = selinux_init_load_policy(&enforce); +        if (r == 0) { +                char timespan[FORMAT_TIMESPAN_MAX]; +                char *label; + +                retest_selinux(); + +                /* Transition to the new context */ +                r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label); +                if (r < 0 || label == NULL) { +                        log_open(); +                        log_error("Failed to compute init label, ignoring."); +                } else { +                        r = setcon(label); + +                        log_open(); +                        if (r < 0) +                                log_error("Failed to transition into init label '%s', ignoring.", label); + +                        label_free(label); +                } + +                after_load = now(CLOCK_MONOTONIC); + +                log_info("Successfully loaded SELinux policy in %s.", +                         format_timespan(timespan, sizeof(timespan), after_load - before_load, 0)); + +                *loaded_policy = true; + +        } else { +                log_open(); + +                if (enforce > 0) { +                        log_error("Failed to load SELinux policy. Freezing."); +                        return -EIO; +                } else +                        log_debug("Unable to load SELinux policy. Ignoring."); +        }  #endif -       return 0; +        return 0;  } | 
