#include <unistd.h>
#include <utmpx.h>
-#ifdef HAVE_PAM
+#if HAVE_PAM
#include <security/pam_appl.h>
#endif
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
#include <selinux/selinux.h>
#endif
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
#include <seccomp.h>
#endif
-#ifdef HAVE_APPARMOR
+#if HAVE_APPARMOR
#include <sys/apparmor.h>
#endif
#include "af-list.h"
#include "alloc-util.h"
-#ifdef HAVE_APPARMOR
+#if HAVE_APPARMOR
#include "apparmor-util.h"
#endif
#include "async.h"
#include "process-util.h"
#include "rlimit-util.h"
#include "rm-rf.h"
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
#include "seccomp-util.h"
#endif
#include "securebits.h"
return 0;
}
-#ifdef HAVE_PAM
+#if HAVE_PAM
static int null_conv(
int num_msg,
char ***env,
int fds[], unsigned n_fds) {
-#ifdef HAVE_PAM
+#if HAVE_PAM
static const struct pam_conv conv = {
.conv = null_conv,
c->lock_personality;
}
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
static bool skip_seccomp_unavailable(const Unit* u, const char* msg) {
needs_setuid, /* Do we need to do the actual setresuid()/setresgid() calls? */
needs_mount_namespace, /* Do we need to set up a mount namespace for this kernel? */
needs_ambient_hack; /* Do we need to apply the ambient capabilities hack? */
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
bool use_selinux = false;
#endif
-#ifdef HAVE_SMACK
+#if ENABLE_SMACK
bool use_smack = false;
#endif
-#ifdef HAVE_APPARMOR
+#if HAVE_APPARMOR
bool use_apparmor = false;
#endif
uid_t uid = UID_INVALID;
* present. The actual MAC context application will happen later, as late as possible, to avoid
* impacting our own code paths. */
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
use_selinux = mac_selinux_use();
#endif
-#ifdef HAVE_SMACK
+#if ENABLE_SMACK
use_smack = mac_smack_use();
#endif
-#ifdef HAVE_APPARMOR
+#if HAVE_APPARMOR
use_apparmor = mac_apparmor_use();
#endif
}
}
if (needs_sandboxing) {
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
if (use_selinux && params->selinux_context_net && socket_fd >= 0) {
r = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
if (r < 0) {
* syscalls that are subject to seccomp filtering, hence should probably be applied before the syscalls
* are restricted. */
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
if (use_selinux) {
char *exec_context = mac_selinux_context_net ?: context->selinux_context;
}
#endif
-#ifdef HAVE_SMACK
+#if ENABLE_SMACK
if (use_smack) {
r = setup_smack(context, command);
if (r < 0) {
}
#endif
-#ifdef HAVE_APPARMOR
+#if HAVE_APPARMOR
if (use_apparmor && context->apparmor_profile) {
r = aa_change_onexec(context->apparmor_profile);
if (r < 0 && !context->apparmor_profile_ignore) {
return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m");
}
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
r = apply_address_families(unit, context);
if (r < 0) {
*exit_status = EXIT_ADDRESS_FAMILIES;
prefix, yes_no(c->lock_personality));
if (c->syscall_filter) {
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
Iterator j;
void *id;
bool first = true;
if (!c->syscall_whitelist)
fputc('~', f);
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
SET_FOREACH(id, c->syscall_filter, j) {
_cleanup_free_ char *name = NULL;
}
if (c->syscall_archs) {
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
Iterator j;
void *id;
#endif
"%sSystemCallArchitectures:",
prefix);
-#ifdef HAVE_SECCOMP
+#if HAVE_SECCOMP
SET_FOREACH(id, c->syscall_archs, j)
fprintf(f, " %s", strna(seccomp_arch_to_string(PTR_TO_UINT32(id) - 1)));
#endif