diff options
Diffstat (limited to 'src/core')
| -rw-r--r-- | src/core/execute.c | 15 | ||||
| -rw-r--r-- | src/core/ima-setup.c | 39 | ||||
| -rw-r--r-- | src/core/loopback-setup.c | 20 | ||||
| -rw-r--r-- | src/core/selinux-access.c | 28 | ||||
| -rw-r--r-- | src/core/umount.c | 2 |
5 files changed, 55 insertions, 49 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index f13c6936e0..a6ff5ac56e 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -771,7 +771,7 @@ static int setup_pam( }; pam_handle_t *handle = NULL; - sigset_t ss, old_ss; + sigset_t old_ss; int pam_code = PAM_SUCCESS; int err; char **e = NULL; @@ -824,10 +824,7 @@ static int setup_pam( /* Block SIGTERM, so that we know that it won't get lost in * the child */ - if (sigemptyset(&ss) < 0 || - sigaddset(&ss, SIGTERM) < 0 || - sigprocmask(SIG_BLOCK, &ss, &old_ss) < 0) - goto fail; + assert_se(sigprocmask_many(SIG_BLOCK, &old_ss, SIGTERM, -1) >= 0); parent_pid = getpid(); @@ -871,6 +868,11 @@ static int setup_pam( /* Check if our parent process might already have * died? */ if (getppid() == parent_pid) { + sigset_t ss; + + assert_se(sigemptyset(&ss) >= 0); + assert_se(sigaddset(&ss, SIGTERM) >= 0); + for (;;) { if (sigwait(&ss, &sig) < 0) { if (errno == EINTR) @@ -903,8 +905,7 @@ static int setup_pam( handle = NULL; /* Unblock SIGTERM again in the parent */ - if (sigprocmask(SIG_SETMASK, &old_ss, NULL) < 0) - goto fail; + assert_se(sigprocmask(SIG_SETMASK, &old_ss, NULL) >= 0); /* We close the log explicitly here, since the PAM modules * might have opened it, but we don't want this fd around. */ diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c index 4d8b638115..42a3e97459 100644 --- a/src/core/ima-setup.c +++ b/src/core/ima-setup.c @@ -23,9 +23,6 @@ #include <unistd.h> #include <errno.h> -#include <fcntl.h> -#include <sys/stat.h> -#include <sys/mman.h> #include "ima-setup.h" #include "util.h" @@ -36,20 +33,19 @@ #define IMA_POLICY_PATH "/etc/ima/ima-policy" int ima_setup(void) { - int r = 0; - #ifdef HAVE_IMA - _cleanup_close_ int policyfd = -1, imafd = -1; - struct stat st; - char *policy; + _cleanup_fclose_ FILE *input = NULL; + _cleanup_close_ int imafd = -1; + unsigned lineno = 0; + char line[page_size()]; if (access(IMA_SECFS_DIR, F_OK) < 0) { log_debug("IMA support is disabled in the kernel, ignoring."); return 0; } - policyfd = open(IMA_POLICY_PATH, O_RDONLY|O_CLOEXEC); - if (policyfd < 0) { + input = fopen(IMA_POLICY_PATH, "re"); + if (!input) { log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, errno, "Failed to open the IMA custom policy file "IMA_POLICY_PATH", ignoring: %m"); return 0; @@ -66,20 +62,19 @@ int ima_setup(void) { return 0; } - if (fstat(policyfd, &st) < 0) - return log_error_errno(errno, "Failed to fstat "IMA_POLICY_PATH": %m"); + FOREACH_LINE(line, input, + return log_error_errno(errno, "Failed to read the IMA custom policy file "IMA_POLICY_PATH": %m")) { + size_t len; - policy = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, policyfd, 0); - if (policy == MAP_FAILED) - return log_error_errno(errno, "Failed to mmap "IMA_POLICY_PATH": %m"); + len = strlen(line); + lineno++; - r = loop_write(imafd, policy, (size_t) st.st_size, false); - if (r < 0) - log_error_errno(r, "Failed to load the IMA custom policy file "IMA_POLICY_PATH": %m"); - else - log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH"."); + if (len > 0 && write(imafd, line, len) < 0) + return log_error_errno(errno, "Failed to load the IMA custom policy file "IMA_POLICY_PATH"%u: %m", + lineno); + } - munmap(policy, st.st_size); + log_info("Successfully loaded the IMA custom policy "IMA_POLICY_PATH"."); #endif /* HAVE_IMA */ - return r; + return 0; } diff --git a/src/core/loopback-setup.c b/src/core/loopback-setup.c index 938f3ab068..4503fc9dcc 100644 --- a/src/core/loopback-setup.c +++ b/src/core/loopback-setup.c @@ -22,13 +22,13 @@ #include <net/if.h> #include <stdlib.h> -#include "sd-rtnl.h" -#include "rtnl-util.h" +#include "sd-netlink.h" +#include "netlink-util.h" #include "missing.h" #include "loopback-setup.h" -static int start_loopback(sd_rtnl *rtnl) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *req = NULL; +static int start_loopback(sd_netlink *rtnl) { + _cleanup_netlink_message_unref_ sd_netlink_message *req = NULL; int r; r = sd_rtnl_message_new_link(rtnl, &req, RTM_SETLINK, LOOPBACK_IFINDEX); @@ -39,15 +39,15 @@ static int start_loopback(sd_rtnl *rtnl) { if (r < 0) return r; - r = sd_rtnl_call(rtnl, req, 0, NULL); + r = sd_netlink_call(rtnl, req, 0, NULL); if (r < 0) return r; return 0; } -static bool check_loopback(sd_rtnl *rtnl) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *req = NULL, *reply = NULL; +static bool check_loopback(sd_netlink *rtnl) { + _cleanup_netlink_message_unref_ sd_netlink_message *req = NULL, *reply = NULL; unsigned flags; int r; @@ -55,7 +55,7 @@ static bool check_loopback(sd_rtnl *rtnl) { if (r < 0) return false; - r = sd_rtnl_call(rtnl, req, 0, &reply); + r = sd_netlink_call(rtnl, req, 0, &reply); if (r < 0) return false; @@ -67,10 +67,10 @@ static bool check_loopback(sd_rtnl *rtnl) { } int loopback_setup(void) { - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; int r; - r = sd_rtnl_open(&rtnl); + r = sd_netlink_open(&rtnl); if (r < 0) return r; diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index decd42f95a..e9a9a020de 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -82,11 +82,19 @@ static int audit_callback( static int callback_type_to_priority(int type) { switch(type) { - case SELINUX_ERROR: return LOG_ERR; - case SELINUX_WARNING: return LOG_WARNING; - case SELINUX_INFO: return LOG_INFO; + + case SELINUX_ERROR: + return LOG_ERR; + + case SELINUX_WARNING: + return LOG_WARNING; + + case SELINUX_INFO: + return LOG_INFO; + case SELINUX_AVC: - default: return LOG_NOTICE; + default: + return LOG_NOTICE; } } @@ -281,11 +289,13 @@ finish: #endif } -int mac_selinux_unit_access_check_strv(char **units, - sd_bus_message *message, - Manager *m, - const char *permission, - sd_bus_error *error) { +int mac_selinux_unit_access_check_strv( + char **units, + sd_bus_message *message, + Manager *m, + const char *permission, + sd_bus_error *error) { + #ifdef HAVE_SELINUX char **i; Unit *u; diff --git a/src/core/umount.c b/src/core/umount.c index bee267a5ad..d59b5d0ffb 100644 --- a/src/core/umount.c +++ b/src/core/umount.c @@ -385,7 +385,7 @@ static int mount_points_list_umount(MountPoint **head, bool *changed, bool log_e * alias read-only we hence should be * relatively safe regarding keeping the fs we * can otherwise not see dirty. */ - mount(NULL, m->path, NULL, MS_REMOUNT|MS_RDONLY, NULL); + (void) mount(NULL, m->path, NULL, MS_REMOUNT|MS_RDONLY, NULL); } /* Skip / and /usr since we cannot unmount that |