shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-07 01:27:11 +03:00
Code
43ef760376
systemd/src/shared/smack-util.c

208 lines
4.9 KiB
C
Raw Normal View History

Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2013 Intel Corporation
Author: Auke Kok <auke-jan.h.kok@intel.com>
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
build-sys: use glibc's xattr support instead of requiring libattr
2014-05-28 13:36:40 +04:00
#include <sys/xattr.h>
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
#include "util.h"
#include "path-util.h"
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 14:46:20 +03:00
#include "fileio.h"
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
#include "smack-util.h"
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
smack: we don't need the special labels exported, hence don't
2014-10-23 20:40:03 +04:00
#define SMACK_FLOOR_LABEL "_"
#define SMACK_STAR_LABEL "*"
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
bool mac_smack_use(void) {
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
#ifdef HAVE_SMACK
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
static int cached_use = -1;
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
if (cached_use < 0)
cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
return cached_use;
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
#else
return false;
#endif
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
}
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
mac: rename all calls that apply a label mac_{selinux|smack}_apply_xyz(), and all that reset it to defaults mac_{selinux|smack}_fix() Let's clean up the naming schemes a bit and use the same one for SMACK and for SELINUX.
2014-10-23 19:49:29 +04:00
int mac_smack_apply(const char *path, const char *label) {
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
int r = 0;
assert(path);
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#ifdef HAVE_SMACK
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
if (!mac_smack_use())
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
return 0;
if (label)
smack: never follow symlinks when relabelling previously mac_smack_apply(path, NULL) would operate on the symlink itself while mac_smack_apply(path, "foo") would follow the symlink. Let's clean this up an always operate on the symlink, which appears to be the safer option.
2014-10-23 20:32:22 +04:00
r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
else
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
r = lremovexattr(path, "security.SMACK64");
if (r < 0)
return -errno;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#endif
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
return r;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
}
mac: rename all calls that apply a label mac_{selinux|smack}_apply_xyz(), and all that reset it to defaults mac_{selinux|smack}_fix() Let's clean up the naming schemes a bit and use the same one for SMACK and for SELINUX.
2014-10-23 19:49:29 +04:00
int mac_smack_apply_fd(int fd, const char *label) {
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
int r = 0;
assert(fd >= 0);
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#ifdef HAVE_SMACK
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
if (!mac_smack_use())
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
return 0;
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
if (label)
r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
else
r = fremovexattr(fd, "security.SMACK64");
if (r < 0)
return -errno;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#endif
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
return r;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
}
mac: rename all calls that apply a label mac_{selinux|smack}_apply_xyz(), and all that reset it to defaults mac_{selinux|smack}_fix() Let's clean up the naming schemes a bit and use the same one for SMACK and for SELINUX.
2014-10-23 19:49:29 +04:00
int mac_smack_apply_ip_out_fd(int fd, const char *label) {
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
int r = 0;
assert(fd >= 0);
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#ifdef HAVE_SMACK
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
if (!mac_smack_use())
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
return 0;
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
if (label)
r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
else
r = fremovexattr(fd, "security.SMACK64IPOUT");
if (r < 0)
return -errno;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#endif
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
return r;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
}
mac: rename all calls that apply a label mac_{selinux|smack}_apply_xyz(), and all that reset it to defaults mac_{selinux|smack}_fix() Let's clean up the naming schemes a bit and use the same one for SMACK and for SELINUX.
2014-10-23 19:49:29 +04:00
int mac_smack_apply_ip_in_fd(int fd, const char *label) {
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
int r = 0;
assert(fd >= 0);
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#ifdef HAVE_SMACK
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention
2014-10-23 19:34:30 +04:00
if (!mac_smack_use())
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
return 0;
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
if (label)
r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
else
r = fremovexattr(fd, "security.SMACK64IPIN");
if (r < 0)
return -errno;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#endif
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
return r;
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
}
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 14:46:20 +03:00
int mac_smack_apply_pid(pid_t pid, const char *label) {
smack-util: remove warning when building without SMACK support
2014-12-04 18:17:18 +03:00
#ifdef HAVE_SMACK
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 14:46:20 +03:00
const char *p;
smack-util: remove warning when building without SMACK support
2014-12-04 18:17:18 +03:00
#endif
int r = 0;
smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-24 14:46:20 +03:00
assert(label);
#ifdef HAVE_SMACK
if (!mac_smack_use())
return 0;
p = procfs_file_alloca(pid, "attr/current");
r = write_string_file(p, label);
if (r < 0)
return r;
#endif
return r;
}
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
2014-10-23 20:34:58 +04:00
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
#ifdef HAVE_SMACK
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
2014-10-23 20:34:58 +04:00
struct stat st;
smack-util: remove warning when building without SMACK support
2014-12-04 18:17:18 +03:00
#endif
int r = 0;
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
assert(path);
smack-util: remove warning when building without SMACK support
2014-12-04 18:17:18 +03:00
#ifdef HAVE_SMACK
smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it
2014-10-23 20:06:51 +04:00
if (!mac_smack_use())
return 0;
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
/*
* Path must be in /dev and must exist
*/
if (!path_startswith(path, "/dev"))
return 0;
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
2014-10-23 20:34:58 +04:00
r = lstat(path, &st);
if (r >= 0) {
const char *label;
/*
* Label directories and character devices "*".
* Label symlinks "_".
* Don't change anything else.
*/
if (S_ISDIR(st.st_mode))
label = SMACK_STAR_LABEL;
else if (S_ISLNK(st.st_mode))
label = SMACK_FLOOR_LABEL;
else if (S_ISCHR(st.st_mode))
label = SMACK_STAR_LABEL;
else
return 0;
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
2014-10-23 20:34:58 +04:00
r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
/* If the FS doesn't support labels, then exit without warning */
tree-wide: there is no ENOTSUP on linux Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses.
2015-03-13 16:08:00 +03:00
if (r < 0 && errno == EOPNOTSUPP)
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
2014-10-23 20:34:58 +04:00
return 0;
}
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
if (r < 0) {
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
2014-10-23 20:34:58 +04:00
/* Ignore ENOENT in some cases */
if (ignore_enoent && errno == ENOENT)
return 0;
if (ignore_erofs && errno == EROFS)
return 0;
smack-util: remove warning when building without SMACK support
2014-12-04 18:17:18 +03:00
r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
label: rearrange mandatory access control(MAC) apis move label apis to selinux-util.ch or smack-util.ch appropriately.
2014-10-23 12:23:45 +04:00
}
#endif
return r;
}
Copy Permalink