[thirdparty/systemd.git] / src / basic / smack-util.c

/***
  This file is part of systemd.

  Copyright 2013 Intel Corporation

  Author: Auke Kok <auke-jan.h.kok@intel.com>

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "alloc-util.h"
#include "fileio.h"
#include "log.h"
#include "macro.h"
#include "path-util.h"
#include "process-util.h"
#include "smack-util.h"
#include "string-table.h"
#include "xattr-util.h"

#if HAVE_SMACK
bool mac_smack_use(void) {
        static int cached_use = -1;

        if (cached_use < 0)
                cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;

        return cached_use;
}

static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
        [SMACK_ATTR_ACCESS]     = "security.SMACK64",
        [SMACK_ATTR_EXEC]       = "security.SMACK64EXEC",
        [SMACK_ATTR_MMAP]       = "security.SMACK64MMAP",
        [SMACK_ATTR_TRANSMUTE]  = "security.SMACK64TRANSMUTE",
        [SMACK_ATTR_IPIN]       = "security.SMACK64IPIN",
        [SMACK_ATTR_IPOUT]      = "security.SMACK64IPOUT",
};

DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);

int mac_smack_read(const char *path, SmackAttr attr, char **label) {
        assert(path);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
        assert(label);

        if (!mac_smack_use())
                return 0;

        return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
}

int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
        assert(fd >= 0);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
        assert(label);

        if (!mac_smack_use())
                return 0;

        return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
}

int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
        int r;

        assert(path);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);

        if (!mac_smack_use())
                return 0;

        if (label)
                r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
        else
                r = lremovexattr(path, smack_attr_to_string(attr));
        if (r < 0)
                return -errno;

        return 0;
}

int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
        int r;

        assert(fd >= 0);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);

        if (!mac_smack_use())
                return 0;

        if (label)
                r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
        else
                r = fremovexattr(fd, smack_attr_to_string(attr));
        if (r < 0)
                return -errno;

        return 0;
}

int mac_smack_apply_pid(pid_t pid, const char *label) {
        const char *p;
        int r = 0;

        assert(label);

        if (!mac_smack_use())
                return 0;

        p = procfs_file_alloca(pid, "attr/current");
        r = write_string_file(p, label, 0);
        if (r < 0)
                return r;

        return r;
}

int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
        struct stat st;
        int r = 0;

        assert(path);

        if (!mac_smack_use())
                return 0;

        /*
         * Path must be in /dev and must exist
         */
        if (!path_startswith(path, "/dev"))
                return 0;

        r = lstat(path, &st);
        if (r >= 0) {
                const char *label;

                /*
                 * Label directories and character devices "*".
                 * Label symlinks "_".
                 * Don't change anything else.
                 */

                if (S_ISDIR(st.st_mode))
                        label = SMACK_STAR_LABEL;
                else if (S_ISLNK(st.st_mode))
                        label = SMACK_FLOOR_LABEL;
                else if (S_ISCHR(st.st_mode))
                        label = SMACK_STAR_LABEL;
                else
                        return 0;

                r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);

                /* If the FS doesn't support labels, then exit without warning */
                if (r < 0 && errno == EOPNOTSUPP)
                        return 0;
        }

        if (r < 0) {
                /* Ignore ENOENT in some cases */
                if (ignore_enoent && errno == ENOENT)
                        return 0;

                if (ignore_erofs && errno == EROFS)
                        return 0;

                r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
        }

        return r;
}

int mac_smack_copy(const char *dest, const char *src) {
        int r = 0;
        _cleanup_free_ char *label = NULL;

        assert(dest);
        assert(src);

        r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
        if (r < 0)
                return r;

        r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
        if (r < 0)
                return r;

        return r;
}

#else
bool mac_smack_use(void) {
        return false;
}

int mac_smack_read(const char *path, SmackAttr attr, char **label) {
        return -EOPNOTSUPP;
}

int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
        return -EOPNOTSUPP;
}

int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
        return 0;
}

int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
        return 0;
}

int mac_smack_apply_pid(pid_t pid, const char *label) {
        return 0;
}

int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
        return 0;
}

int mac_smack_copy(const char *dest, const char *src) {
        return 0;
}
#endif
Commit	Line	Data
8552b176 AK	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2013 Intel Corporation
	5
	6	Author: Auke Kok <auke-jan.h.kok@intel.com>
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
11c3a366 TA	22	#include <errno.h>
	23	#include <string.h>
	24	#include <sys/stat.h>
d2edfae0	25	#include <sys/xattr.h>
11c3a366	26	#include <unistd.h>
8552b176	27
b5efdb8a	28	#include "alloc-util.h"
2ca620c4	29	#include "fileio.h"
93cc7779 TA	30	#include "log.h"
93cc7779 TA	31	#include "macro.h"
89a5a90c LP	32	#include "path-util.h"
89a5a90c LP	33	#include "process-util.h"
d682b3a7	34	#include "smack-util.h"
8b43440b	35	#include "string-table.h"
89a5a90c	36	#include "xattr-util.h"
8552b176	37
349cc4a5	38	#if HAVE_SMACK
5ab58c20	39	bool mac_smack_use(void) {
6baa7db0	40	static int cached_use = -1;
d682b3a7	41
6baa7db0 LP	42	if (cached_use < 0)
6baa7db0 LP	43	cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
8552b176	44
6baa7db0	45	return cached_use;
8552b176	46	}
9a4e038c	47
5ab58c20 WC	48	static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
	49	[SMACK_ATTR_ACCESS] = "security.SMACK64",
	50	[SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
	51	[SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
	52	[SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
	53	[SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
	54	[SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
	55	};
	56
	57	DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
d53e386d	58
5ab58c20	59	int mac_smack_read(const char path, SmackAttr attr, char *label) {
d53e386d	60	assert(path);
5ab58c20 WC	61	assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
5ab58c20 WC	62	assert(label);
d53e386d	63
6baa7db0	64	if (!mac_smack_use())
9a4e038c KS	65	return 0;
9a4e038c KS	66
5ab58c20	67	return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
9a4e038c KS	68	}
9a4e038c KS	69
5ab58c20	70	int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
d53e386d	71	assert(fd >= 0);
5ab58c20 WC	72	assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
5ab58c20 WC	73	assert(label);
d53e386d	74
6baa7db0	75	if (!mac_smack_use())
9a4e038c KS	76	return 0;
9a4e038c KS	77
5ab58c20	78	return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
9a4e038c KS	79	}
9a4e038c KS	80
5ab58c20 WC	81	int mac_smack_apply(const char path, SmackAttr attr, const char label) {
5ab58c20 WC	82	int r;
d53e386d	83
5ab58c20 WC	84	assert(path);
5ab58c20 WC	85	assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
d53e386d	86
6baa7db0	87	if (!mac_smack_use())
9a4e038c KS	88	return 0;
9a4e038c KS	89
d53e386d	90	if (label)
5ab58c20	91	r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
d53e386d	92	else
5ab58c20	93	r = lremovexattr(path, smack_attr_to_string(attr));
d53e386d LP	94	if (r < 0)
d53e386d LP	95	return -errno;
d53e386d	96
5ab58c20	97	return 0;
9a4e038c KS	98	}
9a4e038c KS	99
5ab58c20 WC	100	int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
5ab58c20 WC	101	int r;
d53e386d LP	102
d53e386d LP	103	assert(fd >= 0);
5ab58c20	104	assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
d53e386d	105
6baa7db0	106	if (!mac_smack_use())
9a4e038c KS	107	return 0;
9a4e038c KS	108
d53e386d	109	if (label)
5ab58c20	110	r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
d53e386d	111	else
5ab58c20	112	r = fremovexattr(fd, smack_attr_to_string(attr));
d53e386d LP	113	if (r < 0)
d53e386d LP	114	return -errno;
d53e386d	115
5ab58c20	116	return 0;
9a4e038c	117	}
66b6d9d5	118
2ca620c4	119	int mac_smack_apply_pid(pid_t pid, const char *label) {
2ca620c4	120	const char *p;
fae5694e	121	int r = 0;
2ca620c4 WC	122
	123	assert(label);
	124
2ca620c4 WC	125	if (!mac_smack_use())
	126	return 0;
	127
	128	p = procfs_file_alloca(pid, "attr/current");
ad118bda	129	r = write_string_file(p, label, 0);
2ca620c4 WC	130	if (r < 0)
2ca620c4 WC	131	return r;
2ca620c4 WC	132
	133	return r;
	134	}
	135
5dfc5461	136	int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
5dfc5461	137	struct stat st;
fae5694e	138	int r = 0;
d53e386d LP	139
	140	assert(path);
	141
d53e386d LP	142	if (!mac_smack_use())
d53e386d LP	143	return 0;
66b6d9d5 WC	144
	145	/*
	146	* Path must be in /dev and must exist
	147	*/
	148	if (!path_startswith(path, "/dev"))
	149	return 0;
	150
5dfc5461 LP	151	r = lstat(path, &st);
	152	if (r >= 0) {
	153	const char *label;
	154
	155	/*
	156	* Label directories and character devices "*".
	157	* Label symlinks "_".
	158	* Don't change anything else.
	159	*/
	160
	161	if (S_ISDIR(st.st_mode))
	162	label = SMACK_STAR_LABEL;
	163	else if (S_ISLNK(st.st_mode))
	164	label = SMACK_FLOOR_LABEL;
	165	else if (S_ISCHR(st.st_mode))
	166	label = SMACK_STAR_LABEL;
	167	else
	168	return 0;
66b6d9d5	169
5dfc5461 LP	170	r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
	171
	172	/* If the FS doesn't support labels, then exit without warning */
15411c0c	173	if (r < 0 && errno == EOPNOTSUPP)
5dfc5461 LP	174	return 0;
5dfc5461 LP	175	}
66b6d9d5	176
66b6d9d5	177	if (r < 0) {
5dfc5461 LP	178	/* Ignore ENOENT in some cases */
	179	if (ignore_enoent && errno == ENOENT)
	180	return 0;
	181
	182	if (ignore_erofs && errno == EROFS)
	183	return 0;
	184
fae5694e	185	r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
66b6d9d5	186	}
66b6d9d5 WC	187
	188	return r;
	189	}
5ab58c20	190
ba056b73 SW	191	int mac_smack_copy(const char dest, const char src) {
	192	int r = 0;
	193	_cleanup_free_ char *label = NULL;
	194
	195	assert(dest);
	196	assert(src);
	197
	198	r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
	199	if (r < 0)
	200	return r;
	201
	202	r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
	203	if (r < 0)
	204	return r;
	205
	206	return r;
	207	}
5ab58c20 WC	208
	209	#else
	210	bool mac_smack_use(void) {
	211	return false;
	212	}
	213
	214	int mac_smack_read(const char path, SmackAttr attr, char *label) {
	215	return -EOPNOTSUPP;
	216	}
	217
	218	int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
	219	return -EOPNOTSUPP;
	220	}
	221
	222	int mac_smack_apply(const char path, SmackAttr attr, const char label) {
	223	return 0;
	224	}
	225
	226	int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
	227	return 0;
	228	}
	229
	230	int mac_smack_apply_pid(pid_t pid, const char *label) {
	231	return 0;
	232	}
	233
	234	int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
	235	return 0;
	236	}
ba056b73 SW	237
	238	int mac_smack_copy(const char dest, const char src) {
	239	return 0;
	240	}
5ab58c20	241	#endif