mac_selinux_generic_access_check((message), NULL, (permission), (error))
#define mac_selinux_unit_access_check(unit, message, permission, error) \
- ({ \
- const Unit *_unit = (unit); \
- mac_selinux_generic_access_check((message), _unit->source_path ?: _unit->fragment_path, (permission), (error)); \
- })
+ mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
#else
return exec_context_may_touch_console(ec);
}
+const char *unit_label_path(Unit *u) {
+ const char *p;
+
+ /* Returns the file system path to use for MAC access decisions, i.e. the file to read the SELinux label off
+ * when validating access checks. */
+
+ p = u->source_path ?: u->fragment_path;
+ if (!p)
+ return NULL;
+
+ /* If a unit is masked, then don't read the SELinux label of /dev/null, as that really makes no sense */
+ if (path_equal(p, "/dev/null"))
+ return NULL;
+
+ return p;
+}
+
static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
[COLLECT_INACTIVE] = "inactive",
[COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",
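Review bot: unit_label_path dereferences `u` on the `p = u->source_path ?: u->fragment_path;` line without the `assert(u);` guard that functions taking a `Unit *` conventionally open with; since the macro on the selinux side now passes `unit` straight through, a NULL unit would crash inside the access check rather than at the call site, so add `assert(u);` as the first statement. The contract comment also sits inside the body after the declaration; move it above the function and make the NULL case explicit, e.g. `/* Returns the path whose MAC label identifies this unit for access checks, or NULL when there is none (no fragment/source, or a masked unit), in which case the caller falls back to its own default target — confirm in mac_selinux_generic_access_check. */`. The `/dev/null` test relies on `path_equal`, which as far as I can tell compares paths lexically, so this only recognises a masked unit when fragment_path already holds the canonical `/dev/null`; if it can still be a symlink here, the label of an unrelated file would be used, which is worth confirming against how fragment_path is resolved at load time.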
bool unit_needs_console(Unit *u);
+const char *unit_label_path(Unit *u);
+
/* Macros which append UNIT= or USER_UNIT= to the message */
#define log_unit_full(unit, level, error, ...) \