From d682b3a7e7c7c2941a4d3e193f1e330dbc9fae89 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 10 Oct 2013 16:35:44 +0200 Subject: security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled. --- src/journal/journald-native.c | 11 +++++++---- src/journal/journald-server.c | 22 ++++++++++++---------- src/journal/journald-stream.c | 7 +++++-- src/journal/journald-syslog.c | 11 +++++++---- 4 files changed, 31 insertions(+), 20 deletions(-) (limited to 'src/journal') diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c index c50cf64f5c..2c91cba16d 100644 --- a/src/journal/journald-native.c +++ b/src/journal/journald-native.c @@ -25,6 +25,7 @@ #include "socket-util.h" #include "path-util.h" +#include "selinux-util.h" #include "journald-server.h" #include "journald-native.h" #include "journald-kmsg.h" @@ -404,10 +405,12 @@ int server_open_native_socket(Server*s) { } #ifdef HAVE_SELINUX - one = 1; - r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); - if (r < 0) - log_warning("SO_PASSSEC failed: %m"); + if (use_selinux()) { + one = 1; + r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); + if (r < 0) + log_warning("SO_PASSSEC failed: %m"); + } #endif one = 1; diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index e03e413aef..9732e1b25e 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -629,19 +629,21 @@ static void dispatch_message_real( } #ifdef HAVE_SELINUX - if (label) { - x = alloca(sizeof("_SELINUX_CONTEXT=") + label_len); + if (use_selinux()) { + if (label) { + x = alloca(sizeof("_SELINUX_CONTEXT=") + label_len); - *((char*) mempcpy(stpcpy(x, "_SELINUX_CONTEXT="), label, label_len)) = 0; - IOVEC_SET_STRING(iovec[n++], x); - } else { - security_context_t con; + *((char*) mempcpy(stpcpy(x, "_SELINUX_CONTEXT="), label, label_len)) = 0; + IOVEC_SET_STRING(iovec[n++], x); + } else { + security_context_t con; - if (getpidcon(ucred->pid, &con) >= 0) { - x = strappenda("_SELINUX_CONTEXT=", con); + if (getpidcon(ucred->pid, &con) >= 0) { + x = strappenda("_SELINUX_CONTEXT=", con); - freecon(con); - IOVEC_SET_STRING(iovec[n++], x); + freecon(con); + IOVEC_SET_STRING(iovec[n++], x); + } } } #endif diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c index 9c4efec9bc..543614aead 100644 --- a/src/journal/journald-stream.c +++ b/src/journal/journald-stream.c @@ -29,6 +29,7 @@ #endif #include "socket-util.h" +#include "selinux-util.h" #include "journald-server.h" #include "journald-stream.h" #include "journald-syslog.h" @@ -381,8 +382,10 @@ int stdout_stream_new(Server *s) { } #ifdef HAVE_SELINUX - if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT) - log_error("Failed to determine peer security context: %m"); + if (use_selinux()) { + if (getpeercon(fd, &stream->security_context) < 0 && errno != ENOPROTOOPT) + log_error("Failed to determine peer security context: %m"); + } #endif if (shutdown(fd, SHUT_WR) < 0) { diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c index c2770a53d0..dc66ba8c8f 100644 --- a/src/journal/journald-syslog.c +++ b/src/journal/journald-syslog.c @@ -25,6 +25,7 @@ #include "systemd/sd-messages.h" #include "socket-util.h" +#include "selinux-util.h" #include "journald-server.h" #include "journald-syslog.h" #include "journald-kmsg.h" @@ -453,10 +454,12 @@ int server_open_syslog_socket(Server *s) { } #ifdef HAVE_SELINUX - one = 1; - r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); - if (r < 0) - log_warning("SO_PASSSEC failed: %m"); + if (use_selinux()) { + one = 1; + r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); + if (r < 0) + log_warning("SO_PASSSEC failed: %m"); + } #endif one = 1; -- cgit v1.2.3-54-g00ecf