From fe00a581c3b85035c906441e76f95d78ab2bbfd1 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Fri, 25 Apr 2025 15:57:21 +0200 Subject: [PATCH] lib/, src/: add SELinux control flag in spw_unlock() Expand spw_unlock() interface to add a control flag for SELinux file context processing. Signed-off-by: Iker Pedrosa --- lib/cleanup_user.c | 2 +- lib/lockpw.c | 2 +- lib/shadowio.c | 4 ++-- lib/shadowio.h | 2 +- src/chage.c | 4 ++-- src/chpasswd.c | 4 ++-- src/newusers.c | 4 ++-- src/passwd.c | 6 +++--- src/pwck.c | 8 ++++---- src/pwconv.c | 4 ++-- src/pwunconv.c | 4 ++-- src/useradd.c | 4 ++-- src/userdel.c | 4 ++-- src/usermod.c | 4 ++-- 14 files changed, 28 insertions(+), 28 deletions(-) diff --git a/lib/cleanup_user.c b/lib/cleanup_user.c index e6a617a29..16fa3f375 100644 --- a/lib/cleanup_user.c +++ b/lib/cleanup_user.c @@ -117,7 +117,7 @@ void cleanup_unlock_passwd (MAYBE_UNUSED void *arg) */ void cleanup_unlock_shadow (MAYBE_UNUSED void *arg) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (log_get_logfd(), _("%s: failed to unlock %s\n"), log_get_progname(), spw_dbname ()); diff --git a/lib/lockpw.c b/lib/lockpw.c index 04cbdf36f..4f357b48b 100644 --- a/lib/lockpw.c +++ b/lib/lockpw.c @@ -78,7 +78,7 @@ int ulckpwdf (void) * Unlock both files. */ - return (pw_unlock (true) && spw_unlock ())? 0 : -1; + return (pw_unlock (true) && spw_unlock (true))? 0 : -1; } #else extern int ISO_C_forbids_an_empty_translation_unit; diff --git a/lib/shadowio.c b/lib/shadowio.c index efa33b5bf..4d2bf3b7f 100644 --- a/lib/shadowio.c +++ b/lib/shadowio.c @@ -206,14 +206,14 @@ int spw_close (bool process_selinux) return retval; } -int spw_unlock (void) +int spw_unlock (bool process_selinux) { #ifdef WITH_TCB int retval = 0; if (!getdef_bool ("USE_TCB")) { #endif /* WITH_TCB */ - return commonio_unlock (&shadow_db, true); + return commonio_unlock (&shadow_db, process_selinux); #ifdef WITH_TCB } if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) { 
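Review bot: In ulckpwdf() in lib/lockpw.c, `pw_unlock (true) && spw_unlock (true)` short-circuits, so when pw_unlock() reports failure spw_unlock() is never called and the shadow lock is left held, although the comment above the statement says both files are unlocked. A lock left behind on the shadow database would likely make later account-management tools fail until it is cleared, so both calls should run before the results are combined: `int pw_ok = pw_unlock (true);`, `int spw_ok = spw_unlock (true);`, `return (pw_ok && spw_ok) ? 0 : -1;`. The start of the function lies outside the hunk, so any earlier handling of this case is not visible here.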
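Review bot: The new `process_selinux` parameter of spw_unlock() in lib/shadowio.c is undocumented, and so is the matching prototype in lib/shadowio.h; every caller in this patch passes `true`, so nothing tells a reader when `false` is appropriate. I would add a comment above the definition such as `/* process_selinux: forwarded to commonio_unlock(); pass true unless the caller deliberately skips SELinux file-context handling for the shadow file. */`. The hunk only shows the flag reaching commonio_unlock() on the non-TCB path, and the WITH_TCB branch continues past the end of the hunk; if that branch ignores the flag the comment should say so, since a caller would otherwise assume the setting also applies when USE_TCB is enabled.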
diff --git a/lib/shadowio.h b/lib/shadowio.h index e64d8d602..be645d0e5 100644 --- a/lib/shadowio.h +++ b/lib/shadowio.h @@ -23,7 +23,7 @@ extern /*@observer@*/ /*@null@*/const struct spwd *spw_next (void); extern int spw_open (int mode); extern int spw_remove (const char *name); extern int spw_rewind (void); -extern int spw_unlock (void); +extern int spw_unlock (bool process_selinux); extern int spw_update (const struct spwd *sp); extern int spw_sort (void); diff --git a/src/chage.c b/src/chage.c index 09c8871e5..6547a4eeb 100644 --- a/src/chage.c +++ b/src/chage.c @@ -94,7 +94,7 @@ static void fail_exit (int code) { if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -562,7 +562,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failure while writing changes to %s", pw_dbname ())); fail_exit (E_NOPERM); } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ diff --git a/src/chpasswd.c b/src/chpasswd.c index 2ddfd08ee..5eee5c2e9 100644 --- a/src/chpasswd.c +++ b/src/chpasswd.c @@ -91,7 +91,7 @@ static void fail_exit (int code) } if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -387,7 +387,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ())); fail_exit (1); } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ 
diff --git a/src/newusers.c b/src/newusers.c index b93138950..961085a33 100644 --- a/src/newusers.c +++ b/src/newusers.c @@ -166,7 +166,7 @@ static void usage (int status) static void fail_exit (int code) { if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -960,7 +960,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ())); fail_exit (EXIT_FAILURE); } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); diff --git a/src/passwd.c b/src/passwd.c index 342d77d1f..0e8e8c470 100644 --- a/src/passwd.c +++ b/src/passwd.c @@ -491,7 +491,7 @@ fail_exit (int status) } if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { (void) fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -627,7 +627,7 @@ static void update_shadow (void) /* Try to update the password in /etc/passwd instead. */ (void) spw_close (true); update_noshadow (); - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { (void) fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); @@ -688,7 +688,7 @@ static void update_shadow (void) SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ())); fail_exit (E_FAILURE); } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { (void) fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); diff --git a/src/pwck.c b/src/pwck.c index c827b5ca0..4e55dd707 100644 --- a/src/pwck.c +++ b/src/pwck.c 
@@ -85,7 +85,7 @@ extern int allow_bad_names; static void fail_exit (int code) { if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); if (use_system_spw_file) { SYSLOG ((LOG_ERR, "failed to unlock %s", @@ -338,7 +338,7 @@ static void close_files (bool changed) * Don't be anti-social - unlock the files when you're done. */ if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); @@ -581,7 +581,7 @@ static void check_pw_file (bool *errors, bool *changed) _("%s: cannot open %s\n"), Prog, spw_dbname ()); *errors = true; - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); @@ -669,7 +669,7 @@ static void check_pw_file (bool *errors, bool *changed) } else { spw_opened = false; } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); diff --git a/src/pwconv.c b/src/pwconv.c index 6bef9be50..acefb0e27 100644 --- a/src/pwconv.c +++ b/src/pwconv.c @@ -91,7 +91,7 @@ static void fail_exit (int status) } if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -305,7 +305,7 @@ int main (int argc, char **argv) /* continue */ } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ diff --git a/src/pwunconv.c b/src/pwunconv.c index 2ce174ebe..ddbc81052 100644 --- a/src/pwunconv.c +++ b/src/pwunconv.c 
@@ -47,7 +47,7 @@ static void process_flags (int argc, char **argv); static void fail_exit (int status) { if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -222,7 +222,7 @@ int main (int argc, char **argv) fail_exit (3); } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ diff --git a/src/useradd.c b/src/useradd.c index 0af295ce5..66f4ca66e 100644 --- a/src/useradd.c +++ b/src/useradd.c @@ -263,7 +263,7 @@ static void fail_exit (int code) SYSLOG((LOG_ERR, "failed to remove %s", prefix_user_home)); } - if (spw_locked && spw_unlock() == 0) { + if (spw_locked && spw_unlock(true) == 0) { fprintf(stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname()); SYSLOG((LOG_ERR, "failed to unlock %s", spw_dbname())); /* continue */ @@ -1591,7 +1591,7 @@ static void close_files (void) } #endif /* ENABLE_SUBIDS */ if (is_shadow_pwd) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); #ifdef WITH_AUDIT diff --git a/src/userdel.c b/src/userdel.c index fa1de9885..a74eea662 100644 --- a/src/userdel.c +++ b/src/userdel.c @@ -410,7 +410,7 @@ static void close_files (void) SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ())); fail_exit (E_PW_UPDATE); } - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ 
@@ -499,7 +499,7 @@ static void fail_exit (int code) } } if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ diff --git a/src/usermod.c b/src/usermod.c index 12cd13926..15c0f26dc 100644 --- a/src/usermod.c +++ b/src/usermod.c @@ -651,7 +651,7 @@ fail_exit (int code) } #endif if (spw_locked) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ())); /* continue */ @@ -1537,7 +1537,7 @@ static void close_files (void) } if (is_shadow_pwd) { - if (spw_unlock () == 0) { + if (spw_unlock (true) == 0) { fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ()); -- 2.47.3