-/* SPDX-License-Identifier: LGPL-2.1+ */
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
/***
Copyright © 2013 Intel Corporation
Authors:
Nathaniel Chen <nathaniel.chen@intel.com>
***/
-#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
-#include <stdio_ext.h>
#include <stdlib.h>
-#include <string.h>
+#include <unistd.h>
#include "alloc-util.h"
-#include "def.h"
#include "dirent-util.h"
#include "fd-util.h"
#include "fileio.h"
#if ENABLE_SMACK
-static int write_access2_rules(const char* srcdir) {
+static int fdopen_unlocked_at(int dfd, const char *dir, const char *name, int *status, FILE **ret_file) {
+ int fd, r;
+ FILE *f;
+
+ fd = openat(dfd, name, O_RDONLY|O_CLOEXEC);
+ if (fd < 0) {
+ if (*status == 0)
+ *status = -errno;
+
+ return log_warning_errno(errno, "Failed to open \"%s/%s\": %m", dir, name);
+ }
+
+ r = fdopen_unlocked(fd, "r", &f);
+ if (r < 0) {
+ if (*status == 0)
+ *status = r;
+
+ safe_close(fd);
+ return log_error_errno(r, "Failed to open \"%s/%s\": %m", dir, name);
+ }
+
+ *ret_file = f;
+ return 0;
+}
+
+static int write_access2_rules(const char *srcdir) {
_cleanup_close_ int load2_fd = -1, change_fd = -1;
_cleanup_closedir_ DIR *dir = NULL;
struct dirent *entry;
- int dfd = -1;
- int r = 0;
+ int dfd = -1, r = 0;
load2_fd = open("/sys/fs/smackfs/load2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
if (load2_fd < 0) {
assert(dfd >= 0);
FOREACH_DIRENT(entry, dir, return 0) {
- int fd;
_cleanup_fclose_ FILE *policy = NULL;
+ dirent_ensure_type(dir, entry);
if (!dirent_is_file(entry))
continue;
- fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
- if (fd < 0) {
- if (r == 0)
- r = -errno;
- log_warning_errno(errno, "Failed to open '%s': %m", entry->d_name);
+ if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
continue;
- }
-
- policy = fdopen(fd, "re");
- if (!policy) {
- if (r == 0)
- r = -errno;
- safe_close(fd);
- log_error_errno(errno, "Failed to open '%s': %m", entry->d_name);
- continue;
- }
/* load2 write rules in the kernel require a line buffered stream */
for (;;) {
return r;
}
-static int write_cipso2_rules(const char* srcdir) {
+static int write_cipso2_rules(const char *srcdir) {
_cleanup_close_ int cipso2_fd = -1;
_cleanup_closedir_ DIR *dir = NULL;
struct dirent *entry;
- int dfd = -1;
- int r = 0;
+ int dfd = -1, r = 0;
cipso2_fd = open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
if (cipso2_fd < 0) {
assert(dfd >= 0);
FOREACH_DIRENT(entry, dir, return 0) {
- int fd;
_cleanup_fclose_ FILE *policy = NULL;
+ dirent_ensure_type(dir, entry);
if (!dirent_is_file(entry))
continue;
- fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
- if (fd < 0) {
- if (r == 0)
- r = -errno;
- log_error_errno(errno, "Failed to open '%s': %m", entry->d_name);
- continue;
- }
-
- policy = fdopen(fd, "re");
- if (!policy) {
- if (r == 0)
- r = -errno;
- safe_close(fd);
- log_error_errno(errno, "Failed to open '%s': %m", entry->d_name);
+ if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
continue;
- }
/* cipso2 write rules in the kernel require a line buffered stream */
for (;;) {
return r;
}
-static int write_netlabel_rules(const char* srcdir) {
+static int write_netlabel_rules(const char *srcdir) {
_cleanup_fclose_ FILE *dst = NULL;
_cleanup_closedir_ DIR *dir = NULL;
struct dirent *entry;
- int dfd = -1;
- int r = 0;
+ int dfd = -1, r = 0;
dst = fopen("/sys/fs/smackfs/netlabel", "we");
if (!dst) {
assert(dfd >= 0);
FOREACH_DIRENT(entry, dir, return 0) {
- int fd;
_cleanup_fclose_ FILE *policy = NULL;
- fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
- if (fd < 0) {
- if (r == 0)
- r = -errno;
- log_warning_errno(errno, "Failed to open %s: %m", entry->d_name);
+ if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
continue;
- }
-
- policy = fdopen(fd, "re");
- if (!policy) {
- if (r == 0)
- r = -errno;
- safe_close(fd);
- log_error_errno(errno, "Failed to open %s: %m", entry->d_name);
- continue;
- }
-
- (void) __fsetlocking(policy, FSETLOCKING_BYCALLER);
/* load2 write rules in the kernel require a line buffered stream */
for (;;) {
}
#ifdef SMACK_RUN_LABEL
- r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, 0);
+ r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
if (r < 0)
log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
- r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, 0);
+ r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
if (r < 0)
log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m");
r = write_string_file("/sys/fs/smackfs/netlabel",
- "0.0.0.0/0 " SMACK_RUN_LABEL, 0);
+ "0.0.0.0/0 " SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
if (r < 0)
log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m");
- r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
+ r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", WRITE_STRING_FILE_DISABLE_BUFFER);
if (r < 0)
log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
#endif
log_info("Successfully wrote Smack onlycap list.");
break;
default:
- log_emergency_errno(r, "Failed to write Smack onlycap list: %m");
- return r;
+ return log_emergency_errno(r, "Failed to write Smack onlycap list: %m");
}
*loaded_policy = true;