static int add_match(sd_journal *j, const char *match) {
_cleanup_free_ char *p = NULL;
const char* prefix, *pattern;
pid_t pid;
int r;
if (strchr(match, '='))
prefix = "";
else if (strchr(match, '/')) {
r = path_make_absolute_cwd(match, &p);
if (r < 0)
return log_error_errno(r, "path_make_absolute_cwd(\"%s\"): %m", match);
match = p;
prefix = "COREDUMP_EXE=";
} else if (parse_pid(match, &pid) >= 0)
prefix = "COREDUMP_PID=";
else
prefix = "COREDUMP_COMM=";
pattern = strjoina(prefix, match);
log_debug("Adding match: %s", pattern);
r = sd_journal_add_match(j, pattern, 0);
if (r < 0)
return log_error_errno(r, "Failed to add match \"%s\": %m", match);
return 0;
}
static int add_match(Set *set, const char *match) {
_cleanup_free_ char *p = NULL;
char *pattern = NULL;
const char* prefix;
pid_t pid;
int r;
if (strchr(match, '='))
prefix = "";
else if (strchr(match, '/')) {
r = path_make_absolute_cwd(match, &p);
if (r < 0)
goto fail;
match = p;
prefix = "COREDUMP_EXE=";
} else if (parse_pid(match, &pid) >= 0)
prefix = "COREDUMP_PID=";
else
prefix = "COREDUMP_COMM=";
pattern = strjoin(prefix, match, NULL);
if (!pattern) {
r = -ENOMEM;
goto fail;
}
log_debug("Adding pattern: %s", pattern);
r = set_consume(set, pattern);
if (r < 0)
goto fail;
return 0;
fail:
return log_error_errno(r, "Failed to add match: %m");
}
int label_mkdir(
const char *path,
mode_t mode) {
/* Creates a directory and labels it according to the SELinux policy */
#ifdef HAVE_SELINUX
int r;
security_context_t fcon = NULL;
if (use_selinux() && label_hnd) {
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, mode);
else {
char *newpath = NULL;
if (!(newpath = path_make_absolute_cwd(path)))
return -ENOMEM;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, mode);
free(newpath);
}
if (r == 0)
r = setfscreatecon(fcon);
if (r < 0 && errno != ENOENT) {
log_error("Failed to set security context %s for %s: %m", fcon, path);
r = -errno;
if (security_getenforce() == 1)
goto finish;
}
}
if ((r = mkdir(path, mode)) < 0)
r = -errno;
finish:
if (use_selinux() && label_hnd) {
setfscreatecon(NULL);
freecon(fcon);
}
return r;
#else
return mkdir(path, mode);
#endif
}
int path_strv_make_absolute_cwd(char **l) {
char **s;
int r;
/* Goes through every item in the string list and makes it
* absolute. This works in place and won't rollback any
* changes on failure. */
STRV_FOREACH(s, l) {
char *t;
r = path_make_absolute_cwd(*s, &t);
if (r < 0)
return r;
free(*s);
*s = t;
}
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
#ifdef HAVE_SELINUX
_cleanup_freecon_ char *filecon = NULL;
int r;
assert(path);
if (!label_hnd)
return 0;
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
else {
_cleanup_free_ char *newpath = NULL;
r = path_make_absolute_cwd(path, &newpath);
if (r < 0)
return r;
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
}
if (r < 0) {
/* No context specified by the policy? Proceed without setting it. */
if (errno == ENOENT)
return 0;
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
} else {
if (setfscreatecon_raw(filecon) >= 0)
return 0; /* Success! */
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
}
if (security_getenforce() > 0)
return -errno;
#endif
return 0;
}
static int add_match(Set *set, const char *match) {
int r = -ENOMEM;
unsigned pid;
const char* prefix;
char *pattern = NULL;
_cleanup_free_ char *p = NULL;
if (strchr(match, '='))
prefix = "";
else if (strchr(match, '/')) {
p = path_make_absolute_cwd(match);
if (!p)
goto fail;
match = p;
prefix = "COREDUMP_EXE=";
}
else if (safe_atou(match, &pid) == 0)
prefix = "COREDUMP_PID=";
else
prefix = "COREDUMP_COMM=";
pattern = strjoin(prefix, match, NULL);
if (!pattern)
goto fail;
log_debug("Adding pattern: %s", pattern);
r = set_put(set, pattern);
if (r < 0) {
log_error("Failed to add pattern '%s': %s",
pattern, strerror(-r));
free(pattern);
goto fail;
}
return 0;
fail:
log_error("Failed to add match: %s", strerror(-r));
return r;
}
static int prepare_filename(const char *filename, char **ret) {
int r;
const char *name;
_cleanup_free_ char *abspath = NULL;
_cleanup_free_ char *dir = NULL;
_cleanup_free_ char *with_instance = NULL;
char *c;
assert(filename);
assert(ret);
r = path_make_absolute_cwd(filename, &abspath);
if (r < 0)
return r;
name = basename(abspath);
if (!unit_name_is_valid(name, UNIT_NAME_ANY))
return -EINVAL;
if (unit_name_is_valid(name, UNIT_NAME_TEMPLATE)) {
r = unit_name_replace_instance(name, "i", &with_instance);
if (r < 0)
return r;
}
dir = dirname_malloc(abspath);
if (!dir)
return -ENOMEM;
if (with_instance)
c = path_join(NULL, dir, with_instance);
else
c = path_join(NULL, dir, name);
if (!c)
return -ENOMEM;
*ret = c;
return 0;
}
static int parse_argv(int argc, char *argv[]) {
enum {
ARG_VERSION = 0x100,
ARG_ROOT,
ARG_LOCALE,
ARG_LOCALE_MESSAGES,
ARG_TIMEZONE,
ARG_HOSTNAME,
ARG_MACHINE_ID,
ARG_ROOT_PASSWORD,
ARG_ROOT_PASSWORD_FILE,
ARG_PROMPT,
ARG_PROMPT_LOCALE,
ARG_PROMPT_TIMEZONE,
ARG_PROMPT_HOSTNAME,
ARG_PROMPT_ROOT_PASSWORD,
ARG_COPY,
ARG_COPY_LOCALE,
ARG_COPY_TIMEZONE,
ARG_COPY_ROOT_PASSWORD,
ARG_SETUP_MACHINE_ID,
};
static const struct option options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "root", required_argument, NULL, ARG_ROOT },
{ "locale", required_argument, NULL, ARG_LOCALE },
{ "locale-messages", required_argument, NULL, ARG_LOCALE_MESSAGES },
{ "timezone", required_argument, NULL, ARG_TIMEZONE },
{ "hostname", required_argument, NULL, ARG_HOSTNAME },
{ "machine-id", required_argument, NULL, ARG_MACHINE_ID },
{ "root-password", required_argument, NULL, ARG_ROOT_PASSWORD },
{ "root-password-file", required_argument, NULL, ARG_ROOT_PASSWORD_FILE },
{ "prompt", no_argument, NULL, ARG_PROMPT },
{ "prompt-locale", no_argument, NULL, ARG_PROMPT_LOCALE },
{ "prompt-timezone", no_argument, NULL, ARG_PROMPT_TIMEZONE },
{ "prompt-hostname", no_argument, NULL, ARG_PROMPT_HOSTNAME },
{ "prompt-root-password", no_argument, NULL, ARG_PROMPT_ROOT_PASSWORD },
{ "copy", no_argument, NULL, ARG_COPY },
{ "copy-locale", no_argument, NULL, ARG_COPY_LOCALE },
{ "copy-timezone", no_argument, NULL, ARG_COPY_TIMEZONE },
{ "copy-root-password", no_argument, NULL, ARG_COPY_ROOT_PASSWORD },
{ "setup-machine-id", no_argument, NULL, ARG_SETUP_MACHINE_ID },
{}
};
int r, c;
assert(argc >= 0);
assert(argv);
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
switch (c) {
case 'h':
help();
return 0;
case ARG_VERSION:
return version();
case ARG_ROOT:
free(arg_root);
arg_root = path_make_absolute_cwd(optarg);
if (!arg_root)
return log_oom();
path_kill_slashes(arg_root);
if (path_equal(arg_root, "/"))
arg_root = mfree(arg_root);
break;
case ARG_LOCALE:
if (!locale_is_valid(optarg)) {
log_error("Locale %s is not valid.", optarg);
return -EINVAL;
}
r = free_and_strdup(&arg_locale, optarg);
if (r < 0)
return log_oom();
break;
case ARG_LOCALE_MESSAGES:
if (!locale_is_valid(optarg)) {
log_error("Locale %s is not valid.", optarg);
return -EINVAL;
}
r = free_and_strdup(&arg_locale_messages, optarg);
if (r < 0)
return log_oom();
break;
case ARG_TIMEZONE:
if (!timezone_is_valid(optarg)) {
log_error("Timezone %s is not valid.", optarg);
return -EINVAL;
}
r = free_and_strdup(&arg_timezone, optarg);
if (r < 0)
return log_oom();
break;
case ARG_ROOT_PASSWORD:
r = free_and_strdup(&arg_root_password, optarg);
if (r < 0)
return log_oom();
break;
case ARG_ROOT_PASSWORD_FILE:
arg_root_password = mfree(arg_root_password);
r = read_one_line_file(optarg, &arg_root_password);
if (r < 0)
return log_error_errno(r, "Failed to read %s: %m", optarg);
break;
case ARG_HOSTNAME:
if (!hostname_is_valid(optarg, true)) {
log_error("Host name %s is not valid.", optarg);
return -EINVAL;
}
hostname_cleanup(optarg);
r = free_and_strdup(&arg_hostname, optarg);
if (r < 0)
return log_oom();
break;
case ARG_MACHINE_ID:
if (sd_id128_from_string(optarg, &arg_machine_id) < 0) {
log_error("Failed to parse machine id %s.", optarg);
return -EINVAL;
}
break;
case ARG_PROMPT:
arg_prompt_locale = arg_prompt_timezone = arg_prompt_hostname = arg_prompt_root_password = true;
break;
case ARG_PROMPT_LOCALE:
arg_prompt_locale = true;
break;
case ARG_PROMPT_TIMEZONE:
arg_prompt_timezone = true;
break;
case ARG_PROMPT_HOSTNAME:
arg_prompt_hostname = true;
break;
case ARG_PROMPT_ROOT_PASSWORD:
arg_prompt_root_password = true;
break;
case ARG_COPY:
arg_copy_locale = arg_copy_timezone = arg_copy_root_password = true;
break;
case ARG_COPY_LOCALE:
arg_copy_locale = true;
break;
case ARG_COPY_TIMEZONE:
arg_copy_timezone = true;
break;
case ARG_COPY_ROOT_PASSWORD:
arg_copy_root_password = true;
break;
case ARG_SETUP_MACHINE_ID:
r = sd_id128_randomize(&arg_machine_id);
if (r < 0)
return log_error_errno(r, "Failed to generate randomized machine ID: %m");
break;
case '?':
return -EINVAL;
default:
assert_not_reached("Unhandled option");
}
return 1;
}
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */
#ifdef HAVE_SELINUX
_cleanup_freecon_ char *fcon = NULL;
const struct sockaddr_un *un;
bool context_changed = false;
char *path;
int r;
assert(fd >= 0);
assert(addr);
assert(addrlen >= sizeof(sa_family_t));
if (!label_hnd)
goto skipped;
/* Filter out non-local sockets */
if (addr->sa_family != AF_UNIX)
goto skipped;
/* Filter out anonymous sockets */
if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
goto skipped;
/* Filter out abstract namespace sockets */
un = (const struct sockaddr_un*) addr;
if (un->sun_path[0] == 0)
goto skipped;
path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else {
_cleanup_free_ char *newpath = NULL;
r = path_make_absolute_cwd(path, &newpath);
if (r < 0)
return r;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
}
if (r < 0) {
/* No context specified by the policy? Proceed without setting it */
if (errno == ENOENT)
goto skipped;
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
if (security_getenforce() > 0)
return -errno;
} else {
if (setfscreatecon_raw(fcon) < 0) {
log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
if (security_getenforce() > 0)
return -errno;
} else
context_changed = true;
}
r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
if (context_changed)
setfscreatecon_raw(NULL);
return r;
skipped:
#endif
if (bind(fd, addr, addrlen) < 0)
return -errno;
return 0;
}
