Message ID | 20240322145019.60220-1-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 6e2f7033406a |
Delegated to: | Petr Lautrbach |
Series | [v2] libselinux: avoid logs in get_ordered_context_list() without policy | expand |
On Fri, Mar 22, 2024 at 10:59 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > If no policy has been loaded yet and thus the current context is still > "kernel" avoid logging failures in get_ordered_context_list(), like: > > get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root > get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts > > Move the context parsing from get_context_user() to its caller > get_ordered_context_list(), so an invalid context is not treated as an > get_context_user() failure and not logged. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > v2: > - move the context parsing from get_context_user() to its caller > - add Signed-off-by > --- > libselinux/src/get_context_list.c | 24 ++++++++++++------------ > 1 file changed, 12 insertions(+), 12 deletions(-) > > diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c > index 7e23be05..0ad24654 100644 > --- a/libselinux/src/get_context_list.c > +++ b/libselinux/src/get_context_list.c > @@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str) > } > > static int get_context_user(FILE * fp, > - const char * fromcon, > + context_t fromcon, > const char * user, > char ***reachable, > unsigned int *nreachable) > @@ -146,7 +146,6 @@ static int get_context_user(FILE * fp, > char **new_reachable = NULL; > char *usercon_str; > const char *usercon_str2; > - context_t con; > context_t usercon; > > int rc; 
> @@ -155,14 +154,10 @@ static int get_context_user(FILE * fp, > > /* Extract the role and type of the fromcon for matching. > User identity and MLS range can be variable. */ > - con = context_new(fromcon); > - if (!con) > - return -1; > - fromrole = context_role_get(con); > - fromtype = context_type_get(con); > - fromlevel = context_range_get(con); > + fromrole = context_role_get(fromcon); > + fromtype = context_type_get(fromcon); > + fromlevel = context_range_get(fromcon); > if (!fromrole || !fromtype) { > - context_free(con); > return -1; > } > > @@ -296,7 +291,6 @@ static int get_context_user(FILE * fp, > rc = 0; > > out: > - context_free(con); > free(line); > return rc; > } > @@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user, > char *fname = NULL; > size_t fname_len; > const char *user_contexts_path = selinux_user_contexts_path(); > + context_t con = NULL; > > if (!fromcon) { > /* Get the current context and use it for the starting context */ > @@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user, > fromcon = backup_fromcon; > } > > + con = context_new(fromcon); > + if (!con) > + goto failsafe; > + > /* Determine the ordering to apply from the optional per-user config > and from the global config. */ > fname_len = strlen(user_contexts_path) + strlen(user) + 2; > @@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user, > fp = fopen(fname, "re"); > if (fp) { > __fsetlocking(fp, FSETLOCKING_BYCALLER); > - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); > + rc = get_context_user(fp, con, user, &reachable, &nreachable); > > fclose(fp); > if (rc < 0 && errno != ENOENT) { 
> @@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user, > fp = fopen(selinux_default_context_path(), "re"); > if (fp) { > __fsetlocking(fp, FSETLOCKING_BYCALLER); > - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); > + rc = get_context_user(fp, con, user, &reachable, &nreachable); > fclose(fp); > if (rc < 0 && errno != ENOENT) { > selinux_log(SELINUX_ERROR, > @@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user, > else > freeconary(reachable); > > + context_free(con); > freecon(backup_fromcon); > > return rc; > -- > 2.43.0 > >
On Mon, Mar 25, 2024 at 3:10 PM James Carter <jwcart2@gmail.com> wrote: > > On Fri, Mar 22, 2024 at 10:59 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > If no policy has been loaded yet and thus the current context is still > > "kernel" avoid logging failures in get_ordered_context_list(), like: > > > > get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root > > get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts > > > > Move the context parsing from get_context_user() to its caller > > get_ordered_context_list(), so an invalid context is not treated as an > > get_context_user() failure and not logged. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > v2: > > - move the context parsing from get_context_user() to its caller > > - add Signed-off-by > > --- > > libselinux/src/get_context_list.c | 24 ++++++++++++------------ > > 1 file changed, 12 insertions(+), 12 deletions(-) > > > > diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c > > index 7e23be05..0ad24654 100644 > > --- a/libselinux/src/get_context_list.c > > +++ b/libselinux/src/get_context_list.c > > @@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str) > > } > > > > static int get_context_user(FILE * fp, > > - const char * fromcon, > > + context_t fromcon, > > const char * user, > > char ***reachable, > > unsigned int *nreachable) > > @@ -146,7 +146,6 @@ static int get_context_user(FILE * fp, > > char **new_reachable = NULL; > > char *usercon_str; > > const char *usercon_str2; > > - context_t con; > > context_t usercon; > > > > int rc; 
> > @@ -155,14 +154,10 @@ static int get_context_user(FILE * fp, > > > > /* Extract the role and type of the fromcon for matching. > > User identity and MLS range can be variable. */ > > - con = context_new(fromcon); > > - if (!con) > > - return -1; > > - fromrole = context_role_get(con); > > - fromtype = context_type_get(con); > > - fromlevel = context_range_get(con); > > + fromrole = context_role_get(fromcon); > > + fromtype = context_type_get(fromcon); > > + fromlevel = context_range_get(fromcon); > > if (!fromrole || !fromtype) { > > - context_free(con); > > return -1; > > } > > > > @@ -296,7 +291,6 @@ static int get_context_user(FILE * fp, > > rc = 0; > > > > out: > > - context_free(con); > > free(line); > > return rc; > > } > > @@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user, > > char *fname = NULL; > > size_t fname_len; > > const char *user_contexts_path = selinux_user_contexts_path(); > > + context_t con = NULL; > > > > if (!fromcon) { > > /* Get the current context and use it for the starting context */ > > @@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user, > > fromcon = backup_fromcon; > > } > > > > + con = context_new(fromcon); > > + if (!con) > > + goto failsafe; > > + > > /* Determine the ordering to apply from the optional per-user config > > and from the global config. */ > > fname_len = strlen(user_contexts_path) + strlen(user) + 2; > > @@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user, > > fp = fopen(fname, "re"); > > if (fp) { > > __fsetlocking(fp, FSETLOCKING_BYCALLER); > > - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); > > + rc = get_context_user(fp, con, user, &reachable, &nreachable); > > > > fclose(fp); > > if (rc < 0 && errno != ENOENT) { 
> > @@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user, > > fp = fopen(selinux_default_context_path(), "re"); > > if (fp) { > > __fsetlocking(fp, FSETLOCKING_BYCALLER); > > - rc = get_context_user(fp, fromcon, user, &reachable, &nreachable); > > + rc = get_context_user(fp, con, user, &reachable, &nreachable); > > fclose(fp); > > if (rc < 0 && errno != ENOENT) { > > selinux_log(SELINUX_ERROR, > > @@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user, > > else > > freeconary(reachable); > > > > + context_free(con); > > freecon(backup_fromcon); > > > > return rc; > > -- > > 2.43.0 > > > >
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 7e23be05..0ad24654 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -130,7 +130,7 @@ static int is_in_reachable(char **reachable, const char *usercon_str)
 }
 
 static int get_context_user(FILE * fp,
- const char * fromcon,
+ context_t fromcon,
 const char * user,
 char ***reachable,
 unsigned int *nreachable)
@@ -146,7 +146,6 @@ static int get_context_user(FILE * fp,
 char **new_reachable = NULL;
 char *usercon_str;
 const char *usercon_str2;
- context_t con;
 context_t usercon;
 
 int rc;
@@ -155,14 +154,10 @@ static int get_context_user(FILE * fp,
 
 /* Extract the role and type of the fromcon for matching.
 User identity and MLS range can be variable. */
- con = context_new(fromcon);
- if (!con)
- return -1;
- fromrole = context_role_get(con);
- fromtype = context_type_get(con);
- fromlevel = context_range_get(con);
+ fromrole = context_role_get(fromcon);
+ fromtype = context_type_get(fromcon);
+ fromlevel = context_range_get(fromcon);
 if (!fromrole || !fromtype) {
- context_free(con);
 return -1;
 }
 
@@ -296,7 +291,6 @@ static int get_context_user(FILE * fp,
 rc = 0;
 
 out:
- context_free(con);
 free(line);
 return rc;
 }
@@ -418,6 +412,7 @@ int get_ordered_context_list(const char *user,
 char *fname = NULL;
 size_t fname_len;
 const char *user_contexts_path = selinux_user_contexts_path();
+ context_t con = NULL;
 
 if (!fromcon) {
 /* Get the current context and use it for the starting context */
@@ -427,6 +422,10 @@ int get_ordered_context_list(const char *user,
 fromcon = backup_fromcon;
 }
 
+ con = context_new(fromcon);
+ if (!con)
+ goto failsafe;
+
 /* Determine the ordering to apply from the optional per-user config
 and from the global config. */
 fname_len = strlen(user_contexts_path) + strlen(user) + 2;
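Review bot: get_context_user() now receives an already-parsed context_t that it neither checks for NULL nor owns, but nothing at the changed signature in the @@ -130 hunk records that contract; the only validation left inside the function is the role/type check in the @@ -155 hunk, which still returns -1 for a context that parsed but carries no role or type. Since the caller is now responsible for both parsing and freeing, a short comment above the signature would keep the next caller from passing a freshly allocated context and leaking it, e.g. `/* fromcon: parsed starting context, owned by the caller and never NULL; only its role and type are matched, user identity and MLS range may vary. */`. The body of get_context_user() continues outside these hunks.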
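Review bot: The new `if (!con) goto failsafe;` in the @@ -427 hunk silences more than the pre-policy "kernel" case the description targets: any fromcon that context_new() rejects, including one passed explicitly by the caller on a system with a policy loaded, now lands on the failsafe path with no diagnostic at all, and an allocation failure inside context_new() takes the same silent route. If context_new() reports an unparsable string via EINVAL and allocation failure via ENOMEM, as it appears to, the two could be told apart cheaply, e.g. `if (!con) { if (errno != EINVAL) selinux_log(SELINUX_ERROR, "%s:  context_new() failed\n", __FUNCTION__); goto failsafe; }`. At minimum the silent fallback deserves a why-comment such as `/* fromcon may be unparsable (e.g. "kernel" before a policy is loaded): fall back to the failsafe context without logging. */`, since losing this log message also removes an operator-visible signal that a login was resolved through the failsafe context. What the failsafe label does with rc is outside the hunk and not visible here.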
@@ -437,7 +436,7 @@ int get_ordered_context_list(const char *user,
 fp = fopen(fname, "re");
 if (fp) {
 __fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
 
 fclose(fp);
 if (rc < 0 && errno != ENOENT) {
@@ -451,7 +450,7 @@ int get_ordered_context_list(const char *user,
 fp = fopen(selinux_default_context_path(), "re");
 if (fp) {
 __fsetlocking(fp, FSETLOCKING_BYCALLER);
- rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ rc = get_context_user(fp, con, user, &reachable, &nreachable);
 fclose(fp);
 if (rc < 0 && errno != ENOENT) {
 selinux_log(SELINUX_ERROR,
@@ -472,6 +471,7 @@ int get_ordered_context_list(const char *user,
 else
 freeconary(reachable);
 
+ context_free(con);
 freecon(backup_fromcon);
 
 return rc;
If no policy has been loaded yet and thus the current context is still "kernel" avoid logging failures in get_ordered_context_list(), like: get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/users/root get_ordered_context_list: error in processing configuration file /etc/selinux/debian/contexts/default_contexts Move the context parsing from get_context_user() to its caller get_ordered_context_list(), so an invalid context is not treated as a get_context_user() failure and not logged. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- v2: - move the context parsing from get_context_user() to its caller - add Signed-off-by --- libselinux/src/get_context_list.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-)