From: Christian Göttsche Date: Mon, 2 Mar 2020 20:12:18 +0000 (+0100) Subject: selinux: cache enforced status and treat retrieve failure as enforced mode X-Git-Tag: v246-rc1~790^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F15010%2Fhead;p=thirdparty%2Fsystemd.git selinux: cache enforced status and treat retrieve failure as enforced mode --- diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c index 5cad5641421..2b5f757134f 100644 --- a/src/basic/selinux-util.c +++ b/src/basic/selinux-util.c @@ -35,10 +35,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free); static int mac_selinux_reload(int seqno); static int cached_use = -1; +static int cached_enforcing = -1; static struct selabel_handle *label_hnd = NULL; -#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, __VA_ARGS__) -#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__) +#define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__) +#define log_enforcing_errno(r, ...) log_full_errno(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__) #endif bool mac_selinux_use(void) { @@ -52,12 +53,37 @@ bool mac_selinux_use(void) { #endif } +bool mac_selinux_enforcing(void) { +#if HAVE_SELINUX + if (cached_enforcing < 0) { + cached_enforcing = security_getenforce(); + if (cached_enforcing == -1) { + log_error_errno(errno, "Failed to get SELinux enforced status: %m"); + } + } + + /* treat failure as enforced mode */ + return (cached_enforcing != 0); +#else + return false; +#endif +} + void mac_selinux_retest(void) { #if HAVE_SELINUX cached_use = -1; + cached_enforcing = -1; #endif } +#if HAVE_SELINUX +static int setenforce_callback(int enforcing) { + cached_enforcing = enforcing; + + return 0; +} +#endif + int mac_selinux_init(void) { int r = 0; @@ -66,6 +92,7 @@ int mac_selinux_init(void) { struct mallinfo before_mallinfo, after_mallinfo; selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) mac_selinux_reload); + selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) setenforce_callback); if (label_hnd) return 0; @@ -79,7 +106,7 @@ int mac_selinux_init(void) { label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); if (!label_hnd) { log_enforcing_errno(errno, "Failed to initialize SELinux context: %m"); - r = security_getenforce() == 1 ? -errno : 0; + r = mac_selinux_enforcing() ? -errno : 0; } else { char timespan[FORMAT_TIMESPAN_MAX]; int l; @@ -195,7 +222,7 @@ int mac_selinux_fix(const char *path, LabelFixFlags flags) { fail: log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path); - if (security_getenforce() == 1) + if (mac_selinux_enforcing()) return r; #endif @@ -213,7 +240,7 @@ int mac_selinux_apply(const char *path, const char *label) { if (setfilecon(path, label) < 0) { log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path); - if (security_getenforce() > 0) + if (mac_selinux_enforcing()) return -errno; } #endif @@ -375,7 +402,7 @@ static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath); } - if (security_getenforce() > 0) + if (mac_selinux_enforcing()) return -errno; return 0; @@ -456,7 +483,7 @@ int mac_selinux_create_socket_prepare(const char *label) { if (setsockcreatecon(label) < 0) { log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label); - if (security_getenforce() == 1) + if (mac_selinux_enforcing()) return -errno; } #endif @@ -530,13 +557,13 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { goto skipped; log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path); - if (security_getenforce() > 0) + if (mac_selinux_enforcing()) return -errno; } else { if (setfscreatecon_raw(fcon) < 0) { log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path); - if (security_getenforce() > 0) + if (mac_selinux_enforcing()) return -errno; } else context_changed = true; diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h index e3a40478cbc..159f3f16c24 100644 --- a/src/basic/selinux-util.h +++ b/src/basic/selinux-util.h @@ -16,6 +16,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon); #endif bool mac_selinux_use(void); +bool mac_selinux_enforcing(void); void mac_selinux_retest(void); int mac_selinux_init(void); diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index 00f5241cd11..008a8ba9b6a 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -143,16 +143,16 @@ static int access_init(sd_bus_error *error) { return 1; if (avc_open(NULL, 0) != 0) { - int enforce, saved_errno = errno; + int saved_errno = errno; + const bool enforce = mac_selinux_enforcing(); - enforce = security_getenforce(); - log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m"); + log_full_errno(enforce ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m"); /* If enforcement isn't on, then let's suppress this * error, and just don't do any AVC checks. The * warning we printed is hence all the admin will * see. */ - if (enforce == 0) + if (!enforce) return 0; /* Return an access denied error, if we couldn't load @@ -185,7 +185,7 @@ int mac_selinux_generic_access_check( _cleanup_free_ char *cl = NULL; _cleanup_freecon_ char *fcon = NULL; char **cmdline = NULL; - bool enforce = false; /* Will be set to the real value later if needed */ + const bool enforce = mac_selinux_enforcing(); int r = 0; assert(message); @@ -223,7 +223,6 @@ int mac_selinux_generic_access_check( if (getfilecon_raw(path, &fcon) < 0) { r = -errno; - enforce = security_getenforce() > 0; log_warning_errno(r, "SELinux getfilecon_raw on '%s' failed%s (perm=%s): %m", path, @@ -240,7 +239,6 @@ int mac_selinux_generic_access_check( } else { if (getcon_raw(&fcon) < 0) { r = -errno; - enforce = security_getenforce() > 0; log_warning_errno(r, "SELinux getcon_raw failed%s (perm=%s): %m", enforce ? "" : ", ignoring", @@ -266,7 +264,6 @@ int mac_selinux_generic_access_check( r = selinux_check_access(scon, fcon, tclass, permission, &audit_info); if (r < 0) { r = errno_or_else(EPERM); - enforce = security_getenforce() > 0; if (enforce) sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");