From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kay Sievers Date: Fri, 04 Feb 2005 12:24:30 +0000 Subject: udev: cleanup selinux integration Message-Id: <1107519871.4644.6.camel@localhost.localdomain> MIME-Version: 1 Content-Type: multipart/mixed; boundary="=-5Rn4J1cxch0xFEZhCEG8" List-Id: To: linux-hotplug@vger.kernel.org --=-5Rn4J1cxch0xFEZhCEG8 Content-Type: text/plain Content-Transfer-Encoding: 7bit Hi Harald, could you please verify that the selinux build still works in your environment. I've changed the way it is integrated into udev. It has it's own .c-file instead of the big inline header and the kernel name is passed down to find the ide media in /proc without assuming that the node name is equal to the kernel name. Thanks, Kay --=-5Rn4J1cxch0xFEZhCEG8 Content-Description: Content-Disposition: inline; filename=udev-selinux-01.patch Content-Type: text/x-patch; charset=UTF-8 Content-Transfer-Encoding: 7bit diff -Nru a/Makefile b/Makefile --- a/Makefile 2005-02-04 13:17:55 +01:00 +++ b/Makefile 2005-02-04 13:17:55 +01:00 @@ -203,7 +203,7 @@ udev_db.h \ udev_sysfs.h \ logging.h \ - selinux.h \ + udev_selinux.h \ list.h SYSFS_OBJS = \ @@ -243,6 +243,11 @@ klibc_fixups/klibc_fixups.o OBJS += klibc_fixups/klibc_fixups.a +endif + +ifeq ($(strip $(USE_SELINUX)),true) + UDEV_OBJS += udev_selinux.o + LIB_OBJS += -lselinux endif ifeq ($(strip $(V)),false) diff -Nru a/selinux.h b/selinux.h --- a/selinux.h 2005-02-04 13:17:55 +01:00 +++ /dev/null Wed Dec 31 16:00:00 196900 
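Review bot: The new USE_SELINUX block adds `udev_selinux.o` to UDEV_OBJS, but no udev_selinux.c is part of this patch — the udev_selinux.h it adds still carries the entire `static inline` implementation, identical to the deleted selinux.h — so a USE_SELINUX=true build would have no source to build that object from. Either the .c file was left out of the attachment (the cover letter says the code moved into its own .c file) or the `UDEV_OBJS += udev_selinux.o` line should be dropped until it exists. `LIB_OBJS += -lselinux` places a linker flag in what looks like an object list; if LIB_OBJS is expanded on the link line this works, but a LDFLAGS/LDLIBS-style variable would be the conventional home for it.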
@@ -1,148 +0,0 @@
-#ifndef SELINUX_H
-#define SELINUX_H
-
-#ifndef USE_SELINUX
-
-static inline void selinux_setfilecon(char *file, unsigned int mode) {}
-static inline void selinux_setfscreatecon(char *file, unsigned int mode) {}
-static inline void selinux_init(void) {}
-static inline void selinux_restore(void) {}
-
-#else
-
-#include
-#include
-#include
-#include
-
-static int selinux_enabled=-1;
-static security_context_t prev_scontext=NULL;
-
-static inline int is_selinux_running(void)
-{
- if (selinux_enabled == -1)
- return selinux_enabled = is_selinux_enabled() > 0;
- return selinux_enabled;
-}
-
-static inline int selinux_get_media(char *path, int mode, char **media)
-{
- FILE *fp;
- char buf[PATH_MAX];
- char mediabuf[PATH_MAX];
- int ret = -1;
-
- *media = NULL;
- if (!(mode && S_IFBLK)) {
- return -1;
- }
-
- snprintf(buf, sizeof(buf), "/proc/ide/%s/media", basename(path));
-
- fp=fopen(buf,"r");
- if (!fp)
- goto out;
-
- mediabuf[0] = '\0';
-
- if (fgets(mediabuf, sizeof(mediabuf), fp) == NULL)
- goto close_out;
-
- int size = strlen(mediabuf);
- while (size-- > 0) {
- if (isspace(mediabuf[size])) {
- mediabuf[size]='\0';
- } else {
- break;
- }
- }
- *media = strdup(mediabuf);
- info("selinux_get_media(%s)->%s \n", path, *media);
- ret = 0;
-
-close_out:
- fclose(fp);
-out:
- return ret;
-}
-
-static inline void selinux_setfilecon(char *file, unsigned int mode)
-{
- if (is_selinux_running()) {
- security_context_t scontext=NULL;
- char *media;
- int ret=selinux_get_media(file, mode, &media);
- if (ret == 0) {
- ret = matchmediacon(media, &scontext);
- free(media);
- }
- if (ret == -1)
- if (matchpathcon(file, mode, &scontext) < 0) {
- dbg("matchpathcon(%s) failed\n", file);
- return;
- }
- if (setfilecon(file, scontext) < 0)
- dbg("setfiles %s failed with error '%s'",
- file, strerror(errno));
- freecon(scontext);
- }
-}
-
-static inline void selinux_setfscreatecon(char *file, unsigned int mode)
-{
- int retval = 0;
- security_context_t scontext=NULL;
-
- if (is_selinux_running()) {
- char *media;
- int ret = selinux_get_media(file, mode, &media);
-
- if (ret == 0) {
- ret = matchmediacon(media, &scontext);
- free(media);
- }
-
- if (ret == -1)
- if (matchpathcon(file, mode, &scontext) < 0) {
- dbg("matchpathcon(%s) failed\n", file);
- return;
- }
-
- retval = setfscreatecon(scontext);
- if (retval < 0)
- dbg("setfiles %s failed with error '%s'",
- file, strerror(errno));
- freecon(scontext);
- }
-}
-
-static inline void selinux_init(void)
-{
- /*
- * record the present security context, for file-creation
- * restoration creation purposes.
- */
- if (is_selinux_running()) {
- if (getfscreatecon(&prev_scontext) < 0) {
- dbg("getfscreatecon failed\n");
- }
- prev_scontext = NULL;
- }
-}
-
-static inline void selinux_restore(void)
-{
- if (is_selinux_running()) {
- /* reset the file create context to its former glory */
- if (setfscreatecon(prev_scontext) < 0)
- dbg("setfscreatecon failed\n");
- if (prev_scontext) {
- freecon(prev_scontext);
- prev_scontext = NULL;
- }
- }
-}
-
-#endif /* USE_SELINUX */
-
-#endif /* SELINUX_H */
diff -Nru a/udev_add.c b/udev_add.c
--- a/udev_add.c 2005-02-04 13:17:55 +01:00
+++ b/udev_add.c 2005-02-04 13:17:55 +01:00
@@ -43,8 +43,7 @@
 #include "logging.h"
 #include "namedev.h"
 #include "udev_db.h"
-
-#include "selinux.h"
+#include "udev_selinux.h"
 
 /*
 * the major/minor of a device is stored in a file called "dev"
@@ -68,7 +67,7 @@
 return -1;
 }
 
-static int make_node(char *file, int major, int minor, unsigned int mode, uid_t uid, gid_t gid)
+static int make_node(struct udevice *udev, char *file, int major, int minor, unsigned int mode, uid_t uid, gid_t gid)
 {
 struct stat stats;
 int retval = 0;
@@ -80,7 +79,7 @@ if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) && (stats.st_rdev == makedev(major, minor))) { dbg("preserve file '%s', cause it has correct dev_t", file); - selinux_setfilecon(file,stats.st_mode); + selinux_setfilecon(file, udev->kernel_name, stats.st_mode); goto perms; } @@ -90,7 +89,7 @@ dbg("already present file '%s' unlinked", file); create: - selinux_setfscreatecon(file, mode); + selinux_setfscreatecon(file, udev->kernel_name, mode); retval = mknod(file, mode, makedev(major, minor)); if (retval != 0) { dbg("mknod(%s, %#o, %u, %u) failed with error '%s'", @@ -184,7 +183,7 @@ if (!udev->test_run) { info("creating device node '%s'", filename); - if (make_node(filename, udev->major, udev->minor, udev->mode, uid, gid) != 0) + if (make_node(udev, filename, udev->major, udev->minor, udev->mode, uid, gid) != 0) goto error; } else { info("creating device node '%s', major = '%d', minor = '%d', " @@ -199,7 +198,7 @@ for (i = 1; i <= udev->partitions; i++) { strfieldcpy(partitionname, filename); strintcat(partitionname, i); - make_node(partitionname, udev->major, udev->minor + i, udev->mode, uid, gid); + make_node(udev, partitionname, udev->major, udev->minor + i, udev->mode, uid, gid); } } } @@ -237,7 +236,7 @@ dbg("symlink(%s, %s)", linktarget, filename); if (!udev->test_run) { - selinux_setfscreatecon(filename, S_IFLNK); + selinux_setfscreatecon(filename, udev->kernel_name, S_IFLNK); unlink(filename); if (symlink(linktarget, filename) != 0) dbg("symlink(%s, %s) failed with error '%s'", diff -Nru a/udev_selinux.h b/udev_selinux.h --- /dev/null Wed Dec 31 16:00:00 196900 +++ b/udev_selinux.h 2005-02-04 13:17:55 +01:00 
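Review bot: The calls in the hunks at new lines 79, 89 and 236 now pass `udev->kernel_name` as a second argument, but the udev_selinux.h added by this same patch declares `selinux_setfilecon(char *file, unsigned int mode)` and `selinux_setfscreatecon(char *file, unsigned int mode)` in both the stub and the USE_SELINUX branch, so neither configuration compiles as posted. The header needs matching three-argument declarations, e.g. `static inline void selinux_setfilecon(char *file, const char *devname, unsigned int mode)`, and `selinux_get_media()` should build its /proc/ide path from that name instead of `basename(path)`, which is the purpose stated in the cover letter. `make_node()` now takes `struct udevice *udev` only to read `kernel_name`; passing the name directly would keep the helper decoupled from the struct, though that is a style choice. The body of make_node continues outside these hunks.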
@@ -0,0 +1,148 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+#ifndef USE_SELINUX
+
+static inline void selinux_setfilecon(char *file, unsigned int mode) {}
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {}
+static inline void selinux_init(void) {}
+static inline void selinux_restore(void) {}
+
+#else
+
+#include
+#include
+#include
+#include
+
+static int selinux_enabled=-1;
+static security_context_t prev_scontext=NULL;
+
+static inline int is_selinux_running(void)
+{
+ if (selinux_enabled == -1)
+ return selinux_enabled = is_selinux_enabled() > 0;
+ return selinux_enabled;
+}
+
+static inline int selinux_get_media(char *path, int mode, char **media)
+{
+ FILE *fp;
+ char buf[PATH_MAX];
+ char mediabuf[PATH_MAX];
+ int ret = -1;
+
+ *media = NULL;
+ if (!(mode && S_IFBLK)) {
+ return -1;
+ }
+
+ snprintf(buf, sizeof(buf), "/proc/ide/%s/media", basename(path));
+
+ fp=fopen(buf,"r");
+ if (!fp)
+ goto out;
+
+ mediabuf[0] = '\0';
+
+ if (fgets(mediabuf, sizeof(mediabuf), fp) == NULL)
+ goto close_out;
+
+ int size = strlen(mediabuf);
+ while (size-- > 0) {
+ if (isspace(mediabuf[size])) {
+ mediabuf[size]='\0';
+ } else {
+ break;
+ }
+ }
+ *media = strdup(mediabuf);
+ info("selinux_get_media(%s)->%s \n", path, *media);
+ ret = 0;
+
+close_out:
+ fclose(fp);
+out:
+ return ret;
+}
+
+static inline void selinux_setfilecon(char *file, unsigned int mode)
+{
+ if (is_selinux_running()) {
+ security_context_t scontext=NULL;
+ char *media;
+ int ret=selinux_get_media(file, mode, &media);
+ if (ret == 0) {
+ ret = matchmediacon(media, &scontext);
+ free(media);
+ }
+ if (ret == -1)
+ if (matchpathcon(file, mode, &scontext) < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ return;
+ }
+ if (setfilecon(file, scontext) < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+}
+
+static inline void selinux_setfscreatecon(char *file, unsigned int mode)
+{
+ int retval = 0;
+ security_context_t scontext=NULL;
+
+ if (is_selinux_running()) {
+ char *media;
+ int ret = selinux_get_media(file, mode, &media);
+
+ if (ret == 0) {
+ ret = matchmediacon(media, &scontext);
+ free(media);
+ }
+
+ if (ret == -1)
+ if (matchpathcon(file, mode, &scontext) < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ return;
+ }
+
+ retval = setfscreatecon(scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+}
+
+static inline void selinux_init(void)
+{
+ /*
+ * record the present security context, for file-creation
+ * restoration creation purposes.
+ */
+ if (is_selinux_running()) {
+ if (getfscreatecon(&prev_scontext) < 0) {
+ dbg("getfscreatecon failed\n");
+ }
+ prev_scontext = NULL;
+ }
+}
+
+static inline void selinux_restore(void)
+{
+ if (is_selinux_running()) {
+ /* reset the file create context to its former glory */
+ if (setfscreatecon(prev_scontext) < 0)
+ dbg("setfscreatecon failed\n");
+ if (prev_scontext) {
+ freecon(prev_scontext);
+ prev_scontext = NULL;
+ }
+ }
+}
+
+#endif /* USE_SELINUX */
+
+#endif /* SELINUX_H */
--=-5Rn4J1cxch0xFEZhCEG8--
------------------------------------------------------- This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________ Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
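Review bot: In `selinux_get_media()` the guard `if (!(mode && S_IFBLK))` is a logical AND, so every non-zero mode — including the S_IFLNK that udev_add.c passes before creating a symlink — goes on to the /proc/ide lookup; the intended test is `if ((mode & S_IFMT) != S_IFBLK)`. In `selinux_init()` the unconditional `prev_scontext = NULL;` after a successful `getfscreatecon()` leaks the fetched context and leaves `selinux_restore()` calling `setfscreatecon(prev_scontext)` with NULL instead of the saved value; that assignment belongs inside the failure branch. `*media = strdup(mediabuf);` is never checked, so an allocation failure reports success and hands a NULL media string to `matchmediacon()`. The new file is otherwise a byte-for-byte copy of the deleted selinux.h, down to the `SELINUX_H` include guard, which is worth renaming now that the header is udev_selinux.h.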