shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-02 09:47:03 +03:00
Code

udev: support custom Linux Security Module labels for device nodes

Browse Source
This commit is contained in:
Kay Sievers 2013-10-08 01:59:10 +02:00
parent 8b197c3a8a
commit c26547d612
5 changed files with 80 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
man/udev.xml
View File

@ -340,6 +340,13 @@
</listitem>
</varlistentry>
<varlistentry>
<term><varname>SECLABEL{<replaceable>module</replaceable>}</varname></term>
<listitem>
<para>Applies the specified Linux Security Module label to the device node.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>ATTR{<replaceable>key</replaceable>}</varname></term>
<listitem>

4
src/udev/udev-event.c
View File

@ -47,6 +47,7 @@ struct udev_event *udev_event_new(struct udev_device *dev)
event->dev = dev;
event->udev = udev;
udev_list_init(udev, &event->run_list, false);
udev_list_init(udev, &event->seclabel_list, false);
event->fd_signal = -1;
event->birth_usec = now(CLOCK_MONOTONIC);
event->timeout_usec = 30 * 1000 * 1000;
@ -58,6 +59,7 @@ void udev_event_unref(struct udev_event *event)
if (event == NULL)
return;
udev_list_cleanup(&event->run_list);
udev_list_cleanup(&event->seclabel_list);
free(event->program_result);
free(event->name);
free(event);
@ -864,7 +866,7 @@ int udev_event_execute_rules(struct udev_event *event, struct udev_rules *rules,
}
apply = streq(udev_device_get_action(dev), "add") || event->owner_set || event->group_set || event->mode_set;
udev_node_add(dev, apply, event->mode, event->uid, event->gid);
udev_node_add(dev, apply, event->mode, event->uid, event->gid, &event->seclabel_list);
}
/* preserve old, or get new initialization timestamp */

40
src/udev/udev-node.c
View File

@ -28,6 +28,9 @@
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef HAVE_XATTR
#include <attr/xattr.h>
#endif
#include "udev.h"
@ -252,11 +255,13 @@ void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev
}
}
static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
{
static int node_permissions_apply(struct udev_device *dev, bool apply,
mode_t mode, uid_t uid, gid_t gid,
struct udev_list *seclabel_list) {
const char *devnode = udev_device_get_devnode(dev);
dev_t devnum = udev_device_get_devnum(dev);
struct stat stats;
struct udev_list_entry *entry;
int err = 0;
if (streq(udev_device_get_subsystem(dev), "block"))
@ -285,7 +290,31 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mo
} else {
log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
}
label_fix(devnode, true, false);
/* apply SECLABEL{$module}=$label */
udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
const char *name, *label;
name = udev_list_entry_get_name(entry);
label = udev_list_entry_get_value(entry);
if (streq(name, "selinux")) {
/* FIXME: hook up libselinux */
log_error("SECLABEL: failed to set selinux label '%s'", label);
} else if (streq(name, "smack")) {
#ifdef HAVE_XATTR
if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
log_error("SECLABEL: failed to set SMACK label '%s'", label);
else
log_debug("SECLABEL: set SMACK label '%s'", label);
#endif
} else
log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
}
}
/* always update timestamp when we re-use the node, like on media change events */
@ -294,15 +323,16 @@ out:
return err;
}
void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
{
void udev_node_add(struct udev_device *dev, bool apply,
mode_t mode, uid_t uid, gid_t gid,
struct udev_list *seclabel_list) {
char filename[UTIL_PATH_SIZE];
struct udev_list_entry *list_entry;
log_debug("handling device node '%s', devnum=%s, mode=%#o, uid=%d, gid=%d\n",
udev_device_get_devnode(dev), udev_device_get_id_filename(dev), mode, uid, gid);
if (node_permissions_apply(dev, apply, mode, uid, gid) < 0)
if (node_permissions_apply(dev, apply, mode, uid, gid, seclabel_list) < 0)
return;
/* always add /dev/{block,char}/$major:$minor */

31
src/udev/udev-rules.c
View File

@ -156,6 +156,7 @@ enum token_type {
TK_A_MODE_ID, /* mode_t */
TK_A_TAG, /* val */
TK_A_STATIC_NODE, /* val */
TK_A_SECLABEL, /* val, attr */
TK_A_ENV, /* val, attr */
TK_A_NAME, /* val */
TK_A_DEVLINK, /* val */
@ -291,6 +292,7 @@ static const char *token_str(enum token_type type)
[TK_A_OWNER_ID] = "A OWNER_ID",
[TK_A_GROUP_ID] = "A GROUP_ID",
[TK_A_STATIC_NODE] = "A STATIC_NODE",
[TK_A_SECLABEL] = "A SECLABEL",
[TK_A_MODE_ID] = "A MODE_ID",
[TK_A_ENV] = "A ENV",
[TK_A_TAG] = "A ENV",
@ -399,6 +401,9 @@ static void dump_token(struct udev_rules *rules, struct token *token)
case TK_A_STATIC_NODE:
log_debug("%s '%s'\n", token_str(type), value);
break;
case TK_A_SECLABEL:
log_debug("%s %s '%s' '%s'\n", token_str(type), operation_str(op), attr, value);
break;
case TK_M_EVENT_TIMEOUT:
log_debug("%s %u\n", token_str(type), token->key.event_timeout);
break;
@ -911,6 +916,7 @@ static int rule_add_key(struct rule_tmp *rule_tmp, enum token_type type,
case TK_M_ATTRS:
case TK_A_ATTR:
case TK_A_ENV:
case TK_A_SECLABEL:
attr = data;
token->key.value_off = rules_add_string(rule_tmp->rules, value);
token->key.attr_off = rules_add_string(rule_tmp->rules, attr);
@ -1158,6 +1164,17 @@ static int add_rule(struct udev_rules *rules, char *line,
continue;
}
if (startswith(key, "SECLABEL{")) {
attr = get_key_attribute(rules->udev, key + sizeof("SECLABEL")-1);
if (!attr) {
log_error("error parsing SECLABEL attribute\n");
goto invalid;
}
rule_add_key(&rule_tmp, TK_A_SECLABEL, op, value, attr);
continue;
}
if (streq(key, "KERNELS")) {
if (op > OP_MATCH_MAX) {
log_error("invalid KERNELS operation\n");
@ -2329,6 +2346,20 @@ int udev_rules_apply_to_event(struct udev_rules *rules, struct udev_event *event
rules_str(rules, rule->rule.filename_off),
rule->rule.filename_line);
break;
case TK_A_SECLABEL: {
const char *name, *label;
name = rules_str(rules, cur->key.attr_off);
label = rules_str(rules, cur->key.value_off);
if (cur->key.op == OP_ASSIGN || cur->key.op == OP_ASSIGN_FINAL)
udev_list_cleanup(&event->seclabel_list);
udev_list_entry_add(&event->seclabel_list, name, label);
log_debug("SECLABEL{%s}='%s' %s:%u\n",
name, label,
rules_str(rules, rule->rule.filename_off),
rule->rule.filename_line);
break;
}
case TK_A_ENV: {
const char *name = rules_str(rules, cur->key.attr_off);
char *value = rules_str(rules, cur->key.value_off);

5
src/udev/udev.h
View File

@ -39,6 +39,7 @@ struct udev_event {
mode_t mode;
uid_t uid;
gid_t gid;
struct udev_list seclabel_list;
struct udev_list run_list;
int exec_delay;
usec_t birth_usec;
@ -95,7 +96,9 @@ void udev_watch_end(struct udev *udev, struct udev_device *dev);
struct udev_device *udev_watch_lookup(struct udev *udev, int wd);
/* udev-node.c */
void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid);
void udev_node_add(struct udev_device *dev, bool apply,
mode_t mode, uid_t uid, gid_t gid,
struct udev_list *seclabel_list);
void udev_node_remove(struct udev_device *dev);
void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev_old);