
systemd socket activation selinux context pr review

Message ID CAFPpqQFxHtjJ-8FQpB71WHhHwOgREGwU4TexjO5Vty8pjM+o3A@mail.gmail.com (mailing list archive)
State Not Applicable

Commit Message

Ted Toth Oct. 10, 2022, 5:20 p.m. UTC
I'd appreciate it if some committers would review this pull request
and add comments as it seems to have stalled.

https://github.com/systemd/systemd/pull/24702

From 86f28a8638a59cb73800c54b26c0bd5874bc50dc Mon Sep 17 00:00:00 2001
From: "Ted X. Toth" <txtoth@flycast.org>
Date: Tue, 13 Sep 2022 15:27:47 -0700
Subject: [PATCH] Use target process context to set socket context when using
 SELinuxContextFromNet not systemds context

---
 src/core/socket.c | 46 +++++++++++++++++-----------------------------
 1 file changed, 17 insertions(+), 29 deletions(-)


+        r = mac_selinux_get_create_label_from_exe(path, ret);
+        if (IN_SET(r, -EPERM, -EOPNOTSUPP))
+                goto no_label;
         return r;

 no_label:

Comments

Paul Moore Oct. 10, 2022, 8:27 p.m. UTC | #1
On Mon, Oct 10, 2022 at 1:21 PM Ted Toth <txtoth@gmail.com> wrote:
>
> I'd appreciate it if some committers would review this pull request
> and add comments as it seems to have stalled.
>
> https://github.com/systemd/systemd/pull/24702

Looking quickly at the GH issue it looks like a rebase has been
requested?  Doing that might help things ...

Patch

diff --git a/src/core/socket.c b/src/core/socket.c
index f67a79705499..ad0e81607807 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1409,39 +1409,27 @@  static int
socket_determine_selinux_label(Socket *s, char **ret) {
         assert(s);
         assert(ret);

-        if (s->selinux_context_from_net) {
-                /* If this is requested, get the label from the
network label */
+        Unit *service;
+        ExecCommand *c;
+        _cleanup_free_ char *path = NULL;

-                r = mac_selinux_get_our_label(ret);
-                if (r == -EOPNOTSUPP)
-                        goto no_label;
-
-        } else {
-                /* Otherwise, get it from the executable we are about
to start. */
-
-                Unit *service;
-                ExecCommand *c;
-                _cleanup_free_ char *path = NULL;
-
-                r = socket_load_service_unit(s, -1, &service);
-                if (r == -ENODATA)
-                        goto no_label;
-                if (r < 0)
-                        return r;
-
-                c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
-                if (!c)
-                        goto no_label;
+        r = socket_load_service_unit(s, -1, &service);
+        if (r == -ENODATA)
+                goto no_label;
+        if (r < 0)
+                return r;

-                r = chase_symlinks(c->path,
SERVICE(service)->exec_context.root_directory, CHASE_PREFIX_ROOT,
&path, NULL);
-                if (r < 0)
-                        goto no_label;
+        c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
+        if (!c)
+                goto no_label;

-                r = mac_selinux_get_create_label_from_exe(path, ret);
-                if (IN_SET(r, -EPERM, -EOPNOTSUPP))
-                        goto no_label;
-        }
+        r = chase_symlinks(c->path,
SERVICE(service)->exec_context.root_directory, CHASE_PREFIX_ROOT,
&path, NULL);
+        if (r < 0)
+                goto no_label;