
smack-util: revise smack-util apis and add read smack attr apis

- Add smack xattr lookup table
- Unify all of mac_smack_apply_xxx{_fd}() to mac_smack_apply() and
  mac_smack_apply_fd().
- Add smack xattr read apis similar to the apply apis, as
  mac_smack_read{_fd}().
This commit is contained in:
WaLyong Cho 2015-07-28 02:43:55 +09:00
parent 7b9c9ab810
commit 5ab58c2091
4 changed files with 102 additions and 77 deletions


@ -32,109 +32,93 @@
#define SMACK_FLOOR_LABEL "_"
#define SMACK_STAR_LABEL "*"
bool mac_smack_use(void) {
#ifdef HAVE_SMACK
bool mac_smack_use(void) {
static int cached_use = -1;
if (cached_use < 0)
cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
return cached_use;
#else
return false;
#endif
}
int mac_smack_apply(const char *path, const char *label) {
int r = 0;
static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
[SMACK_ATTR_ACCESS] = "security.SMACK64",
[SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
[SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
[SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
[SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
[SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
};
DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
int mac_smack_read(const char *path, SmackAttr attr, char **label) {
assert(path);
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
assert(label);
if (!mac_smack_use())
return 0;
return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
}
int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
assert(fd >= 0);
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
assert(label);
if (!mac_smack_use())
return 0;
return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
}
int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
int r;
assert(path);
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
else
r = lremovexattr(path, "security.SMACK64");
r = lremovexattr(path, smack_attr_to_string(attr));
if (r < 0)
return -errno;
#endif
return r;
return 0;
}
int mac_smack_apply_fd(int fd, const char *label) {
int r = 0;
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
int r;
assert(fd >= 0);
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
else
r = fremovexattr(fd, "security.SMACK64");
r = fremovexattr(fd, smack_attr_to_string(attr));
if (r < 0)
return -errno;
#endif
return r;
}
int mac_smack_apply_ip_out_fd(int fd, const char *label) {
int r = 0;
assert(fd >= 0);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
else
r = fremovexattr(fd, "security.SMACK64IPOUT");
if (r < 0)
return -errno;
#endif
return r;
}
int mac_smack_apply_ip_in_fd(int fd, const char *label) {
int r = 0;
assert(fd >= 0);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
if (label)
r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
else
r = fremovexattr(fd, "security.SMACK64IPIN");
if (r < 0)
return -errno;
#endif
return r;
return 0;
}
int mac_smack_apply_pid(pid_t pid, const char *label) {
#ifdef HAVE_SMACK
const char *p;
#endif
int r = 0;
assert(label);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@ -142,21 +126,16 @@ int mac_smack_apply_pid(pid_t pid, const char *label) {
r = write_string_file(p, label, 0);
if (r < 0)
return r;
#endif
return r;
}
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
#ifdef HAVE_SMACK
struct stat st;
#endif
int r = 0;
assert(path);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
@ -202,7 +181,37 @@ int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
}
#endif
return r;
}
#else
bool mac_smack_use(void) {
return false;
}
int mac_smack_read(const char *path, SmackAttr attr, char **label) {
return -EOPNOTSUPP;
}
int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
return -EOPNOTSUPP;
}
int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
return 0;
}
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
return 0;
}
int mac_smack_apply_pid(pid_t pid, const char *label) {
return 0;
}
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
return 0;
}
#endif
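Review bot: In the first hunk, `mac_smack_read()` and `mac_smack_read_fd()` return 0 without touching `*label` when `mac_smack_use()` is false, so a caller that treats 0 as "label read" will use a pointer it never initialized unless it pre-set `*label = NULL`; the `#else` stubs at the end of the section return -EOPNOTSUPP for the same "no SMACK" condition, so the contract differs by build configuration. Either return -EOPNOTSUPP from the `!mac_smack_use()` branch of both readers as well, or document the contract above them with a comment such as `/* Returns 0 and leaves *label untouched when SMACK is not in use; *label is only assigned by the underlying getxattr call. */`. The `r < 0 → -errno` mapping in the apply functions is fine, but the same comment style would help there too since `r` is now only assigned inside the `#ifdef`.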


@ -25,12 +25,28 @@
#include <stdbool.h>
#include "macro.h"
typedef enum SmackAttr {
SMACK_ATTR_ACCESS = 0,
SMACK_ATTR_EXEC = 1,
SMACK_ATTR_MMAP = 2,
SMACK_ATTR_TRANSMUTE = 3,
SMACK_ATTR_IPIN = 4,
SMACK_ATTR_IPOUT = 5,
_SMACK_ATTR_MAX,
_SMACK_ATTR_INVALID = -1,
} SmackAttr;
bool mac_smack_use(void);
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
int mac_smack_apply(const char *path, const char *label);
int mac_smack_apply_fd(int fd, const char *label);
const char* smack_attr_to_string(SmackAttr i) _const_;
SmackAttr smack_attr_from_string(const char *s) _pure_;
int mac_smack_read(const char *path, SmackAttr attr, char **label);
int mac_smack_read_fd(int fd, SmackAttr attr, char **label);
int mac_smack_apply(const char *path, SmackAttr attr, const char *label);
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label);
int mac_smack_apply_pid(pid_t pid, const char *label);
int mac_smack_apply_ip_in_fd(int fd, const char *label);
int mac_smack_apply_ip_out_fd(int fd, const char *label);
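Review bot: `smack_attr_to_string()` and `smack_attr_from_string()` are declared here unconditionally, yet in the smack-util.c section the `DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr)` that defines them appears to sit inside the `#ifdef HAVE_SMACK` block (inferred from the rendered hunk, which shows the table between `mac_smack_use()` and the `#else` stubs), so a build without SMACK that calls either symbol would fail at link time. Move `smack_attr_table` and the lookup definition above the `#ifdef HAVE_SMACK` in smack-util.c so the enum/string mapping is always available, or guard these two prototypes with the same `#ifdef`. It would also help callers to note that `_SMACK_ATTR_INVALID` is the value to test for after `smack_attr_from_string()`, e.g. `/* smack_attr_from_string() presumably returns _SMACK_ATTR_INVALID for unknown names */`.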


@ -923,13 +923,13 @@ static void socket_apply_socket_options(Socket *s, int fd) {
log_unit_warning_errno(UNIT(s), errno, "TCP_CONGESTION failed: %m");
if (s->smack_ip_in) {
r = mac_smack_apply_ip_in_fd(fd, s->smack_ip_in);
r = mac_smack_apply_fd(fd, SMACK_ATTR_IPIN, s->smack_ip_in);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");
}
if (s->smack_ip_out) {
r = mac_smack_apply_ip_out_fd(fd, s->smack_ip_out);
r = mac_smack_apply_fd(fd, SMACK_ATTR_IPOUT, s->smack_ip_out);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");
}
@ -946,7 +946,7 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
log_unit_warning_errno(UNIT(s), errno, "F_SETPIPE_SZ: %m");
if (s->smack) {
r = mac_smack_apply_fd(fd, s->smack);
r = mac_smack_apply_fd(fd, SMACK_ATTR_ACCESS, s->smack);
if (r < 0)
log_unit_error_errno(UNIT(s), r, "mac_smack_apply_fd: %m");
}
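Review bot: The log messages `log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_in_fd: %m");` and `log_unit_error_errno(UNIT(s), r, "mac_smack_apply_ip_out_fd: %m");` in the first hunk still name the two functions this commit removes, so an operator reading the failure will be pointed at a symbol that no longer exists in the tree. Update them alongside the calls, e.g. `"mac_smack_apply_fd(SMACK_ATTR_IPIN): %m"` and `"mac_smack_apply_fd(SMACK_ATTR_IPOUT): %m"`, or a plainer `"Failed to apply SMACK IPIN label: %m"`. socket_apply_socket_options() begins and ends outside the hunk.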


@ -309,7 +309,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
} else if (streq(name, "smack")) {
smack = true;
r = mac_smack_apply(devnode, label);
r = mac_smack_apply(devnode, SMACK_ATTR_ACCESS, label);
if (r < 0)
log_error_errno(r, "SECLABEL: failed to set SMACK label '%s': %m", label);
else
@ -323,7 +323,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
if (!selinux)
mac_selinux_fix(devnode, true, false);
if (!smack)
mac_smack_apply(devnode, NULL);
mac_smack_apply(devnode, SMACK_ATTR_ACCESS, NULL);
}
/* always update timestamp when we re-use the node, like on media change events */
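Review bot: The return value of `mac_smack_apply(devnode, SMACK_ATTR_ACCESS, NULL);` in the second hunk is discarded, while the labelling branch in the first hunk checks `r < 0` and logs with `log_error_errno()`; a failed removal of a stale SMACK label on the node is therefore silent. Since this is best-effort cleanup it should stay non-fatal, but log it at debug level: `r = mac_smack_apply(devnode, SMACK_ATTR_ACCESS, NULL); if (r < 0) log_debug_errno(r, "SECLABEL: failed to clear SMACK label on %s: %m", devnode);`. node_permissions_apply() starts and ends outside both hunks, so whether `r` is still live at that point cannot be confirmed from here.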