[thirdparty/systemd.git] / src / core / smack-setup.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */
/***
  Copyright © 2013 Intel Corporation
  Authors:
        Nathaniel Chen <nathaniel.chen@intel.com>
***/

#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#include "sd-messages.h"

#include "alloc-util.h"
#include "dirent-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "log.h"
#include "smack-setup.h"
#include "string-util.h"

#if ENABLE_SMACK

static int fdopen_unlocked_at(int dfd, const char *dir, const char *name, int *status, FILE **ret_file) {
        int fd, r;
        FILE *f;

        fd = openat(dfd, name, O_RDONLY|O_CLOEXEC);
        if (fd < 0) {
                if (*status == 0)
                        *status = -errno;

                return log_warning_errno(errno, "Failed to open \"%s/%s\": %m", dir, name);
        }

        r = fdopen_unlocked(fd, "r", &f);
        if (r < 0) {
                if (*status == 0)
                        *status = r;

                safe_close(fd);
                return log_error_errno(r, "Failed to open \"%s/%s\": %m", dir, name);
        }

        *ret_file = f;
        return 0;
}

static int write_access2_rules(const char *srcdir) {
        _cleanup_close_ int load2_fd = -EBADF, change_fd = -EBADF;
        _cleanup_closedir_ DIR *dir = NULL;
        int dfd, r;

        load2_fd = r = RET_NERRNO(open("/sys/fs/smackfs/load2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY));
        if (r < 0)  {
                if (r != -ENOENT)
                        log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/load2");
                return r;
        }

        change_fd = r = RET_NERRNO(open("/sys/fs/smackfs/change-rule", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY));
        if (r < 0)  {
                if (r != -ENOENT)
                        log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/change-rule");
                return r;
        }

        /* write rules to load2 or change-rule from every file in the directory */
        dir = opendir(srcdir);
        if (!dir) {
                if (errno != ENOENT)
                        log_warning_errno(errno, "Failed to open %s/: %m", srcdir);
                return errno; /* positive on purpose */
        }

        dfd = dirfd(dir);
        assert(dfd >= 0);

        r = 0;
        FOREACH_DIRENT(entry, dir, return 0) {
                _cleanup_fclose_ FILE *policy = NULL;

                if (!dirent_is_file(entry))
                        continue;

                if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
                        continue;

                /* load2 write rules in the kernel require a line buffered stream */
                for (;;) {
                        _cleanup_free_ char *buf = NULL, *sbj = NULL, *obj = NULL, *acc1 = NULL, *acc2 = NULL;
                        int q;

                        q = read_line(policy, NAME_MAX, &buf);
                        if (q < 0)
                                return log_error_errno(q, "%s/%s: failed to read line: %m", srcdir, entry->d_name);
                        if (q == 0)
                                break;

                        if (isempty(buf) || strchr(COMMENTS, buf[0]))
                                continue;

                        /* if 3 args -> load rule   : subject object access1 */
                        /* if 4 args -> change rule : subject object access1 access2 */
                        if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) {
                                log_error_errno(errno, "%s/%s: failed to parse rule '%s', ignoring.",
                                                srcdir, entry->d_name, buf);
                                continue;
                        }

                        q = RET_NERRNO(write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)));
                        if (q < 0) {
                                log_error_errno(q, "%s/%s: failed to write '%s' to '%s': %m",
                                                srcdir, entry->d_name,
                                                buf, isempty(acc2) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule");
                                RET_GATHER(r, q);
                        }
                }
        }

        return r;
}

static int write_cipso2_rules(const char *srcdir) {
        _cleanup_close_ int cipso2_fd = -EBADF;
        _cleanup_closedir_ DIR *dir = NULL;
        int dfd, r;

        cipso2_fd = r = RET_NERRNO(open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY));
        if (r < 0)  {
                if (r != -ENOENT)
                        log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/cipso2");
                return r;
        }

        /* write rules to cipso2 from every file in the directory */
        dir = opendir(srcdir);
        if (!dir) {
                if (errno != ENOENT)
                        log_warning_errno(errno, "Failed to open %s/: %m", srcdir);
                return errno; /* positive on purpose */
        }

        dfd = dirfd(dir);
        assert(dfd >= 0);

        r = 0;
        FOREACH_DIRENT(entry, dir, return 0) {
                _cleanup_fclose_ FILE *policy = NULL;

                if (!dirent_is_file(entry))
                        continue;

                if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
                        continue;

                /* cipso2 write rules in the kernel require a line buffered stream */
                for (;;) {
                        _cleanup_free_ char *buf = NULL;
                        int q;

                        q = read_line(policy, NAME_MAX, &buf);
                        if (q < 0)
                                return log_error_errno(q, "%s/%s: failed to read line: %m",
                                                       srcdir, entry->d_name);
                        if (q == 0)
                                break;

                        if (isempty(buf) || strchr(COMMENTS, buf[0]))
                                continue;

                        q = RET_NERRNO(write(cipso2_fd, buf, strlen(buf)));
                        if (q < 0) {
                                log_error_errno(q, "%s/%s: failed to write '%s' to %s: %m",
                                                srcdir, entry->d_name,
                                                buf, "/sys/fs/smackfs/cipso2");
                                RET_GATHER(r, q);
                                break;
                        }
                }
        }

        return r;
}

static int write_netlabel_rules(const char *srcdir) {
        _cleanup_fclose_ FILE *dst = NULL;
        _cleanup_closedir_ DIR *dir = NULL;
        int dfd, r;

        dst = fopen("/sys/fs/smackfs/netlabel", "we");
        if (!dst)  {
                if (errno != ENOENT)
                        log_warning_errno(errno, "Failed to open %s/: %m", "/sys/fs/smackfs/netlabel");
                return -errno; /* negative error */
        }

        /* write rules to dst from every file in the directory */
        dir = opendir(srcdir);
        if (!dir) {
                if (errno != ENOENT)
                        log_warning_errno(errno, "Failed to open %s/: %m", srcdir);
                return errno; /* positive on purpose */
        }

        dfd = dirfd(dir);
        assert(dfd >= 0);

        r = 0;
        FOREACH_DIRENT(entry, dir, return 0) {
                _cleanup_fclose_ FILE *policy = NULL;

                if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
                        continue;

                /* load2 write rules in the kernel require a line buffered stream */
                for (;;) {
                        _cleanup_free_ char *buf = NULL;
                        int q;

                        q = read_line(policy, NAME_MAX, &buf);
                        if (q < 0)
                                return log_error_errno(q, "%s/%s: failed to read line: %m",
                                                       srcdir, entry->d_name);
                        if (q == 0)
                                break;

                        if (!fputs(buf, dst)) {
                                log_error_errno(errno, "Failed to write line to %s: %m", "/sys/fs/smackfs/netlabel");
                                RET_GATHER(r, -errno);
                                break;
                        }
                        q = fflush_and_check(dst);
                        if (q < 0) {
                                log_error_errno(q, "Failed to flush %s: %m", "/sys/fs/smackfs/netlabel");
                                RET_GATHER(r, q);
                                break;
                        }
                }
        }

        return r;
}

static int write_onlycap_list(void) {
        _cleanup_close_ int onlycap_fd = -EBADF;
        _cleanup_free_ char *list = NULL;
        _cleanup_fclose_ FILE *f = NULL;
        size_t len = 0;
        int r;

        f = fopen("/etc/smack/onlycap", "re");
        if (!f) {
                if (errno != ENOENT)
                        log_warning_errno(errno, "Failed to open %s: %m", "/etc/smack/onlycap");

                return errno == ENOENT ? ENOENT : -errno;
        }

        for (;;) {
                _cleanup_free_ char *buf = NULL;
                size_t l;

                r = read_line(f, LONG_LINE_MAX, &buf);
                if (r < 0)
                        return log_error_errno(r, "%s: failed to read line: %m", "/etc/smack/onlycap");
                if (r == 0)
                        break;

                if (isempty(buf) || strchr(COMMENTS, *buf))
                        continue;

                l = strlen(buf);
                if (!GREEDY_REALLOC(list, len + l + 1))
                        return log_oom();

                stpcpy(list + len, buf)[0] = ' ';
                len += l + 1;
        }

        if (len == 0)
                return 0;

        list[len - 1] = 0;

        onlycap_fd = r = RET_NERRNO(open("/sys/fs/smackfs/onlycap", O_WRONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY));
        if (r < 0) {
                if (r != -ENOENT)
                        log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/onlycap");
                return r;
        }

        r = RET_NERRNO(write(onlycap_fd, list, len));
        if (r < 0)
                return log_error_errno(r, "%s: failed to write onlycap list(%s): %m",
                                       "/sys/fs/smackfs/onlycap", list);

        return 0;
}

#endif

int mac_smack_setup(bool *loaded_policy) {

#if ENABLE_SMACK
        int r;

        assert(loaded_policy);

        r = write_access2_rules("/etc/smack/accesses.d");
        switch (r) {
        case -ENOENT:
                log_debug("Smack is not enabled in the kernel.");
                return 0;
        case ENOENT:
                log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
                return 0;
        case 0:
                log_info("Successfully loaded Smack policies.");
                break;
        default:
                log_warning_errno(r, "Failed to load Smack access rules, ignoring: %m");
                return 0;
        }

#if HAVE_SMACK_RUN_LABEL
        r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
        if (r < 0)
                log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
        if (r < 0)
                log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m");
        r = write_string_file("/sys/fs/smackfs/netlabel",
                              "0.0.0.0/0 " SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
        if (r < 0)
                log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m");
        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", WRITE_STRING_FILE_DISABLE_BUFFER);
        if (r < 0)
                log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
#endif

        r = write_cipso2_rules("/etc/smack/cipso.d");
        switch (r) {
        case -ENOENT:
                log_debug("Smack/CIPSO is not enabled in the kernel.");
                return 0;
        case ENOENT:
                log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
                break;
        case 0:
                log_info("Successfully loaded Smack/CIPSO policies.");
                break;
        default:
                log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m");
        }

        r = write_netlabel_rules("/etc/smack/netlabel.d");
        switch (r) {
        case -ENOENT:
                log_debug("Smack/CIPSO is not enabled in the kernel.");
                return 0;
        case ENOENT:
                log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
                break;
        case 0:
                log_info("Successfully loaded Smack network host rules.");
                break;
        default:
                log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring.");
        }

        r = write_onlycap_list();
        switch (r) {
        case -ENOENT:
                log_debug("Smack is not enabled in the kernel.");
                break;
        case ENOENT:
                log_debug("Smack onlycap list file '/etc/smack/onlycap' not found");
                break;
        case 0:
                log_info("Successfully wrote Smack onlycap list.");
                break;
        default:
                return log_struct_errno(LOG_EMERG, r,
                                        LOG_MESSAGE("Failed to write Smack onlycap list: %m"),
                                        LOG_MESSAGE_ID(SD_MESSAGE_SMACK_FAILED_WRITE_STR));
        }

        *loaded_policy = true;

#endif

        return 0;
}
Commit	Line	Data
	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
	2	/***
	3	Copyright © 2013 Intel Corporation
	4	Authors:
	5	Nathaniel Chen <nathaniel.chen@intel.com>
	6	***/
	7
	8	#include <fcntl.h>
	9	#include <stdio.h>
	10	#include <unistd.h>
	11
	12	#include "sd-messages.h"
	13
	14	#include "alloc-util.h"
	15	#include "dirent-util.h"
	16	#include "errno-util.h"
	17	#include "fd-util.h"
	18	#include "fileio.h"
	19	#include "log.h"
	20	#include "smack-setup.h"
	21	#include "string-util.h"
	22
	23	#if ENABLE_SMACK
	24
	25	static int fdopen_unlocked_at(int dfd, const char dir, const char name, int status, FILE *ret_file) {
	26	int fd, r;
	27	FILE *f;
	28
	29	fd = openat(dfd, name, O_RDONLY\|O_CLOEXEC);
	30	if (fd < 0) {
	31	if (*status == 0)
	32	*status = -errno;
	33
	34	return log_warning_errno(errno, "Failed to open \"%s/%s\": %m", dir, name);
	35	}
	36
	37	r = fdopen_unlocked(fd, "r", &f);
	38	if (r < 0) {
	39	if (*status == 0)
	40	*status = r;
	41
	42	safe_close(fd);
	43	return log_error_errno(r, "Failed to open \"%s/%s\": %m", dir, name);
	44	}
	45
	46	*ret_file = f;
	47	return 0;
	48	}
	49
	50	static int write_access2_rules(const char *srcdir) {
	51	_cleanup_close_ int load2_fd = -EBADF, change_fd = -EBADF;
	52	_cleanup_closedir_ DIR *dir = NULL;
	53	int dfd, r;
	54
	55	load2_fd = r = RET_NERRNO(open("/sys/fs/smackfs/load2", O_RDWR\|O_CLOEXEC\|O_NONBLOCK\|O_NOCTTY));
	56	if (r < 0) {
	57	if (r != -ENOENT)
	58	log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/load2");
	59	return r;
	60	}
	61
	62	change_fd = r = RET_NERRNO(open("/sys/fs/smackfs/change-rule", O_RDWR\|O_CLOEXEC\|O_NONBLOCK\|O_NOCTTY));
	63	if (r < 0) {
	64	if (r != -ENOENT)
	65	log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/change-rule");
	66	return r;
	67	}
	68
	69	/* write rules to load2 or change-rule from every file in the directory */
	70	dir = opendir(srcdir);
	71	if (!dir) {
	72	if (errno != ENOENT)
	73	log_warning_errno(errno, "Failed to open %s/: %m", srcdir);
	74	return errno; /* positive on purpose */
	75	}
	76
	77	dfd = dirfd(dir);
	78	assert(dfd >= 0);
	79
	80	r = 0;
	81	FOREACH_DIRENT(entry, dir, return 0) {
	82	_cleanup_fclose_ FILE *policy = NULL;
	83
	84	if (!dirent_is_file(entry))
	85	continue;
	86
	87	if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
	88	continue;
	89
	90	/* load2 write rules in the kernel require a line buffered stream */
	91	for (;;) {
	92	_cleanup_free_ char buf = NULL, sbj = NULL, obj = NULL, acc1 = NULL, *acc2 = NULL;
	93	int q;
	94
	95	q = read_line(policy, NAME_MAX, &buf);
	96	if (q < 0)
	97	return log_error_errno(q, "%s/%s: failed to read line: %m", srcdir, entry->d_name);
	98	if (q == 0)
	99	break;
	100
	101	if (isempty(buf) \|\| strchr(COMMENTS, buf[0]))
	102	continue;
	103
	104	/* if 3 args -> load rule : subject object access1 */
	105	/* if 4 args -> change rule : subject object access1 access2 */
	106	if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) {
	107	log_error_errno(errno, "%s/%s: failed to parse rule '%s', ignoring.",
	108	srcdir, entry->d_name, buf);
	109	continue;
	110	}
	111
	112	q = RET_NERRNO(write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)));
	113	if (q < 0) {
	114	log_error_errno(q, "%s/%s: failed to write '%s' to '%s': %m",
	115	srcdir, entry->d_name,
	116	buf, isempty(acc2) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule");
	117	RET_GATHER(r, q);
	118	}
	119	}
	120	}
	121
	122	return r;
	123	}
	124
	125	static int write_cipso2_rules(const char *srcdir) {
	126	_cleanup_close_ int cipso2_fd = -EBADF;
	127	_cleanup_closedir_ DIR *dir = NULL;
	128	int dfd, r;
	129
	130	cipso2_fd = r = RET_NERRNO(open("/sys/fs/smackfs/cipso2", O_RDWR\|O_CLOEXEC\|O_NONBLOCK\|O_NOCTTY));
	131	if (r < 0) {
	132	if (r != -ENOENT)
	133	log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/cipso2");
	134	return r;
	135	}
	136
	137	/* write rules to cipso2 from every file in the directory */
	138	dir = opendir(srcdir);
	139	if (!dir) {
	140	if (errno != ENOENT)
	141	log_warning_errno(errno, "Failed to open %s/: %m", srcdir);
	142	return errno; /* positive on purpose */
	143	}
	144
	145	dfd = dirfd(dir);
	146	assert(dfd >= 0);
	147
	148	r = 0;
	149	FOREACH_DIRENT(entry, dir, return 0) {
	150	_cleanup_fclose_ FILE *policy = NULL;
	151
	152	if (!dirent_is_file(entry))
	153	continue;
	154
	155	if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
	156	continue;
	157
	158	/* cipso2 write rules in the kernel require a line buffered stream */
	159	for (;;) {
	160	_cleanup_free_ char *buf = NULL;
	161	int q;
	162
	163	q = read_line(policy, NAME_MAX, &buf);
	164	if (q < 0)
	165	return log_error_errno(q, "%s/%s: failed to read line: %m",
	166	srcdir, entry->d_name);
	167	if (q == 0)
	168	break;
	169
	170	if (isempty(buf) \|\| strchr(COMMENTS, buf[0]))
	171	continue;
	172
	173	q = RET_NERRNO(write(cipso2_fd, buf, strlen(buf)));
	174	if (q < 0) {
	175	log_error_errno(q, "%s/%s: failed to write '%s' to %s: %m",
	176	srcdir, entry->d_name,
	177	buf, "/sys/fs/smackfs/cipso2");
	178	RET_GATHER(r, q);
	179	break;
	180	}
	181	}
	182	}
	183
	184	return r;
	185	}
	186
	187	static int write_netlabel_rules(const char *srcdir) {
	188	_cleanup_fclose_ FILE *dst = NULL;
	189	_cleanup_closedir_ DIR *dir = NULL;
	190	int dfd, r;
	191
	192	dst = fopen("/sys/fs/smackfs/netlabel", "we");
	193	if (!dst) {
	194	if (errno != ENOENT)
	195	log_warning_errno(errno, "Failed to open %s/: %m", "/sys/fs/smackfs/netlabel");
	196	return -errno; /* negative error */
	197	}
	198
	199	/* write rules to dst from every file in the directory */
	200	dir = opendir(srcdir);
	201	if (!dir) {
	202	if (errno != ENOENT)
	203	log_warning_errno(errno, "Failed to open %s/: %m", srcdir);
	204	return errno; /* positive on purpose */
	205	}
	206
	207	dfd = dirfd(dir);
	208	assert(dfd >= 0);
	209
	210	r = 0;
	211	FOREACH_DIRENT(entry, dir, return 0) {
	212	_cleanup_fclose_ FILE *policy = NULL;
	213
	214	if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
	215	continue;
	216
	217	/* load2 write rules in the kernel require a line buffered stream */
	218	for (;;) {
	219	_cleanup_free_ char *buf = NULL;
	220	int q;
	221
	222	q = read_line(policy, NAME_MAX, &buf);
	223	if (q < 0)
	224	return log_error_errno(q, "%s/%s: failed to read line: %m",
	225	srcdir, entry->d_name);
	226	if (q == 0)
	227	break;
	228
	229	if (!fputs(buf, dst)) {
	230	log_error_errno(errno, "Failed to write line to %s: %m", "/sys/fs/smackfs/netlabel");
	231	RET_GATHER(r, -errno);
	232	break;
	233	}
	234	q = fflush_and_check(dst);
	235	if (q < 0) {
	236	log_error_errno(q, "Failed to flush %s: %m", "/sys/fs/smackfs/netlabel");
	237	RET_GATHER(r, q);
	238	break;
	239	}
	240	}
	241	}
	242
	243	return r;
	244	}
	245
	246	static int write_onlycap_list(void) {
	247	_cleanup_close_ int onlycap_fd = -EBADF;
	248	_cleanup_free_ char *list = NULL;
	249	_cleanup_fclose_ FILE *f = NULL;
	250	size_t len = 0;
	251	int r;
	252
	253	f = fopen("/etc/smack/onlycap", "re");
	254	if (!f) {
	255	if (errno != ENOENT)
	256	log_warning_errno(errno, "Failed to open %s: %m", "/etc/smack/onlycap");
	257
	258	return errno == ENOENT ? ENOENT : -errno;
	259	}
	260
	261	for (;;) {
	262	_cleanup_free_ char *buf = NULL;
	263	size_t l;
	264
	265	r = read_line(f, LONG_LINE_MAX, &buf);
	266	if (r < 0)
	267	return log_error_errno(r, "%s: failed to read line: %m", "/etc/smack/onlycap");
	268	if (r == 0)
	269	break;
	270
	271	if (isempty(buf) \|\| strchr(COMMENTS, *buf))
	272	continue;
	273
	274	l = strlen(buf);
	275	if (!GREEDY_REALLOC(list, len + l + 1))
	276	return log_oom();
	277
	278	stpcpy(list + len, buf)[0] = ' ';
	279	len += l + 1;
	280	}
	281
	282	if (len == 0)
	283	return 0;
	284
	285	list[len - 1] = 0;
	286
	287	onlycap_fd = r = RET_NERRNO(open("/sys/fs/smackfs/onlycap", O_WRONLY\|O_CLOEXEC\|O_NONBLOCK\|O_NOCTTY));
	288	if (r < 0) {
	289	if (r != -ENOENT)
	290	log_warning_errno(r, "Failed to open %s: %m", "/sys/fs/smackfs/onlycap");
	291	return r;
	292	}
	293
	294	r = RET_NERRNO(write(onlycap_fd, list, len));
	295	if (r < 0)
	296	return log_error_errno(r, "%s: failed to write onlycap list(%s): %m",
	297	"/sys/fs/smackfs/onlycap", list);
	298
	299	return 0;
	300	}
	301
	302	#endif
	303
	304	int mac_smack_setup(bool *loaded_policy) {
	305
	306	#if ENABLE_SMACK
	307	int r;
	308
	309	assert(loaded_policy);
	310
	311	r = write_access2_rules("/etc/smack/accesses.d");
	312	switch (r) {
	313	case -ENOENT:
	314	log_debug("Smack is not enabled in the kernel.");
	315	return 0;
	316	case ENOENT:
	317	log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
	318	return 0;
	319	case 0:
	320	log_info("Successfully loaded Smack policies.");
	321	break;
	322	default:
	323	log_warning_errno(r, "Failed to load Smack access rules, ignoring: %m");
	324	return 0;
	325	}
	326
	327	#if HAVE_SMACK_RUN_LABEL
	328	r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
	329	if (r < 0)
	330	log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
	331	r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
	332	if (r < 0)
	333	log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m");
	334	r = write_string_file("/sys/fs/smackfs/netlabel",
	335	"0.0.0.0/0 " SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
	336	if (r < 0)
	337	log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m");
	338	r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", WRITE_STRING_FILE_DISABLE_BUFFER);
	339	if (r < 0)
	340	log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
	341	#endif
	342
	343	r = write_cipso2_rules("/etc/smack/cipso.d");
	344	switch (r) {
	345	case -ENOENT:
	346	log_debug("Smack/CIPSO is not enabled in the kernel.");
	347	return 0;
	348	case ENOENT:
	349	log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
	350	break;
	351	case 0:
	352	log_info("Successfully loaded Smack/CIPSO policies.");
	353	break;
	354	default:
	355	log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m");
	356	}
	357
	358	r = write_netlabel_rules("/etc/smack/netlabel.d");
	359	switch (r) {
	360	case -ENOENT:
	361	log_debug("Smack/CIPSO is not enabled in the kernel.");
	362	return 0;
	363	case ENOENT:
	364	log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
	365	break;
	366	case 0:
	367	log_info("Successfully loaded Smack network host rules.");
	368	break;
	369	default:
	370	log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring.");
	371	}
	372
	373	r = write_onlycap_list();
	374	switch (r) {
	375	case -ENOENT:
	376	log_debug("Smack is not enabled in the kernel.");
	377	break;
	378	case ENOENT:
	379	log_debug("Smack onlycap list file '/etc/smack/onlycap' not found");
	380	break;
	381	case 0:
	382	log_info("Successfully wrote Smack onlycap list.");
	383	break;
	384	default:
	385	return log_struct_errno(LOG_EMERG, r,
	386	LOG_MESSAGE("Failed to write Smack onlycap list: %m"),
	387	LOG_MESSAGE_ID(SD_MESSAGE_SMACK_FAILED_WRITE_STR));
	388	}
	389
	390	*loaded_policy = true;
	391
	392	#endif
	393
	394	return 0;
	395	}