ls: with -Z, show SMACK security context

Enable showing of file SMACK security with '-Z' command-line switch
if SMACK is enabled.  Showing SMACK context of a file does not strictly
require SMACK to be enabled but this required to make choice whether to
show SELinux or SMACK security context.

* src/ls.c (getfilecon_cache): Retrieve SMACK context if available.
(gobble_file): Handle SMACK context similarly to SELinux context.
* src/local.mk: Link lsl with libsmack.
* NEWS: Mention the new feature.
* .mailmap: Merge the Author's 2 email addresses.

diff --git a/.mailmap b/.mailmap
index dcabcb5344704f71b989403f5cc75bc8c61428e4..b5cf17cf4318ad9ae6236b6bccdda7c23b49323b 100644 (file)
--- a/.mailmap
+++ b/.mailmap
@@ -26,6 +26,7 @@ Pádraig Brady <p@draigBrady.com> <P@draigBrady.com>
 <psfales@alcatel-lucent.com> <psfales@lucent.com>
 <karl@gnu.org> <karl@freefriends.org>
 <stephane.raimbault@gmail.com> <stephane.raimbault@makina-corpus.com>
+<jarkko.sakkinen@iki.fi> <jarkko.sakkinen@linux.intel.com>
 
 # Prefer spelled-out middle name and its address.
 Arne Henrik Juul <arnej@imf.unit.no> Arne H. Juul <arnej@solan.unit.no>

diff --git a/NEWS b/NEWS
index b728ec0074815352d9fc22ae5decd352f21267f7..320638504a9cd620412d83a4b6360d4244a8445b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -29,7 +29,7 @@ GNU coreutils NEWS                                    -*- outline -*-
 
 ** New features
 
-  id -Z reports the SMACK security context where available.
+  ls -Z and id -Z report the SMACK security context where available.
 
   join accepts a new option: --zero-terminated (-z). As with the sort,uniq
   option of the same name, this makes join consume and produce NUL-terminated

diff --git a/src/local.mk b/src/local.mk
index efb003880cddddbc1fc1d27336e87a33b91803dd..626d580de663aa3ef19575b283704e51723af1fa 100644 (file)
--- a/src/local.mk
+++ b/src/local.mk
@@ -230,6 +230,7 @@ src_ginstall_LDADD += $(LIB_SELINUX)
 src_id_LDADD += $(LIB_SELINUX)
 src_id_LDADD += $(LIB_SMACK)
 src_ls_LDADD += $(LIB_SELINUX)
+src_ls_LDADD += $(LIB_SMACK)
 src_mkdir_LDADD += $(LIB_SELINUX)
 src_mkfifo_LDADD += $(LIB_SELINUX)
 src_mknod_LDADD += $(LIB_SELINUX)

diff --git a/src/ls.c b/src/ls.c
index 72aee994f32874d9dd939683189156b15481d019..61324c3f43a84d32a6ce58ebc709145f0421c3db 100644 (file)
--- a/src/ls.c
+++ b/src/ls.c
@@ -115,6 +115,10 @@
 # include <sys/capability.h>
 #endif
 
+#ifdef HAVE_SMACK
+# include <sys/smack.h>
+#endif
+
 #define PROGRAM_NAME (ls_mode == LS_LS ? "ls" \
                       : (ls_mode == LS_MULTI_COL \
                          ? "dir" : "vdir"))
@@ -2757,7 +2761,14 @@ free_ent (struct fileinfo *f)
   free (f->name);
   free (f->linkname);
   if (f->scontext != UNKNOWN_SECURITY_CONTEXT)
-    freecon (f->scontext);
+    {
+#ifdef HAVE_SMACK
+      if (smack_smackfs_path ())
+        free (f->scontext);
+      else
+#endif
+        freecon (f->scontext);
+    }
 }
 
 /* Empty the table of files.  */
@@ -2812,9 +2823,16 @@ getfilecon_cache (char const *file, struct fileinfo *f, bool deref)
       errno = ENOTSUP;
       return -1;
     }
-  int r = (deref
-           ? getfilecon (file, &f->scontext)
-           : lgetfilecon (file, &f->scontext));
+  int r = 0;
+#ifdef HAVE_SMACK
+  if (smack_smackfs_path ())
+    r = smack_new_label_from_path (file, "security.SMACK64", deref,
+                                   &f->scontext);
+  else
+#endif
+    r = (deref
+         ? getfilecon (file, &f->scontext)
+         : lgetfilecon (file, &f->scontext));
   if (r < 0 && errno_unsupported (errno))
     unsupported_device = f->stat.st_dev;
   return r;
@@ -3005,13 +3023,20 @@ gobble_file (char const *name, enum filetype type, ino_t inode,
 
       if (format == long_format || print_scontext)
         {
-          bool have_selinux = false;
+          bool have_scontext = false;
           bool have_acl = false;
           int attr_len = getfilecon_cache (absolute_name, f, do_deref);
           err = (attr_len < 0);
 
           if (err == 0)
-            have_selinux = ! STREQ ("unlabeled", f->scontext);
+            {
+#ifdef HAVE_SMACK
+              if (smack_smackfs_path ())
+                have_scontext = ! STREQ ("_", f->scontext);
+              else
+#endif
+                have_scontext = ! STREQ ("unlabeled", f->scontext);
+            }
           else
             {
               f->scontext = UNKNOWN_SECURITY_CONTEXT;
@@ -3031,9 +3056,9 @@ gobble_file (char const *name, enum filetype type, ino_t inode,
               have_acl = (0 < n);
             }
 
-          f->acl_type = (!have_selinux && !have_acl
+          f->acl_type = (!have_scontext && !have_acl
                          ? ACL_T_NONE
-                         : (have_selinux && !have_acl
+                         : (have_scontext && !have_acl
                             ? ACL_T_SELINUX_ONLY
                             : ACL_T_YES));
           any_has_acl |= f->acl_type != ACL_T_NONE;