Compare commits
3 Commits
eb163cc6d1
...
b224a05cbb
| Author | SHA1 | Date |
|---|---|---|
Timothée Ravier
|
b224a05cbb | |
|
Daan De Meyer
|
dbbe895807 | |
|
Timothée Ravier
|
b4d2e2c185 |
|
|
@ -44,6 +44,7 @@
|
|||
#include "pretty-print.h"
|
||||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
#include "selinux-util.h"
|
||||
#include "sort-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
|
|
@ -1289,6 +1290,7 @@ static int mount_overlayfs_with_op(
|
|||
|
||||
int r;
|
||||
const char *top_layer = NULL;
|
||||
int atfd = -1;
|
||||
|
||||
assert(op);
|
||||
assert(overlay_path);
|
||||
|
|
@ -1301,6 +1303,14 @@ static int mount_overlayfs_with_op(
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to make directory '%s': %m", meta_path);
|
||||
|
||||
atfd = open(meta_path, O_DIRECTORY|O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open directory '%s': %m", meta_path);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, op->hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", meta_path);
|
||||
|
||||
if (op->upper_dir && op->work_dir) {
|
||||
r = mkdir_p(op->work_dir, 0700);
|
||||
if (r < 0)
|
||||
|
|
@ -1325,9 +1335,10 @@ static int mount_overlayfs_with_op(
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path) {
|
||||
static int write_extensions_file(ImageClass image_class, char **extensions, const char *meta_path, const char* hierarchy) {
|
||||
_cleanup_free_ char *f = NULL, *buf = NULL;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(extensions);
|
||||
assert(meta_path);
|
||||
|
|
@ -1347,13 +1358,22 @@ static int write_extensions_file(ImageClass image_class, char **extensions, cons
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write extension meta file '%s': %m", f);
|
||||
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path) {
|
||||
static int write_dev_file(ImageClass image_class, const char *meta_path, const char *overlay_path, const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
struct stat st;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(meta_path);
|
||||
assert(overlay_path);
|
||||
|
|
@ -1376,13 +1396,22 @@ static int write_dev_file(ImageClass image_class, const char *meta_path, const c
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write '%s': %m", f);
|
||||
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir) {
|
||||
static int write_work_dir_file(ImageClass image_class, const char *meta_path, const char *work_dir, const char* hierarchy) {
|
||||
_cleanup_free_ char *escaped_work_dir_in_root = NULL, *f = NULL;
|
||||
char *work_dir_in_root = NULL;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(meta_path);
|
||||
|
||||
|
|
@ -1401,6 +1430,14 @@ static int write_work_dir_file(ImageClass image_class, const char *meta_path, co
|
|||
if (!f)
|
||||
return log_oom();
|
||||
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
/* Paths can have newlines for whatever reason, so better escape them to really get a single
|
||||
* line file. */
|
||||
escaped_work_dir_in_root = cescape(work_dir_in_root);
|
||||
|
|
@ -1418,24 +1455,42 @@ static int store_info_in_meta(
|
|||
char **extensions,
|
||||
const char *meta_path,
|
||||
const char *overlay_path,
|
||||
const char *work_dir) {
|
||||
|
||||
const char *work_dir,
|
||||
const char *hierarchy) {
|
||||
_cleanup_free_ char *f = NULL;
|
||||
int r;
|
||||
int atfd = -1;
|
||||
|
||||
assert(extensions);
|
||||
assert(meta_path);
|
||||
assert(overlay_path);
|
||||
/* work_dir may be NULL */
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path);
|
||||
f = path_join(meta_path, image_class_info[image_class].dot_directory_name);
|
||||
if (!f)
|
||||
return log_oom();
|
||||
|
||||
r = mkdir_p(f, 0755);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_dev_file(image_class, meta_path, overlay_path);
|
||||
atfd = open(f, O_CLOEXEC);
|
||||
if (atfd < 0)
|
||||
return log_error_errno(atfd, "Failed to open '%s': %m", f);
|
||||
|
||||
r = mac_selinux_fix_full(atfd, NULL, hierarchy, 0);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to fix SELinux label for '%s': %m", f);
|
||||
|
||||
r = write_extensions_file(image_class, extensions, meta_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir);
|
||||
r = write_dev_file(image_class, meta_path, overlay_path, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = write_work_dir_file(image_class, meta_path, work_dir, hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
@ -1501,6 +1556,8 @@ static int merge_hierarchy(
|
|||
assert(overlay_path);
|
||||
assert(workspace_path);
|
||||
|
||||
mac_selinux_init();
|
||||
|
||||
r = determine_used_extensions(hierarchy, paths, &used_paths, &extensions_used);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
|
@ -1528,7 +1585,7 @@ static int merge_hierarchy(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir);
|
||||
r = store_info_in_meta(image_class, extensions, meta_path, overlay_path, op->work_dir, op->hierarchy);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
|||
|
|
@ -7,24 +7,26 @@ TEST(audit_loginuid_from_pid) {
|
|||
_cleanup_(pidref_done) PidRef self = PIDREF_NULL, pid1 = PIDREF_NULL;
|
||||
int r;
|
||||
|
||||
assert_se(pidref_set_self(&self) >= 0);
|
||||
assert_se(pidref_set_pid(&pid1, 1) >= 0);
|
||||
ASSERT_OK(pidref_set_self(&self));
|
||||
ASSERT_OK(pidref_set_pid(&pid1, 1));
|
||||
|
||||
uid_t uid;
|
||||
r = audit_loginuid_from_pid(&self, &uid);
|
||||
assert_se(r >= 0 || r == -ENODATA);
|
||||
if (r != -ENODATA)
|
||||
ASSERT_OK(r);
|
||||
if (r >= 0)
|
||||
log_info("self audit login uid: " UID_FMT, uid);
|
||||
|
||||
assert_se(audit_loginuid_from_pid(&pid1, &uid) == -ENODATA);
|
||||
ASSERT_ERROR(audit_loginuid_from_pid(&pid1, &uid), ENODATA);
|
||||
|
||||
uint32_t sessionid;
|
||||
r = audit_session_from_pid(&self, &sessionid);
|
||||
assert_se(r >= 0 || r == -ENODATA);
|
||||
if (r != -ENODATA)
|
||||
ASSERT_OK(r);
|
||||
if (r >= 0)
|
||||
log_info("self audit session id: %" PRIu32, sessionid);
|
||||
|
||||
assert_se(audit_session_from_pid(&pid1, &sessionid) == -ENODATA);
|
||||
ASSERT_ERROR(audit_session_from_pid(&pid1, &sessionid), ENODATA);
|
||||
}
|
||||
|
||||
static int intro(void) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue