From 8faae625dc9b6322db452937f54176e56e65265a Mon Sep 17 00:00:00 2001 From: David Herrmann Date: Thu, 27 Aug 2015 16:23:47 +0200 Subject: selinux: drop mac_selinux_unit_access_check_strv() It is not acceptable to load unit files during enable/disable operations just to figure out the selinux labels. systemd implements lazy loading for units, so the selinux hooks need to follow it. This drops the mac_selinux_unit_access_check_strv() helper which implements a non-acceptable policy check. If anyone cares for that functionality, you really should pass a callback+userdata to the helpers in src/shared/install.c which does policy checks on each touched file. See #1050 on github for more. --- src/core/dbus-manager.c | 16 ---------------- src/core/selinux-access.c | 27 --------------------------- src/core/selinux-access.h | 2 -- 3 files changed, 45 deletions(-) (limited to 'src') diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index 5722e3c2bb..0b365391ec 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -1650,10 +1650,6 @@ static int method_enable_unit_files_generic( if (r < 0) return r; - r = mac_selinux_unit_access_check_strv(l, message, m, verb, error); - if (r < 0) - return r; - r = bus_verify_manage_unit_files_async(m, message, error); if (r < 0) return r; @@ -1723,10 +1719,6 @@ static int method_preset_unit_files_with_mode(sd_bus_message *message, void *use return -EINVAL; } - r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); - if (r < 0) - return r; - r = bus_verify_manage_unit_files_async(m, message, error); if (r < 0) return r; @@ -1766,10 +1758,6 @@ static int method_disable_unit_files_generic( if (r < 0) return r; - r = mac_selinux_unit_access_check_strv(l, message, m, verb, error); - if (r < 0) - return r; - scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; r = bus_verify_manage_unit_files_async(m, message, error); @@ -1902,10 +1890,6 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd if (dep < 0) return -EINVAL; - r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); - if (r < 0) - return r; - scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes); diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index 2ecfa40974..f920c2e2cd 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -289,30 +289,3 @@ finish: return 0; #endif } - -int mac_selinux_unit_access_check_strv( - char **units, - sd_bus_message *message, - Manager *m, - const char *permission, - sd_bus_error *error) { - -#ifdef HAVE_SELINUX - char **i; - Unit *u; - int r; - - STRV_FOREACH(i, units) { - if (is_path(*i)) - r = manager_load_unit(m, NULL, *i, error, &u); - else - r = manager_load_unit(m, *i, NULL, error, &u); - if (r < 0) - return r; - r = mac_selinux_unit_access_check(u, message, permission, error); - if (r < 0) - return r; - } -#endif - return 0; -} diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h index b5758e2e42..e6b4dd7fee 100644 --- a/src/core/selinux-access.h +++ b/src/core/selinux-access.h @@ -29,8 +29,6 @@ void mac_selinux_access_free(void); int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error); -int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error); - #ifdef HAVE_SELINUX #define mac_selinux_access_check(message, permission, error) \ -- cgit v1.2.3-54-g00ecf