diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c index d0a79b26359..8537f3eda99 100644 --- a/src/shared/smack-util.c +++ b/src/shared/smack-util.c @@ -26,6 +26,10 @@ #include "xattr-util.h" #if ENABLE_SMACK + +#define SMACK_FLOOR_LABEL "_" +#define SMACK_STAR_LABEL "*" + bool mac_smack_use(void) { static int cached_use = -1; @@ -44,80 +48,45 @@ static const char* const smack_attr_table[_SMACK_ATTR_MAX] = { [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT", }; -DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr); +DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(smack_attr, SmackAttr); -int mac_smack_read(const char *path, SmackAttr attr, char **label) { - assert(path); +int mac_smack_read_at(int fd, const char *path, SmackAttr attr, char **ret) { + assert(fd >= 0 || fd == AT_FDCWD); assert(attr >= 0 && attr < _SMACK_ATTR_MAX); - assert(label); + assert(ret); - if (!mac_smack_use()) + if (!mac_smack_use()) { + *ret = NULL; return 0; + } - return getxattr_malloc(path, smack_attr_to_string(attr), label); + return getxattr_at_malloc(fd, path, smack_attr_to_string(attr), /* at_flags = */ 0, ret); } -int mac_smack_read_fd(int fd, SmackAttr attr, char **label) { - assert(fd >= 0); - assert(attr >= 0 && attr < _SMACK_ATTR_MAX); - assert(label); - - if (!mac_smack_use()) - return 0; - - return fgetxattr_malloc(fd, smack_attr_to_string(attr), label); -} - -int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label) { - _cleanup_close_ int fd = -EBADF; - - assert(path); +int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label) { + assert(fd >= 0 || fd == AT_FDCWD); assert(attr >= 0 && attr < _SMACK_ATTR_MAX); if (!mac_smack_use()) return 0; - fd = openat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOFOLLOW); - if (fd < 0) - return -errno; + if (!label) + return xremovexattr(fd, path, /* at_flags = */ 0, smack_attr_to_string(attr)); - return mac_smack_apply_fd(fd, attr, label); -} - -int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { - int r; - - assert(fd >= 0); - assert(attr >= 0 && attr < _SMACK_ATTR_MAX); - - if (!mac_smack_use()) - return 0; - - if (label) - r = setxattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr), label, strlen(label), 0); - else - r = removexattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr)); - if (r < 0) - return -errno; - - return 0; + return xsetxattr(fd, path, /* at_flags = */ 0, smack_attr_to_string(attr), label); } int mac_smack_apply_pid(pid_t pid, const char *label) { const char *p; - int r; + assert(pid >= 0); assert(label); if (!mac_smack_use()) return 0; p = procfs_file_alloca(pid, "attr/current"); - r = write_string_file(p, label, WRITE_STRING_FILE_DISABLE_BUFFER); - if (r < 0) - return r; - - return r; + return write_string_file(p, label, WRITE_STRING_FILE_DISABLE_BUFFER); } static int smack_fix_fd( @@ -156,25 +125,22 @@ static int smack_fix_fd( else return 0; - if (setxattr(FORMAT_PROC_FD_PATH(fd), "security.SMACK64", label, strlen(label), 0) < 0) { + r = xsetxattr(fd, /* path = */ NULL, AT_EMPTY_PATH, "security.SMACK64", label); + if (ERRNO_IS_NEG_NOT_SUPPORTED(r)) /* If the FS doesn't support labels, then exit without warning */ + return 0; + if (r == -EROFS && FLAGS_SET(flags, LABEL_IGNORE_EROFS)) /* If the FS is read-only and we were told + to ignore failures caused by that, + suppress error */ + return 0; + if (r < 0) { + /* If the old label is identical to the new one, suppress any kind of error */ _cleanup_free_ char *old_label = NULL; - r = -errno; - - /* If the FS doesn't support labels, then exit without warning */ - if (ERRNO_IS_NOT_SUPPORTED(r)) - return 0; - - /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */ - if (r == -EROFS && (flags & LABEL_IGNORE_EROFS)) - return 0; - - /* If the old label is identical to the new one, suppress any kind of error */ - if (lgetxattr_malloc(FORMAT_PROC_FD_PATH(fd), "security.SMACK64", &old_label) >= 0 && + if (fgetxattr_malloc(fd, "security.SMACK64", &old_label) >= 0 && streq(old_label, label)) return 0; - return log_debug_errno(r, "Unable to fix SMACK label of %s: %m", label_path); + return log_debug_errno(r, "Unable to fix SMACK label of '%s': %m", label_path); } return 0; @@ -190,8 +156,7 @@ int mac_smack_fix_full( _cleanup_free_ char *p = NULL; int r, inode_fd; - assert(atfd >= 0 || atfd == AT_FDCWD); - assert(atfd >= 0 || inode_path); + assert(atfd >= 0 || (atfd == AT_FDCWD && inode_path)); if (!mac_smack_use()) return 0; @@ -199,7 +164,7 @@ int mac_smack_fix_full( if (inode_path) { opened_fd = openat(atfd, inode_path, O_NOFOLLOW|O_CLOEXEC|O_PATH); if (opened_fd < 0) { - if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT) + if (errno == ENOENT && FLAGS_SET(flags, LABEL_IGNORE_ENOENT)) return 0; return -errno; @@ -224,8 +189,8 @@ int mac_smack_fix_full( } int mac_smack_copy(const char *dest, const char *src) { - int r; _cleanup_free_ char *label = NULL; + int r; assert(dest); assert(src); @@ -240,39 +205,6 @@ int mac_smack_copy(const char *dest, const char *src) { return r; } - -#else -bool mac_smack_use(void) { - return false; -} - -int mac_smack_read(const char *path, SmackAttr attr, char **label) { - return -EOPNOTSUPP; -} - -int mac_smack_read_fd(int fd, SmackAttr attr, char **label) { - return -EOPNOTSUPP; -} - -int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label) { - return 0; -} - -int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { - return 0; -} - -int mac_smack_apply_pid(pid_t pid, const char *label) { - return 0; -} - -int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags) { - return 0; -} - -int mac_smack_copy(const char *dest, const char *src) { - return 0; -} #endif int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, const char *to) { diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h index f6ed2ece38a..d42d2b553a3 100644 --- a/src/shared/smack-util.h +++ b/src/shared/smack-util.h @@ -13,9 +13,6 @@ #include "label-util.h" #include "macro.h" -#define SMACK_FLOOR_LABEL "_" -#define SMACK_STAR_LABEL "*" - typedef enum SmackAttr { SMACK_ATTR_ACCESS, SMACK_ATTR_EXEC, @@ -27,25 +24,61 @@ typedef enum SmackAttr { _SMACK_ATTR_INVALID = -EINVAL, } SmackAttr; +#if ENABLE_SMACK bool mac_smack_use(void); -int mac_smack_init(void); + +int mac_smack_read_at(int fd, const char *path, SmackAttr attr, char **ret); +int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label); + +int mac_smack_apply_pid(pid_t pid, const char *label); +int mac_smack_copy(const char *dest, const char *src); int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags); -static inline int mac_smack_fix(const char *path, LabelFixFlags flags) { - return mac_smack_fix_full(AT_FDCWD, path, path, flags); +#else +static inline bool mac_smack_use(void) { + return false; +} + +static inline int mac_smack_read_at(int fd, const char *path, SmackAttr attr, char **ret) { + return -EOPNOTSUPP; +} + +static inline int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label) { + return 0; +} + +static inline int mac_smack_apply_pid(pid_t pid, const char *label) { + return 0; +} + +static inline int mac_smack_copy(const char *dest, const char *src) { + return 0; +} + +static inline int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags) { + return 0; +} +#endif + +int mac_smack_init(void); + +static inline int mac_smack_read(const char *path, SmackAttr attr, char **ret) { + return mac_smack_read_at(AT_FDCWD, path, attr, ret); +} +static inline int mac_smack_read_fd(int fd, SmackAttr attr, char **ret) { + return mac_smack_read_at(fd, NULL, attr, ret); } -const char* smack_attr_to_string(SmackAttr i) _const_; -SmackAttr smack_attr_from_string(const char *s) _pure_; -int mac_smack_read(const char *path, SmackAttr attr, char **label); -int mac_smack_read_fd(int fd, SmackAttr attr, char **label); -int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label); static inline int mac_smack_apply(const char *path, SmackAttr attr, const char *label) { return mac_smack_apply_at(AT_FDCWD, path, attr, label); } -int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label); -int mac_smack_apply_pid(pid_t pid, const char *label); -int mac_smack_copy(const char *dest, const char *src); +static inline int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { + return mac_smack_apply_at(fd, NULL, attr, label); +} + +static inline int mac_smack_fix(const char *path, LabelFixFlags flags) { + return mac_smack_fix_full(AT_FDCWD, path, path, flags); +} int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, const char *to); static inline int rename_and_apply_smack_floor_label(const char *from, const char *to) {