From 81e9871e8719b498eaa005e090bb7806c2679f39 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 31 Jan 2018 19:53:43 +0100
Subject: [PATCH] selinux: make sure we never use /dev/null for making unit selinux access decisions
---
 src/core/selinux-access.h | 5 +----
 src/core/unit.c | 17 +++++++++++++++++
 src/core/unit.h | 2 ++
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index c5f5fb9..dd48d06 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -33,10 +33,7 @@ int mac_selinux_generic_access_check(sd_bus_message *message, const char *path,
 mac_selinux_generic_access_check((message), NULL, (permission), (error))
 #define mac_selinux_unit_access_check(unit, message, permission, error) \
- ({ \
- const Unit *_unit = (unit); \
- mac_selinux_generic_access_check((message), _unit->source_path ?: _unit->fragment_path, (permission), (error)); \
- })
+ mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
 #else
diff --git a/src/core/unit.c b/src/core/unit.c
index 932f05b..54e298c 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -5375,6 +5375,23 @@ bool unit_needs_console(Unit *u) {
 return exec_context_may_touch_console(ec);
 }
+const char *unit_label_path(Unit *u) {
+ const char *p;
+
+ /* Returns the file system path to use for MAC access decisions, i.e. the file to read the SELinux label off
+ * when validating access checks. */
+
+ p = u->source_path ?: u->fragment_path;
+ if (!p)
+ return NULL;
+
+ /* If a unit is masked, then don't read the SELinux label of /dev/null, as that really makes no sense */
+ if (path_equal(p, "/dev/null"))
+ return NULL;
+
+ return p;
+}
+
 static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
 [COLLECT_INACTIVE] = "inactive",
 [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",
diff --git a/src/core/unit.h b/src/core/unit.h
index 8c79d4e..3210583 100644
--- a/src/core/unit.h
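Review bot: The rewritten `mac_selinux_unit_access_check` no longer binds its argument to a `const Unit *` temporary but passes it to `unit_label_path(Unit *u)`, so a caller holding a `const Unit *` would now discard the qualifier. The helper only reads `source_path` and `fragment_path`, so declaring it `const char *unit_label_path(const Unit *u);` in unit.h and unit.c keeps what the old macro accepted. `unit` is also the only macro argument forwarded without parentheses; `unit_label_path((unit))` would match the other three.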
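Review bot: `unit_label_path()` returns NULL both when the unit has no path and when the path is /dev/null, but its comment does not tell callers what a NULL result means for the access decision. The `mac_selinux_generic_access_check((message), NULL, ...)` context line in selinux-access.h shows NULL is an accepted path, so presumably the check then runs without a per-file label. Because this determines how operations on masked units are authorised, the header comment should state it, for example `/* Returns NULL if there is no unit file to read a label from (no path, or masked via /dev/null); the caller then has to decide without a file label. */`. `u` is dereferenced unchecked, and a leading `assert(u);` would make that precondition explicit.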
+++ b/src/core/unit.h
@@ -801,6 +801,8 @@ void unit_warn_leftover_processes(Unit *u);
 bool unit_needs_console(Unit *u);
+const char *unit_label_path(Unit *u);
+
 /* Macros which append UNIT= or USER_UNIT= to the message */
 #define log_unit_full(unit, level, error, ...) \
-- 
2.7.4