Age | Commit message (Collapse) | Author |
|
Normally we shouldn#t log from "library" functions, but SELinux is
weird, hence upgrade security messages uniformly to LOG_ERR when in
enforcing mode.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
APIs that query and return something cannot silently fail, they must
either return something useful, or an error. Fix that.
Also, properly rollback socket unit fd creation when something goes
wrong with the security framework.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
of the matching selinux code
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
previously mac_smack_apply(path, NULL) would operate on the symlink
itself while mac_smack_apply(path, "foo") would follow the symlink.
Let's clean this up an always operate on the symlink, which appears to
be the safer option.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
a) always return negative errno error codes
b) always become a noop if smack is off
c) always take a NULL label as a request to remove it
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
and all that reset it to defaults mac_{selinux|smack}_fix()
Let's clean up the naming schemes a bit and use the same one for SMACK
and for SELINUX.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
With the current hashmap implementation that uses chaining, placing a
reservation can serve two purposes:
- To optimize putting of entries if the number of entries to put is
known. The reservation allocates buckets, so later resizing can be
avoided.
- To avoid having very long bucket chains after using
hashmap_move(_one).
In an alternative hashmap implementation it will serve an additional
purpose:
- To guarantee a subsequent hashmap_move(_one) will not fail with
-ENOMEM (this never happens in the current implementation).
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Return 0 if no resize was needed, 1 if successfully resized and
negative on error.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
new mac_{smack,selinux,apparmor}_xyz() convention
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
move label apis to selinux-util.ch or smack-util.ch appropriately.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Repetetive messages can be annoying when running with
SYSTEMD_LOG_LEVEL=debug, but they are sometimes very useful
when debugging problems. Add log_trace which is like log_debug
but becomes a noop unless LOG_TRACE is defined during compilation.
This makes it easy to enable very verbose logging for a subset
of programs when compiling from source.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Evidently some people had trouble finding it in the documentation.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
The compaq ku 0133 keyboard has 8 special keys at the top:
http://lackof.org/taggart/hacking/keyboard/cpqwireless.jpg
3 of these use standard HID usage codes from the consumer page, the 5
others use part of the reserved 0x07 - 0x1f range.
This commit adds mapping for this keyboard for these reserved codes, making
the other 5 keys work.
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=76745
This also adds:
strv: use realloc_multiply() to check for multiplication overflow
by Michal Schmidt <mschmidt@redhat.com>
This could overflow on 32bit, where size_t is the same as unsigned.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
https://launchpad.net/bugs/1377352
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Just like everywhere else we use KEY_F21 instead of KEY_TOUCHPAD_TOGGLE for X
friendliness.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=84437
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
systemctl would print 'CPUQuotaPerSecUSec=(null)' for no limit. This
does not look right.
Since USEC_INFINITY is one of the valid values, format_timespan()
could return NULL, and we should wrap every use of it in strna() or
similar. But most callers didn't do that, and it seems more robust to
return a string ("infinity") that makes sense most of the time, even
if in some places the result will not be grammatically correct.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
We now verify the existence of uid's before applying them to devicenodes, so change the
test accordingly. We assume that both uid/gid 1 and 2 exist on the test system.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Spotted by Andreas Henriksson.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
No functional change.
Found by Coverity. Fixes CID #1237533.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
eudev has had this error handling for a while. upstream finally
added it with the following commit
543afdc63c02a5af3cf6bd2a264162f23474346a
by Tom Gundersen <teg@jklm.no>. Both methods are equivalent, but
we adopt upstreams for easier maintenance.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Fonud by Coverity. Fixes CID #996255.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
One reported by Coverity. Fixes CID #996252.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Found by Coverity. Fixes CID #1238780.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
If a device does not have a major/minor number attached, we use different
database names than if it does. On "change" events, we didn't copy the
devnum over, therefore, we used different paths than on 'add' or 'remove'
events (where devnum was properly copied).
Fix this by always copying the devnum into the udev-device.
(David: added commit-log from email)
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
The function still succeeds, so there is no functional change. This fixes CID #996288.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
This fixes CID #1237641.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
If the file is found to be empty, we exit early without closing the file first.
Found by coverity. Fixes CID #1237759.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|