Revert "selinux: cache enforced status and treat retrieve failure as enforced mode"

This reverts commit 257188f80c.
dhcp4: only renewing lease when the client already has a lease
2020-07-16 08:49:35 +02:00 · 2020-07-16 14:58:54 +09:00 · 2020-07-16 14:58:05 +09:00 · 2020-07-16 14:56:40 +09:00 · 2020-07-16 09:13:04 +09:00 · 2020-07-16 08:45:42 +09:00
8 changed files with 15 additions and 43 deletions
--- a/src/basic/mountpoint-util.c
+++ b/src/basic/mountpoint-util.c
@ -272,7 +272,7 @@ int path_is_mount_point(const char *t, const char *root, int flags) {
        fd = open_parent(t, O_PATH|O_CLOEXEC, 0);
        if (fd < 0)
-                return -errno;
+                return fd;
        return fd_is_mount_point(fd, last_path_component(t), flags);
 }
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@ -35,14 +35,14 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
 static int mac_selinux_reload(int seqno);
 static int cached_use = -1;
 static int cached_enforcing = -1;
 static struct selabel_handle *label_hnd = NULL;
-#define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
+#define log_enforcing(...)                                              \
        log_full(security_getenforce() != 0 ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
 #define log_enforcing_errno(error, ...)                                 \
        ({                                                              \
-                bool _enforcing = mac_selinux_enforcing();              \
+                bool _enforcing = security_getenforce() != 0;           \
                int _level = _enforcing ? LOG_ERR : LOG_WARNING;        \
                int _e = (error);                                       \
                                                                        \
@ -66,41 +66,12 @@ bool mac_selinux_use(void) {
 #endif
 }
 bool mac_selinux_enforcing(void) {
 #if HAVE_SELINUX
        if (_unlikely_(cached_enforcing < 0)) {
                cached_enforcing = security_getenforce();
                if (cached_enforcing < 0) {
                        log_debug_errno(errno, "Failed to get SELinux enforced status, continuing in enforcing mode: %m");
                        return true; /* treat failure as enforcing mode */
                }
                log_debug("SELinux enforcing state cached to: %s", cached_enforcing ? "enforcing" : "permissive");
        }
        return cached_enforcing > 0;
 #else
        return false;
 #endif
 }
 void mac_selinux_retest(void) {
 #if HAVE_SELINUX
        cached_use = -1;
        cached_enforcing = -1;
 #endif
 }
 #if HAVE_SELINUX
 static int setenforce_callback(int enforcing) {
        cached_enforcing = enforcing;
        log_debug("SELinux enforcing state updated to: %s", cached_enforcing ? "enforcing" : "permissive");
        return 0;
 }
 #endif
 int mac_selinux_init(void) {
 #if HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
@ -109,7 +80,6 @@ int mac_selinux_init(void) {
        int l;
        selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) mac_selinux_reload);
        selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) setenforce_callback);
        if (label_hnd)
                return 0;
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@ -16,7 +16,6 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
 #endif
 bool mac_selinux_use(void);
 bool mac_selinux_enforcing(void);
 void mac_selinux_retest(void);
 int mac_selinux_init(void);
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -1725,7 +1725,8 @@ static int build_environment(
        assert(p);
        assert(ret);
-        our_env = new0(char*, 15 + _EXEC_DIRECTORY_TYPE_MAX);
+#define N_ENV_VARS 15
        our_env = new0(char*, N_ENV_VARS + _EXEC_DIRECTORY_TYPE_MAX);
        if (!our_env)
                return -ENOMEM;
@ -1873,7 +1874,8 @@ static int build_environment(
        }
        our_env[n_env++] = NULL;
-        assert(n_env <= 14 + _EXEC_DIRECTORY_TYPE_MAX);
+        assert(n_env <= N_ENV_VARS + _EXEC_DIRECTORY_TYPE_MAX);
 #undef N_ENV_VARS
        *ret = TAKE_PTR(our_env);
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -4218,7 +4218,7 @@ int config_parse_exec_directories(
                r = unit_full_printf(u, word, &k);
                if (r < 0) {
-                        log_syntax(unit, LOG_ERR, filename, line, r,
+                        log_syntax(unit, LOG_WARNING, filename, line, r,
                                   "Failed to resolve unit specifiers in \"%s\", ignoring: %m", word);
                        continue;
                }
@ -4228,7 +4228,7 @@ int config_parse_exec_directories(
                        continue;
                if (path_startswith(k, "private")) {
-                        log_syntax(unit, LOG_ERR, filename, line, 0,
+                        log_syntax(unit, LOG_WARNING, filename, line, 0,
                                   "%s= path can't be 'private', ignoring assignment: %s", lvalue, word);
                        continue;
                }
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@ -144,8 +144,9 @@ static int access_init(sd_bus_error *error) {
        if (avc_open(NULL, 0) != 0) {
                int saved_errno = errno;
-                const bool enforce = mac_selinux_enforcing();
+                bool enforce;
                enforce = security_getenforce() != 0;
                log_full_errno(enforce ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
                /* If enforcement isn't on, then let's suppress this
@ -197,7 +198,7 @@ int mac_selinux_generic_access_check(
                return r;
        /* delay call until we checked in `access_init()` if SELinux is actually enabled */
-        enforce = mac_selinux_enforcing();
+        enforce = security_getenforce() != 0;
        r = sd_bus_query_sender_creds(
                        message,
--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
@ -2015,7 +2015,7 @@ int sd_dhcp_client_send_renew(sd_dhcp_client *client) {
        assert_return(client, -EINVAL);
        assert_return(client->fd >= 0, -EINVAL);
-        if (IN_SET(client->state, DHCP_STATE_INIT, DHCP_STATE_INIT_REBOOT, DHCP_STATE_STOPPED))
+        if (!client->lease)
                return 0;
        client->start_delay = 0;
--- a/src/network/networkd-dhcp6.c
+++ b/src/network/networkd-dhcp6.c
@ -489,7 +489,7 @@ int dhcp6_request_prefix_delegation(Link *link) {
                if (enabled == 0) {
                        r = sd_dhcp6_client_set_prefix_delegation(l->dhcp6_client, 1);
                        if (r < 0) {
-                                log_link_warning_errno(l, r, "Cannot enable prefix delegation when adding new link: 5m");
+                                log_link_warning_errno(l, r, "Cannot enable prefix delegation when adding new link: %m");
                                continue;
                        }
                }
Author	SHA1	Message	Date
Lennart Poettering	3cd4459003	Revert "selinux: cache enforced status and treat retrieve failure as enforced mode" This reverts commit `257188f80c`.	2020-07-16 08:49:35 +02:00
Yu Watanabe	0ded0e40ab	dhcp4: only renewing lease when the client already has a lease Follow-up for `ceaec54a3c`. Hopefully fixes #16299.	2020-07-16 14:58:54 +09:00
Lennart Poettering	330f899079	load-fragment: downgrade log messages we ignore to LOG_WARNING We typically don't log above LOG_WARNING about issues we then go on to ignore. Do so here, too	2020-07-16 14:58:05 +09:00
Lennart Poettering	89a5385fb7	mountpoint-util: fix error handling	2020-07-16 14:56:40 +09:00
Lennart Poettering	8d5bb13d78	core: fix invalid assertion We miscounted here, and would hit an assert once too early.	2020-07-16 09:13:04 +09:00
Christian Göttsche	aeba8dd523	network: fix typo	2020-07-16 08:45:42 +09:00