]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/smack-setup.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright (C) 2013 Intel Corporation
7 Nathaniel Chen <nathaniel.chen@intel.com>
14 #include <stdio_ext.h>
18 #include "alloc-util.h"
19 #include "dirent-util.h"
24 #include "smack-setup.h"
25 #include "string-util.h"
30 static int write_access2_rules(const char* srcdir
) {
31 _cleanup_close_
int load2_fd
= -1, change_fd
= -1;
32 _cleanup_closedir_
DIR *dir
= NULL
;
38 load2_fd
= open("/sys/fs/smackfs/load2", O_RDWR
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
41 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/load2': %m");
42 return -errno
; /* negative error */
45 change_fd
= open("/sys/fs/smackfs/change-rule", O_RDWR
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
48 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/change-rule': %m");
49 return -errno
; /* negative error */
52 /* write rules to load2 or change-rule from every file in the directory */
53 dir
= opendir(srcdir
);
56 log_warning_errno(errno
, "Failed to opendir '%s': %m", srcdir
);
57 return errno
; /* positive on purpose */
63 FOREACH_DIRENT(entry
, dir
, return 0) {
65 _cleanup_fclose_
FILE *policy
= NULL
;
67 if (!dirent_is_file(entry
))
70 fd
= openat(dfd
, entry
->d_name
, O_RDONLY
|O_CLOEXEC
);
74 log_warning_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
78 policy
= fdopen(fd
, "re");
83 log_error_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
87 /* load2 write rules in the kernel require a line buffered stream */
88 FOREACH_LINE(buf
, policy
,
89 log_error_errno(errno
, "Failed to read line from '%s': %m",
92 _cleanup_free_
char *sbj
= NULL
, *obj
= NULL
, *acc1
= NULL
, *acc2
= NULL
;
94 if (isempty(truncate_nl(buf
)) || strchr(COMMENTS
, *buf
))
97 /* if 3 args -> load rule : subject object access1 */
98 /* if 4 args -> change rule : subject object access1 access2 */
99 if (sscanf(buf
, "%ms %ms %ms %ms", &sbj
, &obj
, &acc1
, &acc2
) < 3) {
100 log_error_errno(errno
, "Failed to parse rule '%s' in '%s', ignoring.", buf
, entry
->d_name
);
104 if (write(isempty(acc2
) ? load2_fd
: change_fd
, buf
, strlen(buf
)) < 0) {
107 log_error_errno(errno
, "Failed to write '%s' to '%s' in '%s'",
108 buf
, isempty(acc2
) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule", entry
->d_name
);
116 static int write_cipso2_rules(const char* srcdir
) {
117 _cleanup_close_
int cipso2_fd
= -1;
118 _cleanup_closedir_
DIR *dir
= NULL
;
119 struct dirent
*entry
;
124 cipso2_fd
= open("/sys/fs/smackfs/cipso2", O_RDWR
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
127 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/cipso2': %m");
128 return -errno
; /* negative error */
131 /* write rules to cipso2 from every file in the directory */
132 dir
= opendir(srcdir
);
135 log_warning_errno(errno
, "Failed to opendir '%s': %m", srcdir
);
136 return errno
; /* positive on purpose */
142 FOREACH_DIRENT(entry
, dir
, return 0) {
144 _cleanup_fclose_
FILE *policy
= NULL
;
146 if (!dirent_is_file(entry
))
149 fd
= openat(dfd
, entry
->d_name
, O_RDONLY
|O_CLOEXEC
);
153 log_error_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
157 policy
= fdopen(fd
, "re");
162 log_error_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
166 /* cipso2 write rules in the kernel require a line buffered stream */
167 FOREACH_LINE(buf
, policy
,
168 log_error_errno(errno
, "Failed to read line from '%s': %m",
171 if (isempty(truncate_nl(buf
)) || strchr(COMMENTS
, *buf
))
174 if (write(cipso2_fd
, buf
, strlen(buf
)) < 0) {
177 log_error_errno(errno
, "Failed to write '%s' to '/sys/fs/smackfs/cipso2' in '%s'",
187 static int write_netlabel_rules(const char* srcdir
) {
188 _cleanup_fclose_
FILE *dst
= NULL
;
189 _cleanup_closedir_
DIR *dir
= NULL
;
190 struct dirent
*entry
;
195 dst
= fopen("/sys/fs/smackfs/netlabel", "we");
198 log_warning_errno(errno
, "Failed to open /sys/fs/smackfs/netlabel: %m");
199 return -errno
; /* negative error */
202 /* write rules to dst from every file in the directory */
203 dir
= opendir(srcdir
);
206 log_warning_errno(errno
, "Failed to opendir %s: %m", srcdir
);
207 return errno
; /* positive on purpose */
213 FOREACH_DIRENT(entry
, dir
, return 0) {
215 _cleanup_fclose_
FILE *policy
= NULL
;
217 fd
= openat(dfd
, entry
->d_name
, O_RDONLY
|O_CLOEXEC
);
221 log_warning_errno(errno
, "Failed to open %s: %m", entry
->d_name
);
225 policy
= fdopen(fd
, "re");
230 log_error_errno(errno
, "Failed to open %s: %m", entry
->d_name
);
234 (void) __fsetlocking(policy
, FSETLOCKING_BYCALLER
);
236 /* load2 write rules in the kernel require a line buffered stream */
237 FOREACH_LINE(buf
, policy
,
238 log_error_errno(errno
, "Failed to read line from %s: %m", entry
->d_name
)) {
242 if (!fputs(buf
, dst
)) {
245 log_error_errno(errno
, "Failed to write line to /sys/fs/smackfs/netlabel");
248 q
= fflush_and_check(dst
);
252 log_error_errno(q
, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m");
261 static int write_onlycap_list(void) {
262 _cleanup_close_
int onlycap_fd
= -1;
263 _cleanup_free_
char *list
= NULL
;
264 _cleanup_fclose_
FILE *f
= NULL
;
265 size_t len
= 0, allocated
= 0;
269 f
= fopen("/etc/smack/onlycap", "re");
272 log_warning_errno(errno
, "Failed to read '/etc/smack/onlycap'");
273 return errno
== ENOENT
? ENOENT
: -errno
;
276 FOREACH_LINE(buf
, f
, return -errno
) {
279 if (isempty(truncate_nl(buf
)) || strchr(COMMENTS
, *buf
))
283 if (!GREEDY_REALLOC(list
, allocated
, len
+ l
+ 1))
286 stpcpy(list
+ len
, buf
)[0] = ' ';
295 onlycap_fd
= open("/sys/fs/smackfs/onlycap", O_WRONLY
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
296 if (onlycap_fd
< 0) {
298 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/onlycap'");
299 return -errno
; /* negative error */
302 r
= write(onlycap_fd
, list
, len
);
304 return log_error_errno(errno
, "Failed to write onlycap list(%s) to '/sys/fs/smackfs/onlycap'", list
);
311 int mac_smack_setup(bool *loaded_policy
) {
317 assert(loaded_policy
);
319 r
= write_access2_rules("/etc/smack/accesses.d/");
322 log_debug("Smack is not enabled in the kernel.");
325 log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
328 log_info("Successfully loaded Smack policies.");
331 log_warning_errno(r
, "Failed to load Smack access rules, ignoring: %m");
335 #ifdef SMACK_RUN_LABEL
336 r
= write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL
, 0);
338 log_warning_errno(r
, "Failed to set SMACK label \"" SMACK_RUN_LABEL
"\" on self: %m");
339 r
= write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL
, 0);
341 log_warning_errno(r
, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL
"\": %m");
342 r
= write_string_file("/sys/fs/smackfs/netlabel",
343 "0.0.0.0/0 " SMACK_RUN_LABEL
, 0);
345 log_warning_errno(r
, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL
"\": %m");
346 r
= write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
348 log_warning_errno(r
, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
351 r
= write_cipso2_rules("/etc/smack/cipso.d/");
354 log_debug("Smack/CIPSO is not enabled in the kernel.");
357 log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
360 log_info("Successfully loaded Smack/CIPSO policies.");
363 log_warning_errno(r
, "Failed to load Smack/CIPSO access rules, ignoring: %m");
367 r
= write_netlabel_rules("/etc/smack/netlabel.d/");
370 log_debug("Smack/CIPSO is not enabled in the kernel.");
373 log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
376 log_info("Successfully loaded Smack network host rules.");
379 log_warning_errno(r
, "Failed to load Smack network host rules: %m, ignoring.");
383 r
= write_onlycap_list();
386 log_debug("Smack is not enabled in the kernel.");
389 log_debug("Smack onlycap list file '/etc/smack/onlycap' not found");
392 log_info("Successfully wrote Smack onlycap list.");
395 log_emergency_errno(r
, "Failed to write Smack onlycap list.");
399 *loaded_policy
= true;
projects / thirdparty / systemd.git / blob