diff options
| author | Jan Synacek <jsynacek@redhat.com> | 2013-07-12 10:34:41 +0200 |
|---|---|---|
| committer | Jan Synacek <jsynacek@redhat.com> | 2013-07-15 09:36:42 +0200 |
| commit | 35c4bc3cee6e621d05bffd4074e19d1f017868b6 (patch) | |
| tree | 64f4d1fb9ca9f22aa513030f6446a64c89980819 | |
| parent | be4b3f4524b33900aadcf9f84c257ed0465893f6 (diff) | |
| download | openlmi-providers-35c4bc3cee6e621d05bffd4074e19d1f017868b6.tar.gz openlmi-providers-35c4bc3cee6e621d05bffd4074e19d1f017868b6.tar.xz openlmi-providers-35c4bc3cee6e621d05bffd4074e19d1f017868b6.zip | |
LogicalFile: add selinux contexts support
Add support for displaying the current and the expected selinux
context on a file.
| -rw-r--r-- | mof/60_LMI_LogicalFile.mof | 7 | ||||
| -rw-r--r-- | src/logicalfile/CMakeLists.txt | 9 | ||||
| -rw-r--r-- | src/logicalfile/LMI_UnixFileProvider.c | 61 |
3 files changed, 76 insertions, 1 deletions
diff --git a/mof/60_LMI_LogicalFile.mof b/mof/60_LMI_LogicalFile.mof index 7ae2e82..5364598 100644 --- a/mof/60_LMI_LogicalFile.mof +++ b/mof/60_LMI_LogicalFile.mof @@ -21,6 +21,13 @@ class LMI_UnixFile : CIM_UnixFile { + [ Description ( + "Current SELinux context." ) ] + string SELinuxCurrentContext; + + [ Description ( + "Expected SELinux context." ) ] + string SELinuxExpectedContext; }; class LMI_DataFile : CIM_DataFile diff --git a/src/logicalfile/CMakeLists.txt b/src/logicalfile/CMakeLists.txt index c0d6b25..d8c6532 100644 --- a/src/logicalfile/CMakeLists.txt +++ b/src/logicalfile/CMakeLists.txt @@ -20,9 +20,16 @@ add_library(${LIBRARY_NAME} SHARED ) pkg_check_modules(LIBUDEV REQUIRED libudev) +pkg_check_modules(LIBSELINUX libselinux) +if(LIBSELINUX_FOUND EQUAL 1) + add_definitions(-DLOGICALFILE_SELINUX) +endif(LIBSELINUX_FOUND EQUAL 1) include_directories(${CMAKE_CURRENT_BINARY_DIR} ${CMPI_INCLUDE_DIR}) -target_link_libraries(${LIBRARY_NAME} openlmicommon ${KONKRETCMPI_LIBRARIES} ${LIBUDEV_LIBRARIES}) +target_link_libraries(${LIBRARY_NAME} openlmicommon + ${KONKRETCMPI_LIBRARIES} + ${LIBUDEV_LIBRARIES} + ${LIBSELINUX_LIBRARIES}) # Create registration file cim_registration(${PROVIDER_NAME} ${LIBRARY_NAME} ${MOF} share/openlmi-providers) diff --git a/src/logicalfile/LMI_UnixFileProvider.c b/src/logicalfile/LMI_UnixFileProvider.c index 937fa04..d822565 100644 --- a/src/logicalfile/LMI_UnixFileProvider.c +++ b/src/logicalfile/LMI_UnixFileProvider.c @@ -18,13 +18,50 @@ * Authors: Jan Synacek <jsynacek@redhat.com> */ #include <konkret/konkret.h> +#include <sys/time.h> #include "LMI_UnixFile.h" #include "file.h" static const CMPIBroker* _cb = NULL; +#ifdef LOGICALFILE_SELINUX +#include <selinux/selinux.h> +#include <selinux/label.h> + +static struct selabel_handle *_selabel_hnd = NULL; +static struct selabel_handle *get_selabel_handle() +{ + static struct timeval timestamp = {.tv_sec = 0, .tv_usec = 0}; + const unsigned int CHECK_PERIOD = 20; /* seconds */ + const char *err = "gettimeofday() failed, selinux handle might not get re-initialized"; + + if (_selabel_hnd == NULL) { + _selabel_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (gettimeofday(×tamp, NULL) < 0) { + lmi_warn(err); + } + } else { + struct timeval now; + if (gettimeofday(&now, NULL) < 0) { + lmi_warn(err); + } + /* reinit handle if it's too old */ + if (now.tv_sec - timestamp.tv_sec >= CHECK_PERIOD) { + selabel_close(_selabel_hnd); + _selabel_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (gettimeofday(×tamp, NULL) < 0) { + lmi_warn(err); + } + } + } + + return _selabel_hnd; +} +#endif + static void LMI_UnixFileInitialize() { + lmi_init_logging(LMI_UnixFile_ClassName, _cb); } static CMPIStatus LMI_UnixFileCleanup( @@ -32,6 +69,11 @@ static CMPIStatus LMI_UnixFileCleanup( const CMPIContext* cc, CMPIBoolean term) { +#ifdef LOGICALFILE_SELINUX + if (_selabel_hnd != NULL) { + selabel_close(_selabel_hnd); + } +#endif CMReturn(CMPI_RC_OK); } @@ -90,6 +132,25 @@ static CMPIStatus LMI_UnixFileGetInstance( LMI_UnixFile_Set_LinkCount(&lmi_file, sb.st_nlink); /* sticky bit */ LMI_UnixFile_Set_SaveText(&lmi_file, sb.st_mode & S_IFMT & S_ISVTX); +#ifdef LOGICALFILE_SELINUX + /* selinux */ + security_context_t context; + struct selabel_handle *hnd; + if (lgetfilecon(path, &context) < 0) { + CMReturnWithChars(_cb, CMPI_RC_ERR_NOT_FOUND, "Can't get selinux file context"); + } + LMI_UnixFile_Set_SELinuxCurrentContext(&lmi_file, context); + freecon(context); + hnd = get_selabel_handle(); + if (hnd == NULL) { + CMReturnWithChars(_cb, CMPI_RC_ERR_NOT_FOUND, "Can't get selabel handle"); + } + if (selabel_lookup(hnd, &context, path, 0) < 0) { + CMReturnWithChars(_cb, CMPI_RC_ERR_NOT_FOUND, "Can't look up selinux file context"); + } + LMI_UnixFile_Set_SELinuxExpectedContext(&lmi_file, context); + freecon(context); +#endif KReturnInstance(cr, lmi_file); CMReturn(CMPI_RC_OK); |