author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2008-08-28 23:45:17 -0400 |
---|---|---|
committer | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2008-08-28 23:45:17 -0400 |
commit | 60ad8d5d05485339e89d7f1f9f1ded75de7c7ea1 (patch) | |
tree | a546ce81cd707a5e8d742eff6f9cc9ed453e11c1 /Xext/xselinux.c | |
parent | ebea78cdba0ff14a397239ee1936bd254c181e1b (diff) |
Attempt getpeercon() on remote sockets as well as local ones.
Diffstat (limited to 'Xext/xselinux.c')
-rw-r--r-- | Xext/xselinux.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 2a8be0b6d..60fd23cdf 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -461,6 +461,7 @@ static void
 SELinuxLabelClient(ClientPtr client)
 {
     XtransConnInfo ci = ((OsCommPtr)client->osPrivate)->trans_conn;
+    int fd = _XSERVTransGetConnectionNumber(ci);
     SELinuxSubjectRec *subj;
     SELinuxObjectRec *obj;
     security_context_t ctx;
@@ -470,19 +471,20 @@ SELinuxLabelClient(ClientPtr client)
     obj = dixLookupPrivate(&client->devPrivates, objectKey);
     sidput(obj->sid);
+    /* Try to get a context from the socket */
+    if (fd < 0 || getpeercon(fd, &ctx) < 0) {
+        /* Otherwise, fall back to a default context */
+        if (selabel_lookup(label_hnd, &ctx, NULL, SELABEL_X_CLIENT) < 0)
+            FatalError("SELinux: failed to look up remote-client context\n");
+    }
+
+    /* For local clients, try and determine the executable name */
     if (_XSERVTransIsLocal(ci)) {
-        int fd = _XSERVTransGetConnectionNumber(ci);
         struct ucred creds;
         socklen_t len = sizeof(creds);
         char path[PATH_MAX + 1];
         size_t bytes;
-        /* For local clients, can get context from the socket */
-        if (getpeercon(fd, &ctx) < 0)
-            FatalError("SELinux: client %d: couldn't get context from socket\n",
-                       client->index);
-
-        /* Try and determine the client's executable name */
         memset(&creds, 0, sizeof(creds));
         if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &creds, &len) < 0)
             goto finish;
@@ -503,10 +505,7 @@ SELinuxLabelClient(ClientPtr client)
         memcpy(subj->command, path, bytes);
         subj->command[bytes - 1] = 0;
-    } else
-        /* For remote clients, need to use a default context */
-        if (selabel_lookup(label_hnd, &ctx, NULL, SELABEL_X_CLIENT) < 0)
-            FatalError("SELinux: failed to look up remote-client context\n");
+    }
 finish:
     /* Get a SID from the context */
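Review bot: In the second hunk, a getpeercon() failure on a valid fd now silently falls back to the SELABEL_X_CLIENT default context, so a local client whose real label could not be read ends up with the remote-client label without any trace in the log; the removed code made that case fatal and reported client->index. The fallback is reasonable for peers that carry no label, but the condition cannot distinguish "unlabeled peer" from "labeling broken", and the comment `/* Otherwise, fall back to a default context */` sits inside the if-block where "otherwise" no longer reads naturally. Consider reporting the unexpected case before falling back, e.g. `if (fd >= 0 && errno != ENOPROTOOPT)` followed by `ErrorF("SELinux: client %d: getpeercon failed, using default context\n", client->index);`, and rewording the comment to `/* No label from the socket: use the default client context */`. Whether ENOPROTOOPT is the right errno to treat as "unlabeled" should be confirmed against the libselinux version in use. SELinuxLabelClient continues past the end of this hunk, including whatever later consumes and frees ctx.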