From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 21 Oct 2024 20:07:56 +0000 (+0200)
Subject: label: tweak LabelOps post() hook to take "created" boolean
X-Git-Tag: v257-rc1~161^2~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d49449c89b3bec486b16ddaec582a4de28bc3dea;p=thirdparty%2Fsystemd.git

label: tweak LabelOps post() hook to take "created" boolean

We have two distinct implementations of the post hook.

1. For SELinux we just reset the selinux label we told the kernel
   earlier to use for new inodes.

2. For SMACK we might apply an xattr to the specified file.

The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
---

diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
index bbf2fea3e62..7ccd3f6750a 100644
--- a/src/basic/fs-util.c
+++ b/src/basic/fs-util.c
@@ -1184,7 +1184,7 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
                         made_dir = true;
 
                 if (FLAGS_SET(xopen_flags, XO_LABEL)) {
-                        r = label_ops_post(dir_fd, path);
+                        r = label_ops_post(dir_fd, path, made_dir);
                         if (r < 0)
                                 goto error;
                 }
@@ -1211,7 +1211,7 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
         }
 
         if (FLAGS_SET(open_flags, O_CREAT) && FLAGS_SET(xopen_flags, XO_LABEL)) {
-                r = label_ops_post(dir_fd, path);
+                r = label_ops_post(dir_fd, path, made_file || made_dir);
                 if (r < 0)
                         goto error;
         }
diff --git a/src/basic/label.c b/src/basic/label.c
index 8b084a7c05f..47d19678255 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -22,11 +22,11 @@ int label_ops_pre(int dir_fd, const char *path, mode_t mode) {
         return label_ops->pre(dir_fd, path, mode);
 }
 
-int label_ops_post(int dir_fd, const char *path) {
+int label_ops_post(int dir_fd, const char *path, bool created) {
         if (!label_ops || !label_ops->post)
                 return 0;
 
-        return label_ops->post(dir_fd, path);
+        return label_ops->post(dir_fd, path, created);
 }
 
 void label_ops_reset(void) {
diff --git a/src/basic/label.h b/src/basic/label.h
index a070bf28cc3..eb851bcb4f4 100644
--- a/src/basic/label.h
+++ b/src/basic/label.h
@@ -1,15 +1,17 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#include <stdbool.h>
 #include <sys/types.h>
 
 typedef struct LabelOps {
         int (*pre)(int dir_fd, const char *path, mode_t mode);
-        int (*post)(int dir_fd, const char *path);
+        int (*post)(int dir_fd, const char *path, bool created);
 } LabelOps;
 
 int label_ops_set(const LabelOps *label_ops);
 
 int label_ops_pre(int dir_fd, const char *path, mode_t mode);
-int label_ops_post(int dir_fd, const char *path);
+int label_ops_post(int dir_fd, const char *path, bool created);
+
 void label_ops_reset(void);
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index e4f6e07e530..4d3b127d8e9 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -64,7 +64,7 @@ static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) {
         return mac_selinux_create_file_prepare_at(dir_fd, path, mode);
 }
 
-static int mac_selinux_label_post(int dir_fd, const char *path) {
+static int mac_selinux_label_post(int dir_fd, const char *path, bool created) {
         mac_selinux_create_file_clear();
         return 0;
 }
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c
index 1f88e724d00..d0a79b26359 100644
--- a/src/shared/smack-util.c
+++ b/src/shared/smack-util.c
@@ -294,7 +294,10 @@ static int mac_smack_label_pre(int dir_fd, const char *path, mode_t mode) {
         return 0;
 }
 
-static int mac_smack_label_post(int dir_fd, const char *path) {
+static int mac_smack_label_post(int dir_fd, const char *path, bool created) {
+        if (!created)
+                return 0;
+
         return mac_smack_fix_full(dir_fd, path, NULL, 0);
 }
 
diff --git a/src/test/test-label.c b/src/test/test-label.c
index 9d7ac18ba9a..06690ec86c9 100644
--- a/src/test/test-label.c
+++ b/src/test/test-label.c
@@ -43,7 +43,7 @@ static int pre_labelling_func(int dir_fd, const char *path, mode_t mode) {
         return 0;
 }
 
-static int post_labelling_func(int dir_fd, const char *path) {
+static int post_labelling_func(int dir_fd, const char *path, bool created) {
        int r;
 
         /* assume label policies that restrict certain labels */
@@ -140,17 +140,17 @@ TEST(label_ops_post) {
         text1 = "Add initial texts to file for testing label operations to file1\n";
 
         assert(labelling_op(fd, text1, "file1.txt", 0644) == 0);
-        assert_se(label_ops_post(fd, "file1.txt") == 0);
+        assert_se(label_ops_post(fd, "file1.txt", true) == 0);
         assert_se(strlen(text1) == (size_t)buf.st_size);
         text2 = "Add text2 data to file2\n";
 
         assert(labelling_op(fd, text2, "file2.txt", 0644) == 0);
-        assert_se(label_ops_post(fd, "file2.txt") == 0);
+        assert_se(label_ops_post(fd, "file2.txt", true) == 0);
         assert_se(strlen(text2) == (size_t)buf.st_size);
-        assert_se(label_ops_post(fd, "file3.txt") == -ENOENT);
-        assert_se(label_ops_post(fd, "/abcd") == -ENOENT);
-        assert_se(label_ops_post(fd, "/restricted_directory") == -EACCES);
-        assert_se(label_ops_post(fd, "") == -EINVAL);
+        assert_se(label_ops_post(fd, "file3.txt", true) == -ENOENT);
+        assert_se(label_ops_post(fd, "/abcd", true) == -ENOENT);
+        assert_se(label_ops_post(fd, "/restricted_directory", true) == -EACCES);
+        assert_se(label_ops_post(fd, "", true) == -EINVAL);
 }
 
 DEFINE_TEST_MAIN(LOG_INFO)