From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 31 Jan 2018 18:53:43 +0000 (+0100)
Subject: selinux: make sure we never use /dev/null for making unit selinux access decisions
X-Git-Tag: v238~160^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=81e9871e8719b498eaa005e090bb7806c2679f39;p=thirdparty%2Fsystemd.git

selinux: make sure we never use /dev/null for making unit selinux access decisions
---

diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index c5f5fb975e4..dd48d0654e9 100644
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -33,10 +33,7 @@ int mac_selinux_generic_access_check(sd_bus_message *message, const char *path,
         mac_selinux_generic_access_check((message), NULL, (permission), (error))
 
 #define mac_selinux_unit_access_check(unit, message, permission, error) \
-        ({                                                              \
-                const Unit *_unit = (unit);                             \
-                mac_selinux_generic_access_check((message), _unit->source_path ?: _unit->fragment_path, (permission), (error)); \
-        })
+        mac_selinux_generic_access_check((message), unit_label_path(unit), (permission), (error))
 
 #else
 
diff --git a/src/core/unit.c b/src/core/unit.c
index 932f05baa27..54e298cae41 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -5375,6 +5375,23 @@ bool unit_needs_console(Unit *u) {
         return exec_context_may_touch_console(ec);
 }
 
+const char *unit_label_path(Unit *u) {
+        const char *p;
+
+        /* Returns the file system path to use for MAC access decisions, i.e. the file to read the SELinux label off
+         * when validating access checks. */
+
+        p = u->source_path ?: u->fragment_path;
+        if (!p)
+                return NULL;
+
+        /* If a unit is masked, then don't read the SELinux label of /dev/null, as that really makes no sense */
+        if (path_equal(p, "/dev/null"))
+                return NULL;
+
+        return p;
+}
+
 static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
         [COLLECT_INACTIVE] = "inactive",
         [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",
diff --git a/src/core/unit.h b/src/core/unit.h
index 8c79d4ed2eb..32105830509 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -801,6 +801,8 @@ void unit_warn_leftover_processes(Unit *u);
 
 bool unit_needs_console(Unit *u);
 
+const char *unit_label_path(Unit *u);
+
 /* Macros which append UNIT= or USER_UNIT= to the message */
 
 #define log_unit_full(unit, level, error, ...)                          \