Re: [systemd-devel] [PATCH v5] socket: introduce SELinuxContextFromNet option
On Mon, Sep 8, 2014 at 3:42 PM, Michal Sekletar msekl...@redhat.com wrote: This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore pmo...@redhat.com --- Changes in v5: * removed unneeded #include of libselinux headers from socket.c * fixed white-space issue in service_set_socket_fd As all the comments from v4 has been fixed, please go ahead and commit this. Cheers, Tom man/systemd.socket.xml| 26 src/core/execute.c| 29 +++-- src/core/execute.h| 1 + src/core/load-fragment-gperf.gperf.m4 | 3 + src/core/service.c| 10 +-- src/core/service.h| 3 +- src/core/socket.c | 16 +++-- src/core/socket.h | 2 + src/shared/label.c| 113 ++ src/shared/label.h| 2 + 10 files changed, 190 insertions(+), 15 deletions(-) diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 7a63348..dad0267 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml 
@@ -676,6 +676,32 @@ /varlistentry varlistentry + termvarnameSELinuxContextFromNet=/varname/term + listitemparaTakes a boolean + argument. When true systemd will attempt + to figure out the SELinux label used + for the instantiated service from the + information handed by the peer over the + network. Note that only the security + level is used from the information + provided by the peer. Other parts of + the resulting SELinux context originate + from either the target binary that is + effectively triggered by socket unit + are taken from the value of the + varnameSELinuxContext=/varname + option.This configuration option only + affects sockets with + varnameAccept=/varname mode set to + literaltrue/literal. Also note that + this option is useful only when + MLS/MCS SELinux policy is + deployed. Defaults to + literalfalse/literal. + /para/listitem +/varlistentry + +varlistentry termvarnamePipeSize=/varname/term listitemparaTakes a size in bytes. Controls the pipe buffer size diff --git a/src/core/execute.c b/src/core/execute.c index 0a59147..37b9ed4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -83,6 +83,7 @@ #include af-list.h #include mkdir.h #include apparmor-util.h +#include label.h #ifdef HAVE_SECCOMP #include seccomp-util.h @@ -1646,11 +1647,29 @@ static int exec_child(ExecCommand *command, #endif #ifdef HAVE_SELINUX -if (context-selinux_context use_selinux()) { -err = setexeccon(context-selinux_context); -if (err 0 !context-selinux_context_ignore) { -*error = EXIT_SELINUX_CONTEXT; -return err; +if (use_selinux()) { +if (context-selinux_context) { +err = setexeccon(context-selinux_context); +if (err 0 !context-selinux_context_ignore) { +*error = EXIT_SELINUX_CONTEXT; +return err; +} +} + +if (params-selinux_context_net socket_fd = 0) { +_cleanup_free_ char *label = NULL; + +err = label_get_child_mls_label(socket_fd, command-path, label); +if (err 0) { +*error = EXIT_SELINUX_CONTEXT; +return err; +} + +err = setexeccon(label); +
Re: [systemd-devel] [PATCH v5] socket: introduce SELinuxContextFromNet option
On Fri, Sep 19, 2014 at 12:13:18PM +0200, Tom Gundersen wrote: On Mon, Sep 8, 2014 at 3:42 PM, Michal Sekletar msekl...@redhat.com wrote: This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore pmo...@redhat.com --- Changes in v5: * removed unneeded #include of libselinux headers from socket.c * fixed white-space issue in service_set_socket_fd As all the comments from v4 has been fixed, please go ahead and commit this. Rebased and pushed. Regards, Michal Cheers, Tom man/systemd.socket.xml| 26 src/core/execute.c| 29 +++-- src/core/execute.h| 1 + src/core/load-fragment-gperf.gperf.m4 | 3 + src/core/service.c| 10 +-- src/core/service.h| 3 +- src/core/socket.c | 16 +++-- src/core/socket.h | 2 + src/shared/label.c| 113 ++ src/shared/label.h| 2 + 10 files changed, 190 insertions(+), 15 deletions(-) diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 7a63348..dad0267 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml 
@@ -676,6 +676,32 @@ /varlistentry varlistentry + termvarnameSELinuxContextFromNet=/varname/term + listitemparaTakes a boolean + argument. When true systemd will attempt + to figure out the SELinux label used + for the instantiated service from the + information handed by the peer over the + network. Note that only the security + level is used from the information + provided by the peer. Other parts of + the resulting SELinux context originate + from either the target binary that is + effectively triggered by socket unit + are taken from the value of the + varnameSELinuxContext=/varname + option.This configuration option only + affects sockets with + varnameAccept=/varname mode set to + literaltrue/literal. Also note that + this option is useful only when + MLS/MCS SELinux policy is + deployed. Defaults to + literalfalse/literal. + /para/listitem +/varlistentry + +varlistentry termvarnamePipeSize=/varname/term listitemparaTakes a size in bytes. Controls the pipe buffer size diff --git a/src/core/execute.c b/src/core/execute.c index 0a59147..37b9ed4 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -83,6 +83,7 @@ #include af-list.h #include mkdir.h #include apparmor-util.h +#include label.h #ifdef HAVE_SECCOMP #include seccomp-util.h @@ -1646,11 +1647,29 @@ static int exec_child(ExecCommand *command, #endif #ifdef HAVE_SELINUX -if (context-selinux_context use_selinux()) { -err = setexeccon(context-selinux_context); -if (err 0 !context-selinux_context_ignore) { -*error = EXIT_SELINUX_CONTEXT; -return err; +if (use_selinux()) { +if (context-selinux_context) { +err = setexeccon(context-selinux_context); +if (err 0 !context-selinux_context_ignore) { +*error = EXIT_SELINUX_CONTEXT; +return err; +} +} + +if (params-selinux_context_net socket_fd = 0) { +_cleanup_free_ char *label = NULL; + +err = label_get_child_mls_label(socket_fd, command-path, label); +if (err 0) { +
[systemd-devel] [PATCH v5] socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore pmo...@redhat.com --- Changes in v5: * removed unneeded #include of libselinux headers from socket.c * fixed white-space issue in service_set_socket_fd man/systemd.socket.xml| 26 src/core/execute.c| 29 +++-- src/core/execute.h| 1 + src/core/load-fragment-gperf.gperf.m4 | 3 + src/core/service.c| 10 +-- src/core/service.h| 3 +- src/core/socket.c | 16 +++-- src/core/socket.h | 2 + src/shared/label.c| 113 ++ src/shared/label.h| 2 + 10 files changed, 190 insertions(+), 15 deletions(-) diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 7a63348..dad0267 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -676,6 +676,32 @@ /varlistentry varlistentry + termvarnameSELinuxContextFromNet=/varname/term + listitemparaTakes a boolean + argument. When true systemd will attempt + to figure out the SELinux label used + for the instantiated service from the + information handed by the peer over the + network. Note that only the security + level is used from the information + provided by the peer. Other parts of + the resulting SELinux context originate + from either the target binary that is + effectively triggered by socket unit + are taken from the value of the + varnameSELinuxContext=/varname + option.This configuration option only + affects sockets with + varnameAccept=/varname mode set to + literaltrue/literal. Also note that + this option is useful only when + MLS/MCS SELinux policy is + deployed. Defaults to + literalfalse/literal. + /para/listitem +/varlistentry + +varlistentry termvarnamePipeSize=/varname/term listitemparaTakes a size in bytes. Controls the pipe buffer size diff --git a/src/core/execute.c b/src/core/execute.c index 0a59147..37b9ed4 100644 --- a/src/core/execute.c 
+++ b/src/core/execute.c @@ -83,6 +83,7 @@ #include af-list.h #include mkdir.h #include apparmor-util.h +#include label.h #ifdef HAVE_SECCOMP #include seccomp-util.h @@ -1646,11 +1647,29 @@ static int exec_child(ExecCommand *command, #endif #ifdef HAVE_SELINUX -if (context-selinux_context use_selinux()) { -err = setexeccon(context-selinux_context); -if (err 0 !context-selinux_context_ignore) { -*error = EXIT_SELINUX_CONTEXT; -return err; +if (use_selinux()) { +if (context-selinux_context) { +err = setexeccon(context-selinux_context); +if (err 0 !context-selinux_context_ignore) { +*error = EXIT_SELINUX_CONTEXT; +return err; +} +} + +if (params-selinux_context_net socket_fd = 0) { +_cleanup_free_ char *label = NULL; + +err = label_get_child_mls_label(socket_fd, command-path, label); +if (err 0) { +*error = EXIT_SELINUX_CONTEXT; +return err; +} + +err = setexeccon(label); +if (err 0) { +*error = EXIT_SELINUX_CONTEXT; +return err; +} } } #endif diff --git
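Review bot: The peer-derived label branch (`if (params->selinux_context_net && socket_fd >= 0)`) treats every failure of `label_get_child_mls_label()` and of the second `setexeccon(label)` as fatal, while the `SELinuxContext=` branch directly above it still honours `context->selinux_context_ignore` (the `-` prefix), so an admin who wrote `SELinuxContext=-foo` will find that prefix silently stops applying once `SELinuxContextFromNet=yes` is set. Failing closed is the right choice for an MLS level taken from the network — a peer whose security context cannot be obtained or applied must not get a service instance spawned at some other level — so I would keep the behaviour but make it explicit, both in the man-page text for `SELinuxContextFromNet=` and in a comment above the branch: `/* A label derived from the peer is never optional: failing to obtain or apply it aborts the exec, regardless of the '-' prefix on SELinuxContext=. */`. Separately, `setexeccon()` returns -1 and sets errno, so the new `return err;` after `setexeccon(label)` propagates -1 rather than the errno; if the caller reports `strerror(-err)` as the rest of this exec path appears to, the logged reason will be misleading, and `return -errno;` there (the pre-existing branch has the same problem) would be worth fixing in the same patch. The enclosing `exec_child()` starts and ends outside the hunk.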