From 45b30d15b8bf1dd877f9871951d9c7f66c957769 Mon Sep 17 00:00:00 2001 From: Kay Sievers <kay@vrfy.org> Date: Wed, 11 Apr 2012 12:30:53 +0200 Subject: [PATCH] split selinux label operations out of cgroup-util, socket-util This prevents linking of selinux and libdl for another 15 binaries. (cherry picked from commit cc527a4734d636f1ab5a66576cb7e232af3cc261) Conflicts: Makefile.am --- Makefile.am | 111 +++++++++++++++++++++-------------- src/shared/cgroup-label.c | 81 +++++++++++++++++++++++++ src/shared/cgroup-util.c | 45 -------------- src/shared/socket-label.c | 143 +++++++++++++++++++++++++++++++++++++++++++++ src/shared/socket-util.c | 104 --------------------------------- 5 files changed, 291 insertions(+), 193 deletions(-) create mode 100644 src/shared/cgroup-label.c create mode 100644 src/shared/socket-label.c diff --git a/Makefile.am b/Makefile.am index 87c94b2..27a283e 100644 --- a/Makefile.am +++ b/Makefile.am @@ -564,29 +564,30 @@ libsystemd_shared_la_SOURCES = \ src/shared/pager.c \ src/shared/pager.h \ src/shared/ioprio.h \ + src/shared/socket-util.c \ + src/shared/socket-util.h \ + src/shared/cgroup-util.c \ + src/shared/cgroup-util.h \ src/shared/list.h \ src/shared/macro.h # ------------------------------------------------------------------------------ noinst_LTLIBRARIES += \ - libsystemd-shared-selinux.la + libsystemd-label.la -libsystemd_shared_selinux_la_SOURCES = \ - src/shared/cgroup-util.c \ - src/shared/cgroup-util.h \ - src/shared/socket-util.c \ - src/shared/socket-util.h \ +libsystemd_label_la_SOURCES = \ + src/shared/cgroup-label.c \ + src/shared/socket-label.c \ src/shared/label.c \ src/shared/label.h \ src/shared/mkdir.c \ src/shared/mkdir.h -libsystemd_shared_selinux_la_CFLAGS = \ +libsystemd_label_la_CFLAGS = \ $(AM_CFLAGS) \ $(SELINUX_CFLAGS) -libsystemd_shared_selinux_la_LIBADD = \ - libsystemd-shared.la \ +libsystemd_label_la_LIBADD = \ $(SELINUX_LIBS) # ------------------------------------------------------------------------------ @@ -775,8 +776,9 @@ libsystemd_core_la_CFLAGS = \ $(KMOD_CFLAGS) libsystemd_core_la_LIBADD = \ - libsystemd-shared-selinux.la \ libsystemd-capability.la \ + libsystemd-label.la \ + libsystemd-shared.la \ $(DBUS_LIBS) \ $(UDEV_LIBS) \ $(LIBWRAP_LIBS) \ @@ -832,7 +834,7 @@ test_loopback_SOURCES = \ src/loopback-setup.c test_loopback_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-shared.la test_hostname_SOURCES = \ src/test-hostname.c \ @@ -852,7 +854,8 @@ test_cgroup_SOURCES = \ src/test-cgroup.c test_cgroup_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la test_env_replace_SOURCES = \ src/test-env-replace.c @@ -878,7 +881,8 @@ test_install_CFLAGS = \ $(DBUS_CFLAGS) test_install_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la test_watchdog_SOURCES = \ src/test-watchdog.c \ @@ -924,7 +928,8 @@ systemd_shutdownd_SOURCES = \ src/shutdownd.c systemd_shutdownd_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-daemon.la pkginclude_HEADERS += \ @@ -943,7 +948,8 @@ systemd_shutdown_CFLAGS = \ $(UDEV_CFLAGS) systemd_shutdown_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ $(UDEV_LIBS) # ------------------------------------------------------------------------------ @@ -963,7 +969,8 @@ systemd_tmpfiles_SOURCES = \ src/tmpfiles.c systemd_tmpfiles_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la # ------------------------------------------------------------------------------ systemd_machine_id_setup_SOURCES = \ @@ -971,7 +978,8 @@ systemd_machine_id_setup_SOURCES = \ src/machine-id-main.c systemd_machine_id_setup_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-id128.la # ------------------------------------------------------------------------------ @@ -1028,14 +1036,16 @@ systemd_getty_generator_SOURCES = \ src/unit-name.c systemd_getty_generator_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la # ------------------------------------------------------------------------------ systemd_rc_local_generator_SOURCES = \ src/rc-local-generator.c systemd_rc_local_generator_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la # ------------------------------------------------------------------------------ systemd_remount_api_vfs_SOURCES = \ @@ -1075,7 +1085,8 @@ systemctl_CFLAGS = \ $(DBUS_CFLAGS) systemctl_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-daemon.la \ libsystemd-journal.la \ libsystemd-id128.la \ @@ -1096,7 +1107,8 @@ systemd_ask_password_SOURCES = \ src/ask-password-api.c systemd_ask_password_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la # ------------------------------------------------------------------------------ systemd_reply_password_SOURCES = \ @@ -1111,14 +1123,14 @@ systemd_cgls_SOURCES = \ src/cgroup-show.c systemd_cgls_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-shared.la # ------------------------------------------------------------------------------ systemd_cgtop_SOURCES = \ src/cgtop.c systemd_cgtop_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-shared.la # ------------------------------------------------------------------------------ systemd_nspawn_SOURCES = \ @@ -1126,7 +1138,8 @@ systemd_nspawn_SOURCES = \ src/loopback-setup.c systemd_nspawn_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-capability.la \ libsystemd-daemon.la @@ -1190,7 +1203,8 @@ systemd_tty_ask_password_agent_SOURCES = \ src/utmp-wtmp.c systemd_tty_ask_password_agent_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la # ------------------------------------------------------------------------------ libsystemd_daemon_la_SOURCES = \ @@ -1280,7 +1294,7 @@ test_id128_SOURCES = \ src/test-id128.c test_id128_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ libsystemd-id128.la noinst_PROGRAMS += \ @@ -1340,7 +1354,8 @@ nodist_systemd_journald_SOURCES = \ systemd_journald_CFLAGS = systemd_journald_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-audit.la \ libsystemd-daemon.la \ libsystemd-login.la \ @@ -1367,7 +1382,7 @@ systemd_cat_SOURCES = \ src/journal/cat.c systemd_cat_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ libsystemd-journal.la journalctl_SOURCES = \ @@ -1375,7 +1390,7 @@ journalctl_SOURCES = \ src/logs-show.c journalctl_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ libsystemd-journal.la \ libsystemd-id128.la @@ -1397,7 +1412,8 @@ test_journal_SOURCES = \ src/journal/journal-send.c test_journal_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-id128.la if HAVE_XZ @@ -1416,7 +1432,7 @@ test_journal_send_SOURCES = \ src/journal/test-journal-send.c test_journal_send_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ libsystemd-journal.la libsystemd_journal_la_SOURCES = \ @@ -1436,7 +1452,7 @@ libsystemd_journal_la_LDFLAGS = \ -Wl,--version-script=$(top_srcdir)/src/journal/libsystemd-journal.sym libsystemd_journal_la_LIBADD = \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ libsystemd-id128.la if HAVE_XZ @@ -1533,7 +1549,8 @@ systemd_coredump_SOURCES = \ systemd_coredump_LDADD = \ libsystemd-journal.la \ libsystemd-login.la \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la rootlibexec_PROGRAMS += \ systemd-coredump @@ -1707,7 +1724,8 @@ systemd_random_seed_SOURCES = \ src/random-seed.c systemd_random_seed_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la randomseed-install-data-hook: $(MKDIR_P) -m 0755 \ @@ -1745,7 +1763,8 @@ systemd_cryptsetup_CFLAGS = \ $(UDEV_CFLAGS) systemd_cryptsetup_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ $(UDEV_LIBS) \ $(LIBCRYPTSETUP_LIBS) @@ -1754,7 +1773,8 @@ systemd_cryptsetup_generator_SOURCES = \ src/unit-name.c systemd_cryptsetup_generator_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-label.la \ + libsystemd-shared.la cryptsetup-install-data-hook: $(MKDIR_P) -m 0755 \ @@ -1830,7 +1850,8 @@ systemd_localed_CFLAGS = \ $(DBUS_CFLAGS) systemd_localed_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-daemon.la \ $(DBUS_LIBS) @@ -1961,7 +1982,8 @@ systemd_logind_CFLAGS = \ $(DBUS_CFLAGS) systemd_logind_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ libsystemd-audit.la \ libsystemd-daemon.la \ $(UDEV_LIBS) \ @@ -1979,7 +2001,7 @@ systemd_user_sessions_SOURCES = \ src/login/user-sessions.c systemd_user_sessions_LDADD = \ - libsystemd-shared-selinux.la + libsystemd-shared.la rootlibexec_PROGRAMS += \ systemd-logind \ @@ -1997,7 +2019,7 @@ loginctl_CFLAGS = \ $(UDEV_CFLAGS) loginctl_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ $(DBUS_LIBS) \ $(UDEV_LIBS) @@ -2009,7 +2031,7 @@ test_login_SOURCES = \ test_login_LDADD = \ libsystemd-login.la \ - libsystemd-shared-selinux.la + libsystemd-shared.la noinst_PROGRAMS += \ test-login @@ -2028,7 +2050,7 @@ libsystemd_login_la_LDFLAGS = \ -Wl,--version-script=$(top_srcdir)/src/login/libsystemd-login.sym libsystemd_login_la_LIBADD = \ - libsystemd-shared-selinux.la + libsystemd-shared.la if HAVE_PAM pam_systemd_la_SOURCES = \ @@ -2052,7 +2074,7 @@ pam_systemd_la_LDFLAGS = \ pam_systemd_la_LIBADD = \ libsystemd-daemon.la \ libsystemd-audit.la \ - libsystemd-shared-selinux.la \ + libsystemd-shared.la \ $(PAM_LIBS) \ $(DBUS_LIBS) @@ -2127,7 +2149,8 @@ systemd_multi_seat_x_CFLAGS = \ $(UDEV_CFLAGS) systemd_multi_seat_x_LDADD = \ - libsystemd-shared-selinux.la \ + libsystemd-label.la \ + libsystemd-shared.la \ $(UDEV_LIBS) rootlibexec_PROGRAMS += \ diff --git a/src/shared/cgroup-label.c b/src/shared/cgroup-label.c new file mode 100644 index 0000000..f9a42c6 --- /dev/null +++ b/src/shared/cgroup-label.c @@ -0,0 +1,81 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <errno.h> +#include <unistd.h> +#include <signal.h> +#include <string.h> +#include <stdlib.h> +#include <dirent.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <ftw.h> + +#include "cgroup-util.h" +#include "log.h" +#include "set.h" +#include "macro.h" +#include "util.h" +#include "mkdir.h" + +int cg_create(const char *controller, const char *path) { + char *fs; + int r; + + assert(controller); + assert(path); + + if ((r = cg_get_path(controller, path, NULL, &fs)) < 0) + return r; + + r = mkdir_parents(fs, 0755); + + if (r >= 0) { + if (mkdir(fs, 0755) >= 0) + r = 1; + else if (errno == EEXIST) + r = 0; + else + r = -errno; + } + + free(fs); + + return r; +} + +int cg_create_and_attach(const char *controller, const char *path, pid_t pid) { + int r, q; + + assert(controller); + assert(path); + assert(pid >= 0); + + if ((r = cg_create(controller, path)) < 0) + return r; + + if ((q = cg_attach(controller, path, pid)) < 0) + return q; + + /* This does not remove the cgroup on failure */ + + return r; +} diff --git a/src/shared/cgroup-util.c b/src/shared/cgroup-util.c index 5647624..ad677d4 100644 --- a/src/shared/cgroup-util.c +++ b/src/shared/cgroup-util.c @@ -34,7 +34,6 @@ #include "set.h" #include "macro.h" #include "util.h" -#include "mkdir.h" int cg_enumerate_processes(const char *controller, const char *path, FILE **_f) { char *fs; @@ -638,32 +637,6 @@ int cg_delete(const char *controller, const char *path) { return r == -ENOENT ? 0 : r; } -int cg_create(const char *controller, const char *path) { - char *fs; - int r; - - assert(controller); - assert(path); - - if ((r = cg_get_path(controller, path, NULL, &fs)) < 0) - return r; - - r = mkdir_parents(fs, 0755); - - if (r >= 0) { - if (mkdir(fs, 0755) >= 0) - r = 1; - else if (errno == EEXIST) - r = 0; - else - r = -errno; - } - - free(fs); - - return r; -} - int cg_attach(const char *controller, const char *path, pid_t pid) { char *fs; int r; @@ -688,24 +661,6 @@ int cg_attach(const char *controller, const char *path, pid_t pid) { return r; } -int cg_create_and_attach(const char *controller, const char *path, pid_t pid) { - int r, q; - - assert(controller); - assert(path); - assert(pid >= 0); - - if ((r = cg_create(controller, path)) < 0) - return r; - - if ((q = cg_attach(controller, path, pid)) < 0) - return q; - - /* This does not remove the cgroup on failure */ - - return r; -} - int cg_set_group_access(const char *controller, const char *path, mode_t mode, uid_t uid, gid_t gid) { char *fs; int r; diff --git a/src/shared/socket-label.c b/src/shared/socket-label.c new file mode 100644 index 0000000..9ab07a9 --- /dev/null +++ b/src/shared/socket-label.c @@ -0,0 +1,143 @@ +/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ + +/*** + This file is part of systemd. + + Copyright 2010 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <assert.h> +#include <string.h> +#include <unistd.h> +#include <errno.h> +#include <stdlib.h> +#include <arpa/inet.h> +#include <stdio.h> +#include <net/if.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <stddef.h> +#include <sys/ioctl.h> + +#include "macro.h" +#include "util.h" +#include "mkdir.h" +#include "socket-util.h" +#include "missing.h" +#include "label.h" + +int socket_address_listen( + const SocketAddress *a, + int backlog, + SocketAddressBindIPv6Only only, + const char *bind_to_device, + bool free_bind, + bool transparent, + mode_t directory_mode, + mode_t socket_mode, + const char *label, + int *ret) { + + int r, fd, one; + assert(a); + assert(ret); + + if ((r = socket_address_verify(a)) < 0) + return r; + + if (socket_address_family(a) == AF_INET6 && !socket_ipv6_is_supported()) + return -EAFNOSUPPORT; + + r = label_socket_set(label); + if (r < 0) + return r; + + fd = socket(socket_address_family(a), a->type | SOCK_NONBLOCK | SOCK_CLOEXEC, a->protocol); + r = fd < 0 ? -errno : 0; + + label_socket_clear(); + + if (r < 0) + return r; + + if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) { + int flag = only == SOCKET_ADDRESS_IPV6_ONLY; + + if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &flag, sizeof(flag)) < 0) + goto fail; + } + + if (socket_address_family(a) == AF_INET || socket_address_family(a) == AF_INET6) { + if (bind_to_device) + if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, bind_to_device, strlen(bind_to_device)+1) < 0) + goto fail; + + if (free_bind) { + one = 1; + if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) + log_warning("IP_FREEBIND failed: %m"); + } + + if (transparent) { + one = 1; + if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) + log_warning("IP_TRANSPARENT failed: %m"); + } + } + + one = 1; + if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0) + goto fail; + + if (socket_address_family(a) == AF_UNIX && a->sockaddr.un.sun_path[0] != 0) { + mode_t old_mask; + + /* Create parents */ + mkdir_parents(a->sockaddr.un.sun_path, directory_mode); + + /* Enforce the right access mode for the socket*/ + old_mask = umask(~ socket_mode); + + /* Include the original umask in our mask */ + umask(~socket_mode | old_mask); + + r = label_bind(fd, &a->sockaddr.sa, a->size); + + if (r < 0 && errno == EADDRINUSE) { + /* Unlink and try again */ + unlink(a->sockaddr.un.sun_path); + r = bind(fd, &a->sockaddr.sa, a->size); + } + + umask(old_mask); + } else + r = bind(fd, &a->sockaddr.sa, a->size); + + if (r < 0) + goto fail; + + if (socket_address_can_accept(a)) + if (listen(fd, backlog) < 0) + goto fail; + + *ret = fd; + return 0; + +fail: + r = -errno; + close_nointr_nofail(fd); + return r; +} diff --git a/src/shared/socket-util.c b/src/shared/socket-util.c index 554f8ac..618c928 100644 --- a/src/shared/socket-util.c +++ b/src/shared/socket-util.c @@ -37,7 +37,6 @@ #include "mkdir.h" #include "socket-util.h" #include "missing.h" -#include "label.h" int socket_address_parse(SocketAddress *a, const char *s) { int r; @@ -384,109 +383,6 @@ int socket_address_print(const SocketAddress *a, char **p) { } } -int socket_address_listen( - const SocketAddress *a, - int backlog, - SocketAddressBindIPv6Only only, - const char *bind_to_device, - bool free_bind, - bool transparent, - mode_t directory_mode, - mode_t socket_mode, - const char *label, - int *ret) { - - int r, fd, one; - assert(a); - assert(ret); - - if ((r = socket_address_verify(a)) < 0) - return r; - - if (socket_address_family(a) == AF_INET6 && !socket_ipv6_is_supported()) - return -EAFNOSUPPORT; - - r = label_socket_set(label); - if (r < 0) - return r; - - fd = socket(socket_address_family(a), a->type | SOCK_NONBLOCK | SOCK_CLOEXEC, a->protocol); - r = fd < 0 ? -errno : 0; - - label_socket_clear(); - - if (r < 0) - return r; - - if (socket_address_family(a) == AF_INET6 && only != SOCKET_ADDRESS_DEFAULT) { - int flag = only == SOCKET_ADDRESS_IPV6_ONLY; - - if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &flag, sizeof(flag)) < 0) - goto fail; - } - - if (socket_address_family(a) == AF_INET || socket_address_family(a) == AF_INET6) { - if (bind_to_device) - if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, bind_to_device, strlen(bind_to_device)+1) < 0) - goto fail; - - if (free_bind) { - one = 1; - if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0) - log_warning("IP_FREEBIND failed: %m"); - } - - if (transparent) { - one = 1; - if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) - log_warning("IP_TRANSPARENT failed: %m"); - } - } - - one = 1; - if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0) - goto fail; - - if (socket_address_family(a) == AF_UNIX && a->sockaddr.un.sun_path[0] != 0) { - mode_t old_mask; - - /* Create parents */ - mkdir_parents(a->sockaddr.un.sun_path, directory_mode); - - /* Enforce the right access mode for the socket*/ - old_mask = umask(~ socket_mode); - - /* Include the original umask in our mask */ - umask(~socket_mode | old_mask); - - r = label_bind(fd, &a->sockaddr.sa, a->size); - - if (r < 0 && errno == EADDRINUSE) { - /* Unlink and try again */ - unlink(a->sockaddr.un.sun_path); - r = bind(fd, &a->sockaddr.sa, a->size); - } - - umask(old_mask); - } else - r = bind(fd, &a->sockaddr.sa, a->size); - - if (r < 0) - goto fail; - - if (socket_address_can_accept(a)) - if (listen(fd, backlog) < 0) - goto fail; - - *ret = fd; - return 0; - -fail: - r = -errno; - close_nointr_nofail(fd); - return r; -} - bool socket_address_can_accept(const SocketAddress *a) { assert(a);