No commits in common. "72545ae05745f99e194eb83e3fa865f276601378" and "0ae5ffe0630aecd91b00af0ddd90c32c2d9c663b" have entirely different histories.
@ -28,7 +28,10 @@
|
||||||
#include "time-util.h"
|
#include "time-util.h"
|
||||||
|
|
||||||
#if HAVE_SELINUX
|
#if HAVE_SELINUX
|
||||||
|
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
||||||
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
||||||
|
|
||||||
|
#define _cleanup_freecon_ _cleanup_(freeconp)
|
||||||
#define _cleanup_context_free_ _cleanup_(context_freep)
|
#define _cleanup_context_free_ _cleanup_(context_freep)
|
||||||
|
|
||||||
static int cached_use = -1;
|
static int cached_use = -1;
|
||||||
|
|
|
@ -8,13 +8,6 @@
|
||||||
#include "macro.h"
|
#include "macro.h"
|
||||||
#include "label.h"
|
#include "label.h"
|
||||||
|
|
||||||
#if HAVE_SELINUX
|
|
||||||
#include <selinux/selinux.h>
|
|
||||||
|
|
||||||
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
|
||||||
#define _cleanup_freecon_ _cleanup_(freeconp)
|
|
||||||
#endif
|
|
||||||
|
|
||||||
bool mac_selinux_use(void);
|
bool mac_selinux_use(void);
|
||||||
void mac_selinux_retest(void);
|
void mac_selinux_retest(void);
|
||||||
|
|
||||||
|
|
|
@ -1587,7 +1587,6 @@ int bus_exec_context_set_transient_property(
|
||||||
r = seccomp_parse_syscall_filter("@default",
|
r = seccomp_parse_syscall_filter("@default",
|
||||||
-1,
|
-1,
|
||||||
c->syscall_filter,
|
c->syscall_filter,
|
||||||
SECCOMP_PARSE_PERMISSIVE |
|
|
||||||
SECCOMP_PARSE_WHITELIST | invert_flag,
|
SECCOMP_PARSE_WHITELIST | invert_flag,
|
||||||
u->id,
|
u->id,
|
||||||
NULL, 0);
|
NULL, 0);
|
||||||
|
@ -1607,9 +1606,7 @@ int bus_exec_context_set_transient_property(
|
||||||
r = seccomp_parse_syscall_filter(n,
|
r = seccomp_parse_syscall_filter(n,
|
||||||
e,
|
e,
|
||||||
c->syscall_filter,
|
c->syscall_filter,
|
||||||
SECCOMP_PARSE_LOG | SECCOMP_PARSE_PERMISSIVE |
|
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0) | invert_flag,
|
||||||
invert_flag |
|
|
||||||
(c->syscall_whitelist ? SECCOMP_PARSE_WHITELIST : 0),
|
|
||||||
u->id,
|
u->id,
|
||||||
NULL, 0);
|
NULL, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
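Review bot: Dropping SECCOMP_PARSE_PERMISSIVE from both seccomp_parse_syscall_filter() calls (this hunk and the "@default" call in the preceding hunk at line 1587) presumably makes an unrecognised syscall name in a transient SystemCallFilter= fail the whole property instead of being skipped, which is a behaviour change the hunk does not document; if that fail-closed behaviour is intended, say so next to the flags, e.g. `/* Not permissive: an unknown syscall name rejects the whole transient property. */`. The new flag set also omits SECCOMP_PARSE_LOG, so a rejected name is presumably no longer logged at the parse site and the caller only learns about it through the error code in r. Both hunks sit inside bus_exec_context_set_transient_property(), which starts and ends outside them.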
@ -181,11 +181,11 @@ int mac_selinux_generic_access_check(
|
||||||
sd_bus_error *error) {
|
sd_bus_error *error) {
|
||||||
|
|
||||||
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
|
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
|
||||||
const char *tclass, *scon;
|
const char *tclass = NULL, *scon = NULL;
|
||||||
|
struct audit_info audit_info = {};
|
||||||
_cleanup_free_ char *cl = NULL;
|
_cleanup_free_ char *cl = NULL;
|
||||||
_cleanup_freecon_ char *fcon = NULL;
|
char *fcon = NULL;
|
||||||
char **cmdline = NULL;
|
char **cmdline = NULL;
|
||||||
bool enforce = false; /* Will be set to the real value later if needed */
|
|
||||||
int r = 0;
|
int r = 0;
|
||||||
|
|
||||||
assert(message);
|
assert(message);
|
||||||
|
@ -204,7 +204,7 @@ int mac_selinux_generic_access_check(
|
||||||
SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
|
SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
|
||||||
&creds);
|
&creds);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
goto finish;
|
||||||
|
|
||||||
/* The SELinux context is something we really should have
|
/* The SELinux context is something we really should have
|
||||||
* gotten directly from the message or sender, and not be an
|
* gotten directly from the message or sender, and not be an
|
||||||
|
@ -216,39 +216,25 @@ int mac_selinux_generic_access_check(
|
||||||
|
|
||||||
r = sd_bus_creds_get_selinux_context(creds, &scon);
|
r = sd_bus_creds_get_selinux_context(creds, &scon);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
goto finish;
|
||||||
|
|
||||||
if (path) {
|
if (path) {
|
||||||
/* Get the file context of the unit file */
|
/* Get the file context of the unit file */
|
||||||
|
|
||||||
if (getfilecon_raw(path, &fcon) < 0) {
|
r = getfilecon_raw(path, &fcon);
|
||||||
r = -errno;
|
if (r < 0) {
|
||||||
enforce = security_getenforce() > 0;
|
log_warning_errno(errno, "SELinux getfilecon_raw on '%s' failed (tclass=%s perm=%s): %m", path, tclass, permission);
|
||||||
|
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
|
||||||
log_warning_errno(r, "SELinux getfilecon_raw on '%s' failed%s (perm=%s): %m",
|
goto finish;
|
||||||
path,
|
|
||||||
enforce ? "" : ", ignoring",
|
|
||||||
permission);
|
|
||||||
if (!enforce)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tclass = "service";
|
tclass = "service";
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
if (getcon_raw(&fcon) < 0) {
|
r = getcon_raw(&fcon);
|
||||||
r = -errno;
|
if (r < 0) {
|
||||||
enforce = security_getenforce() > 0;
|
log_warning_errno(errno, "SELinux getcon_raw failed (tclass=%s perm=%s): %m", tclass, permission);
|
||||||
|
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
|
||||||
log_warning_errno(r, "SELinux getcon_raw failed%s (perm=%s): %m",
|
goto finish;
|
||||||
enforce ? "" : ", ignoring",
|
|
||||||
permission);
|
|
||||||
if (!enforce)
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
tclass = "system";
|
tclass = "system";
|
||||||
|
@ -257,24 +243,25 @@ int mac_selinux_generic_access_check(
|
||||||
sd_bus_creds_get_cmdline(creds, &cmdline);
|
sd_bus_creds_get_cmdline(creds, &cmdline);
|
||||||
cl = strv_join(cmdline, " ");
|
cl = strv_join(cmdline, " ");
|
||||||
|
|
||||||
struct audit_info audit_info = {
|
audit_info.creds = creds;
|
||||||
.creds = creds,
|
audit_info.path = path;
|
||||||
.path = path,
|
audit_info.cmdline = cl;
|
||||||
.cmdline = cl,
|
|
||||||
};
|
|
||||||
|
|
||||||
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
|
r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
|
||||||
if (r < 0) {
|
if (r < 0)
|
||||||
r = errno_or_else(EPERM);
|
r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
|
||||||
enforce = security_getenforce() > 0;
|
|
||||||
|
|
||||||
if (enforce)
|
log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
|
||||||
sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
|
|
||||||
|
finish:
|
||||||
|
freecon(fcon);
|
||||||
|
|
||||||
|
if (r < 0 && security_getenforce() != 1) {
|
||||||
|
sd_bus_error_free(error);
|
||||||
|
r = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
log_debug_errno(r, "SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %m",
|
return r;
|
||||||
scon, fcon, tclass, permission, path, cl);
|
|
||||||
return enforce ? r : 0;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#else
|
#else
|
||||||
|
|
|
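Review bot: The two warning messages added in the getfilecon_raw() and getcon_raw() failure paths print tclass with %s before it is assigned: tclass is initialised to NULL at the top of the function and only set to "service" / "system" after the respective if block, so the log line is formatted from a NULL string argument, which is undefined behaviour in C (glibc happens to print "(null)"). Either move `tclass = "service";` and `tclass = "system";` above the corresponding getfilecon_raw()/getcon_raw() call, or drop the tclass field from those two messages. Separately, the finish: block now turns every negative r into 0 when security_getenforce() != 1, including the earlier credential-lookup and sd_bus_creds_get_selinux_context() failures that the removed code returned unchanged, and a -1 error return from security_getenforce() itself also takes that permissive branch; if this fail-open is intended it deserves a comment such as `/* Permissive mode (or unknown enforcement state): report the denial only in the log. */`. If the `_cleanup_freecon_` macro added in the first hunk of this compare lives in the same file, fcon could keep that attribute and the explicit `freecon(fcon)` in finish: could go. The function's signature begins before the first hunk of this file.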
@ -258,15 +258,15 @@ ControlledDelay.IntervalSec, config_parse_controlled_delay_usec,
|
||||||
ControlledDelay.CEThresholdSec, config_parse_controlled_delay_usec, QDISC_KIND_CODEL, 0
|
ControlledDelay.CEThresholdSec, config_parse_controlled_delay_usec, QDISC_KIND_CODEL, 0
|
||||||
ControlledDelay.ECN, config_parse_controlled_delay_bool, QDISC_KIND_CODEL, 0
|
ControlledDelay.ECN, config_parse_controlled_delay_bool, QDISC_KIND_CODEL, 0
|
||||||
FairQueueing.Parent, config_parse_qdisc_parent, QDISC_KIND_FQ, 0
|
FairQueueing.Parent, config_parse_qdisc_parent, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.PacketLimit, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
FairQueueing.PacketLimit, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.FlowLimit, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
FairQueueing.FlowLimit, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.Quantum, config_parse_fair_queueing_size, QDISC_KIND_FQ, 0
|
FairQueueing.Quantum, config_parse_fair_queue_traffic_policing_size, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.InitialQuantum, config_parse_fair_queueing_size, QDISC_KIND_FQ, 0
|
FairQueueing.InitialQuantum, config_parse_fair_queue_traffic_policing_size, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.MaximumRate, config_parse_fair_queueing_max_rate, QDISC_KIND_FQ, 0
|
FairQueueing.MaximumRate, config_parse_fair_queue_traffic_policing_max_rate, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.Buckets, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
FairQueueing.Buckets, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.OrphanMask, config_parse_fair_queueing_u32, QDISC_KIND_FQ, 0
|
FairQueueing.OrphanMask, config_parse_fair_queue_traffic_policing_u32, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.Pacing, config_parse_fair_queueing_bool, QDISC_KIND_FQ, 0
|
FairQueueing.Pacing, config_parse_fair_queue_traffic_policing_bool, QDISC_KIND_FQ, 0
|
||||||
FairQueueing.CEThresholdSec, config_parse_fair_queueing_usec, QDISC_KIND_FQ, 0
|
FairQueueing.CEThresholdSec, config_parse_fair_queue_traffic_policing_usec, QDISC_KIND_FQ, 0
|
||||||
FairQueueingControlledDelay.Parent, config_parse_qdisc_parent, QDISC_KIND_FQ_CODEL, 0
|
FairQueueingControlledDelay.Parent, config_parse_qdisc_parent, QDISC_KIND_FQ_CODEL, 0
|
||||||
FairQueueingControlledDelay.PacketLimit, config_parse_fair_queueing_controlled_delay_u32, QDISC_KIND_FQ_CODEL, 0
|
FairQueueingControlledDelay.PacketLimit, config_parse_fair_queueing_controlled_delay_u32, QDISC_KIND_FQ_CODEL, 0
|
||||||
FairQueueingControlledDelay.MemoryLimit, config_parse_fair_queueing_controlled_delay_size, QDISC_KIND_FQ_CODEL, 0
|
FairQueueingControlledDelay.MemoryLimit, config_parse_fair_queueing_controlled_delay_size, QDISC_KIND_FQ_CODEL, 0
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
#include "string-util.h"
|
#include "string-util.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
static int fair_queueing_init(QDisc *qdisc) {
|
static int fair_queue_traffic_policing_init(QDisc *qdisc) {
|
||||||
FairQueueing *fq;
|
FairQueueing *fq;
|
||||||
|
|
||||||
assert(qdisc);
|
assert(qdisc);
|
||||||
|
@ -24,7 +24,7 @@ static int fair_queueing_init(QDisc *qdisc) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int fair_queueing_fill_message(Link *link, QDisc *qdisc, sd_netlink_message *req) {
|
static int fair_queue_traffic_policing_fill_message(Link *link, QDisc *qdisc, sd_netlink_message *req) {
|
||||||
FairQueueing *fq;
|
FairQueueing *fq;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
|
@ -102,7 +102,7 @@ static int fair_queueing_fill_message(Link *link, QDisc *qdisc, sd_netlink_messa
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int config_parse_fair_queueing_u32(
|
int config_parse_fair_queue_traffic_policing_u32(
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
unsigned line,
|
unsigned line,
|
||||||
|
@ -165,7 +165,7 @@ int config_parse_fair_queueing_u32(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int config_parse_fair_queueing_size(
|
int config_parse_fair_queue_traffic_policing_size(
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
unsigned line,
|
unsigned line,
|
||||||
|
@ -232,7 +232,7 @@ int config_parse_fair_queueing_size(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int config_parse_fair_queueing_bool(
|
int config_parse_fair_queue_traffic_policing_bool(
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
unsigned line,
|
unsigned line,
|
||||||
|
@ -284,7 +284,7 @@ int config_parse_fair_queueing_bool(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int config_parse_fair_queueing_usec(
|
int config_parse_fair_queue_traffic_policing_usec(
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
unsigned line,
|
unsigned line,
|
||||||
|
@ -343,7 +343,7 @@ int config_parse_fair_queueing_usec(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int config_parse_fair_queueing_max_rate(
|
int config_parse_fair_queue_traffic_policing_max_rate(
|
||||||
const char *unit,
|
const char *unit,
|
||||||
const char *filename,
|
const char *filename,
|
||||||
unsigned line,
|
unsigned line,
|
||||||
|
@ -403,8 +403,8 @@ int config_parse_fair_queueing_max_rate(
|
||||||
}
|
}
|
||||||
|
|
||||||
const QDiscVTable fq_vtable = {
|
const QDiscVTable fq_vtable = {
|
||||||
.init = fair_queueing_init,
|
.init = fair_queue_traffic_policing_init,
|
||||||
.object_size = sizeof(FairQueueing),
|
.object_size = sizeof(FairQueueing),
|
||||||
.tca_kind = "fq",
|
.tca_kind = "fq",
|
||||||
.fill_message = fair_queueing_fill_message,
|
.fill_message = fair_queue_traffic_policing_fill_message,
|
||||||
};
|
};
|
||||||
|
|
|
@ -22,8 +22,8 @@ typedef struct FairQueueing {
|
||||||
DEFINE_QDISC_CAST(FQ, FairQueueing);
|
DEFINE_QDISC_CAST(FQ, FairQueueing);
|
||||||
extern const QDiscVTable fq_vtable;
|
extern const QDiscVTable fq_vtable;
|
||||||
|
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_u32);
|
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_u32);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_size);
|
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_size);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_bool);
|
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_bool);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_usec);
|
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_usec);
|
||||||
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queueing_max_rate);
|
CONFIG_PARSER_PROTOTYPE(config_parse_fair_queue_traffic_policing_max_rate);
|
||||||
|
|
|
@ -34,8 +34,6 @@ USB_IDS += [
|
||||||
'8087:0024',
|
'8087:0024',
|
||||||
# Genesys Logic (Internal Hub) (rambi)
|
# Genesys Logic (Internal Hub) (rambi)
|
||||||
'8087:8000',
|
'8087:8000',
|
||||||
# Microchip (Composite HID + CDC) (kefka)
|
|
||||||
'04d8:0b28',
|
|
||||||
]
|
]
|
||||||
|
|
||||||
# Webcams
|
# Webcams
|
||||||
|
@ -100,8 +98,6 @@ USB_IDS += [
|
||||||
'04ca:3016',
|
'04ca:3016',
|
||||||
# LiteOn (scarlet)
|
# LiteOn (scarlet)
|
||||||
'04ca:301a',
|
'04ca:301a',
|
||||||
# Realtek (blooglet)
|
|
||||||
'0bda:b00c',
|
|
||||||
# Atheros (stumpy, stout)
|
# Atheros (stumpy, stout)
|
||||||
'0cf3:3004',
|
'0cf3:3004',
|
||||||
# Atheros (AR3011) (mario, alex, zgb)
|
# Atheros (AR3011) (mario, alex, zgb)
|
||||||
|
@ -240,21 +236,6 @@ PCI_IDS += [
|
||||||
'8086:591c',
|
'8086:591c',
|
||||||
# iwlwifi (atlas)
|
# iwlwifi (atlas)
|
||||||
'8086:2526',
|
'8086:2526',
|
||||||
# i915 (kefka)
|
|
||||||
'8086:22b1',
|
|
||||||
# proc_thermal (kefka)
|
|
||||||
'8086:22dc',
|
|
||||||
# xchi_hdc (kefka)
|
|
||||||
'8086:22b5',
|
|
||||||
# snd_hda (kefka)
|
|
||||||
'8086:2284',
|
|
||||||
# pcieport (kefka)
|
|
||||||
'8086:22c8',
|
|
||||||
'8086:22cc',
|
|
||||||
# lpc_ich (kefka)
|
|
||||||
'8086:229c',
|
|
||||||
# iosf_mbi_pci (kefka)
|
|
||||||
'8086:2280',
|
|
||||||
]
|
]
|
||||||
|
|
||||||
# Samsung
|
# Samsung
|
||||||
|
@ -283,7 +264,7 @@ PCI_IDS += [
|
||||||
'2646:5008',
|
'2646:5008',
|
||||||
]
|
]
|
||||||
|
|
||||||
# Do not edit below this line. #################################################
|
################################################################################
|
||||||
|
|
||||||
UDEV_RULE = """\
|
UDEV_RULE = """\
|
||||||
ACTION!="add", GOTO="autosuspend_end"
|
ACTION!="add", GOTO="autosuspend_end"
|
||||||
|
|