Re: [systemd-devel] [PATCH v5] socket: introduce SELinuxContextFromNet option

2014-09-19 Thread Tom Gundersen
On Mon, Sep 8, 2014 at 3:42 PM, Michal Sekletar msekl...@redhat.com wrote:
 This makes possible to spawn service instances triggered by socket with
 MLS/MCS SELinux labels which are created based on information provided by
 connected peer.

 Implementation of label_get_child_mls_label derived from xinetd.

 Reviewed-by: Paul Moore pmo...@redhat.com
 ---

 Changes in v5:
 * removed unneeded #include of libselinux headers from socket.c
 * fixed white-space issue in service_set_socket_fd

As all the comments from v4 have been fixed, please go ahead and commit this.

Cheers,

Tom

  man/systemd.socket.xml|  26 
  src/core/execute.c|  29 +++--
  src/core/execute.h|   1 +
  src/core/load-fragment-gperf.gperf.m4 |   3 +
  src/core/service.c|  10 +--
  src/core/service.h|   3 +-
  src/core/socket.c |  16 +++--
  src/core/socket.h |   2 +
  src/shared/label.c| 113 
 ++
  src/shared/label.h|   2 +
  10 files changed, 190 insertions(+), 15 deletions(-)

 diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
 index 7a63348..dad0267 100644
 --- a/man/systemd.socket.xml
 +++ b/man/systemd.socket.xml
 @@ -676,6 +676,32 @@
  /varlistentry

  varlistentry
 +  
 termvarnameSELinuxContextFromNet=/varname/term
 + listitemparaTakes a boolean
 + argument. When true systemd will attempt
 + to figure out the SELinux label used
 + for the instantiated service from the
 + information handed by the peer over the
 + network. Note that only the security
 + level is used from the information
 + provided by the peer. Other parts of
 + the resulting SELinux context originate
 + from either the target binary that is
 + effectively triggered by socket unit
 + are taken from the value of the
 + varnameSELinuxContext=/varname
 + option.This configuration option only
 + affects sockets with
 + varnameAccept=/varname mode set to
 + literaltrue/literal. Also note that
 + this option is useful only when
 + MLS/MCS SELinux policy is
 + deployed. Defaults to
 + literalfalse/literal.
 + /para/listitem
 +/varlistentry
 +
 +varlistentry
  termvarnamePipeSize=/varname/term
  listitemparaTakes a size in
  bytes. Controls the pipe buffer size
 diff --git a/src/core/execute.c b/src/core/execute.c
 index 0a59147..37b9ed4 100644
 --- a/src/core/execute.c
 +++ b/src/core/execute.c
 @@ -83,6 +83,7 @@
  #include af-list.h
  #include mkdir.h
  #include apparmor-util.h
 +#include label.h

  #ifdef HAVE_SECCOMP
  #include seccomp-util.h
 @@ -1646,11 +1647,29 @@ static int exec_child(ExecCommand *command,
  #endif

  #ifdef HAVE_SELINUX
 -if (context-selinux_context  use_selinux()) {
 -err = setexeccon(context-selinux_context);
 -if (err  0  !context-selinux_context_ignore) {
 -*error = EXIT_SELINUX_CONTEXT;
 -return err;
 +if (use_selinux()) {
 +if (context-selinux_context) {
 +err = setexeccon(context-selinux_context);
 +if (err  0  
 !context-selinux_context_ignore) {
 +*error = EXIT_SELINUX_CONTEXT;
 +return err;
 +}
 +}
 +
 +if (params-selinux_context_net  socket_fd = 0) {
 +_cleanup_free_ char *label = NULL;
 +
 +err = label_get_child_mls_label(socket_fd, 
 command-path, label);
 +if (err  0) {
 +*error = EXIT_SELINUX_CONTEXT;
 +return err;
 +}
 +
 +err = setexeccon(label);
 +  

Re: [systemd-devel] [PATCH v5] socket: introduce SELinuxContextFromNet option

2014-09-19 Thread Michal Sekletar
On Fri, Sep 19, 2014 at 12:13:18PM +0200, Tom Gundersen wrote:
 On Mon, Sep 8, 2014 at 3:42 PM, Michal Sekletar msekl...@redhat.com wrote:
  This makes possible to spawn service instances triggered by socket with
  MLS/MCS SELinux labels which are created based on information provided by
  connected peer.
 
  Implementation of label_get_child_mls_label derived from xinetd.
 
  Reviewed-by: Paul Moore pmo...@redhat.com
  ---
 
  Changes in v5:
  * removed unneeded #include of libselinux headers from socket.c
  * fixed white-space issue in service_set_socket_fd
 
 As all the comments from v4 have been fixed, please go ahead and commit this.

Rebased and pushed.

Regards,

Michal

 
 Cheers,
 
 Tom
 
   man/systemd.socket.xml|  26 
   src/core/execute.c|  29 +++--
   src/core/execute.h|   1 +
   src/core/load-fragment-gperf.gperf.m4 |   3 +
   src/core/service.c|  10 +--
   src/core/service.h|   3 +-
   src/core/socket.c |  16 +++--
   src/core/socket.h |   2 +
   src/shared/label.c| 113 
  ++
   src/shared/label.h|   2 +
   10 files changed, 190 insertions(+), 15 deletions(-)
 
  diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
  index 7a63348..dad0267 100644
  --- a/man/systemd.socket.xml
  +++ b/man/systemd.socket.xml
  @@ -676,6 +676,32 @@
   /varlistentry
 
   varlistentry
  +  
  termvarnameSELinuxContextFromNet=/varname/term
  + listitemparaTakes a boolean
  + argument. When true systemd will attempt
  + to figure out the SELinux label used
  + for the instantiated service from the
  + information handed by the peer over the
  + network. Note that only the security
  + level is used from the information
  + provided by the peer. Other parts of
  + the resulting SELinux context originate
  + from either the target binary that is
  + effectively triggered by socket unit
  + are taken from the value of the
  + varnameSELinuxContext=/varname
  + option.This configuration option only
  + affects sockets with
  + varnameAccept=/varname mode set to
  + literaltrue/literal. Also note that
  + this option is useful only when
  + MLS/MCS SELinux policy is
  + deployed. Defaults to
  + literalfalse/literal.
  + /para/listitem
  +/varlistentry
  +
  +varlistentry
   termvarnamePipeSize=/varname/term
   listitemparaTakes a size in
   bytes. Controls the pipe buffer size
  diff --git a/src/core/execute.c b/src/core/execute.c
  index 0a59147..37b9ed4 100644
  --- a/src/core/execute.c
  +++ b/src/core/execute.c
  @@ -83,6 +83,7 @@
   #include af-list.h
   #include mkdir.h
   #include apparmor-util.h
  +#include label.h
 
   #ifdef HAVE_SECCOMP
   #include seccomp-util.h
  @@ -1646,11 +1647,29 @@ static int exec_child(ExecCommand *command,
   #endif
 
   #ifdef HAVE_SELINUX
  -if (context-selinux_context  use_selinux()) {
  -err = setexeccon(context-selinux_context);
  -if (err  0  !context-selinux_context_ignore) {
  -*error = EXIT_SELINUX_CONTEXT;
  -return err;
  +if (use_selinux()) {
  +if (context-selinux_context) {
  +err = setexeccon(context-selinux_context);
  +if (err  0  
  !context-selinux_context_ignore) {
  +*error = EXIT_SELINUX_CONTEXT;
  +return err;
  +}
  +}
  +
  +if (params-selinux_context_net  socket_fd = 0) 
  {
  +_cleanup_free_ char *label = NULL;
  +
  +err = label_get_child_mls_label(socket_fd, 
  command-path, label);
  +if (err  0) {
  +

[systemd-devel] [PATCH v5] socket: introduce SELinuxContextFromNet option

2014-09-08 Thread Michal Sekletar
This makes it possible to spawn service instances triggered by a socket with
MLS/MCS SELinux labels that are created based on information provided by the
connected peer.

Implementation of label_get_child_mls_label derived from xinetd.

Reviewed-by: Paul Moore pmo...@redhat.com
---

Changes in v5:
* removed unneeded #include of libselinux headers from socket.c
* fixed white-space issue in service_set_socket_fd

 man/systemd.socket.xml|  26 
 src/core/execute.c|  29 +++--
 src/core/execute.h|   1 +
 src/core/load-fragment-gperf.gperf.m4 |   3 +
 src/core/service.c|  10 +--
 src/core/service.h|   3 +-
 src/core/socket.c |  16 +++--
 src/core/socket.h |   2 +
 src/shared/label.c| 113 ++
 src/shared/label.h|   2 +
 10 files changed, 190 insertions(+), 15 deletions(-)

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index 7a63348..dad0267 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -676,6 +676,32 @@
 /varlistentry
 
 varlistentry
+  
termvarnameSELinuxContextFromNet=/varname/term
+ listitemparaTakes a boolean
+ argument. When true systemd will attempt
+ to figure out the SELinux label used
+ for the instantiated service from the
+ information handed by the peer over the
+ network. Note that only the security
+ level is used from the information
+ provided by the peer. Other parts of
+ the resulting SELinux context originate
+ from either the target binary that is
+ effectively triggered by socket unit
+ are taken from the value of the
+ varnameSELinuxContext=/varname
+ option.This configuration option only
+ affects sockets with
+ varnameAccept=/varname mode set to
+ literaltrue/literal. Also note that
+ this option is useful only when
+ MLS/MCS SELinux policy is
+ deployed. Defaults to
+ literalfalse/literal.
+ /para/listitem
+/varlistentry
+
+varlistentry
 termvarnamePipeSize=/varname/term
 listitemparaTakes a size in
 bytes. Controls the pipe buffer size
diff --git a/src/core/execute.c b/src/core/execute.c
index 0a59147..37b9ed4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -83,6 +83,7 @@
 #include af-list.h
 #include mkdir.h
 #include apparmor-util.h
+#include label.h
 
 #ifdef HAVE_SECCOMP
 #include seccomp-util.h
@@ -1646,11 +1647,29 @@ static int exec_child(ExecCommand *command,
 #endif
 
 #ifdef HAVE_SELINUX
-if (context-selinux_context  use_selinux()) {
-err = setexeccon(context-selinux_context);
-if (err  0  !context-selinux_context_ignore) {
-*error = EXIT_SELINUX_CONTEXT;
-return err;
+if (use_selinux()) {
+if (context-selinux_context) {
+err = setexeccon(context-selinux_context);
+if (err  0  
!context-selinux_context_ignore) {
+*error = EXIT_SELINUX_CONTEXT;
+return err;
+}
+}
+
+if (params-selinux_context_net  socket_fd = 0) {
+_cleanup_free_ char *label = NULL;
+
+err = label_get_child_mls_label(socket_fd, 
command-path, label);
+if (err  0) {
+*error = EXIT_SELINUX_CONTEXT;
+return err;
+}
+
+err = setexeccon(label);
+if (err  0) {
+*error = EXIT_SELINUX_CONTEXT;
+return err;
+}
 }
 }
 #endif
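Review bot: The peer-derived branch (`if (params->selinux_context_net && socket_fd >= 0)`) does not consult `context->selinux_context_ignore`, unlike the `SELinuxContext=` branch directly above it, so any failure of `label_get_child_mls_label()` or of the second `setexeccon()` aborts the spawn with EXIT_SELINUX_CONTEXT. Failing closed is the right outcome for a label computed from data supplied by an untrusted peer, but because the asymmetry is only visible by comparing the two branches it deserves a comment, e.g. `/* No ignore flag here: never start the service with an unverified MLS level */`. The second `setexeccon()` also replaces whatever the first one set; if `label_get_child_mls_label()` reads the current exec context (as the xinetd-derived implementation presumably does), that ordering is load-bearing and worth stating in the same comment. The remainder of exec_child, including where `socket_fd` is obtained, lies outside the hunk, and the archived text has lost the `->`, `<` and `&&` tokens in the condition lines.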
diff --git