Diffstat (limited to 'src/core')
-rw-r--r--src/core/dbus-manager.c83
-rw-r--r--src/core/org.freedesktop.systemd1.conf4
-rw-r--r--src/core/selinux-access.c29
-rw-r--r--src/core/selinux-access.h3
4 files changed, 89 insertions, 30 deletions
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 533ce439a7..57db1c9f6a 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1562,9 +1562,6 @@ static int method_enable_unit_files_generic(
sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
-#ifdef HAVE_SELINUX
- char **i;
-#endif
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
UnitFileScope scope;
@@ -1588,18 +1585,9 @@ static int method_enable_unit_files_generic(
if (r < 0)
return r;
-#ifdef HAVE_SELINUX
- STRV_FOREACH(i, l) {
- Unit *u;
-
- u = manager_get_unit(m, *i);
- if (u) {
- r = selinux_unit_access_check(u, message, verb, error);
- if (r < 0)
- return r;
- }
- }
-#endif
+ r = selinux_unit_access_check_strv(l, message, m, verb, error);
+ if (r < 0)
+ return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
@@ -1637,9 +1625,6 @@ static int method_mask_unit_files(sd_bus *bus, sd_bus_message *message, void *us
static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
-#ifdef HAVE_SELINUX
- char **i;
-#endif
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
Manager *m = userdata;
@@ -1674,18 +1659,9 @@ static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *messa
return -EINVAL;
}
-#ifdef HAVE_SELINUX
- STRV_FOREACH(i, l) {
- Unit *u;
-
- u = manager_get_unit(m, *i);
- if (u) {
- r = selinux_unit_access_check(u, message, "enable", error);
- if (r < 0)
- return r;
- }
- }
-#endif
+ r = selinux_unit_access_check_strv(l, message, m, "enable", error);
+ if (r < 0)
+ return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
@@ -1828,6 +1804,52 @@ static int method_preset_all_unit_files(sd_bus *bus, sd_bus_message *message, vo
return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes);
}
+static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
+ _cleanup_strv_free_ char **l = NULL;
+ Manager *m = userdata;
+ UnitFileChange *changes = NULL;
+ unsigned n_changes = 0;
+ UnitFileScope scope;
+ int runtime, force, r;
+ char *target;
+ char *type;
+ UnitDependency dep;
+
+ assert(bus);
+ assert(message);
+ assert(m);
+
+ r = bus_verify_manage_unit_files_async(m, message, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
+
+ r = sd_bus_message_read_strv(message, &l);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_read(message, "ssbb", &target, &type, &runtime, &force);
+ if (r < 0)
+ return r;
+
+ dep = unit_dependency_from_string(type);
+ if (dep < 0)
+ return -EINVAL;
+
+ r = selinux_unit_access_check_strv(l, message, m, "enable", error);
+ if (r < 0)
+ return r;
+
+ scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
+
+ r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);
+ if (r < 0)
+ return r;
+
+ return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes);
+}
+
const sd_bus_vtable bus_manager_vtable[] = {
SD_BUS_VTABLE_START(0),
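Review bot: The only validation of `type` in method_add_dependency_unit_files is that it names some UnitDependency; every other dependency kind the enum carries is then passed through to unit_file_add_dependency, which (judging from its argument list, its body is not on this page) creates unit-file links for the given target and presumably only has a meaning for Wants and Requires. Rejecting the rest at the D-Bus boundary, `if (dep != UNIT_WANTS && dep != UNIT_REQUIRES) return -EINVAL;`, keeps unexpected kinds from reaching the file-system code. The SELinux check covers the names in `l` but not `target`, even though target appears to be the unit whose dependency directory is modified; if that reading is right, the check should include it, e.g. by building the strv to check from `l` plus `target`. Separately, `sd_bus_message_read` hands out `const char *` for "s", so `char *target; char *type;` should be `const char *target, *type;` to match what the call actually writes.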
@@ -1918,6 +1940,7 @@ const sd_bus_vtable bus_manager_vtable[] = {
SD_BUS_METHOD("SetDefaultTarget", "sb", "a(sss)", method_set_default_target, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("GetDefaultTarget", NULL, "s", method_get_default_target, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_SIGNAL("UnitNew", "so", 0),
SD_BUS_SIGNAL("UnitRemoved", "so", 0),
diff --git a/src/core/org.freedesktop.systemd1.conf b/src/core/org.freedesktop.systemd1.conf
index 3e1382524a..6a7a37ee92 100644
--- a/src/core/org.freedesktop.systemd1.conf
+++ b/src/core/org.freedesktop.systemd1.conf
@@ -199,6 +199,10 @@
send_member="PresetAllUnitFiles"/>
<allow send_destination="org.freedesktop.systemd1"
+ send_interface="org.freedesktop.systemd1.Manager"
+ send_member="AddDependencyUnitFiles"/>
+
+ <allow send_destination="org.freedesktop.systemd1"
send_interface="org.freedesktop.systemd1.Job"
send_member="Cancel"/>
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index cdbfb83a1a..184f202c1e 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -250,6 +250,27 @@ finish:
return r;
}
+int selinux_unit_access_check_strv(char **units,
+ sd_bus_message *message,
+ Manager *m,
+ const char *permission,
+ sd_bus_error *error) {
+ char **i;
+ Unit *u;
+ int r;
+
+ STRV_FOREACH(i, units) {
+ u = manager_get_unit(m, *i);
+ if (u) {
+ r = selinux_unit_access_check(u, message, permission, error);
+ if (r < 0)
+ return r;
+ }
+ }
+
+ return 0;
+}
+
#else
int selinux_generic_access_check(
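Review bot: selinux_unit_access_check_strv silently skips any name for which manager_get_unit returns NULL, so a unit file that is not currently loaded gets no SELinux check at all; this matches the inlined code the commit replaces, but now that it is a shared helper the contract should be stated where callers will see it. A comment above the definition along the lines of `/* Checks 'permission' on every listed unit that is currently loaded; names the manager does not know are skipped, not rejected. Returns 0 on success or the first negative error. */` would do. It would also be consistent with the rest of the file to `assert(m)` and `assert(message)` before the loop, and to declare `u` and `r` inside the loop body where they are used.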
@@ -264,4 +285,12 @@ int selinux_generic_access_check(
void selinux_access_free(void) {
}
+int selinux_unit_access_check_strv(char **units,
+ sd_bus_message *message,
+ Manager *m,
+ const char *permission,
+ sd_bus_error *error) {
+ return 0;
+}
+
#endif
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index 27d9e14591..6a4362a73c 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -24,11 +24,14 @@
#include "sd-bus.h"
#include "bus-error.h"
#include "bus-util.h"
+#include "manager.h"
void selinux_access_free(void);
int selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
+int selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
+
#ifdef HAVE_SELINUX
#define selinux_access_check(message, permission, error) \