Compare commits
7 Commits
0ae5ffe063
...
72545ae057
Author | SHA1 | Date |
---|---|---|
Anita Zhang | 72545ae057 | |
Mario Limonciello | 6e55b9b758 | |
Yu Watanabe | 1e5e89d76d | |
Zbigniew Jędrzejewski-Szmek | cff789b746 | |
Zbigniew Jędrzejewski-Szmek | d7887449e7 | |
Zbigniew Jędrzejewski-Szmek | 22cd7aabec | |
Zbigniew Jędrzejewski-Szmek | 949fb07e6e |
|
@ -28,10 +28,7 @@
|
|||
#include "time-util.h"
|
||||
|
||||
#if HAVE_SELINUX
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
||||
|
||||
#define _cleanup_freecon_ _cleanup_(freeconp)
|
||||
#define _cleanup_context_free_ _cleanup_(context_freep)
|
||||
|
||||
static int cached_use = -1;
|
||||
|
|
|
@ -8,6 +8,13 @@
|
|||
#include "macro.h"
|
||||
#include "label.h"
|
||||
|
||||
#if HAVE_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
||||
#define _cleanup_freecon_ _cleanup_(freeconp)
|
||||
#endif
|
||||
|
||||
bool mac_selinux_use(void);
|
||||
void mac_selinux_retest(void);
|
||||
|
||||
|
|
|
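Review bot: The header now includes `<selinux/selinux.h>` and defines the `_cleanup_freecon_` attribute for every translation unit that includes selinux-util.h when HAVE_SELINUX is set, even ones that only need `mac_selinux_use()`; the cleanup helper was previously private to the .c file, so this widens a compile-time dependency on libselinux headers. If that is intended because another file in this series uses the attribute, a one-line comment above the `#if HAVE_SELINUX` block saying so, e.g. `/* Exported so callers holding getcon_raw()/getfilecon_raw() results can use _cleanup_freecon_ */`, would tell the next reader why the include lives here.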
@ -1587,6 +1587,7 @@ int bus_exec_context_set_transient_property(
|
|||
r = seccomp_parse_syscall_filter("@default",
|
||||
-1,
|
||||
c->syscall_filter,
|
||||
SECCOMP_PARSE_PERMISSIVE |
|
||||
SECCOMP_PARSE_WHITELIST | invert_flag,
|
||||
u->id,
|
||||
NULL, 0);
|
||||
|
@ -1606,7 +1607,9 @@ int bus_exec_context_set_transient_property(
|
|||
r = seccomp_parse_syscall_filter(n,
|
||||
e,
|
||||
c->syscall_filter,
|
||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
|
||||
SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
|
||||
invert_flag |
|
||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
|
||||
u->id,
|
||||
NULL, 0);
|
||||
if (r < 0)
|
||||
|
|
|
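Review bot: The second hunk (@ -1606) adds SECCOMP_PARSE_PERMISSIVE to the per-name parse of a transient SystemCallFilter= value; if that flag makes an unrecognised syscall name be skipped rather than rejected (as its name suggests — its definition is not visible here), then in deny-list mode (`c->syscall_whitelist` false) a misspelled or unknown name leaves that syscall unfiltered while the D-Bus call still succeeds. SECCOMP_PARSE_LOG will surface the skipped name in the journal, but the caller that set the property gets no error, which is worth stating at the call site, e.g. `/* Unknown syscall names are logged and skipped rather than failing the property; in deny-list mode they stay unfiltered. */`. The same PERMISSIVE flag is added to the "@default" parse in the first hunk, where the name is fixed and the concern does not arise. bus_exec_context_set_transient_property() starts and ends outside both hunks.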
@ -181,11 +181,11 @@ int mac_selinux_generic_access_check(
|
|||
sd_bus_error *error) {
|
||||
|
||||
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
|
||||
const char *tclass = NULL, *scon = NULL;
|
||||
struct audit_info audit_info = {};
|
||||
const char *tclass, *scon;
|
||||
_cleanup_free_ char *cl = NULL;
|
||||
char *fcon = NULL;
|
||||
_cleanup_freecon_ char *fcon = NULL;
|
||||
char **cmdline = NULL;
|
||||
bool enforce = false; /* Will be set to the real value later if needed */
|
||||
int r = 0;
|
||||
|
||||
assert(message);
|
||||
|
@ -204,7 +204,7 @@ int mac_selinux_generic_access_check(
|
|||
SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
|
||||
&creds);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
return r;
|
||||
|
||||
/* The SELinux context is something we really should have
|
||||
* gotten directly from the message or sender, and not be an
|
||||
|
@ -216,25 +216,39 @@ int mac_selinux_generic_access_check(
|
|||
|
||||
r = sd_bus_creds_get_selinux_context(creds, &scon);
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
return r;
|
||||
|
||||
if (path) {
|
||||
/* Get the file context of the unit file */
|
||||
|
||||
r = getfilecon_raw(path, &fcon);
|
||||
if (r < 0) {
|
||||
log_warning_errno(errno, "SELinux getfilecon_raw on '%s' failed (tclass=%s perm=%s): %m", path, tclass, permission);
|
||||
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
|
||||
goto finish;
|
||||
if (getfilecon_raw(path, &fcon) < 0) {
|
||||
r = -errno;
|
||||
enforce = security_getenforce() > 0;
|
||||
|
||||
log_warning_errno(r, "SELinux getfilecon_raw on '%s' failed%s (perm=%s): %m",
|
||||
path,
|
||||
enforce ? "" : ", ignoring",
|
||||
permission);
|
||||
if (!enforce)
|
||||
return 0;
|
||||
|
||||
return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
|
||||
}
|
||||
|
||||
tclass = "service";
|
||||
|
||||
} else {
|
||||
r = getcon_raw(&fcon);
|
||||
if (r < 0) {
|
||||
log_warning_errno(errno, "SELinux getcon_raw failed (tclass=%s perm=%s): %m", tclass, permission);
|
||||
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
|
||||
goto finish;
|
||||
if (getcon_raw(&fcon) < 0) {
|
||||
r = -errno;
|
||||
enforce = security_getenforce() > 0;
|
||||
|
||||
log_warning_errno(r, "SELinux getcon_raw failed%s (perm=%s): %m",
|
||||
enforce ? "" : ", ignoring",
|
||||
permission);
|
||||
if (!enforce)
|
||||
return 0;
|
||||
|
||||
return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
|
||||
}
|
||||
|
||||
tclass = "system";
|
||||
|
@ -243,25 +257,24 @@ int mac_selinux_generic_access_check(
|
|||
sd_bus_creds_get_cmdline(creds, &cmdline);
|
||||
cl = strv_join(cmdline, " ");
|
||||
|
||||
audit_info.creds = creds;
|
||||
audit_info.path = path;
|
||||
audit_info.cmdline = cl;
|
||||
struct audit_info audit_info = {
|
||||
.creds = creds,
|
||||
.path = path,
|
||||
.cmdline = cl,
|
||||
};
|
||||
|
||||
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
|
||||
if (r < 0)
|
||||
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
|
||||
if (r < 0) {
|
||||
r = errno_or_else(EPERM);
|
||||
enforce = security_getenforce() > 0;
|
||||
|
||||
log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
|
||||
|
||||
finish:
|
||||
freecon(fcon);
|
||||
|
||||
if (r < 0 && security_getenforce() != 1) {
|
||||
sd_bus_error_free(error);
|
||||
r = 0;
|
||||
if (enforce)
|
||||
sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
|
||||
}
|
||||
|
||||
return r;
|
||||
log_debug_errno(r, "SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %m",
|
||||
scon, fcon, tclass, permission, path, cl);
|
||||
return enforce ? r : 0;
|
||||
}
|
||||
|
||||
#else
|
||||
|
|
|
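Review bot: The three new `enforce = security_getenforce() > 0;` lines (after getfilecon_raw, getcon_raw and selinux_check_access fail) treat an error return from security_getenforce() (-1) the same as permissive mode, so a failure to read the enforce state fails open; the old `!= 1` test did the same, but rewriting this path is the moment to fix it, and assuming this function is only reached when SELinux is in use, an unreadable state should be treated as enforcing. The final `log_debug_errno()` also passes `path` and `cl` to `%s` although `path` is NULL on the getcon_raw branch and `cl` comes from an unchecked strv_join(); wrapping both in `strna()` keeps that line safe. The function's opening and the `#else` branch lie outside the hunks. A small helper makes the enforce handling uniform at all three sites:
```c
/* Treat an unreadable enforce state as enforcing so a failure here never widens access. */
static bool selinux_enforcing(void) {
        int r = security_getenforce();
        if (r < 0)
                log_debug_errno(errno, "Failed to read SELinux enforce state, assuming enforcing: %m");
        return r != 0;
}

/* … unchanged: mac_selinux_generic_access_check() up to each failure branch … */
                        enforce = selinux_enforcing();
/* … unchanged: error reporting in each branch … */
        log_debug_errno(r, "SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %m",
                        scon, fcon, tclass, permission, strna(path), strna(cl));
```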
@ -258,15 +258,15 @@ ControlledDelay.IntervalSec, config_parse_controlled_delay_usec,
|
|||
ControlledDelay.CEThresholdSec, config_parse_controlled_delay_usec, QDISC_KIND_CODEL, 0
|
||||
ControlledDelay.ECN, config_parse_controlled_delay_bool, QDISC_KIND_CODEL, 0
|
||||
FairQueueing.Parent, config_parse_qdisc_parent, QDISC_KIND_FQ, 0
|
||||
FairQueueing.PacketLimit, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.FlowLimit, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.Quantum, config_parse_fair_queue_traffic_policing_size, QDISC_KIND_FQ, 0
|
||||
FairQueueing.InitialQuantum, config_parse_fair_queue_traffic_policing_size, QDISC_KIND_FQ, 0
|
||||
FairQueueing.MaximumRate, config_parse_fair_queue_traffic_policing_max_rate, QDISC_KIND_FQ, 0
|
||||
FairQueueing.Buckets, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.OrphanMask, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.Pacing, config_parse_fair_queue_traffic_policing_bool, QDISC_KIND_FQ, 0
|
||||
FairQueueing.CEThresholdSec, config_parse_fair_queue_traffic_policing_usec, QDISC_KIND_FQ, 0
|
||||
FairQueueing.PacketLimit, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.FlowLimit, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.Quantum, config_parse_fair_queueing_size, QDISC_KIND_FQ, 0
|
||||
FairQueueing.InitialQuantum, config_parse_fair_queueing_size, QDISC_KIND_FQ, 0
|
||||
FairQueueing.MaximumRate, config_parse_fair_queueing_max_rate, QDISC_KIND_FQ, 0
|
||||
FairQueueing.Buckets, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.OrphanMask, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
||||
FairQueueing.Pacing, config_parse_fair_queueing_bool, QDISC_KIND_FQ, 0
|
||||
FairQueueing.CEThresholdSec, config_parse_fair_queueing_usec, QDISC_KIND_FQ, 0
|
||||
FairQueueingControlledDelay.Parent, config_parse_qdisc_parent, QDISC_KIND_FQ_CODEL, 0
|
||||
FairQueueingControlledDelay.PacketLimit, config_parse_fair_queueing_controlled_delay_u32, QDISC_KIND_FQ_CODEL, 0
|
||||
FairQueueingControlledDelay.MemoryLimit, config_parse_fair_queueing_controlled_delay_size, QDISC_KIND_FQ_CODEL, 0
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
#include "string-util.h"
|
||||
#include "util.h"
|
||||
|
||||
static int fair_queue_traffic_policing_init(QDisc *qdisc) {
|
||||
static int fair_queueing_init(QDisc *qdisc) {
|
||||
FairQueueing *fq;
|
||||
|
||||
assert(qdisc);
|
||||
|
@ -24,7 +24,7 @@ static int fair_queue_traffic_policing_init(QDisc *qdisc) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int fair_queue_traffic_policing_fill_message(Link *link, QDisc *qdisc, sd_netlink_message *req) {
|
||||
static int fair_queueing_fill_message(Link *link, QDisc *qdisc, sd_netlink_message *req) {
|
||||
FairQueueing *fq;
|
||||
int r;
|
||||
|
||||
|
@ -102,7 +102,7 @@ static int fair_queue_traffic_policing_fill_message(Link *link, QDisc *qdisc, sd
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_fair_queue_traffic_policing_u32(
|
||||
int config_parse_fair_queueing_u32(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
@ -165,7 +165,7 @@ int config_parse_fair_queue_traffic_policing_u32(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_fair_queue_traffic_policing_size(
|
||||
int config_parse_fair_queueing_size(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
@ -232,7 +232,7 @@ int config_parse_fair_queue_traffic_policing_size(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_fair_queue_traffic_policing_bool(
|
||||
int config_parse_fair_queueing_bool(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
@ -284,7 +284,7 @@ int config_parse_fair_queue_traffic_policing_bool(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_fair_queue_traffic_policing_usec(
|
||||
int config_parse_fair_queueing_usec(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
@ -343,7 +343,7 @@ int config_parse_fair_queue_traffic_policing_usec(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_fair_queue_traffic_policing_max_rate(
|
||||
int config_parse_fair_queueing_max_rate(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
@ -403,8 +403,8 @@ int config_parse_fair_queue_traffic_policing_max_rate(
|
|||
}
|
||||
|
||||
const QDiscVTable fq_vtable = {
|
||||
.init = fair_queue_traffic_policing_init,
|
||||
.init = fair_queueing_init,
|
||||
.object_size = sizeof(FairQueueing),
|
||||
.tca_kind = "fq",
|
||||
.fill_message = fair_queue_traffic_policing_fill_message,
|
||||
.fill_message = fair_queueing_fill_message,
|
||||
};
|
||||
|
|
|
@ -22,8 +22,8 @@ typedef struct FairQueueing {
|
|||
DEFINE_QDISC_CAST(FQ, FairQueueing);
|
||||
extern const QDiscVTable fq_vtable;
|
||||
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_u32);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_size);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_bool);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_usec);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_max_rate);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_u32);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_size);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_bool);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_usec);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_max_rate);
|
||||
|
|
|
@ -34,6 +34,8 @@ USB_IDS += [
|
|||
'8087:0024',
|
||||
# Genesys Logic (Internal Hub) (rambi)
|
||||
'8087:8000',
|
||||
# Microchip (Composite HID + CDC) (kefka)
|
||||
'04d8:0b28',
|
||||
]
|
||||
|
||||
# Webcams
|
||||
|
@ -98,6 +100,8 @@ USB_IDS += [
|
|||
'04ca:3016',
|
||||
# LiteOn (scarlet)
|
||||
'04ca:301a',
|
||||
# Realtek (blooglet)
|
||||
'0bda:b00c',
|
||||
# Atheros (stumpy, stout)
|
||||
'0cf3:3004',
|
||||
# Atheros (AR3011) (mario, alex, zgb)
|
||||
|
@ -236,6 +240,21 @@ PCI_IDS += [
|
|||
'8086:591c',
|
||||
# iwlwifi (atlas)
|
||||
'8086:2526',
|
||||
# i915 (kefka)
|
||||
'8086:22b1',
|
||||
# proc_thermal (kefka)
|
||||
'8086:22dc',
|
||||
# xchi_hdc (kefka)
|
||||
'8086:22b5',
|
||||
# snd_hda (kefka)
|
||||
'8086:2284',
|
||||
# pcieport (kefka)
|
||||
'8086:22c8',
|
||||
'8086:22cc',
|
||||
# lpc_ich (kefka)
|
||||
'8086:229c',
|
||||
# iosf_mbi_pci (kefka)
|
||||
'8086:2280',
|
||||
]
|
||||
|
||||
# Samsung
|
||||
|
@ -264,7 +283,7 @@ PCI_IDS += [
|
|||
'2646:5008',
|
||||
]
|
||||
|
||||
################################################################################
|
||||
# Do not edit below this line. #################################################
|
||||
|
||||
UDEV_RULE = """\
|
||||
ACTION!="add", GOTO="autosuspend_end"
|
||||
|
|
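Review bot: The comment `# xchi_hdc (kefka)` above the new PCI entry `'8086:22b5'` looks like a transposition of the Linux driver name; the neighbouring entries are labelled with the bound kernel driver, so it should read `# xhci_hcd (kefka)`. The USB_IDS and PCI_IDS list literals these hunks extend start before the hunks, and the UDEV_RULE template continues past the last one.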