]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/smack-setup.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #29343 from DaanDeMeyer/tmp
[thirdparty/systemd.git] / src / core / smack-setup.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 /***
3 Copyright © 2013 Intel Corporation
4 Authors:
5 Nathaniel Chen <nathaniel.chen@intel.com>
6 ***/
7
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <stdio.h>
11 #include <stdlib.h>
12 #include <unistd.h>
13
14 #include "sd-messages.h"
15
16 #include "alloc-util.h"
17 #include "dirent-util.h"
18 #include "fd-util.h"
19 #include "fileio.h"
20 #include "log.h"
21 #include "macro.h"
22 #include "smack-setup.h"
23 #include "string-util.h"
24
25 #if ENABLE_SMACK
26
27 static int fdopen_unlocked_at(int dfd, const char *dir, const char *name, int *status, FILE **ret_file) {
28 int fd, r;
29 FILE *f;
30
31 fd = openat(dfd, name, O_RDONLY|O_CLOEXEC);
32 if (fd < 0) {
33 if (*status == 0)
34 *status = -errno;
35
36 return log_warning_errno(errno, "Failed to open \"%s/%s\": %m", dir, name);
37 }
38
39 r = fdopen_unlocked(fd, "r", &f);
40 if (r < 0) {
41 if (*status == 0)
42 *status = r;
43
44 safe_close(fd);
45 return log_error_errno(r, "Failed to open \"%s/%s\": %m", dir, name);
46 }
47
48 *ret_file = f;
49 return 0;
50 }
51
52 static int write_access2_rules(const char *srcdir) {
53 _cleanup_close_ int load2_fd = -EBADF, change_fd = -EBADF;
54 _cleanup_closedir_ DIR *dir = NULL;
55 int dfd = -EBADF, r = 0;
56
57 load2_fd = open("/sys/fs/smackfs/load2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
58 if (load2_fd < 0) {
59 if (errno != ENOENT)
60 log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/load2': %m");
61 return -errno; /* negative error */
62 }
63
64 change_fd = open("/sys/fs/smackfs/change-rule", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
65 if (change_fd < 0) {
66 if (errno != ENOENT)
67 log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/change-rule': %m");
68 return -errno; /* negative error */
69 }
70
71 /* write rules to load2 or change-rule from every file in the directory */
72 dir = opendir(srcdir);
73 if (!dir) {
74 if (errno != ENOENT)
75 log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir);
76 return errno; /* positive on purpose */
77 }
78
79 dfd = dirfd(dir);
80 assert(dfd >= 0);
81
82 FOREACH_DIRENT(entry, dir, return 0) {
83 _cleanup_fclose_ FILE *policy = NULL;
84
85 if (!dirent_is_file(entry))
86 continue;
87
88 if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
89 continue;
90
91 /* load2 write rules in the kernel require a line buffered stream */
92 for (;;) {
93 _cleanup_free_ char *buf = NULL, *sbj = NULL, *obj = NULL, *acc1 = NULL, *acc2 = NULL;
94 int q;
95
96 q = read_line(policy, NAME_MAX, &buf);
97 if (q < 0)
98 return log_error_errno(q, "Failed to read line from '%s': %m", entry->d_name);
99 if (q == 0)
100 break;
101
102 if (isempty(buf) || strchr(COMMENTS, buf[0]))
103 continue;
104
105 /* if 3 args -> load rule : subject object access1 */
106 /* if 4 args -> change rule : subject object access1 access2 */
107 if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) {
108 log_error_errno(errno, "Failed to parse rule '%s' in '%s', ignoring.", buf, entry->d_name);
109 continue;
110 }
111
112 if (write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)) < 0) {
113 if (r == 0)
114 r = -errno;
115 log_error_errno(errno, "Failed to write '%s' to '%s' in '%s': %m",
116 buf, isempty(acc2) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule", entry->d_name);
117 }
118 }
119 }
120
121 return r;
122 }
123
124 static int write_cipso2_rules(const char *srcdir) {
125 _cleanup_close_ int cipso2_fd = -EBADF;
126 _cleanup_closedir_ DIR *dir = NULL;
127 int dfd = -EBADF, r = 0;
128
129 cipso2_fd = open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
130 if (cipso2_fd < 0) {
131 if (errno != ENOENT)
132 log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/cipso2': %m");
133 return -errno; /* negative error */
134 }
135
136 /* write rules to cipso2 from every file in the directory */
137 dir = opendir(srcdir);
138 if (!dir) {
139 if (errno != ENOENT)
140 log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir);
141 return errno; /* positive on purpose */
142 }
143
144 dfd = dirfd(dir);
145 assert(dfd >= 0);
146
147 FOREACH_DIRENT(entry, dir, return 0) {
148 _cleanup_fclose_ FILE *policy = NULL;
149
150 if (!dirent_is_file(entry))
151 continue;
152
153 if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
154 continue;
155
156 /* cipso2 write rules in the kernel require a line buffered stream */
157 for (;;) {
158 _cleanup_free_ char *buf = NULL;
159 int q;
160
161 q = read_line(policy, NAME_MAX, &buf);
162 if (q < 0)
163 return log_error_errno(q, "Failed to read line from '%s': %m", entry->d_name);
164 if (q == 0)
165 break;
166
167 if (isempty(buf) || strchr(COMMENTS, buf[0]))
168 continue;
169
170 if (write(cipso2_fd, buf, strlen(buf)) < 0) {
171 if (r == 0)
172 r = -errno;
173 log_error_errno(errno, "Failed to write '%s' to '/sys/fs/smackfs/cipso2' in '%s': %m",
174 buf, entry->d_name);
175 break;
176 }
177 }
178 }
179
180 return r;
181 }
182
183 static int write_netlabel_rules(const char *srcdir) {
184 _cleanup_fclose_ FILE *dst = NULL;
185 _cleanup_closedir_ DIR *dir = NULL;
186 int dfd = -EBADF, r = 0;
187
188 dst = fopen("/sys/fs/smackfs/netlabel", "we");
189 if (!dst) {
190 if (errno != ENOENT)
191 log_warning_errno(errno, "Failed to open /sys/fs/smackfs/netlabel: %m");
192 return -errno; /* negative error */
193 }
194
195 /* write rules to dst from every file in the directory */
196 dir = opendir(srcdir);
197 if (!dir) {
198 if (errno != ENOENT)
199 log_warning_errno(errno, "Failed to opendir %s: %m", srcdir);
200 return errno; /* positive on purpose */
201 }
202
203 dfd = dirfd(dir);
204 assert(dfd >= 0);
205
206 FOREACH_DIRENT(entry, dir, return 0) {
207 _cleanup_fclose_ FILE *policy = NULL;
208
209 if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0)
210 continue;
211
212 /* load2 write rules in the kernel require a line buffered stream */
213 for (;;) {
214 _cleanup_free_ char *buf = NULL;
215 int q;
216
217 q = read_line(policy, NAME_MAX, &buf);
218 if (q < 0)
219 return log_error_errno(q, "Failed to read line from %s: %m", entry->d_name);
220 if (q == 0)
221 break;
222
223 if (!fputs(buf, dst)) {
224 if (r == 0)
225 r = -EINVAL;
226 log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel: %m");
227 break;
228 }
229 q = fflush_and_check(dst);
230 if (q < 0) {
231 if (r == 0)
232 r = q;
233 log_error_errno(q, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m");
234 break;
235 }
236 }
237 }
238
239 return r;
240 }
241
242 static int write_onlycap_list(void) {
243 _cleanup_close_ int onlycap_fd = -EBADF;
244 _cleanup_free_ char *list = NULL;
245 _cleanup_fclose_ FILE *f = NULL;
246 size_t len = 0;
247 int r;
248
249 f = fopen("/etc/smack/onlycap", "re");
250 if (!f) {
251 if (errno != ENOENT)
252 log_warning_errno(errno, "Failed to read '/etc/smack/onlycap': %m");
253
254 return errno == ENOENT ? ENOENT : -errno;
255 }
256
257 for (;;) {
258 _cleanup_free_ char *buf = NULL;
259 size_t l;
260
261 r = read_line(f, LONG_LINE_MAX, &buf);
262 if (r < 0)
263 return log_error_errno(r, "Failed to read line from /etc/smack/onlycap: %m");
264 if (r == 0)
265 break;
266
267 if (isempty(buf) || strchr(COMMENTS, *buf))
268 continue;
269
270 l = strlen(buf);
271 if (!GREEDY_REALLOC(list, len + l + 1))
272 return log_oom();
273
274 stpcpy(list + len, buf)[0] = ' ';
275 len += l + 1;
276 }
277
278 if (len == 0)
279 return 0;
280
281 list[len - 1] = 0;
282
283 onlycap_fd = open("/sys/fs/smackfs/onlycap", O_WRONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
284 if (onlycap_fd < 0) {
285 if (errno != ENOENT)
286 log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/onlycap': %m");
287 return -errno; /* negative error */
288 }
289
290 r = write(onlycap_fd, list, len);
291 if (r < 0)
292 return log_error_errno(errno, "Failed to write onlycap list(%s) to '/sys/fs/smackfs/onlycap': %m", list);
293
294 return 0;
295 }
296
297 #endif
298
299 int mac_smack_setup(bool *loaded_policy) {
300
301 #if ENABLE_SMACK
302
303 int r;
304
305 assert(loaded_policy);
306
307 r = write_access2_rules("/etc/smack/accesses.d/");
308 switch (r) {
309 case -ENOENT:
310 log_debug("Smack is not enabled in the kernel.");
311 return 0;
312 case ENOENT:
313 log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
314 return 0;
315 case 0:
316 log_info("Successfully loaded Smack policies.");
317 break;
318 default:
319 log_warning_errno(r, "Failed to load Smack access rules, ignoring: %m");
320 return 0;
321 }
322
323 #if HAVE_SMACK_RUN_LABEL
324 r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
325 if (r < 0)
326 log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m");
327 r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
328 if (r < 0)
329 log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m");
330 r = write_string_file("/sys/fs/smackfs/netlabel",
331 "0.0.0.0/0 " SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER);
332 if (r < 0)
333 log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m");
334 r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", WRITE_STRING_FILE_DISABLE_BUFFER);
335 if (r < 0)
336 log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
337 #endif
338
339 r = write_cipso2_rules("/etc/smack/cipso.d/");
340 switch (r) {
341 case -ENOENT:
342 log_debug("Smack/CIPSO is not enabled in the kernel.");
343 return 0;
344 case ENOENT:
345 log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
346 break;
347 case 0:
348 log_info("Successfully loaded Smack/CIPSO policies.");
349 break;
350 default:
351 log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m");
352 break;
353 }
354
355 r = write_netlabel_rules("/etc/smack/netlabel.d/");
356 switch (r) {
357 case -ENOENT:
358 log_debug("Smack/CIPSO is not enabled in the kernel.");
359 return 0;
360 case ENOENT:
361 log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
362 break;
363 case 0:
364 log_info("Successfully loaded Smack network host rules.");
365 break;
366 default:
367 log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring.");
368 break;
369 }
370
371 r = write_onlycap_list();
372 switch (r) {
373 case -ENOENT:
374 log_debug("Smack is not enabled in the kernel.");
375 break;
376 case ENOENT:
377 log_debug("Smack onlycap list file '/etc/smack/onlycap' not found");
378 break;
379 case 0:
380 log_info("Successfully wrote Smack onlycap list.");
381 break;
382 default:
383 return log_struct_errno(LOG_EMERG, r,
384 LOG_MESSAGE("Failed to write Smack onlycap list: %m"),
385 "MESSAGE_ID=" SD_MESSAGE_SMACK_FAILED_WRITE_STR);
386 }
387
388 *loaded_policy = true;
389
390 #endif
391
392 return 0;
393 }
Unnamed repository; edit this file 'description' to name the repository.