} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "ClearJobs")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
manager_clear_jobs(m);
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "ResetFailed")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
+ SELINUX_ACCESS_CHECK(connection, message, "reload");
manager_reset_failed(m);
Unit *u;
const char *k;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
Iterator i;
Job *j;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
char *client;
Set *s;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
s = BUS_CONNECTION_SUBSCRIBED(m, connection);
if (!s) {
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Unsubscribe")) {
char *client;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
client = set_remove(BUS_CONNECTION_SUBSCRIBED(m, connection), (char*) bus_message_get_sender_with_fallback(message));
if (!client) {
char *dump = NULL;
size_t size;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
dbus_bool_t cleanup;
Snapshot *s;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "start");
+ SELINUX_ACCESS_CHECK(connection, message, "start");
if (!dbus_message_get_args(
message,
const char *k;
size_t size;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reload")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
+ SELINUX_ACCESS_CHECK(connection, message, "reload");
assert(!m->queued_message);
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reexecute")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reload");
+ SELINUX_ACCESS_CHECK(connection, message, "reload");
/* We don't send a reply back here, the client should
* just wait for us disconnecting. */
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Exit")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
+ SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as == SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Exit is only supported for user service managers.");
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Reboot")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Reboot is only supported for system managers.");
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "PowerOff")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
+ SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Powering off is only supported for system managers.");
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "Halt")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "halt");
+ SELINUX_ACCESS_CHECK(connection, message, "halt");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "Halting is only supported for system managers.");
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "KExec")) {
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (m->running_as != SYSTEMD_SYSTEM) {
dbus_set_error(&error, BUS_ERROR_NOT_SUPPORTED, "kexec is only supported for system managers.");
char *u, *v;
int k;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (!dbus_message_get_args(
message,
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "SetEnvironment")) {
char **l = NULL, **e = NULL;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
r = bus_parse_strv(message, &l);
if (r == -ENOMEM)
} else if (dbus_message_is_method_call(message, "org.freedesktop.systemd1.Manager", "UnsetEnvironment")) {
char **l = NULL, **e = NULL;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
r = bus_parse_strv(message, &l);
if (r == -ENOMEM)
char **l_set = NULL, **l_unset = NULL, **e = NULL, **f = NULL;
DBusMessageIter iter;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "reboot");
+ SELINUX_ACCESS_CHECK(connection, message, "reboot");
if (!dbus_message_iter_init(message, &iter))
goto oom;
Iterator i;
UnitFileList *item;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
reply = dbus_message_new_method_return(message);
if (!reply)
UnitFileState state;
const char *s;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
if (!dbus_message_get_args(
message,
dbus_bool_t runtime, force;
int carries_install_info = -1;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
+ SELINUX_ACCESS_CHECK(connection, message, streq(member, "MaskUnitFiles") ? "disable" : "enable");
if (!dbus_message_iter_init(message, &iter))
goto oom;
unsigned n_changes = 0;
dbus_bool_t runtime;
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
+ SELINUX_ACCESS_CHECK(connection, message, streq(member, "UnmaskUnitFiles") ? "enable" : "disable");
if (!dbus_message_iter_init(message, &iter))
goto oom;
{ NULL, }
};
- SELINUX_MANAGER_ACCESS_CHECK(m, connection, message, "status");
+ SELINUX_ACCESS_CHECK(connection, message, "status");
return bus_default_message_handler(connection, message, NULL, INTERFACES_LIST, bps);
}
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include "util.h"
-#include "job.h"
-#include "manager.h"
#include "selinux-access.h"
#ifdef HAVE_SELINUX
-#include "dbus.h"
-#include "log.h"
-#include "dbus-unit.h"
-#include "bus-errors.h"
-#include "dbus-common.h"
-#include "audit.h"
-#include "selinux-util.h"
-#include "audit-fd.h"
#include <stdio.h>
#include <string.h>
#include <errno.h>
+#include <limits.h>
#include <selinux/selinux.h>
#include <selinux/avc.h>
#ifdef HAVE_AUDIT
#include <libaudit.h>
#endif
-#include <limits.h>
+#include <dbus.h>
+
+#include "util.h"
+#include "log.h"
+#include "bus-errors.h"
+#include "dbus-common.h"
+#include "audit.h"
+#include "selinux-util.h"
+#include "audit-fd.h"
static bool initialized = false;
return r;
}
-static int selinux_init(DBusError *error) {
+static int selinux_access_init(DBusError *error) {
int r;
if (initialized)
return 0;
}
+void selinux_access_free(void) {
+ if (!initialized)
+ return;
+
+ avc_destroy();
+ initialized = false;
+}
+
static int get_audit_data(
DBusConnection *connection,
DBusMessage *message,
If the machine is in permissive mode it will return ok. Audit messages will
still be generated if the access would be denied in enforcing mode.
*/
-static int selinux_access_check(
+int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
const char *path,
assert(permission);
assert(error);
- r = selinux_init(error);
- if (r < 0)
- return r;
-
if (!use_selinux())
return 0;
+ r = selinux_access_init(error);
+ if (r < 0)
+ return r;
+
log_debug("SELinux access check for path=%s permission=%s", strna(path), permission);
audit.uid = audit.loginuid = (uid_t) -1;
return r;
}
-int selinux_unit_access_check(
- Unit *u,
- DBusConnection *connection,
- DBusMessage *message,
- const char *permission,
- DBusError *error) {
-
- assert(u);
- assert(connection);
- assert(message);
- assert(permission);
- assert(error);
-
- return selinux_access_check(connection, message, u->source_path ? u->source_path : u->fragment_path, permission, error);
-}
-
-int selinux_manager_access_check(
- Manager *m,
- DBusConnection *connection,
- DBusMessage *message,
- const char *permission,
- DBusError *error) {
-
- assert(m);
- assert(connection);
- assert(message);
- assert(permission);
- assert(error);
-
- return selinux_access_check(connection, message, NULL, permission, error);
-}
-
-void selinux_access_finish(void) {
- if (!initialized)
- return;
-
- avc_destroy();
- initialized = false;
-}
-
#else
-int selinux_unit_access_check(
- Unit *u,
- DBusConnection *connection,
- DBusMessage *message,
- const char *permission,
- DBusError *error) {
-
- return 0;
-}
-
-int selinux_manager_access_check(
- Manager *m,
+int selinux_access_check(
DBusConnection *connection,
DBusMessage *message,
+ const char *path,
const char *permission,
DBusError *error) {
return 0;
}
-void selinux_access_finish(void) {
+void selinux_access_free(void) {
}
#endif
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-void selinux_access_finish(void);
-int selinux_manager_access_check(Manager *manager, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
-int selinux_unit_access_check(Unit *unit, DBusConnection *connection, DBusMessage *message, const char *permission, DBusError *error);
+#include <dbus.h>
+
+void selinux_access_free(void);
+
+int selinux_access_check(DBusConnection *connection, DBusMessage *message, const char *path, const char *permission, DBusError *error);
#ifdef HAVE_SELINUX
-#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) \
+#define SELINUX_ACCESS_CHECK(connection, message, permission) \
do { \
DBusError _error; \
int _r; \
DBusConnection *_c = (connection); \
DBusMessage *_m = (message); \
dbus_error_init(&_error); \
- _r = selinux_manager_access_check((manager), _c, _m, (permission), &_error); \
+ _r = selinux_access_check(_c, _m, NULL, (permission), &_error); \
if (_r < 0) \
return bus_send_error_reply(_c, _m, &_error, _r); \
} while (false)
int _r; \
DBusConnection *_c = (connection); \
DBusMessage *_m = (message); \
+ Unit *_u = (unit); \
dbus_error_init(&_error); \
- _r = selinux_unit_access_check((unit), _c, _m, (permission), &_error); \
+ _r = selinux_access_check(_c, _m, _u->source_path ?: _u->fragment_path, (permission), &_error); \
if (_r < 0) \
return bus_send_error_reply(_c, _m, &_error, _r); \
} while (false)
#else
-#define SELINUX_MANAGER_ACCESS_CHECK(manager, connection, message, permission) do { } while (false)
+#define SELINUX_ACCESS_CHECK(connection, message, permission) do { } while (false)
#define SELINUX_UNIT_ACCESS_CHECK(unit, connection, message, permission) do { } while (false)
#endif