smack: minimize ifdef use, and move all labeling to smack-util.c

src/core/socket.c

@@ -775,17 +775,13 @@ static void socket_apply_socket_options(Socket *s, int fd) {
                         log_warning_unit(UNIT(s)->id, "SO_REUSEPORT failed: %m");
         }
 
-#ifdef HAVE_SMACK
-        if (s->smack_ip_in && use_smack())
-                if (fsetxattr(fd, "security.SMACK64IPIN", s->smack_ip_in, strlen(s->smack_ip_in), 0) < 0)
-                        log_error_unit(UNIT(s)->id,
-                                       "fsetxattr(\"security.SMACK64IPIN\"): %m");
+        if (s->smack_ip_in)
+                if (smack_label_ip_in_fd(fd, s->smack_ip_in) < 0)
+                        log_error_unit(UNIT(s)->id, "smack_label_ip_in_fd: %m");
 
-        if (s->smack_ip_out && use_smack())
-                if (fsetxattr(fd, "security.SMACK64IPOUT", s->smack_ip_out, strlen(s->smack_ip_out), 0) < 0)
-                        log_error_unit(UNIT(s)->id,
-                                       "fsetxattr(\"security.SMACK64IPOUT\"): %m");
-#endif
+        if (s->smack_ip_out)
+                if (smack_label_ip_out_fd(fd, s->smack_ip_out) < 0)
+                        log_error_unit(UNIT(s)->id, "smack_label_ip_out_fd: %m");
 }
 
 static void socket_apply_fifo_options(Socket *s, int fd) {
@@ -797,12 +793,9 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
                         log_warning_unit(UNIT(s)->id,
                                          "F_SETPIPE_SZ: %m");
 
-#ifdef HAVE_SMACK
-        if (s->smack && use_smack())
-                if (fsetxattr(fd, "security.SMACK64", s->smack, strlen(s->smack), 0) < 0)
-                        log_error_unit(UNIT(s)->id,
-                                       "fsetxattr(\"security.SMACK64\"): %m");
-#endif
+        if (s->smack)
+                if (smack_label_fd(fd, s->smack) < 0)
+                        log_error_unit(UNIT(s)->id, "smack_label_fd: %m");
 }
 
 static int fifo_address_create(

src/shared/smack-util.c

@@ -22,11 +22,14 @@
 ***/
 
 #include <unistd.h>
+#include <string.h>
+#ifdef HAVE_XATTR
+#include <attr/xattr.h>
+#endif
 
 #include "smack-util.h"
 
 bool use_smack(void) {
-
 #ifdef HAVE_SMACK
         static int use_smack_cached = -1;
 
@@ -39,3 +42,50 @@ bool use_smack(void) {
 #endif
 
 }
+
+int smack_label_path(const char *path, const char *label) {
+#ifdef HAVE_SMACK
+        if (!use_smack())
+                return 0;
+
+        if (label)
+                return setxattr(path, "security.SMACK64", label, strlen(label), 0);
+        else
+                return lremovexattr(path, "security.SMACK64");
+#else
+        return 0;
+#endif
+}
+
+int smack_label_fd(int fd, const char *label) {
+#ifdef HAVE_SMACK
+        if (!use_smack())
+                return 0;
+
+        return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
+#else
+        return 0;
+#endif
+}
+
+int smack_label_ip_out_fd(int fd, const char *label) {
+#ifdef HAVE_SMACK
+        if (!use_smack())
+                return 0;
+
+        return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
+#else
+        return 0;
+#endif
+}
+
+int smack_label_ip_in_fd(int fd, const char *label) {
+#ifdef HAVE_SMACK
+        if (!use_smack())
+                return 0;
+
+        return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
+#else
+        return 0;
+#endif
+}

src/shared/smack-util.h

@@ -26,3 +26,7 @@
 #include <stdbool.h>
 
 bool use_smack(void);
+int smack_label_path(const char *path, const char *label);
+int smack_label_fd(int fd, const char *label);
+int smack_label_ip_in_fd(int fd, const char *label);
+int smack_label_ip_out_fd(int fd, const char *label);

src/udev/udev-node.c

@@ -28,12 +28,9 @@
 #include <sys/time.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#ifdef HAVE_XATTR
-#include <attr/xattr.h>
-#endif
 
-#include "smack-util.h"
 #include "udev.h"
+#include "smack-util.h"
 
 static int node_symlink(struct udev_device *dev, const char *node, const char *slink)
 {
@@ -285,9 +282,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
 
         if (apply) {
                 bool selinux = false;
-#ifdef HAVE_SMACK
                 bool smack = false;
-#endif
 
                 if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
                         log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
@@ -311,14 +306,12 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
                                 else
                                         log_debug("SECLABEL: set SELinux label '%s'", label);
 
-#ifdef HAVE_SMACK
-                        } else if (streq(name, "smack") && use_smack()) {
+                        } else if (streq(name, "smack")) {
                                 smack = true;
-                                if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
+                                if (smack_label_path(devnode, label) < 0)
                                         log_error("SECLABEL: failed to set SMACK label '%s'", label);
                                 else
                                         log_debug("SECLABEL: set SMACK label '%s'", label);
-#endif
 
                         } else
                                 log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
@@ -327,10 +320,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
                 /* set the defaults */
                 if (!selinux)
                         label_fix(devnode, true, false);
-#ifdef HAVE_SMACK
-                if (!smack && use_smack())
-                        lremovexattr(devnode, "security.SMACK64");
-#endif
+                if (!smack)
+                        smack_label_path(devnode, NULL);
         }
 
         /* always update timestamp when we re-use the node, like on media change events */