39db0d2dce
We are currently able to work only with non-translated SELinux contexts, but we are using functions that work with translated contexts throughout the code. This patch swaps all SELinux context translation-related calls with their raw sisters to avoid parsing problems. The problems can be experienced with mcstrans for example. The difference is that if you have translations enabled (yum install mcstrans; service mcstrans start), fgetfilecon_raw() will get you something like 'system_u:object_r:virt_image_t:s0', whereas fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow' that we cannot parse. I was trying to confirm that the _raw variants were here since the dawn of time, but the only thing I see now is that it was imported together in the upstream repo [1] from svn, so before 2008. Thanks Laurent Bigonville for finding this out. [1] http://oss.tresys.com/git/selinux.git (cherry picked from commit 9674f2c637114fa6ac0680fe5658a41a62bb34a8)
/*
* Copyright (C) 2011-2012 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
*/
#include <config.h>
#include <selinux/selinux.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
/*
* The kernel policy will not allow us to arbitrarily change
* test process context. This helper is used as an LD_PRELOAD
* so that the libvirt code /thinks/ it is changing/reading
* the process context, whereas in fact we're faking it all
*/
/*
 * Fake replacement for libselinux getcon_raw(): instead of reading the
 * real process context it hands back whatever the FAKE_CONTEXT
 * environment variable holds. Test-only; loaded via LD_PRELOAD.
 * The caller is responsible for freeing the returned string.
 *
 * Returns 0 on success; -1 with errno set to EINVAL when FAKE_CONTEXT
 * is unset, or with errno as left by strdup() on allocation failure.
 * *context is NULL on every failure path.
 */
int getcon_raw(security_context_t *context)
{
    const char *fake = getenv("FAKE_CONTEXT");

    *context = NULL;

    if (fake == NULL) {
        errno = EINVAL;
        return -1;
    }

    *context = strdup(fake);
    return *context == NULL ? -1 : 0;
}
/*
 * Fake replacement for libselinux getpidcon_raw(): only the calling
 * process is known to this shim, and its context is whatever the
 * FAKE_CONTEXT environment variable holds. Test-only; loaded via
 * LD_PRELOAD. The caller is responsible for freeing the returned string.
 *
 * Returns 0 on success; -1 with errno set to ESRCH for any pid other
 * than our own, EINVAL when FAKE_CONTEXT is unset, or as left by
 * strdup() on allocation failure. *context is NULL on every failure path.
 */
int getpidcon_raw(pid_t pid, security_context_t *context)
{
    const char *fake;

    *context = NULL;

    /* Only our own process can be faked; anyone else is "not found". */
    if (pid != getpid()) {
        errno = ESRCH;
        return -1;
    }

    fake = getenv("FAKE_CONTEXT");
    if (!fake) {
        errno = EINVAL;
        return -1;
    }

    *context = strdup(fake);
    return *context == NULL ? -1 : 0;
}
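/*
 * Fake replacement for libselinux setcon_raw(): records the requested
 * context in the FAKE_CONTEXT environment variable so that later
 * getcon_raw()/getpidcon_raw() calls return it, instead of asking the
 * kernel to relabel the process (which the test policy forbids).
 * Test-only; loaded via LD_PRELOAD.
 *
 * A NULL context clears FAKE_CONTEXT rather than being passed to
 * setenv(), which requires a non-NULL value; subsequent getcon_raw()
 * calls then fail with EINVAL as if no context had ever been set.
 *
 * Returns 0 on success, -1 with errno set by setenv()/unsetenv() on
 * failure.
 */
int setcon_raw(security_context_t context)
{
    if (context == NULL)
        return unsetenv("FAKE_CONTEXT");

    return setenv("FAKE_CONTEXT", context, 1);
}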