2 This file is part of systemd.
4 Copyright 2013 Intel Corporation
6 Author: Auke Kok <auke-jan.h.kok@intel.com>
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
#include <errno.h>
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

#include "alloc-util.h"
#include "path-util.h"
#include "process-util.h"
#include "smack-util.h"
#include "string-table.h"
#include "xattr-util.h"
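/*
 * Returns whether SMACK appears to be available on this system.
 *
 * The probe is a one-time access(..., F_OK) on the smackfs mount point
 * "/sys/fs/smackfs/", cached in a function-local static so later calls cost
 * nothing. Existence of that directory only shows the SMACK filesystem is
 * mounted; it does not prove the LSM is enforcing or that the caller holds the
 * privilege needed to set labels, so every labelling call below still has to
 * handle its own errors.
 *
 * Note: the cache is a plain static int with no synchronization. Two threads
 * making the very first call could both probe; each stores the result of its
 * own probe, so the worst case is a redundant access() call.
 */
bool mac_smack_use(void) {
        static int cached_use = -1;

        if (cached_use < 0)
                cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;

        return cached_use;
}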
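/*
 * Extended-attribute name for each SmackAttr value, indexed by the enum.
 *
 * The array is sized _SMACK_ATTR_MAX so a valid attr can never index past the
 * end; the accessors in this file additionally assert the range before using
 * it. DEFINE_STRING_TABLE_LOOKUP generates smack_attr_to_string() (used
 * throughout this file) and, presumably, the matching *_from_string() reverse
 * lookup — see string-table.h.
 */
static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
        [SMACK_ATTR_ACCESS]    = "security.SMACK64",
        [SMACK_ATTR_EXEC]      = "security.SMACK64EXEC",
        [SMACK_ATTR_MMAP]      = "security.SMACK64MMAP",
        [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
        [SMACK_ATTR_IPIN]      = "security.SMACK64IPIN",
        [SMACK_ATTR_IPOUT]     = "security.SMACK64IPOUT",
};

DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);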
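/*
 * Reads the SMACK attribute `attr` of `path` into a newly allocated string.
 *
 * path:  object to read the xattr from (must not be NULL).
 * attr:  which SMACK attribute; must be a valid SmackAttr (asserted).
 * label: receives a malloc'd copy owned by the caller.
 *
 * Returns 0 without touching *label when SMACK is not in use, otherwise the
 * result of getxattr_malloc() (0 or a negative errno-style code). The trailing
 * `true` is forwarded to getxattr_malloc() unchanged — presumably it makes an
 * absent attribute a non-error, so callers must not assume *label is set on a
 * 0 return; confirm in xattr-util.h.
 */
int mac_smack_read(const char *path, SmackAttr attr, char **label) {
        assert(path);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
        assert(label);

        if (!mac_smack_use())
                return 0;

        return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
}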
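/*
 * File-descriptor variant of mac_smack_read(): reads SMACK attribute `attr`
 * of the object behind `fd` into a newly allocated string.
 *
 * fd:    open descriptor of the object (must be >= 0).
 * attr:  which SMACK attribute; must be a valid SmackAttr (asserted).
 * label: receives a malloc'd copy owned by the caller.
 *
 * Returns 0 without touching *label when SMACK is not in use, otherwise the
 * result of fgetxattr_malloc() (0 or a negative errno-style code). Unlike the
 * path variant, no "allow missing" flag is forwarded here; whether an absent
 * attribute is an error is decided by fgetxattr_malloc() — see xattr-util.h.
 */
int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
        assert(fd >= 0);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
        assert(label);

        if (!mac_smack_use())
                return 0;

        return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
}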
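/*
 * Sets or clears the SMACK attribute `attr` on `path`.
 *
 * path:  object to label (must not be NULL).
 * attr:  which SMACK attribute; must be a valid SmackAttr (asserted).
 * label: new value, or NULL to remove the attribute entirely.
 *
 * Uses lsetxattr()/lremovexattr(), i.e. a trailing symlink is labelled
 * itself rather than followed. Returns 0 when SMACK is not in use or on
 * success, otherwise -errno from the xattr call.
 *
 * Security note: a NULL label is not a no-op — it strips the attribute. A
 * caller that forwards the result of a failed or empty lookup will therefore
 * unlabel the target; mac_smack_copy() below is such a caller.
 */
int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
        int r;

        assert(path);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);

        if (!mac_smack_use())
                return 0;

        if (label)
                r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
        else
                r = lremovexattr(path, smack_attr_to_string(attr));
        if (r < 0)
                return -errno;

        return 0;
}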
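/*
 * File-descriptor variant of mac_smack_apply(): sets or clears the SMACK
 * attribute `attr` on the object behind `fd`.
 *
 * fd:    open descriptor of the object (must be >= 0).
 * attr:  which SMACK attribute; must be a valid SmackAttr (asserted).
 * label: new value, or NULL to remove the attribute entirely.
 *
 * Operating on a descriptor avoids the path re-resolution race of the
 * path-based variant. Returns 0 when SMACK is not in use or on success,
 * otherwise -errno from fsetxattr()/fremovexattr(). As with the path variant,
 * NULL removes the attribute rather than leaving it untouched.
 */
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
        int r;

        assert(fd >= 0);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);

        if (!mac_smack_use())
                return 0;

        if (label)
                r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
        else
                r = fremovexattr(fd, smack_attr_to_string(attr));
        if (r < 0)
                return -errno;

        return 0;
}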
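/*
 * Changes the SMACK process label of `pid` by writing `label` to
 * /proc/<pid>/attr/current.
 *
 * pid:   target process; the exact path is built by procfs_file_alloca()
 *        (presumably pid 0 maps to /proc/self — confirm in process-util.h).
 * label: the new label (must not be NULL). Written as-is with flags 0; no
 *        syntax check is done here, so rejecting malformed labels is left to
 *        the kernel.
 *
 * Returns 0 when SMACK is not in use or on success, otherwise the negative
 * error from write_string_file(). Relabelling a process is a privileged
 * operation (on Linux this normally needs CAP_MAC_ADMIN — verify against the
 * kernel's SMACK documentation), so EPERM/EACCES is an expected failure mode.
 */
int mac_smack_apply_pid(pid_t pid, const char *label) {
        const char *p;
        int r;

        assert(label);

        if (!mac_smack_use())
                return 0;

        p = procfs_file_alloca(pid, "attr/current");
        r = write_string_file(p, label, 0);
        if (r < 0)
                return r;

        return 0;
}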
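/*
 * Gives a /dev entry the default SMACK label for its type.
 *
 * path:         object to fix; anything not under /dev is silently skipped.
 * ignore_enoent: treat a vanished path as success.
 * ignore_erofs:  treat a read-only filesystem as success.
 *
 * Directories and character devices get the star label "*" (SMACK_STAR_LABEL),
 * symlinks get the floor label "_" (SMACK_FLOOR_LABEL); every other type is
 * left untouched. Returns 0 on success or when the filesystem does not
 * support labels (EOPNOTSUPP), 0 for the ignored errno cases above, otherwise
 * the negative errno reported through log_debug_errno().
 *
 * NOTE(review): the type is decided by lstat() and the label written by a
 * separate lsetxattr() on the same path, so the object can be swapped in
 * between (classic TOCTOU). Under /dev only privileged writers can normally do
 * that, but since "*" makes an object accessible to every label, callers from
 * less controlled contexts should prefer an fd-based variant. The /dev guard
 * is a prefix test via path_startswith(); it presumably does not canonicalise
 * "..", so callers should pass normalised paths — confirm in path-util.h.
 */
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
        struct stat st;
        int r;

        assert(path);

        if (!mac_smack_use())
                return 0;

        /*
         * Path must be in /dev and must exist
         */
        if (!path_startswith(path, "/dev"))
                return 0;

        r = lstat(path, &st);
        if (r >= 0) {
                const char *label;

                /*
                 * Label directories and character devices "*".
                 * Label symlinks "_".
                 * Don't change anything else.
                 */
                if (S_ISDIR(st.st_mode))
                        label = SMACK_STAR_LABEL;
                else if (S_ISLNK(st.st_mode))
                        label = SMACK_FLOOR_LABEL;
                else if (S_ISCHR(st.st_mode))
                        label = SMACK_STAR_LABEL;
                else
                        return 0;

                /* lsetxattr() does not follow a trailing symlink, so the
                 * floor label lands on the link itself. */
                r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);

                /* If the FS doesn't support labels, then exit without warning */
                if (r < 0 && errno == EOPNOTSUPP)
                        return 0;
        }

        if (r < 0) {
                /* Ignore ENOENT in some cases */
                if (ignore_enoent && errno == ENOENT)
                        return 0;

                if (ignore_erofs && errno == EROFS)
                        return 0;

                r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
                return r;
        }

        return 0;
}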
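/*
 * Copies the SMACK64 access label from `src` to `dest`.
 *
 * dest: object that receives the label (must not be NULL).
 * src:  object whose label is read (must not be NULL).
 *
 * Returns 0 on success, or the first negative error from mac_smack_read() /
 * mac_smack_apply(). The label buffer is freed on every exit path.
 *
 * NOTE(review): `label` starts out NULL and mac_smack_read() may return 0
 * without filling it (SMACK not in use, or — if its "allow missing" flag means
 * what it appears to — src carrying no label). mac_smack_apply() treats a NULL
 * label as "remove the attribute", so in that second case this function
 * strips any existing label from dest instead of leaving it alone. If that is
 * not the intended semantics, callers should check for a NULL label first.
 */
int mac_smack_copy(const char *dest, const char *src) {
        int r;
        _cleanup_free_ char *label = NULL;

        assert(dest);
        assert(src);

        r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
        if (r < 0)
                return r;

        r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
        if (r < 0)
                return r;

        return r;
}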
/*
 * NOTE(review): the signatures below repeat every function defined above and
 * appear to be the fallback definitions for builds without SMACK support
 * (presumably the #else branch of a build-time conditional). Their bodies and
 * the surrounding preprocessor lines are not visible in this listing, so what
 * they return cannot be stated from here — confirm against the upstream file.
 */
210 bool mac_smack_use(void) {
214 int mac_smack_read(const char *path
, SmackAttr attr
, char **label
) {
218 int mac_smack_read_fd(int fd
, SmackAttr attr
, char **label
) {
222 int mac_smack_apply(const char *path
, SmackAttr attr
, const char *label
) {
226 int mac_smack_apply_fd(int fd
, SmackAttr attr
, const char *label
) {
230 int mac_smack_apply_pid(pid_t pid
, const char *label
) {
234 int mac_smack_fix(const char *path
, bool ignore_enoent
, bool ignore_erofs
) {
238 int mac_smack_copy(const char *dest
, const char *src
) {