
Commit fe3f2ac

selinux: check_access()
1 parent 84c05ec commit fe3f2ac


1 file changed

+39
-12
lines changed


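--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -197,6 +197,44 @@ static int get_our_contexts(const Unit *unit, const char **ret_acon, const char
         return 0;
 }
 
+static int check_access(
+                const char *scon,
+                const char *tcon,
+                const char *tclass,
+                const char *permission,
+                struct audit_info *audit_info,
+                sd_bus_error *error) {
+        bool enforce = mac_selinux_enforcing();
+        int r;
+
+        assert(scon);
+        assert(tcon);
+        assert(tclass);
+        assert(permission);
+        assert(audit_info);
+        assert(audit_info->function);
+
+        r = selinux_check_access(scon, tcon, tclass, permission, &audit_info);
+        if (r < 0) {
+                errno = -(r = errno_or_else(EPERM));
+
+                if (enforce)
+                        sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access: %m");
+        }
+
+        return log_selinux_enforcing_errno(
+                        r,
+                        "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s function=%s path=%s cmdline=%s: %m",
+                        scon,
+                        tcon,
+                        tclass,
+                        permission,
+                        enforce ? "enforcing" : "permissive",
+                        audit_info->function,
+                        empty_to_na(audit_info->path),
+                        empty_to_na(audit_info->cmdline));
+}
+
 /*
 This function communicates with the kernel to check whether or not it should
 allow the access.
@@ -276,18 +314,7 @@ int mac_selinux_access_check_bus_internal(
                 .function = function,
         };
 
-        r = selinux_check_access(scon, acon, tclass, permission, &audit_info);
-        if (r < 0) {
-                errno = -(r = errno_or_else(EPERM));
-
-                if (enforce)
-                        sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access: %m");
-        }
-
-        log_full_errno_zerook(LOG_DEBUG, r,
-                              "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s function=%s path=%s cmdline=%s: %m",
-                              scon, acon, tclass, permission, enforce ? "enforcing" : "permissive", function, strna(unit ? unit->fragment_path : NULL), empty_to_na(cl));
-        return enforce ? r : 0;
+        return check_access(scon, acon, tclass, permission, &audit_info, error);
 }
 
 #else /* HAVE_SELINUX */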
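Review bot: In the new check_access(), `r = selinux_check_access(scon, tcon, tclass, permission, &audit_info);` passes the address of the `struct audit_info *` parameter rather than the struct — the removed code took `&` of a local struct, but here `audit_info` is already a pointer, and because the audit-data argument of selinux_check_access() is `void *` the compiler will not flag the `struct audit_info **`. Whatever the AVC audit callback casts that argument to will then read the pointer's own stack slot as the struct, so the function/path/cmdline fields attached to a denial record are garbage and the callback may fault; it should be `r = selinux_check_access(scon, tcon, tclass, permission, audit_info);`. The caller previously returned `enforce ? r : 0` explicitly and now relies on log_selinux_enforcing_errno() for that mapping; that helper is not visible here, so a one-line comment above the return such as `/* log_selinux_enforcing_errno() returns 0 in permissive mode so the caller proceeds */` would document the contract once it is confirmed. mac_selinux_access_check_bus_internal() begins outside this hunk, so the origin of audit_info's fields could not be reviewed.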
