]>
Commit | Line | Data |
---|---|---|
8552b176 AK |
1 | /*** |
2 | This file is part of systemd. | |
3 | ||
4 | Copyright 2013 Intel Corporation | |
5 | ||
6 | Author: Auke Kok <auke-jan.h.kok@intel.com> | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU Lesser General Public License as published by | |
10 | the Free Software Foundation; either version 2.1 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | Lesser General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU Lesser General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
11c3a366 TA |
22 | #include <errno.h> |
23 | #include <string.h> | |
24 | #include <sys/stat.h> | |
d2edfae0 | 25 | #include <sys/xattr.h> |
11c3a366 | 26 | #include <unistd.h> |
8552b176 | 27 | |
b5efdb8a | 28 | #include "alloc-util.h" |
2ca620c4 | 29 | #include "fileio.h" |
93cc7779 TA |
30 | #include "log.h" |
31 | #include "macro.h" | |
89a5a90c LP |
32 | #include "path-util.h" |
33 | #include "process-util.h" | |
d682b3a7 | 34 | #include "smack-util.h" |
8b43440b | 35 | #include "string-table.h" |
89a5a90c | 36 | #include "xattr-util.h" |
8552b176 | 37 | |
d682b3a7 | 38 | #ifdef HAVE_SMACK |
5ab58c20 | 39 | bool mac_smack_use(void) { |
6baa7db0 | 40 | static int cached_use = -1; |
d682b3a7 | 41 | |
6baa7db0 LP |
42 | if (cached_use < 0) |
43 | cached_use = access("/sys/fs/smackfs/", F_OK) >= 0; | |
8552b176 | 44 | |
6baa7db0 | 45 | return cached_use; |
8552b176 | 46 | } |
9a4e038c | 47 | |
5ab58c20 WC |
48 | static const char* const smack_attr_table[_SMACK_ATTR_MAX] = { |
49 | [SMACK_ATTR_ACCESS] = "security.SMACK64", | |
50 | [SMACK_ATTR_EXEC] = "security.SMACK64EXEC", | |
51 | [SMACK_ATTR_MMAP] = "security.SMACK64MMAP", | |
52 | [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE", | |
53 | [SMACK_ATTR_IPIN] = "security.SMACK64IPIN", | |
54 | [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT", | |
55 | }; | |
56 | ||
57 | DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr); | |
d53e386d | 58 | |
5ab58c20 | 59 | int mac_smack_read(const char *path, SmackAttr attr, char **label) { |
d53e386d | 60 | assert(path); |
5ab58c20 WC |
61 | assert(attr >= 0 && attr < _SMACK_ATTR_MAX); |
62 | assert(label); | |
d53e386d | 63 | |
6baa7db0 | 64 | if (!mac_smack_use()) |
9a4e038c KS |
65 | return 0; |
66 | ||
5ab58c20 | 67 | return getxattr_malloc(path, smack_attr_to_string(attr), label, true); |
9a4e038c KS |
68 | } |
69 | ||
5ab58c20 | 70 | int mac_smack_read_fd(int fd, SmackAttr attr, char **label) { |
d53e386d | 71 | assert(fd >= 0); |
5ab58c20 WC |
72 | assert(attr >= 0 && attr < _SMACK_ATTR_MAX); |
73 | assert(label); | |
d53e386d | 74 | |
6baa7db0 | 75 | if (!mac_smack_use()) |
9a4e038c KS |
76 | return 0; |
77 | ||
5ab58c20 | 78 | return fgetxattr_malloc(fd, smack_attr_to_string(attr), label); |
9a4e038c KS |
79 | } |
80 | ||
5ab58c20 WC |
81 | int mac_smack_apply(const char *path, SmackAttr attr, const char *label) { |
82 | int r; | |
d53e386d | 83 | |
5ab58c20 WC |
84 | assert(path); |
85 | assert(attr >= 0 && attr < _SMACK_ATTR_MAX); | |
d53e386d | 86 | |
6baa7db0 | 87 | if (!mac_smack_use()) |
9a4e038c KS |
88 | return 0; |
89 | ||
d53e386d | 90 | if (label) |
5ab58c20 | 91 | r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0); |
d53e386d | 92 | else |
5ab58c20 | 93 | r = lremovexattr(path, smack_attr_to_string(attr)); |
d53e386d LP |
94 | if (r < 0) |
95 | return -errno; | |
d53e386d | 96 | |
5ab58c20 | 97 | return 0; |
9a4e038c KS |
98 | } |
99 | ||
5ab58c20 WC |
100 | int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { |
101 | int r; | |
d53e386d LP |
102 | |
103 | assert(fd >= 0); | |
5ab58c20 | 104 | assert(attr >= 0 && attr < _SMACK_ATTR_MAX); |
d53e386d | 105 | |
6baa7db0 | 106 | if (!mac_smack_use()) |
9a4e038c KS |
107 | return 0; |
108 | ||
d53e386d | 109 | if (label) |
5ab58c20 | 110 | r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0); |
d53e386d | 111 | else |
5ab58c20 | 112 | r = fremovexattr(fd, smack_attr_to_string(attr)); |
d53e386d LP |
113 | if (r < 0) |
114 | return -errno; | |
d53e386d | 115 | |
5ab58c20 | 116 | return 0; |
9a4e038c | 117 | } |
66b6d9d5 | 118 | |
2ca620c4 | 119 | int mac_smack_apply_pid(pid_t pid, const char *label) { |
2ca620c4 | 120 | const char *p; |
fae5694e | 121 | int r = 0; |
2ca620c4 WC |
122 | |
123 | assert(label); | |
124 | ||
2ca620c4 WC |
125 | if (!mac_smack_use()) |
126 | return 0; | |
127 | ||
128 | p = procfs_file_alloca(pid, "attr/current"); | |
ad118bda | 129 | r = write_string_file(p, label, 0); |
2ca620c4 WC |
130 | if (r < 0) |
131 | return r; | |
2ca620c4 WC |
132 | |
133 | return r; | |
134 | } | |
135 | ||
5dfc5461 | 136 | int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { |
5dfc5461 | 137 | struct stat st; |
fae5694e | 138 | int r = 0; |
d53e386d LP |
139 | |
140 | assert(path); | |
141 | ||
d53e386d LP |
142 | if (!mac_smack_use()) |
143 | return 0; | |
66b6d9d5 WC |
144 | |
145 | /* | |
146 | * Path must be in /dev and must exist | |
147 | */ | |
148 | if (!path_startswith(path, "/dev")) | |
149 | return 0; | |
150 | ||
5dfc5461 LP |
151 | r = lstat(path, &st); |
152 | if (r >= 0) { | |
153 | const char *label; | |
154 | ||
155 | /* | |
156 | * Label directories and character devices "*". | |
157 | * Label symlinks "_". | |
158 | * Don't change anything else. | |
159 | */ | |
160 | ||
161 | if (S_ISDIR(st.st_mode)) | |
162 | label = SMACK_STAR_LABEL; | |
163 | else if (S_ISLNK(st.st_mode)) | |
164 | label = SMACK_FLOOR_LABEL; | |
165 | else if (S_ISCHR(st.st_mode)) | |
166 | label = SMACK_STAR_LABEL; | |
167 | else | |
168 | return 0; | |
66b6d9d5 | 169 | |
5dfc5461 LP |
170 | r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0); |
171 | ||
172 | /* If the FS doesn't support labels, then exit without warning */ | |
15411c0c | 173 | if (r < 0 && errno == EOPNOTSUPP) |
5dfc5461 LP |
174 | return 0; |
175 | } | |
66b6d9d5 | 176 | |
66b6d9d5 | 177 | if (r < 0) { |
5dfc5461 LP |
178 | /* Ignore ENOENT in some cases */ |
179 | if (ignore_enoent && errno == ENOENT) | |
180 | return 0; | |
181 | ||
182 | if (ignore_erofs && errno == EROFS) | |
183 | return 0; | |
184 | ||
fae5694e | 185 | r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path); |
66b6d9d5 | 186 | } |
66b6d9d5 WC |
187 | |
188 | return r; | |
189 | } | |
5ab58c20 | 190 | |
ba056b73 SW |
191 | int mac_smack_copy(const char *dest, const char *src) { |
192 | int r = 0; | |
193 | _cleanup_free_ char *label = NULL; | |
194 | ||
195 | assert(dest); | |
196 | assert(src); | |
197 | ||
198 | r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label); | |
199 | if (r < 0) | |
200 | return r; | |
201 | ||
202 | r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label); | |
203 | if (r < 0) | |
204 | return r; | |
205 | ||
206 | return r; | |
207 | } | |
5ab58c20 WC |
208 | |
209 | #else | |
210 | bool mac_smack_use(void) { | |
211 | return false; | |
212 | } | |
213 | ||
214 | int mac_smack_read(const char *path, SmackAttr attr, char **label) { | |
215 | return -EOPNOTSUPP; | |
216 | } | |
217 | ||
218 | int mac_smack_read_fd(int fd, SmackAttr attr, char **label) { | |
219 | return -EOPNOTSUPP; | |
220 | } | |
221 | ||
222 | int mac_smack_apply(const char *path, SmackAttr attr, const char *label) { | |
223 | return 0; | |
224 | } | |
225 | ||
226 | int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) { | |
227 | return 0; | |
228 | } | |
229 | ||
230 | int mac_smack_apply_pid(pid_t pid, const char *label) { | |
231 | return 0; | |
232 | } | |
233 | ||
234 | int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { | |
235 | return 0; | |
236 | } | |
ba056b73 SW |
237 | |
238 | int mac_smack_copy(const char *dest, const char *src) { | |
239 | return 0; | |
240 | } | |
5ab58c20 | 241 | #endif |