mirror of
https://github.com/systemd/systemd.git
synced 2025-03-22 06:50:18 +03:00
smack-util: several cleanups
- Make _read_at and _apply_at variants the "canonical" functions (which leverage xsetxattr()/xremovexattr()), turn others into static inline helpers - Unexport string table lookup (not used anywhere else) - Define nop functions as static inline if !ENABLE_SMACK
This commit is contained in:
Mike Yuan
parent
61b3d116ee
commit
3c06e2efb8
@ -26,6 +26,10 @@
|
||||
#include "xattr-util.h"
|
||||
|
||||
#if ENABLE_SMACK
|
||||
|
||||
#define SMACK_FLOOR_LABEL "_"
|
||||
#define SMACK_STAR_LABEL "*"
|
||||
|
||||
bool mac_smack_use(void) {
|
||||
static int cached_use = -1;
|
||||
|
||||
@ -44,80 +48,45 @@ static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
|
||||
[SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
|
||||
};
|
||||
|
||||
DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
|
||||
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(smack_attr, SmackAttr);
|
||||
|
||||
int mac_smack_read(const char *path, SmackAttr attr, char **label) {
|
||||
assert(path);
|
||||
int mac_smack_read_at(int fd, const char *path, SmackAttr attr, char **ret) {
|
||||
assert(fd >= 0 || fd == AT_FDCWD);
|
||||
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
|
||||
assert(label);
|
||||
assert(ret);
|
||||
|
||||
if (!mac_smack_use())
|
||||
if (!mac_smack_use()) {
|
||||
*ret = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
return getxattr_malloc(path, smack_attr_to_string(attr), label);
|
||||
return getxattr_at_malloc(fd, path, smack_attr_to_string(attr), /* at_flags = */ 0, ret);
|
||||
}
|
||||
|
||||
int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
|
||||
assert(fd >= 0);
|
||||
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
|
||||
assert(label);
|
||||
|
||||
if (!mac_smack_use())
|
||||
return 0;
|
||||
|
||||
return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
|
||||
}
|
||||
|
||||
int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label) {
|
||||
_cleanup_close_ int fd = -EBADF;
|
||||
|
||||
assert(path);
|
||||
int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label) {
|
||||
assert(fd >= 0 || fd == AT_FDCWD);
|
||||
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
|
||||
|
||||
if (!mac_smack_use())
|
||||
return 0;
|
||||
|
||||
fd = openat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
|
||||
if (fd < 0)
|
||||
return -errno;
|
||||
if (!label)
|
||||
return xremovexattr(fd, path, /* at_flags = */ 0, smack_attr_to_string(attr));
|
||||
|
||||
return mac_smack_apply_fd(fd, attr, label);
|
||||
}
|
||||
|
||||
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
|
||||
int r;
|
||||
|
||||
assert(fd >= 0);
|
||||
assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
|
||||
|
||||
if (!mac_smack_use())
|
||||
return 0;
|
||||
|
||||
if (label)
|
||||
r = setxattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr), label, strlen(label), 0);
|
||||
else
|
||||
r = removexattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr));
|
||||
if (r < 0)
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
return xsetxattr(fd, path, /* at_flags = */ 0, smack_attr_to_string(attr), label);
|
||||
}
|
||||
|
||||
int mac_smack_apply_pid(pid_t pid, const char *label) {
|
||||
const char *p;
|
||||
int r;
|
||||
|
||||
assert(pid >= 0);
|
||||
assert(label);
|
||||
|
||||
if (!mac_smack_use())
|
||||
return 0;
|
||||
|
||||
p = procfs_file_alloca(pid, "attr/current");
|
||||
r = write_string_file(p, label, WRITE_STRING_FILE_DISABLE_BUFFER);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return r;
|
||||
return write_string_file(p, label, WRITE_STRING_FILE_DISABLE_BUFFER);
|
||||
}
|
||||
|
||||
static int smack_fix_fd(
|
||||
@ -156,25 +125,22 @@ static int smack_fix_fd(
|
||||
else
|
||||
return 0;
|
||||
|
||||
if (setxattr(FORMAT_PROC_FD_PATH(fd), "security.SMACK64", label, strlen(label), 0) < 0) {
|
||||
r = xsetxattr(fd, /* path = */ NULL, AT_EMPTY_PATH, "security.SMACK64", label);
|
||||
if (ERRNO_IS_NEG_NOT_SUPPORTED(r)) /* If the FS doesn't support labels, then exit without warning */
|
||||
return 0;
|
||||
if (r == -EROFS && FLAGS_SET(flags, LABEL_IGNORE_EROFS)) /* If the FS is read-only and we were told
|
||||
to ignore failures caused by that,
|
||||
suppress error */
|
||||
return 0;
|
||||
if (r < 0) {
|
||||
/* If the old label is identical to the new one, suppress any kind of error */
|
||||
_cleanup_free_ char *old_label = NULL;
|
||||
|
||||
r = -errno;
|
||||
|
||||
/* If the FS doesn't support labels, then exit without warning */
|
||||
if (ERRNO_IS_NOT_SUPPORTED(r))
|
||||
return 0;
|
||||
|
||||
/* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
|
||||
if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
|
||||
return 0;
|
||||
|
||||
/* If the old label is identical to the new one, suppress any kind of error */
|
||||
if (lgetxattr_malloc(FORMAT_PROC_FD_PATH(fd), "security.SMACK64", &old_label) >= 0 &&
|
||||
if (fgetxattr_malloc(fd, "security.SMACK64", &old_label) >= 0 &&
|
||||
streq(old_label, label))
|
||||
return 0;
|
||||
|
||||
return log_debug_errno(r, "Unable to fix SMACK label of %s: %m", label_path);
|
||||
return log_debug_errno(r, "Unable to fix SMACK label of '%s': %m", label_path);
|
||||
}
|
||||
|
||||
return 0;
|
||||
@ -190,8 +156,7 @@ int mac_smack_fix_full(
|
||||
_cleanup_free_ char *p = NULL;
|
||||
int r, inode_fd;
|
||||
|
||||
assert(atfd >= 0 || atfd == AT_FDCWD);
|
||||
assert(atfd >= 0 || inode_path);
|
||||
assert(atfd >= 0 || (atfd == AT_FDCWD && inode_path));
|
||||
|
||||
if (!mac_smack_use())
|
||||
return 0;
|
||||
@ -199,7 +164,7 @@ int mac_smack_fix_full(
|
||||
if (inode_path) {
|
||||
opened_fd = openat(atfd, inode_path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
|
||||
if (opened_fd < 0) {
|
||||
if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
|
||||
if (errno == ENOENT && FLAGS_SET(flags, LABEL_IGNORE_ENOENT))
|
||||
return 0;
|
||||
|
||||
return -errno;
|
||||
@ -224,8 +189,8 @@ int mac_smack_fix_full(
|
||||
}
|
||||
|
||||
int mac_smack_copy(const char *dest, const char *src) {
|
||||
int r;
|
||||
_cleanup_free_ char *label = NULL;
|
||||
int r;
|
||||
|
||||
assert(dest);
|
||||
assert(src);
|
||||
@ -240,39 +205,6 @@ int mac_smack_copy(const char *dest, const char *src) {
|
||||
|
||||
return r;
|
||||
}
|
||||
|
||||
#else
|
||||
bool mac_smack_use(void) {
|
||||
return false;
|
||||
}
|
||||
|
||||
int mac_smack_read(const char *path, SmackAttr attr, char **label) {
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mac_smack_apply_pid(pid_t pid, const char *label) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
int mac_smack_copy(const char *dest, const char *src) {
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, const char *to) {
|
||||
|
||||
@ -13,9 +13,6 @@
|
||||
#include "label-util.h"
|
||||
#include "macro.h"
|
||||
|
||||
#define SMACK_FLOOR_LABEL "_"
|
||||
#define SMACK_STAR_LABEL "*"
|
||||
|
||||
typedef enum SmackAttr {
|
||||
SMACK_ATTR_ACCESS,
|
||||
SMACK_ATTR_EXEC,
|
||||
@ -27,25 +24,61 @@ typedef enum SmackAttr {
|
||||
_SMACK_ATTR_INVALID = -EINVAL,
|
||||
} SmackAttr;
|
||||
|
||||
#if ENABLE_SMACK
|
||||
bool mac_smack_use(void);
|
||||
int mac_smack_init(void);
|
||||
|
||||
int mac_smack_read_at(int fd, const char *path, SmackAttr attr, char **ret);
|
||||
int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label);
|
||||
|
||||
int mac_smack_apply_pid(pid_t pid, const char *label);
|
||||
int mac_smack_copy(const char *dest, const char *src);
|
||||
|
||||
int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);
|
||||
static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {
|
||||
return mac_smack_fix_full(AT_FDCWD, path, path, flags);
|
||||
#else
|
||||
static inline bool mac_smack_use(void) {
|
||||
return false;
|
||||
}
|
||||
|
||||
static inline int mac_smack_read_at(int fd, const char *path, SmackAttr attr, char **ret) {
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
static inline int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int mac_smack_apply_pid(pid_t pid, const char *label) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int mac_smack_copy(const char *dest, const char *src) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags) {
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
int mac_smack_init(void);
|
||||
|
||||
static inline int mac_smack_read(const char *path, SmackAttr attr, char **ret) {
|
||||
return mac_smack_read_at(AT_FDCWD, path, attr, ret);
|
||||
}
|
||||
static inline int mac_smack_read_fd(int fd, SmackAttr attr, char **ret) {
|
||||
return mac_smack_read_at(fd, NULL, attr, ret);
|
||||
}
|
||||
|
||||
const char* smack_attr_to_string(SmackAttr i) _const_;
|
||||
SmackAttr smack_attr_from_string(const char *s) _pure_;
|
||||
int mac_smack_read(const char *path, SmackAttr attr, char **label);
|
||||
int mac_smack_read_fd(int fd, SmackAttr attr, char **label);
|
||||
int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label);
|
||||
static inline int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
|
||||
return mac_smack_apply_at(AT_FDCWD, path, attr, label);
|
||||
}
|
||||
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label);
|
||||
int mac_smack_apply_pid(pid_t pid, const char *label);
|
||||
int mac_smack_copy(const char *dest, const char *src);
|
||||
static inline int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
|
||||
return mac_smack_apply_at(fd, NULL, attr, label);
|
||||
}
|
||||
|
||||
static inline int mac_smack_fix(const char *path, LabelFixFlags flags) {
|
||||
return mac_smack_fix_full(AT_FDCWD, path, path, flags);
|
||||
}
|
||||
|
||||
int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, const char *to);
|
||||
static inline int rename_and_apply_smack_floor_label(const char *from, const char *to) {
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user