]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/smack-setup.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright (C) 2013 Intel Corporation
7 Nathaniel Chen <nathaniel.chen@intel.com>
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published
11 by the Free Software Foundation; either version 2.1 of the License,
12 or (at your option) any later version.
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
30 #include "alloc-util.h"
31 #include "dirent-util.h"
36 #include "smack-setup.h"
37 #include "string-util.h"
42 static int write_access2_rules(const char* srcdir
) {
43 _cleanup_close_
int load2_fd
= -1, change_fd
= -1;
44 _cleanup_closedir_
DIR *dir
= NULL
;
50 load2_fd
= open("/sys/fs/smackfs/load2", O_RDWR
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
53 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/load2': %m");
54 return -errno
; /* negative error */
57 change_fd
= open("/sys/fs/smackfs/change-rule", O_RDWR
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
60 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/change-rule': %m");
61 return -errno
; /* negative error */
64 /* write rules to load2 or change-rule from every file in the directory */
65 dir
= opendir(srcdir
);
68 log_warning_errno(errno
, "Failed to opendir '%s': %m", srcdir
);
69 return errno
; /* positive on purpose */
75 FOREACH_DIRENT(entry
, dir
, return 0) {
77 _cleanup_fclose_
FILE *policy
= NULL
;
79 if (!dirent_is_file(entry
))
82 fd
= openat(dfd
, entry
->d_name
, O_RDONLY
|O_CLOEXEC
);
86 log_warning_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
90 policy
= fdopen(fd
, "re");
95 log_error_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
99 /* load2 write rules in the kernel require a line buffered stream */
100 FOREACH_LINE(buf
, policy
,
101 log_error_errno(errno
, "Failed to read line from '%s': %m",
104 _cleanup_free_
char *sbj
= NULL
, *obj
= NULL
, *acc1
= NULL
, *acc2
= NULL
;
106 if (isempty(truncate_nl(buf
)))
109 /* if 3 args -> load rule : subject object access1 */
110 /* if 4 args -> change rule : subject object access1 access2 */
111 if (sscanf(buf
, "%ms %ms %ms %ms", &sbj
, &obj
, &acc1
, &acc2
) < 3) {
112 log_error_errno(errno
, "Failed to parse rule '%s' in '%s', ignoring.", buf
, entry
->d_name
);
116 if (write(isempty(acc2
) ? load2_fd
: change_fd
, buf
, strlen(buf
)) < 0) {
119 log_error_errno(errno
, "Failed to write '%s' to '%s' in '%s'",
120 buf
, isempty(acc2
) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule", entry
->d_name
);
128 static int write_cipso2_rules(const char* srcdir
) {
129 _cleanup_close_
int cipso2_fd
= -1;
130 _cleanup_closedir_
DIR *dir
= NULL
;
131 struct dirent
*entry
;
136 cipso2_fd
= open("/sys/fs/smackfs/cipso2", O_RDWR
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
139 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/cipso2': %m");
140 return -errno
; /* negative error */
143 /* write rules to cipso2 from every file in the directory */
144 dir
= opendir(srcdir
);
147 log_warning_errno(errno
, "Failed to opendir '%s': %m", srcdir
);
148 return errno
; /* positive on purpose */
154 FOREACH_DIRENT(entry
, dir
, return 0) {
156 _cleanup_fclose_
FILE *policy
= NULL
;
158 if (!dirent_is_file(entry
))
161 fd
= openat(dfd
, entry
->d_name
, O_RDONLY
|O_CLOEXEC
);
165 log_error_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
169 policy
= fdopen(fd
, "re");
174 log_error_errno(errno
, "Failed to open '%s': %m", entry
->d_name
);
178 /* cipso2 write rules in the kernel require a line buffered stream */
179 FOREACH_LINE(buf
, policy
,
180 log_error_errno(errno
, "Failed to read line from '%s': %m",
183 if (isempty(truncate_nl(buf
)))
186 if (write(cipso2_fd
, buf
, strlen(buf
)) < 0) {
189 log_error_errno(errno
, "Failed to write '%s' to '/sys/fs/smackfs/cipso2' in '%s'",
199 static int write_netlabel_rules(const char* srcdir
) {
200 _cleanup_fclose_
FILE *dst
= NULL
;
201 _cleanup_closedir_
DIR *dir
= NULL
;
202 struct dirent
*entry
;
207 dst
= fopen("/sys/fs/smackfs/netlabel", "we");
210 log_warning_errno(errno
, "Failed to open /sys/fs/smackfs/netlabel: %m");
211 return -errno
; /* negative error */
214 /* write rules to dst from every file in the directory */
215 dir
= opendir(srcdir
);
218 log_warning_errno(errno
, "Failed to opendir %s: %m", srcdir
);
219 return errno
; /* positive on purpose */
225 FOREACH_DIRENT(entry
, dir
, return 0) {
227 _cleanup_fclose_
FILE *policy
= NULL
;
229 fd
= openat(dfd
, entry
->d_name
, O_RDONLY
|O_CLOEXEC
);
233 log_warning_errno(errno
, "Failed to open %s: %m", entry
->d_name
);
237 policy
= fdopen(fd
, "re");
242 log_error_errno(errno
, "Failed to open %s: %m", entry
->d_name
);
246 /* load2 write rules in the kernel require a line buffered stream */
247 FOREACH_LINE(buf
, policy
,
248 log_error_errno(errno
, "Failed to read line from %s: %m",
250 if (!fputs_unlocked(buf
, dst
)) {
253 log_error_errno(errno
, "Failed to write line to /sys/fs/smackfs/netlabel");
259 log_error_errno(errno
, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m");
268 static int write_onlycap_list(void) {
269 _cleanup_close_
int onlycap_fd
= -1;
270 _cleanup_free_
char *list
= NULL
;
271 _cleanup_fclose_
FILE *f
= NULL
;
272 size_t len
= 0, allocated
= 0;
276 f
= fopen("/etc/smack/onlycap", "re");
279 log_warning_errno(errno
, "Failed to read '/etc/smack/onlycap'");
280 return errno
== ENOENT
? ENOENT
: -errno
;
283 FOREACH_LINE(buf
, f
, return -errno
) {
286 if (isempty(truncate_nl(buf
)) || strchr(COMMENTS
, *buf
))
290 if (!GREEDY_REALLOC(list
, allocated
, len
+ l
+ 1))
293 stpcpy(list
+ len
, buf
)[0] = ' ';
302 onlycap_fd
= open("/sys/fs/smackfs/onlycap", O_WRONLY
|O_CLOEXEC
|O_NONBLOCK
|O_NOCTTY
);
303 if (onlycap_fd
< 0) {
305 log_warning_errno(errno
, "Failed to open '/sys/fs/smackfs/onlycap'");
306 return -errno
; /* negative error */
309 r
= write(onlycap_fd
, list
, len
);
311 return log_error_errno(errno
, "Failed to write onlycap list(%s) to '/sys/fs/smackfs/onlycap'", list
);
318 int mac_smack_setup(bool *loaded_policy
) {
324 assert(loaded_policy
);
326 r
= write_access2_rules("/etc/smack/accesses.d/");
329 log_debug("Smack is not enabled in the kernel.");
332 log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
335 log_info("Successfully loaded Smack policies.");
338 log_warning_errno(r
, "Failed to load Smack access rules, ignoring: %m");
342 #ifdef SMACK_RUN_LABEL
343 r
= write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL
, 0);
345 log_warning_errno(r
, "Failed to set SMACK label \"" SMACK_RUN_LABEL
"\" on self: %m");
346 r
= write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL
, 0);
348 log_warning_errno(r
, "Failed to set SMACK ambient label \"" SMACK_RUN_LABEL
"\": %m");
349 r
= write_string_file("/sys/fs/smackfs/netlabel",
350 "0.0.0.0/0 " SMACK_RUN_LABEL
, 0);
352 log_warning_errno(r
, "Failed to set SMACK netlabel rule \"0.0.0.0/0 " SMACK_RUN_LABEL
"\": %m");
353 r
= write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO", 0);
355 log_warning_errno(r
, "Failed to set SMACK netlabel rule \"127.0.0.1 -CIPSO\": %m");
358 r
= write_cipso2_rules("/etc/smack/cipso.d/");
361 log_debug("Smack/CIPSO is not enabled in the kernel.");
364 log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
367 log_info("Successfully loaded Smack/CIPSO policies.");
370 log_warning_errno(r
, "Failed to load Smack/CIPSO access rules, ignoring: %m");
374 r
= write_netlabel_rules("/etc/smack/netlabel.d/");
377 log_debug("Smack/CIPSO is not enabled in the kernel.");
380 log_debug("Smack network host rules directory '/etc/smack/netlabel.d/' not found");
383 log_info("Successfully loaded Smack network host rules.");
386 log_warning_errno(r
, "Failed to load Smack network host rules: %m, ignoring.");
390 r
= write_onlycap_list();
393 log_debug("Smack is not enabled in the kernel.");
396 log_debug("Smack onlycap list file '/etc/smack/onlycap' not found");
399 log_info("Successfully wrote Smack onlycap list.");
402 log_emergency_errno(r
, "Failed to write Smack onlycap list.");
406 *loaded_policy
= true;