src/basic/smack-util.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2013 Intel Corporation
   7
   8   Author: Auke Kok <auke-jan.h.kok@intel.com>
   9
  10   systemd is free software; you can redistribute it and/or modify it
  11   under the terms of the GNU Lesser General Public License as published by
  12   the Free Software Foundation; either version 2.1 of the License, or
  13   (at your option) any later version.
  14
  15   systemd is distributed in the hope that it will be useful, but
  16   WITHOUT ANY WARRANTY; without even the implied warranty of
  17   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  18   Lesser General Public License for more details.
  19
  20   You should have received a copy of the GNU Lesser General Public License
  21   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  22 ***/
  23
  24 #include <sys/xattr.h>
  25
  26 #include "alloc-util.h"
  27 #include "fileio.h"
  28 #include "path-util.h"
  29 #include "process-util.h"
  30 #include "smack-util.h"
  31 #include "string-table.h"
  32 #include "util.h"
  33 #include "xattr-util.h"
  34
  35 #ifdef HAVE_SMACK
  36 bool mac_smack_use(void) {
  37         static int cached_use = -1;
  38
  39         if (cached_use < 0)
  40                 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
  41
  42         return cached_use;
  43 }
  44
  45 static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
  46         [SMACK_ATTR_ACCESS]     = "security.SMACK64",
  47         [SMACK_ATTR_EXEC]       = "security.SMACK64EXEC",
  48         [SMACK_ATTR_MMAP]       = "security.SMACK64MMAP",
  49         [SMACK_ATTR_TRANSMUTE]  = "security.SMACK64TRANSMUTE",
  50         [SMACK_ATTR_IPIN]       = "security.SMACK64IPIN",
  51         [SMACK_ATTR_IPOUT]      = "security.SMACK64IPOUT",
  52 };
  53
  54 DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
  55
  56 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
  57         assert(path);
  58         assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
  59         assert(label);
  60
  61         if (!mac_smack_use())
  62                 return 0;
  63
  64         return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
  65 }
  66
  67 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
  68         assert(fd >= 0);
  69         assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
  70         assert(label);
  71
  72         if (!mac_smack_use())
  73                 return 0;
  74
  75         return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
  76 }
  77
  78 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
  79         int r;
  80
  81         assert(path);
  82         assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
  83
  84         if (!mac_smack_use())
  85                 return 0;
  86
  87         if (label)
  88                 r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
  89         else
  90                 r = lremovexattr(path, smack_attr_to_string(attr));
  91         if (r < 0)
  92                 return -errno;
  93
  94         return 0;
  95 }
  96
  97 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
  98         int r;
  99
 100         assert(fd >= 0);
 101         assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
 102
 103         if (!mac_smack_use())
 104                 return 0;
 105
 106         if (label)
 107                 r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
 108         else
 109                 r = fremovexattr(fd, smack_attr_to_string(attr));
 110         if (r < 0)
 111                 return -errno;
 112
 113         return 0;
 114 }
 115
 116 int mac_smack_apply_pid(pid_t pid, const char *label) {
 117         const char *p;
 118         int r = 0;
 119
 120         assert(label);
 121
 122         if (!mac_smack_use())
 123                 return 0;
 124
 125         p = procfs_file_alloca(pid, "attr/current");
 126         r = write_string_file(p, label, 0);
 127         if (r < 0)
 128                 return r;
 129
 130         return r;
 131 }
 132
 133 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
 134         struct stat st;
 135         int r = 0;
 136
 137         assert(path);
 138
 139         if (!mac_smack_use())
 140                 return 0;
 141
 142         /*
 143          * Path must be in /dev and must exist
 144          */
 145         if (!path_startswith(path, "/dev"))
 146                 return 0;
 147
 148         r = lstat(path, &st);
 149         if (r >= 0) {
 150                 const char *label;
 151
 152                 /*
 153                  * Label directories and character devices "*".
 154                  * Label symlinks "_".
 155                  * Don't change anything else.
 156                  */
 157
 158                 if (S_ISDIR(st.st_mode))
 159                         label = SMACK_STAR_LABEL;
 160                 else if (S_ISLNK(st.st_mode))
 161                         label = SMACK_FLOOR_LABEL;
 162                 else if (S_ISCHR(st.st_mode))
 163                         label = SMACK_STAR_LABEL;
 164                 else
 165                         return 0;
 166
 167                 r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
 168
 169                 /* If the FS doesn't support labels, then exit without warning */
 170                 if (r < 0 && errno == EOPNOTSUPP)
 171                         return 0;
 172         }
 173
 174         if (r < 0) {
 175                 /* Ignore ENOENT in some cases */
 176                 if (ignore_enoent && errno == ENOENT)
 177                         return 0;
 178
 179                 if (ignore_erofs && errno == EROFS)
 180                         return 0;
 181
 182                 r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
 183         }
 184
 185         return r;
 186 }
 187
 188 int mac_smack_copy(const char *dest, const char *src) {
 189         int r = 0;
 190         _cleanup_free_ char *label = NULL;
 191
 192         assert(dest);
 193         assert(src);
 194
 195         r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
 196         if (r < 0)
 197                 return r;
 198
 199         r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
 200         if (r < 0)
 201                 return r;
 202
 203         return r;
 204 }
 205
 206 #else
 207 bool mac_smack_use(void) {
 208         return false;
 209 }
 210
 211 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
 212         return -EOPNOTSUPP;
 213 }
 214
 215 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
 216         return -EOPNOTSUPP;
 217 }
 218
 219 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
 220         return 0;
 221 }
 222
 223 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
 224         return 0;
 225 }
 226
 227 int mac_smack_apply_pid(pid_t pid, const char *label) {
 228         return 0;
 229 }
 230
 231 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
 232         return 0;
 233 }
 234
 235 int mac_smack_copy(const char *dest, const char *src) {
 236         return 0;
 237 }
 238 #endif