label: tweak LabelOps post() hook to take "created" boolean

We have two distinct implementations of the post hook.

1. For SELinux we just reset the selinux label we told the kernel
   earlier to use for new inodes.

2. For SMACK we might apply an xattr to the specified file.

The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.

diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
index bbf2fea3e62753992c36ff48f39c6f28f838a5b4..7ccd3f6750aebca256ff3e107336dde287116597 100644 (file)
--- a/src/basic/fs-util.c
+++ b/src/basic/fs-util.c
@@ -1184,7 +1184,7 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
                         made_dir = true;
 
                 if (FLAGS_SET(xopen_flags, XO_LABEL)) {
-                        r = label_ops_post(dir_fd, path);
+                        r = label_ops_post(dir_fd, path, made_dir);
                         if (r < 0)
                                 goto error;
                 }
@@ -1211,7 +1211,7 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
         }
 
         if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
-                r = label_ops_post(dir_fd, path);
+                r = label_ops_post(dir_fd, path, made_file || made_dir);
                 if (r < 0)
                         goto error;
         }

diff --git a/src/basic/label.c b/src/basic/label.c
index 8b084a7c05f5acfc8d6bb6699cbd2b01927fab77..47d19678255d4ed80926d3ea1ec1a595afe6e1c1 100644 (file)
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -22,11 +22,11 @@ int label_ops_pre(int dir_fd, const char *path, mode_t mode) {
         return label_ops->pre(dir_fd, path, mode);
 }
 
-int label_ops_post(int dir_fd, const char *path) {
+int label_ops_post(int dir_fd, const char *path, bool created) {
         if (!label_ops || !label_ops->post)
                 return 0;
 
-        return label_ops->post(dir_fd, path);
+        return label_ops->post(dir_fd, path, created);
 }
 
 void label_ops_reset(void) {

diff --git a/src/basic/label.h b/src/basic/label.h
index a070bf28cc3344a7123f55aeeae0c22eda2f8d3e..eb851bcb4f4a24bcc12d35e0ed9ee26fbf2e5029 100644 (file)
--- a/src/basic/label.h
+++ b/src/basic/label.h
@@ -1,15 +1,17 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#include <stdbool.h>
 #include <sys/types.h>
 
 typedef struct LabelOps {
         int (*pre)(int dir_fd, const char *path, mode_t mode);
-        int (*post)(int dir_fd, const char *path);
+        int (*post)(int dir_fd, const char *path, bool created);
 } LabelOps;
 
 int label_ops_set(const LabelOps *label_ops);
 
 int label_ops_pre(int dir_fd, const char *path, mode_t mode);
-int label_ops_post(int dir_fd, const char *path);
+int label_ops_post(int dir_fd, const char *path, bool created);
+
 void label_ops_reset(void);

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index e4f6e07e53070580dac2cd92648778575d7af217..4d3b127d8e9a50b1f192e214c138d7d0308270a5 100644 (file)
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -64,7 +64,7 @@ static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) {
         return mac_selinux_create_file_prepare_at(dir_fd, path, mode);
 }
 
-static int mac_selinux_label_post(int dir_fd, const char *path) {
+static int mac_selinux_label_post(int dir_fd, const char *path, bool created) {
         mac_selinux_create_file_clear();
         return 0;
 }

diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 1f88e724d007dd63790b8c64d460fcc35c79f95a..d0a79b263594e911dd8010a6660dbb8dfca4e231 100644 (file)
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -294,7 +294,10 @@ static int mac_smack_label_pre(int dir_fd, const char *path, mode_t mode) {
         return 0;
 }
 
-static int mac_smack_label_post(int dir_fd, const char *path) {
+static int mac_smack_label_post(int dir_fd, const char *path, bool created) {
+        if (!created)
+                return 0;
+
         return mac_smack_fix_full(dir_fd, path, NULL, 0);
 }
 

diff --git a/src/test/test-label.c b/src/test/test-label.c
index 9d7ac18ba9a0dc10d015d011f8e497e89507f1d1..06690ec86c9055d306b049dc642b77d9d4b847b7 100644 (file)
--- a/src/test/test-label.c
+++ b/src/test/test-label.c
@@ -43,7 +43,7 @@ static int pre_labelling_func(int dir_fd, const char *path, mode_t mode) {
         return 0;
 }
 
-static int post_labelling_func(int dir_fd, const char *path) {
+static int post_labelling_func(int dir_fd, const char *path, bool created) {
        int r;
 
         /* assume label policies that restrict certain labels */
@@ -140,17 +140,17 @@ TEST(label_ops_post) {
         text1 = "Add initial texts to file for testing label operations to file1\n";
 
         assert(labelling_op(fd, text1, "file1.txt", 0644) == 0);
-        assert_se(label_ops_post(fd, "file1.txt") == 0);
+        assert_se(label_ops_post(fd, "file1.txt", true) == 0);
         assert_se(strlen(text1) == (size_t)buf.st_size);
         text2 = "Add text2 data to file2\n";
 
         assert(labelling_op(fd, text2, "file2.txt", 0644) == 0);
-        assert_se(label_ops_post(fd, "file2.txt") == 0);
+        assert_se(label_ops_post(fd, "file2.txt", true) == 0);
         assert_se(strlen(text2) == (size_t)buf.st_size);
-        assert_se(label_ops_post(fd, "file3.txt") == -ENOENT);
-        assert_se(label_ops_post(fd, "/abcd") == -ENOENT);
-        assert_se(label_ops_post(fd, "/restricted_directory") == -EACCES);
-        assert_se(label_ops_post(fd, "") == -EINVAL);
+        assert_se(label_ops_post(fd, "file3.txt", true) == -ENOENT);
+        assert_se(label_ops_post(fd, "/abcd", true) == -ENOENT);
+        assert_se(label_ops_post(fd, "/restricted_directory", true) == -EACCES);
+        assert_se(label_ops_post(fd, "", true) == -EINVAL);
 }
 
 DEFINE_TEST_MAIN(LOG_INFO)