smack-setup: enable Smack/CIPSO mapping
authorNathaniel Chen <nathaniel.chen@intel.com>
Tue, 12 Mar 2013 23:16:44 +0000 (16:16 -0700)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 16 Mar 2013 02:56:40 +0000 (22:56 -0400)
CIPSO is the Commercial IP Security Option, an IETF draft standard for carrying
a security label (level plus categories) in the IP header of packets a process sends.
In Smack kernels, CIPSO headers are mapped to Smack labels automatically, but the mapping can be changed.

This patch writes label/category mappings from /etc/smack/cipso/ to
/sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]...

For more information about Smack and CIPSO, see:
  https://kernel.org/doc/Documentation/security/Smack.txt

src/core/smack-setup.c

index 804678d..73eeb04 100644 (file)
@@ -40,6 +40,7 @@
 #include "label.h"
 
 #define SMACK_CONFIG "/etc/smack/accesses.d/"
+#define CIPSO_CONFIG "/etc/smack/cipso/"
 
 static int write_rules(const char* dstpath, const char* srcdir) {
         _cleanup_fclose_ FILE *dst = NULL;
@@ -124,9 +125,26 @@ int smack_setup(void) {
                 return 0;
         case 0:
                 log_info("Successfully loaded Smack policies.");
+                break;
+        default:
+                log_warning("Failed to load Smack access rules: %s, ignoring.",
+                            strerror(abs(r)));
+                return 0;
+        }
+
+        r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+        switch(r) {
+        case -ENOENT:
+                log_debug("Smack/CIPSO is not enabled in the kernel.");
+                return 0;
+        case ENOENT:
+                log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+                return 0;
+        case 0:
+                log_info("Successfully loaded Smack/CIPSO policies.");
                 return 0;
         default:
-                log_warning("Failed to load smack access rules: %s, ignoring.",
+                log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
                             strerror(abs(r)));
                 return 0;
         }
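Review bot: The CIPSO mapping is never attempted when the access-rules step bails out early, because the `return 0;` on the context line just above the new `case 0:` (presumably the ENOENT "rules directory not found" case, whose label is outside the hunk) leaves smack_setup() before the new `write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG)` call is reached. A system that ships /etc/smack/cipso/ but no /etc/smack/accesses.d/ therefore boots with the kernel's default label/CIPSO mapping and only a debug message to show for it; if that is not intended, that line should become `break;` so the CIPSO step still runs, while the -ENOENT "smackfs not mounted" case keeps its early return since cipso2 cannot exist without it. Every failure path in the new switch also returns 0 with at most a warning, so a malformed or partially written mapping file leaves the mapping in an unknown state without failing setup; that matches the existing access-rules handling, but it is worth a comment such as `/* policy load is best-effort: a bad CIPSO file degrades to the kernel defaults, see write_rules() */` so the fail-open behaviour is a documented choice rather than an accident. smack_setup() begins before this hunk.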