]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/smack-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
cryptenroll: allow to use a public key on a token
[thirdparty/systemd.git] / src / shared / smack-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2 /***
3 Copyright © 2013 Intel Corporation
4
5 Author: Auke Kok <auke-jan.h.kok@intel.com>
6 ***/
7
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <sys/stat.h>
11 #include <sys/xattr.h>
12 #include <unistd.h>
13
14 #include "alloc-util.h"
15 #include "errno-util.h"
16 #include "fd-util.h"
17 #include "fileio.h"
18 #include "label.h"
19 #include "log.h"
20 #include "macro.h"
21 #include "path-util.h"
22 #include "process-util.h"
23 #include "smack-util.h"
24 #include "stdio-util.h"
25 #include "string-table.h"
26 #include "xattr-util.h"
27
28 #if ENABLE_SMACK
29 bool mac_smack_use(void) {
30 static int cached_use = -1;
31
32 if (cached_use < 0)
33 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
34
35 return cached_use;
36 }
37
38 static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
39 [SMACK_ATTR_ACCESS] = "security.SMACK64",
40 [SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
41 [SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
42 [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
43 [SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
44 [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
45 };
46
47 DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
48
49 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
50 assert(path);
51 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
52 assert(label);
53
54 if (!mac_smack_use())
55 return 0;
56
57 return getxattr_malloc(path, smack_attr_to_string(attr), label);
58 }
59
60 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
61 assert(fd >= 0);
62 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
63 assert(label);
64
65 if (!mac_smack_use())
66 return 0;
67
68 return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
69 }
70
71 int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label) {
72 _cleanup_close_ int fd = -EBADF;
73
74 assert(path);
75 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
76
77 if (!mac_smack_use())
78 return 0;
79
80 fd = openat(dir_fd, path, O_PATH|O_CLOEXEC|O_NOFOLLOW);
81 if (fd < 0)
82 return -errno;
83
84 return mac_smack_apply_fd(fd, attr, label);
85 }
86
87 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
88 int r;
89
90 assert(fd >= 0);
91 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
92
93 if (!mac_smack_use())
94 return 0;
95
96 if (label)
97 r = setxattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr), label, strlen(label), 0);
98 else
99 r = removexattr(FORMAT_PROC_FD_PATH(fd), smack_attr_to_string(attr));
100 if (r < 0)
101 return -errno;
102
103 return 0;
104 }
105
106 int mac_smack_apply_pid(pid_t pid, const char *label) {
107 const char *p;
108 int r;
109
110 assert(label);
111
112 if (!mac_smack_use())
113 return 0;
114
115 p = procfs_file_alloca(pid, "attr/current");
116 r = write_string_file(p, label, WRITE_STRING_FILE_DISABLE_BUFFER);
117 if (r < 0)
118 return r;
119
120 return r;
121 }
122
123 static int smack_fix_fd(
124 int fd,
125 const char *label_path,
126 LabelFixFlags flags) {
127
128 const char *label;
129 struct stat st;
130 int r;
131
132 /* The caller should have done the sanity checks. */
133 assert(fd >= 0);
134 assert(label_path);
135 assert(path_is_absolute(label_path));
136
137 /* Path must be in /dev. */
138 if (!path_startswith(label_path, "/dev"))
139 return 0;
140
141 if (fstat(fd, &st) < 0)
142 return -errno;
143
144 /*
145 * Label directories and character devices "*".
146 * Label symlinks "_".
147 * Don't change anything else.
148 */
149
150 if (S_ISDIR(st.st_mode))
151 label = SMACK_STAR_LABEL;
152 else if (S_ISLNK(st.st_mode))
153 label = SMACK_FLOOR_LABEL;
154 else if (S_ISCHR(st.st_mode))
155 label = SMACK_STAR_LABEL;
156 else
157 return 0;
158
159 if (setxattr(FORMAT_PROC_FD_PATH(fd), "security.SMACK64", label, strlen(label), 0) < 0) {
160 _cleanup_free_ char *old_label = NULL;
161
162 r = -errno;
163
164 /* If the FS doesn't support labels, then exit without warning */
165 if (ERRNO_IS_NOT_SUPPORTED(r))
166 return 0;
167
168 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
169 if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
170 return 0;
171
172 /* If the old label is identical to the new one, suppress any kind of error */
173 if (lgetxattr_malloc(FORMAT_PROC_FD_PATH(fd), "security.SMACK64", &old_label) >= 0 &&
174 streq(old_label, label))
175 return 0;
176
177 return log_debug_errno(r, "Unable to fix SMACK label of %s: %m", label_path);
178 }
179
180 return 0;
181 }
182
183 int mac_smack_fix_full(
184 int atfd,
185 const char *inode_path,
186 const char *label_path,
187 LabelFixFlags flags) {
188
189 _cleanup_close_ int opened_fd = -EBADF;
190 _cleanup_free_ char *p = NULL;
191 int r, inode_fd;
192
193 assert(atfd >= 0 || atfd == AT_FDCWD);
194 assert(atfd >= 0 || inode_path);
195
196 if (!mac_smack_use())
197 return 0;
198
199 if (inode_path) {
200 opened_fd = openat(atfd, inode_path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
201 if (opened_fd < 0) {
202 if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
203 return 0;
204
205 return -errno;
206 }
207 inode_fd = opened_fd;
208 } else
209 inode_fd = atfd;
210
211 if (!label_path) {
212 if (path_is_absolute(inode_path))
213 label_path = inode_path;
214 else {
215 r = fd_get_path(inode_fd, &p);
216 if (r < 0)
217 return r;
218
219 label_path = p;
220 }
221 }
222
223 return smack_fix_fd(inode_fd, label_path, flags);
224 }
225
226 int mac_smack_copy(const char *dest, const char *src) {
227 int r;
228 _cleanup_free_ char *label = NULL;
229
230 assert(dest);
231 assert(src);
232
233 r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
234 if (r < 0)
235 return r;
236
237 r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
238 if (r < 0)
239 return r;
240
241 return r;
242 }
243
244 #else
245 bool mac_smack_use(void) {
246 return false;
247 }
248
249 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
250 return -EOPNOTSUPP;
251 }
252
253 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
254 return -EOPNOTSUPP;
255 }
256
257 int mac_smack_apply_at(int dir_fd, const char *path, SmackAttr attr, const char *label) {
258 return 0;
259 }
260
261 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
262 return 0;
263 }
264
265 int mac_smack_apply_pid(pid_t pid, const char *label) {
266 return 0;
267 }
268
269 int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags) {
270 return 0;
271 }
272
273 int mac_smack_copy(const char *dest, const char *src) {
274 return 0;
275 }
276 #endif
277
278 int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, const char *to) {
279
280 assert(fdf >= 0 || fdf == AT_FDCWD);
281 assert(fdt >= 0 || fdt == AT_FDCWD);
282
283 if (renameat(fdf, from, fdt, to) < 0)
284 return -errno;
285
286 #if HAVE_SMACK_RUN_LABEL
287 return mac_smack_apply_at(fdt, to, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
288 #else
289 return 0;
290 #endif
291 }
292
293 static int mac_smack_label_pre(int dir_fd, const char *path, mode_t mode) {
294 return 0;
295 }
296
297 static int mac_smack_label_post(int dir_fd, const char *path) {
298 return mac_smack_fix_full(dir_fd, path, NULL, 0);
299 }
300
301 int mac_smack_init(void) {
302 static const LabelOps label_ops = {
303 .pre = mac_smack_label_pre,
304 .post = mac_smack_label_post,
305 };
306
307 if (!mac_smack_use())
308 return 0;
309
310 return label_ops_set(&label_ops);
311 }
Unnamed repository; edit this file 'description' to name the repository.