packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lib/sepolicy: Convert to new code style 

I have a fix I want to make here and it's really hard to write
the old style code now.

Closes: #815
Approved by: jlebon
This commit is contained in:
Colin Walters 2017-04-26 16:22:32 -04:00 committed by Atomic Bot
parent 20b0836ec8
commit ceb8851806
1 changed files with 46 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

155
src/libostree/ostree-sepolicy.c
View File

@ -198,24 +198,21 @@ get_policy_checksum (char **out_csum,
GCancellable *cancellable, GCancellable *cancellable,
GError **error) GError **error)
{ {
gboolean ret = FALSE;
const char *binary_policy_path = selinux_binary_policy_path (); const char *binary_policy_path = selinux_binary_policy_path ();
const char *binfile_prefix = glnx_basename (binary_policy_path); const char *binfile_prefix = glnx_basename (binary_policy_path);
g_autofree char *bindir_path = g_path_get_dirname (binary_policy_path); g_autofree char *bindir_path = g_path_get_dirname (binary_policy_path);
glnx_fd_close int bindir_dfd = -1;
g_autofree char *best_policy = NULL; g_autofree char *best_policy = NULL;
int best_version = 0; int best_version = 0;
g_auto(GLnxDirFdIterator) dfd_iter = { 0,}; glnx_fd_close int bindir_dfd = -1;
if (!glnx_opendirat (AT_FDCWD, bindir_path, TRUE, &bindir_dfd, error)) if (!glnx_opendirat (AT_FDCWD, bindir_path, TRUE, &bindir_dfd, error))
goto out; return FALSE;
g_auto(GLnxDirFdIterator) dfd_iter = { 0,};
if (!glnx_dirfd_iterator_init_at (bindir_dfd, ".", FALSE, &dfd_iter, error)) if (!glnx_dirfd_iterator_init_at (bindir_dfd, ".", FALSE, &dfd_iter, error))
goto out; return FALSE;
while (TRUE) while (TRUE)
{ {
@ -223,8 +220,7 @@ get_policy_checksum (char **out_csum,
if (!glnx_dirfd_iterator_next_dent_ensure_dtype (&dfd_iter, &dent, if (!glnx_dirfd_iterator_next_dent_ensure_dtype (&dfd_iter, &dent,
cancellable, error)) cancellable, error))
goto out; return FALSE;
if (dent == NULL) if (dent == NULL)
break; break;
@ -259,20 +255,14 @@ get_policy_checksum (char **out_csum,
} }
if (!best_policy) if (!best_policy)
{ return glnx_throw (error, "Could not find binary policy file");
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"Could not find binary policy file");
goto out;
}
*out_csum = ot_checksum_file_at (bindir_dfd, best_policy, G_CHECKSUM_SHA256, *out_csum = ot_checksum_file_at (bindir_dfd, best_policy, G_CHECKSUM_SHA256,
cancellable, error); cancellable, error);
if (*out_csum == NULL) if (*out_csum == NULL)
goto out; return FALSE;
ret = TRUE; return TRUE;
out:
return ret;
} }
#endif #endif
@ -283,20 +273,14 @@ initable_init (GInitable *initable,
GError **error) GError **error)
{ {
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
gboolean ret = FALSE;
OstreeSePolicy *self = OSTREE_SEPOLICY (initable); OstreeSePolicy *self = OSTREE_SEPOLICY (initable);
g_autoptr(GFile) path = NULL;
g_autoptr(GFile) etc_selinux_dir = NULL;
g_autoptr(GFile) policy_config_path = NULL;
g_autoptr(GFile) policy_root = NULL;
g_autoptr(GFileInputStream) filein = NULL;
g_autoptr(GDataInputStream) datain = NULL;
gboolean enabled = FALSE; gboolean enabled = FALSE;
g_autofree char *policytype = NULL; g_autofree char *policytype = NULL;
const char *selinux_prefix = "SELINUX="; const char *selinux_prefix = "SELINUX=";
const char *selinuxtype_prefix = "SELINUXTYPE="; const char *selinuxtype_prefix = "SELINUXTYPE=";
/* TODO - use this below */ /* TODO - use this below */
g_autoptr(GFile) path = NULL;
if (self->rootfs_dfd != -1) if (self->rootfs_dfd != -1)
path = ot_fdrel_to_gfile (self->rootfs_dfd, "."); path = ot_fdrel_to_gfile (self->rootfs_dfd, ".");
else if (self->path) else if (self->path)
@ -306,45 +290,44 @@ initable_init (GInitable *initable,
/* TODO - use this below */ /* TODO - use this below */
if (!glnx_opendirat (AT_FDCWD, gs_file_get_path_cached (self->path), TRUE, if (!glnx_opendirat (AT_FDCWD, gs_file_get_path_cached (self->path), TRUE,
&self->rootfs_dfd_owned, error)) &self->rootfs_dfd_owned, error))
goto out; return FALSE;
self->rootfs_dfd = self->rootfs_dfd_owned; self->rootfs_dfd = self->rootfs_dfd_owned;
#endif #endif
} }
else else
g_assert_not_reached (); g_assert_not_reached ();
etc_selinux_dir = g_file_resolve_relative_path (path, "etc/selinux"); g_autoptr(GFile) etc_selinux_dir = g_file_resolve_relative_path (path, "etc/selinux");
if (!g_file_query_exists (etc_selinux_dir, NULL)) if (!g_file_query_exists (etc_selinux_dir, NULL))
{ {
g_object_unref (etc_selinux_dir); g_object_unref (etc_selinux_dir);
etc_selinux_dir = g_file_resolve_relative_path (path, "usr/etc/selinux"); etc_selinux_dir = g_file_resolve_relative_path (path, "usr/etc/selinux");
} }
policy_config_path = g_file_get_child (etc_selinux_dir, "config");
g_autoptr(GFile) policy_config_path = g_file_get_child (etc_selinux_dir, "config");
g_autoptr(GFile) policy_root = NULL;
if (g_file_query_exists (policy_config_path, NULL)) if (g_file_query_exists (policy_config_path, NULL))
{ {
filein = g_file_read (policy_config_path, cancellable, error); g_autoptr(GFileInputStream) filein = filein = g_file_read (policy_config_path, cancellable, error);
if (!filein)
goto out;
datain = g_data_input_stream_new ((GInputStream*)filein); if (!filein)
return FALSE;
g_autoptr(GDataInputStream) datain = g_data_input_stream_new ((GInputStream*)filein);
while (TRUE) while (TRUE)
{ {
gsize len; gsize len;
GError *temp_error = NULL; g_autoptr(GError) temp_error = NULL;
g_autofree char *line = g_data_input_stream_read_line_utf8 (datain, &len, g_autofree char *line = g_data_input_stream_read_line_utf8 (datain, &len,
cancellable, &temp_error); cancellable, &temp_error);
if (temp_error) if (temp_error)
{ return g_propagate_error (error, g_steal_pointer (&temp_error)), FALSE;
g_propagate_error (error, temp_error);
goto out;
}
if (!line) if (!line)
break; break;
if (g_str_has_prefix (line, selinuxtype_prefix)) if (g_str_has_prefix (line, selinuxtype_prefix))
{ {
policytype = g_strstrip (g_strdup (line + strlen (selinuxtype_prefix))); policytype = g_strstrip (g_strdup (line + strlen (selinuxtype_prefix)));
@ -363,56 +346,32 @@ initable_init (GInitable *initable,
if (enabled) if (enabled)
{ {
self->runtime_enabled = is_selinux_enabled () == 1; self->runtime_enabled = is_selinux_enabled () == 1;
const char *policy_rootpath = gs_file_get_path_cached (policy_root);
g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE); g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE);
if (selinux_set_policy_root (gs_file_get_path_cached (policy_root)) != 0) if (selinux_set_policy_root (policy_rootpath) != 0)
{ return glnx_throw_errno_prefix (error, "selinux_set_policy_root(%s)", policy_rootpath);
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"selinux_set_policy_root(%s): %s",
gs_file_get_path_cached (etc_selinux_dir),
strerror (errno));
goto out;
}
self->selinux_hnd = selabel_open (SELABEL_CTX_FILE, NULL, 0); self->selinux_hnd = selabel_open (SELABEL_CTX_FILE, NULL, 0);
if (!self->selinux_hnd) if (!self->selinux_hnd)
{ return glnx_throw_errno_prefix (error, "With policy root '%s': selabel_open(SELABEL_CTX_FILE)",
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, policy_rootpath);
"With policy root '%s': selabel_open(SELABEL_CTX_FILE): %s",
gs_file_get_path_cached (etc_selinux_dir),
strerror (errno));
goto out;
}
{ char *con = NULL;
char *con = NULL; if (selabel_lookup_raw (self->selinux_hnd, &con, "/", 0755) != 0)
if (selabel_lookup_raw (self->selinux_hnd, &con, "/", 0755) != 0) return glnx_throw_errno_prefix (error, "With policy root '%s': Failed to look up context of /",
{ policy_rootpath);
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, freecon (con);
"With policy root '%s': Failed to look up context of /: %s",
gs_file_get_path_cached (etc_selinux_dir),
strerror (errno));
goto out;
}
freecon (con);
}
if (!get_policy_checksum (&self->selinux_policy_csum, cancellable, error)) if (!get_policy_checksum (&self->selinux_policy_csum, cancellable, error))
{ return g_prefix_error (error, "While calculating SELinux checksum: "), FALSE;
g_prefix_error (error, "While calculating SELinux checksum: ");
goto out;
}
self->selinux_policy_name = g_steal_pointer (&policytype); self->selinux_policy_name = g_steal_pointer (&policytype);
self->selinux_policy_root = g_object_ref (etc_selinux_dir); self->selinux_policy_root = g_object_ref (etc_selinux_dir);
} }
ret = TRUE;
out:
return ret;
#else
return TRUE;
#endif #endif
return TRUE;
} }
static void static void
@ -580,11 +539,7 @@ ostree_sepolicy_restorecon (OstreeSePolicy *self,
GError **error) GError **error)
{ {
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
gboolean ret = FALSE;
g_autoptr(GFileInfo) src_info = NULL; g_autoptr(GFileInfo) src_info = NULL;
g_autofree char *label = NULL;
gboolean do_relabel = TRUE;
if (info != NULL) if (info != NULL)
src_info = g_object_ref (info); src_info = g_object_ref (info);
else else
@ -593,9 +548,10 @@ ostree_sepolicy_restorecon (OstreeSePolicy *self,
G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS,
cancellable, error); cancellable, error);
if (!src_info) if (!src_info)
goto out; return FALSE;
} }
gboolean do_relabel = TRUE;
if (flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING) if (flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_KEEP_EXISTING)
{ {
char *existing_con = NULL; char *existing_con = NULL;
@ -607,42 +563,31 @@ ostree_sepolicy_restorecon (OstreeSePolicy *self,
} }
} }
g_autofree char *label = NULL;
if (do_relabel) if (do_relabel)
{ {
if (!ostree_sepolicy_get_label (self, path, if (!ostree_sepolicy_get_label (self, path,
g_file_info_get_attribute_uint32 (src_info, "unix::mode"), g_file_info_get_attribute_uint32 (src_info, "unix::mode"),
&label, &label,
cancellable, error)) cancellable, error))
goto out; return FALSE;
if (!label) if (!label)
{ {
if (!(flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL)) if (!(flags & OSTREE_SEPOLICY_RESTORECON_FLAGS_ALLOW_NOLABEL))
{ return glnx_throw (error, "No label found for '%s'", path);
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
"No label found for '%s'", path);
goto out;
}
} }
else else
{ {
int res = lsetfilecon (gs_file_get_path_cached (target), label); if (lsetfilecon (gs_file_get_path_cached (target), label) < 0)
if (res != 0) return glnx_throw_errno_prefix (error, "lsetfilecon");
{
glnx_set_error_from_errno (error);
goto out;
}
} }
} }
ret = TRUE;
if (out_new_label) if (out_new_label)
*out_new_label = g_steal_pointer (&label); *out_new_label = g_steal_pointer (&label);
out:
return ret;
#else
return TRUE;
#endif #endif
return TRUE;
} }
/** /**
@ -660,7 +605,6 @@ ostree_sepolicy_setfscreatecon (OstreeSePolicy *self,
GError **error) GError **error)
{ {
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
gboolean ret = FALSE;
g_autofree char *label = NULL; g_autofree char *label = NULL;
/* setfscreatecon() will bomb out if the host has SELinux disabled, /* setfscreatecon() will bomb out if the host has SELinux disabled,
@ -673,20 +617,13 @@ ostree_sepolicy_setfscreatecon (OstreeSePolicy *self,
return TRUE; return TRUE;
if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error)) if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error))
goto out; return FALSE;
if (setfscreatecon_raw (label) != 0) if (setfscreatecon_raw (label) != 0)
{ return glnx_throw_errno_prefix (error, "setfscreatecon");
glnx_set_error_from_errno (error);
return FALSE;
}
ret = TRUE;
out:
return ret;
#else
return TRUE;
#endif #endif
return TRUE;
} }
/** /**