projects / thirdparty / systemd.git / blame
| Commit | Line | Data |
|---|---|---|
| db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
| ffbd2c4d | 2 | /*** |
| 810adae9 | 3 | Copyright © 2013 Intel Corporation |
| ffbd2c4d NC |
4 | Authors: |
| 5 | Nathaniel Chen <nathaniel.chen@intel.com> | |
| ffbd2c4d NC |
6 | ***/ |
| 7 | ||
| ffbd2c4d | 8 | #include <errno.h> |
| ffbd2c4d | 9 | #include <fcntl.h> |
| 07630cea LP |
10 | #include <stdio.h> |
| 11 | #include <stdlib.h> | |
| ca78ad1d | 12 | #include <unistd.h> |
| ffbd2c4d | 13 | |
| ad5db940 OJ |
14 | #include "sd-messages.h" |
| 15 | ||
| b5efdb8a | 16 | #include "alloc-util.h" |
| a0956174 | 17 | #include "dirent-util.h" |
| 3ffd4af2 | 18 | #include "fd-util.h" |
| 8b197c3a | 19 | #include "fileio.h" |
| ffbd2c4d | 20 | #include "log.h" |
| 07630cea | 21 | #include "macro.h" |
| 3ffd4af2 | 22 | #include "smack-setup.h" |
| 07630cea | 23 | #include "string-util.h" |
| ffbd2c4d | 24 | |
| f9fa32f0 | 25 | #if ENABLE_SMACK |
| 2b3e18de | 26 | |
| b636d78a ZJS |
27 | static int fdopen_unlocked_at(int dfd, const char *dir, const char *name, int *status, FILE **ret_file) { |
| 28 | int fd, r; | |
| 29 | FILE *f; | |
| 30 | ||
| 31 | fd = openat(dfd, name, O_RDONLY|O_CLOEXEC); | |
| 32 | if (fd < 0) { | |
| 33 | if (*status == 0) | |
| 34 | *status = -errno; | |
| 35 | ||
| 36 | return log_warning_errno(errno, "Failed to open \"%s/%s\": %m", dir, name); | |
| 37 | } | |
| 38 | ||
| 39 | r = fdopen_unlocked(fd, "r", &f); | |
| 40 | if (r < 0) { | |
| 41 | if (*status == 0) | |
| 42 | *status = r; | |
| 43 | ||
| 44 | safe_close(fd); | |
| 45 | return log_error_errno(r, "Failed to open \"%s/%s\": %m", dir, name); | |
| 46 | } | |
| 47 | ||
| 48 | *ret_file = f; | |
| 49 | return 0; | |
| 50 | } | |
| 51 | ||
| 52 | static int write_access2_rules(const char *srcdir) { | |
| 254d1313 | 53 | _cleanup_close_ int load2_fd = -EBADF, change_fd = -EBADF; |
| ffbd2c4d | 54 | _cleanup_closedir_ DIR *dir = NULL; |
| 254d1313 | 55 | int dfd = -EBADF, r = 0; |
| ffbd2c4d | 56 | |
| 6656aefb WC |
57 | load2_fd = open("/sys/fs/smackfs/load2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); |
| 58 | if (load2_fd < 0) { | |
| 59 | if (errno != ENOENT) | |
| 60 | log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/load2': %m"); | |
| 61 | return -errno; /* negative error */ | |
| 62 | } | |
| 63 | ||
| 64 | change_fd = open("/sys/fs/smackfs/change-rule", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); | |
| 65 | if (change_fd < 0) { | |
| a4783bd1 | 66 | if (errno != ENOENT) |
| 6656aefb | 67 | log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/change-rule': %m"); |
| a4783bd1 | 68 | return -errno; /* negative error */ |
| ffbd2c4d NC |
69 | } |
| 70 | ||
| 6656aefb | 71 | /* write rules to load2 or change-rule from every file in the directory */ |
| a4783bd1 | 72 | dir = opendir(srcdir); |
| ffbd2c4d | 73 | if (!dir) { |
| a4783bd1 | 74 | if (errno != ENOENT) |
| 6656aefb | 75 | log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir); |
| a4783bd1 | 76 | return errno; /* positive on purpose */ |
| ffbd2c4d NC |
77 | } |
| 78 | ||
| 79 | dfd = dirfd(dir); | |
| fea7838e | 80 | assert(dfd >= 0); |
| ffbd2c4d NC |
81 | |
| 82 | FOREACH_DIRENT(entry, dir, return 0) { | |
| 83 | _cleanup_fclose_ FILE *policy = NULL; | |
| ffbd2c4d | 84 | |
| 6656aefb WC |
85 | if (!dirent_is_file(entry)) |
| 86 | continue; | |
| 87 | ||
| b636d78a | 88 | if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0) |
| ffbd2c4d | 89 | continue; |
| ffbd2c4d | 90 | |
| ffbd2c4d | 91 | /* load2 write rules in the kernel require a line buffered stream */ |
| ea8b6526 LP |
92 | for (;;) { |
| 93 | _cleanup_free_ char *buf = NULL, *sbj = NULL, *obj = NULL, *acc1 = NULL, *acc2 = NULL; | |
| 94 | int q; | |
| 6656aefb | 95 | |
| ea8b6526 LP |
96 | q = read_line(policy, NAME_MAX, &buf); |
| 97 | if (q < 0) | |
| 98 | return log_error_errno(q, "Failed to read line from '%s': %m", entry->d_name); | |
| 99 | if (q == 0) | |
| 100 | break; | |
| 6656aefb | 101 | |
| ea8b6526 | 102 | if (isempty(buf) || strchr(COMMENTS, buf[0])) |
| 6656aefb WC |
103 | continue; |
| 104 | ||
| 105 | /* if 3 args -> load rule : subject object access1 */ | |
| 106 | /* if 4 args -> change rule : subject object access1 access2 */ | |
| 107 | if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) { | |
| 108 | log_error_errno(errno, "Failed to parse rule '%s' in '%s', ignoring.", buf, entry->d_name); | |
| 109 | continue; | |
| 110 | } | |
| 111 | ||
| 112 | if (write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)) < 0) { | |
| a4783bd1 | 113 | if (r == 0) |
| 6656aefb | 114 | r = -errno; |
| 5e1ee764 | 115 | log_error_errno(errno, "Failed to write '%s' to '%s' in '%s': %m", |
| 6656aefb | 116 | buf, isempty(acc2) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule", entry->d_name); |
| a4783bd1 | 117 | } |
| 6656aefb WC |
118 | } |
| 119 | } | |
| 120 | ||
| 121 | return r; | |
| 122 | } | |
| 123 | ||
| b636d78a | 124 | static int write_cipso2_rules(const char *srcdir) { |
| 254d1313 | 125 | _cleanup_close_ int cipso2_fd = -EBADF; |
| 6656aefb | 126 | _cleanup_closedir_ DIR *dir = NULL; |
| 254d1313 | 127 | int dfd = -EBADF, r = 0; |
| 6656aefb WC |
128 | |
| 129 | cipso2_fd = open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); | |
| 130 | if (cipso2_fd < 0) { | |
| 131 | if (errno != ENOENT) | |
| 132 | log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/cipso2': %m"); | |
| 133 | return -errno; /* negative error */ | |
| 134 | } | |
| 135 | ||
| 136 | /* write rules to cipso2 from every file in the directory */ | |
| 137 | dir = opendir(srcdir); | |
| 138 | if (!dir) { | |
| 139 | if (errno != ENOENT) | |
| 140 | log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir); | |
| 141 | return errno; /* positive on purpose */ | |
| 142 | } | |
| 143 | ||
| 144 | dfd = dirfd(dir); | |
| 145 | assert(dfd >= 0); | |
| 146 | ||
| 147 | FOREACH_DIRENT(entry, dir, return 0) { | |
| 6656aefb WC |
148 | _cleanup_fclose_ FILE *policy = NULL; |
| 149 | ||
| 150 | if (!dirent_is_file(entry)) | |
| 151 | continue; | |
| 152 | ||
| b636d78a | 153 | if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0) |
| 6656aefb | 154 | continue; |
| 6656aefb WC |
155 | |
| 156 | /* cipso2 write rules in the kernel require a line buffered stream */ | |
| ea8b6526 LP |
157 | for (;;) { |
| 158 | _cleanup_free_ char *buf = NULL; | |
| 159 | int q; | |
| 160 | ||
| 161 | q = read_line(policy, NAME_MAX, &buf); | |
| 162 | if (q < 0) | |
| 163 | return log_error_errno(q, "Failed to read line from '%s': %m", entry->d_name); | |
| 164 | if (q == 0) | |
| 165 | break; | |
| 6656aefb | 166 | |
| ea8b6526 | 167 | if (isempty(buf) || strchr(COMMENTS, buf[0])) |
| 6656aefb WC |
168 | continue; |
| 169 | ||
| 170 | if (write(cipso2_fd, buf, strlen(buf)) < 0) { | |
| a4783bd1 ZJS |
171 | if (r == 0) |
| 172 | r = -errno; | |
| 5e1ee764 | 173 | log_error_errno(errno, "Failed to write '%s' to '/sys/fs/smackfs/cipso2' in '%s': %m", |
| 6656aefb | 174 | buf, entry->d_name); |
| a4783bd1 ZJS |
175 | break; |
| 176 | } | |
| ffbd2c4d NC |
177 | } |
| 178 | } | |
| 179 | ||
| 6656aefb | 180 | return r; |
| a4783bd1 ZJS |
181 | } |
| 182 | ||
| b636d78a | 183 | static int write_netlabel_rules(const char *srcdir) { |
| ae176752 CS |
184 | _cleanup_fclose_ FILE *dst = NULL; |
| 185 | _cleanup_closedir_ DIR *dir = NULL; | |
| 254d1313 | 186 | int dfd = -EBADF, r = 0; |
| ae176752 CS |
187 | |
| 188 | dst = fopen("/sys/fs/smackfs/netlabel", "we"); | |
| 189 | if (!dst) { | |
| 190 | if (errno != ENOENT) | |
| 191 | log_warning_errno(errno, "Failed to open /sys/fs/smackfs/netlabel: %m"); | |
| 192 | return -errno; /* negative error */ | |
| 193 | } | |
| 194 | ||
| 195 | /* write rules to dst from every file in the directory */ | |
| 196 | dir = opendir(srcdir); | |
| 197 | if (!dir) { | |
| 198 | if (errno != ENOENT) | |
| 199 | log_warning_errno(errno, "Failed to opendir %s: %m", srcdir); | |
| 200 | return errno; /* positive on purpose */ | |
| 201 | } | |
| 202 | ||
| 203 | dfd = dirfd(dir); | |
| 204 | assert(dfd >= 0); | |
| 205 | ||
| 206 | FOREACH_DIRENT(entry, dir, return 0) { | |
| ae176752 CS |
207 | _cleanup_fclose_ FILE *policy = NULL; |
| 208 | ||
| b636d78a | 209 | if (fdopen_unlocked_at(dfd, srcdir, entry->d_name, &r, &policy) < 0) |
| ae176752 | 210 | continue; |
| 0d536673 | 211 | |
| ae176752 | 212 | /* load2 write rules in the kernel require a line buffered stream */ |
| ea8b6526 LP |
213 | for (;;) { |
| 214 | _cleanup_free_ char *buf = NULL; | |
| 0d536673 LP |
215 | int q; |
| 216 | ||
| ea8b6526 LP |
217 | q = read_line(policy, NAME_MAX, &buf); |
| 218 | if (q < 0) | |
| 219 | return log_error_errno(q, "Failed to read line from %s: %m", entry->d_name); | |
| 220 | if (q == 0) | |
| 221 | break; | |
| 222 | ||
| 0d536673 | 223 | if (!fputs(buf, dst)) { |
| ae176752 CS |
224 | if (r == 0) |
| 225 | r = -EINVAL; | |
| 5e1ee764 | 226 | log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel: %m"); |
| ae176752 CS |
227 | break; |
| 228 | } | |
| 0d536673 LP |
229 | q = fflush_and_check(dst); |
| 230 | if (q < 0) { | |
| ae176752 | 231 | if (r == 0) |
| 0d536673 LP |
232 | r = q; |
| 233 | log_error_errno(q, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m"); | |
| ae176752 CS |
234 | break; |
| 235 | } | |
| 236 | } | |
| 237 | } | |
| 238 | ||
| 7f508f2c | 239 | return r; |
| ae176752 CS |
240 | } |
| 241 | ||
| 217f95db | 242 | static int write_onlycap_list(void) { |
| 254d1313 | 243 | _cleanup_close_ int onlycap_fd = -EBADF; |
| 217f95db WC |
244 | _cleanup_free_ char *list = NULL; |
| 245 | _cleanup_fclose_ FILE *f = NULL; | |
| 319a4f4b | 246 | size_t len = 0; |
| 217f95db WC |
247 | int r; |
| 248 | ||
| 249 | f = fopen("/etc/smack/onlycap", "re"); | |
| 250 | if (!f) { | |
| 251 | if (errno != ENOENT) | |
| 9fd0b029 LP |
252 | log_warning_errno(errno, "Failed to read '/etc/smack/onlycap': %m"); |
| 253 | ||
| 217f95db WC |
254 | return errno == ENOENT ? ENOENT : -errno; |
| 255 | } | |
| 256 | ||
| ea8b6526 LP |
257 | for (;;) { |
| 258 | _cleanup_free_ char *buf = NULL; | |
| 217f95db WC |
259 | size_t l; |
| 260 | ||
| ea8b6526 LP |
261 | r = read_line(f, LONG_LINE_MAX, &buf); |
| 262 | if (r < 0) | |
| 263 | return log_error_errno(r, "Failed to read line from /etc/smack/onlycap: %m"); | |
| 264 | if (r == 0) | |
| 265 | break; | |
| 266 | ||
| 267 | if (isempty(buf) || strchr(COMMENTS, *buf)) | |
| 217f95db WC |
268 | continue; |
| 269 | ||
| 270 | l = strlen(buf); | |
| 319a4f4b | 271 | if (!GREEDY_REALLOC(list, len + l + 1)) |
| 217f95db WC |
272 | return log_oom(); |
| 273 | ||
| 274 | stpcpy(list + len, buf)[0] = ' '; | |
| 275 | len += l + 1; | |
| 276 | } | |
| 277 | ||
| 9fd0b029 | 278 | if (len == 0) |
| 217f95db WC |
279 | return 0; |
| 280 | ||
| 281 | list[len - 1] = 0; | |
| 282 | ||
| 283 | onlycap_fd = open("/sys/fs/smackfs/onlycap", O_WRONLY|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); | |
| 284 | if (onlycap_fd < 0) { | |
| 285 | if (errno != ENOENT) | |
| 9fd0b029 | 286 | log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/onlycap': %m"); |
| 217f95db WC |
287 | return -errno; /* negative error */ |
| 288 | } | |
| 289 | ||
| 290 | r = write(onlycap_fd, list, len); | |
| 291 | if (r < 0) | |
| 9fd0b029 | 292 | return log_error_errno(errno, "Failed to write onlycap list(%s) to '/sys/fs/smackfs/onlycap': %m", list); |
| 217f95db WC |
293 | |
| 294 | return 0; | |
| 295 | } | |
| 296 | ||
| 2b3e18de | 297 | #endif |
| ffbd2c4d | 298 | |
| 8a188de9 | 299 | int mac_smack_setup(bool *loaded_policy) { |
| 2b3e18de | 300 | |
| f9fa32f0 | 301 | #if ENABLE_SMACK |
| 2b3e18de | 302 | |
| a4783bd1 ZJS |
303 | int r; |
| 304 | ||
| e49d3c01 ŁS |
305 | assert(loaded_policy); |
| 306 | ||
| 6656aefb | 307 | r = write_access2_rules("/etc/smack/accesses.d/"); |
| 79893116 | 308 | switch (r) { |
| a4783bd1 ZJS |
309 | case -ENOENT: |
| 310 | log_debug("Smack is not enabled in the kernel."); | |
| 311 | return 0; | |
| 312 | case ENOENT: | |
| 6656aefb | 313 | log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found"); |
| a4783bd1 ZJS |
314 | return 0; |
| 315 | case 0: | |
| 316 | log_info("Successfully loaded Smack policies."); | |
| abbacb1d NC |
317 | break; |
| 318 | default: | |
| e53fc357 | 319 | log_warning_errno(r, "Failed to load Smack access rules, ignoring: %m"); |
| abbacb1d NC |
320 | return 0; |
| 321 | } | |
| 322 | ||
| 07b382cc | 323 | #if HAVE_SMACK_RUN_LABEL |
| 57512c89 | 324 | r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER); |
| ae176752 CS |
325 | if (r < 0) |
| 326 | log_warning_errno(r, "Failed to set SMACK label \"" SMACK_RUN_LABEL "\" on self: %m"); | |
| 57512c89 | 327 | r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER); |
| ae176752 CS |
328 | if (r < 0) |
| 329 | log_warning_errno(r, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL "\": %m"); | |
| 330 | r = write_string_file("/sys/fs/smackfs/netlabel", | |
| 57512c89 | 331 | "0.0.0.0/0 " SMACK_RUN_LABEL, WRITE_STRING_FILE_DISABLE_BUFFER); |
| ae176752 CS |
332 | if (r < 0) |
| 333 | log_warning_errno(r, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL "\": %m"); | |
| 57512c89 | 334 | r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", WRITE_STRING_FILE_DISABLE_BUFFER); |
| ae176752 CS |
335 | if (r < 0) |
| 336 | log_warning_errno(r, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m"); | |
| 8b197c3a AK |
337 | #endif |
| 338 | ||
| 6656aefb | 339 | r = write_cipso2_rules("/etc/smack/cipso.d/"); |
| 79893116 | 340 | switch (r) { |
| abbacb1d NC |
341 | case -ENOENT: |
| 342 | log_debug("Smack/CIPSO is not enabled in the kernel."); | |
| 343 | return 0; | |
| 344 | case ENOENT: | |
| 6656aefb | 345 | log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found"); |
| ae176752 | 346 | break; |
| abbacb1d NC |
347 | case 0: |
| 348 | log_info("Successfully loaded Smack/CIPSO policies."); | |
| b9289d4c | 349 | break; |
| a4783bd1 | 350 | default: |
| e53fc357 | 351 | log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m"); |
| ae176752 CS |
352 | break; |
| 353 | } | |
| 354 | ||
| 355 | r = write_netlabel_rules("/etc/smack/netlabel.d/"); | |
| 79893116 | 356 | switch (r) { |
| ae176752 CS |
357 | case -ENOENT: |
| 358 | log_debug("Smack/CIPSO is not enabled in the kernel."); | |
| a4783bd1 | 359 | return 0; |
| ae176752 CS |
360 | case ENOENT: |
| 361 | log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found"); | |
| 362 | break; | |
| 363 | case 0: | |
| 364 | log_info("Successfully loaded Smack network host rules."); | |
| 365 | break; | |
| 366 | default: | |
| 367 | log_warning_errno(r, "Failed to load Smack network host rules: %m, ignoring."); | |
| 368 | break; | |
| a4783bd1 | 369 | } |
| 2b3e18de | 370 | |
| 217f95db | 371 | r = write_onlycap_list(); |
| 79893116 | 372 | switch (r) { |
| 217f95db WC |
373 | case -ENOENT: |
| 374 | log_debug("Smack is not enabled in the kernel."); | |
| 375 | break; | |
| 376 | case ENOENT: | |
| 377 | log_debug("Smack onlycap list file '/etc/smack/onlycap' not found"); | |
| 378 | break; | |
| 379 | case 0: | |
| 380 | log_info("Successfully wrote Smack onlycap list."); | |
| 381 | break; | |
| 382 | default: | |
| ad5db940 OJ |
383 | return log_struct_errno(LOG_EMERG, r, |
| 384 | LOG_MESSAGE("Failed to write Smack onlycap list: %m"), | |
| 385 | "MESSAGE_ID=" SD_MESSAGE_SMACK_FAILED_WRITE_STR); | |
| 217f95db WC |
386 | } |
| 387 | ||
| e49d3c01 ŁS |
388 | *loaded_policy = true; |
| 389 | ||
| 2b3e18de KL |
390 | #endif |
| 391 | ||
| 392 | return 0; | |
| ffbd2c4d | 393 | } |