-#include "path-util.h"
-#include "selinux-util.h"
-#include "smack-util.h"
-
-#ifdef HAVE_SELINUX
-DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
-DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
-
-#define _cleanup_security_context_free_ _cleanup_(freeconp)
-#define _cleanup_context_free_ _cleanup_(context_freep)
-
-static struct selabel_handle *label_hnd = NULL;
-#endif
-
-static int smack_relabel_in_dev(const char *path) {
- int r = 0;
-
-#ifdef HAVE_SMACK
- struct stat sb;
- const char *label;
-
- /*
- * Path must be in /dev and must exist
- */
- if (!path_startswith(path, "/dev"))
- return 0;
-
- r = lstat(path, &sb);
- if (r < 0)
- return -errno;
-
- /*
- * Label directories and character devices "*".
- * Label symlinks "_".
- * Don't change anything else.
- */
- if (S_ISDIR(sb.st_mode))
- label = SMACK_STAR_LABEL;
- else if (S_ISLNK(sb.st_mode))
- label = SMACK_FLOOR_LABEL;
- else if (S_ISCHR(sb.st_mode))
- label = SMACK_STAR_LABEL;
- else
- return 0;
-
- r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
- if (r < 0) {
- log_error("Smack relabeling \"%s\" %m", path);
- return -errno;
- }
-#endif
-
- return r;
-}
-
-int label_init(const char *prefix) {
- int r = 0;
-
-#ifdef HAVE_SELINUX
- usec_t before_timestamp, after_timestamp;
- struct mallinfo before_mallinfo, after_mallinfo;
-
- if (!use_selinux())
- return 0;
-
- if (label_hnd)
- return 0;
-
- before_mallinfo = mallinfo();
- before_timestamp = now(CLOCK_MONOTONIC);
-
- if (prefix) {
- struct selinux_opt options[] = {
- { .type = SELABEL_OPT_SUBSET, .value = prefix },
- };
-
- label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
- } else
- label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-
- if (!label_hnd) {
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
- "Failed to initialize SELinux context: %m");
- r = security_getenforce() == 1 ? -errno : 0;
- } else {
- char timespan[FORMAT_TIMESPAN_MAX];
- int l;
-
- after_timestamp = now(CLOCK_MONOTONIC);
- after_mallinfo = mallinfo();
-
- l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
-
- log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
- format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
- (l+1023)/1024);
- }
-#endif
-
- return r;
-}
-
-static int label_fix_selinux(const char *path, bool ignore_enoent, bool ignore_erofs) {
- int r = 0;
-
-#ifdef HAVE_SELINUX
- struct stat st;
- security_context_t fcon;
-
- if (!label_hnd)
- return 0;
-
- r = lstat(path, &st);
- if (r == 0) {
- r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
-
- /* If there's no label to set, then exit without warning */
- if (r < 0 && errno == ENOENT)
- return 0;
-
- if (r == 0) {
- r = lsetfilecon(path, fcon);
- freecon(fcon);
-
- /* If the FS doesn't support labels, then exit without warning */
- if (r < 0 && errno == ENOTSUP)
- return 0;
- }
- }
-
- if (r < 0) {
- /* Ignore ENOENT in some cases */
- if (ignore_enoent && errno == ENOENT)
- return 0;
-
- if (ignore_erofs && errno == EROFS)
- return 0;
-
- log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
- "Unable to fix label of %s: %m", path);
- r = security_getenforce() == 1 ? -errno : 0;
- }
-#endif
-
- return r;
-}