shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-07 01:27:11 +03:00
Code
99a1ab10b0
systemd/src/shared/smack-util.c

90 lines
2.2 KiB
C
Raw Normal View History

Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2013 Intel Corporation
Author: Auke Kok <auke-jan.h.kok@intel.com>
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <unistd.h>
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
#include <string.h>
build-sys: use glibc's xattr support instead of requiring libattr
2014-05-28 13:36:40 +04:00
#include <sys/xattr.h>
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
#include "smack-util.h"
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
bool use_smack(void) {
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
#ifdef HAVE_SMACK
static int use_smack_cached = -1;
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
if (use_smack_cached < 0)
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
use_smack_cached = access("/sys/fs/smackfs/", F_OK) >= 0;
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
return use_smack_cached;
security: rework selinux, smack, ima, apparmor detection logic Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
2013-10-10 18:35:44 +04:00
#else
return false;
#endif
Smack: Test if smack is enabled before mounting Since on most systems with xattr systemd will compile with Smack support enabled, we still attempt to mount various fs's with Smack-only options. Before mounting any of these Smack-related filesystems with Smack specific mount options, check if Smack is functionally active on the running kernel. If Smack is really enabled in the kernel, all these Smack mounts are now *fatal*, as they should be. We no longer mount smackfs if systemd was compiled without Smack support. This makes it easier to make smackfs mount failures a critical error when Smack is enabled. We no longer mount these filesystems with their Smack specific options inside containers. There these filesystems will be mounted with there non-mount smack options for now.
2013-10-09 21:52:15 +04:00
}
smack: minimize ifdef use, and move all labeling to smack-util.c
2013-10-11 11:47:31 +04:00
int smack_label_path(const char *path, const char *label) {
#ifdef HAVE_SMACK
if (!use_smack())
return 0;
if (label)
return setxattr(path, "security.SMACK64", label, strlen(label), 0);
else
return lremovexattr(path, "security.SMACK64");
#else
return 0;
#endif
}
int smack_label_fd(int fd, const char *label) {
#ifdef HAVE_SMACK
if (!use_smack())
return 0;
return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
#else
return 0;
#endif
}
int smack_label_ip_out_fd(int fd, const char *label) {
#ifdef HAVE_SMACK
if (!use_smack())
return 0;
return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
#else
return 0;
#endif
}
int smack_label_ip_in_fd(int fd, const char *label) {
#ifdef HAVE_SMACK
if (!use_smack())
return 0;
return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
#else
return 0;
#endif
}
Copy Permalink