Compare commits
2 Commits
07336a0672
...
8956caf333
Author | SHA1 | Date |
---|---|---|
Yu Watanabe | 8956caf333 | |
Topi Miettinen | e6e81ec0a5 |
|
@ -10,11 +10,11 @@
|
||||||
#include "selinux-util.h"
|
#include "selinux-util.h"
|
||||||
#include "smack-util.h"
|
#include "smack-util.h"
|
||||||
|
|
||||||
int label_fix(const char *path, LabelFixFlags flags) {
|
int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
|
||||||
int r, q;
|
int r, q;
|
||||||
|
|
||||||
r = mac_selinux_fix(path, flags);
|
r = mac_selinux_fix_container(path, inside_path, flags);
|
||||||
q = mac_smack_fix(path, flags);
|
q = mac_smack_fix_container(path, inside_path, flags);
|
||||||
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
|
@ -9,7 +9,10 @@ typedef enum LabelFixFlags {
|
||||||
LABEL_IGNORE_EROFS = 1 << 1,
|
LABEL_IGNORE_EROFS = 1 << 1,
|
||||||
} LabelFixFlags;
|
} LabelFixFlags;
|
||||||
|
|
||||||
int label_fix(const char *path, LabelFixFlags flags);
|
int label_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
|
||||||
|
static inline int label_fix(const char *path, LabelFixFlags flags) {
|
||||||
|
return label_fix_container(path, path, flags);
|
||||||
|
}
|
||||||
|
|
||||||
int mkdir_label(const char *path, mode_t mode);
|
int mkdir_label(const char *path, mode_t mode);
|
||||||
int mkdirat_label(int dirfd, const char *path, mode_t mode);
|
int mkdirat_label(int dirfd, const char *path, mode_t mode);
|
||||||
|
|
|
@ -124,7 +124,7 @@ void mac_selinux_reload(void) {
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
|
||||||
|
|
||||||
#if HAVE_SELINUX
|
#if HAVE_SELINUX
|
||||||
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
|
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
|
||||||
|
@ -151,7 +151,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
||||||
if (fstat(fd, &st) < 0)
|
if (fstat(fd, &st) < 0)
|
||||||
return -errno;
|
return -errno;
|
||||||
|
|
||||||
if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
|
if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode) < 0) {
|
||||||
r = -errno;
|
r = -errno;
|
||||||
|
|
||||||
/* If there's no label to set, then exit without warning */
|
/* If there's no label to set, then exit without warning */
|
||||||
|
@ -185,7 +185,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
|
log_enforcing_errno(r, "Unable to fix SELinux security context of %s (%s): %m", path, inside_path);
|
||||||
if (security_getenforce() == 1)
|
if (security_getenforce() == 1)
|
||||||
return r;
|
return r;
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -22,7 +22,11 @@ int mac_selinux_init(void);
|
||||||
void mac_selinux_finish(void);
|
void mac_selinux_finish(void);
|
||||||
void mac_selinux_reload(void);
|
void mac_selinux_reload(void);
|
||||||
|
|
||||||
int mac_selinux_fix(const char *path, LabelFixFlags flags);
|
int mac_selinux_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
|
||||||
|
static inline int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
||||||
|
return mac_selinux_fix_container(path, path, flags);
|
||||||
|
}
|
||||||
|
|
||||||
int mac_selinux_apply(const char *path, const char *label);
|
int mac_selinux_apply(const char *path, const char *label);
|
||||||
|
|
||||||
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
|
int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
|
||||||
|
|
|
@ -206,7 +206,7 @@ int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags) {
|
||||||
return smack_fix_fd(fd, path, flags);
|
return smack_fix_fd(fd, path, flags);
|
||||||
}
|
}
|
||||||
|
|
||||||
int mac_smack_fix(const char *path, LabelFixFlags flags) {
|
int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
|
||||||
_cleanup_free_ char *abspath = NULL;
|
_cleanup_free_ char *abspath = NULL;
|
||||||
_cleanup_close_ int fd = -1;
|
_cleanup_close_ int fd = -1;
|
||||||
int r;
|
int r;
|
||||||
|
@ -228,7 +228,7 @@ int mac_smack_fix(const char *path, LabelFixFlags flags) {
|
||||||
return -errno;
|
return -errno;
|
||||||
}
|
}
|
||||||
|
|
||||||
return smack_fix_fd(fd, abspath, flags);
|
return smack_fix_fd(fd, inside_path, flags);
|
||||||
}
|
}
|
||||||
|
|
||||||
int mac_smack_copy(const char *dest, const char *src) {
|
int mac_smack_copy(const char *dest, const char *src) {
|
||||||
|
@ -274,7 +274,7 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int mac_smack_fix(const char *path, LabelFixFlags flags) {
|
int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -29,7 +29,11 @@ typedef enum SmackAttr {
|
||||||
|
|
||||||
bool mac_smack_use(void);
|
bool mac_smack_use(void);
|
||||||
|
|
||||||
int mac_smack_fix(const char *path, LabelFixFlags flags);
|
int mac_smack_fix_container(const char *path, const char *inside_path, LabelFixFlags flags);
|
||||||
|
static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {
|
||||||
|
return mac_smack_fix_container(path, path, flags);
|
||||||
|
}
|
||||||
|
|
||||||
int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags);
|
int mac_smack_fix_at(int dirfd, const char *path, LabelFixFlags flags);
|
||||||
|
|
||||||
const char* smack_attr_to_string(SmackAttr i) _const_;
|
const char* smack_attr_to_string(SmackAttr i) _const_;
|
||||||
|
|
|
@ -34,6 +34,7 @@
|
||||||
#include "tmpfile-util.h"
|
#include "tmpfile-util.h"
|
||||||
#include "umask-util.h"
|
#include "umask-util.h"
|
||||||
#include "user-util.h"
|
#include "user-util.h"
|
||||||
|
#include "virt.h"
|
||||||
|
|
||||||
#define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
|
#define DEV_MOUNT_OPTIONS (MS_NOSUID|MS_STRICTATIME|MS_NOEXEC)
|
||||||
|
|
||||||
|
@ -690,6 +691,22 @@ static int mount_private_dev(MountEntry *m) {
|
||||||
r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
|
r = log_debug_errno(errno, "Failed to mount tmpfs on '%s': %m", dev);
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
#if HAVE_SELINUX || ENABLE_SMACK
|
||||||
|
if (detect_container() <= 0) {
|
||||||
|
/* these could fail if inside container */
|
||||||
|
r = mac_selinux_init();
|
||||||
|
if (r < 0) {
|
||||||
|
log_debug("Failed to reinitialize SELinux policy");
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
r = label_fix_container(dev, "/dev", 0);
|
||||||
|
if (r < 0) {
|
||||||
|
log_debug_errno(errno, "Failed to fix label of '%s' as /dev: %m", dev);
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
mac_selinux_finish();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
devpts = strjoina(temporary_mount, "/dev/pts");
|
devpts = strjoina(temporary_mount, "/dev/pts");
|
||||||
(void) mkdir(devpts, 0755);
|
(void) mkdir(devpts, 0755);
|
||||||
|
|
|
@ -1652,7 +1652,7 @@ static int link_configure_addrgen_mode(Link *link) {
|
||||||
if (!link_ipv6ll_enabled(link))
|
if (!link_ipv6ll_enabled(link))
|
||||||
ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
|
ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
|
||||||
else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
|
else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
|
||||||
/* The file may not exist. And event if it exists, when stable_secret is unset,
|
/* The file may not exist. And even if it exists, when stable_secret is unset,
|
||||||
* reading the file fails with EIO. */
|
* reading the file fails with EIO. */
|
||||||
ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
|
ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in New Issue