From: Lennart Poettering Date: Thu, 23 Oct 2014 16:06:51 +0000 (+0200) Subject: smack: rework smack APIs a bit X-Git-Tag: v217~105 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=d53e386db62ee7f03e7d493ae0e6db7a31a5d811 smack: rework smack APIs a bit a) always return negative errno error codes b) always become a noop if smack is off c) always take a NULL label as a request to remove it --- diff --git a/src/core/socket.c b/src/core/socket.c index abe829ade..780015012 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -807,6 +807,8 @@ static void socket_close_fds(Socket *s) { } static void socket_apply_socket_options(Socket *s, int fd) { + int r; + assert(s); assert(fd >= 0); @@ -894,7 +896,7 @@ static void socket_apply_socket_options(Socket *s, int fd) { log_warning_unit(UNIT(s)->id, "IP_TOS failed: %m"); if (s->ip_ttl >= 0) { - int r, x; + int x; r = setsockopt(fd, IPPROTO_IP, IP_TTL, &s->ip_ttl, sizeof(s->ip_ttl)); @@ -920,27 +922,34 @@ static void socket_apply_socket_options(Socket *s, int fd) { log_warning_unit(UNIT(s)->id, "SO_REUSEPORT failed: %m"); } - if (s->smack_ip_in) - if (mac_smack_apply_ip_in_fd(fd, s->smack_ip_in) < 0) - log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_in_fd: %m"); + if (s->smack_ip_in) { + r = mac_smack_apply_ip_in_fd(fd, s->smack_ip_in); + if (r < 0) + log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_in_fd: %s", strerror(-r)); + } - if (s->smack_ip_out) - if (mac_smack_apply_ip_out_fd(fd, s->smack_ip_out) < 0) - log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_out_fd: %m"); + if (s->smack_ip_out) { + r = mac_smack_apply_ip_out_fd(fd, s->smack_ip_out); + if (r < 0) + log_error_unit(UNIT(s)->id, "mac_smack_apply_ip_out_fd: %s", strerror(-r)); + } } static void socket_apply_fifo_options(Socket *s, int fd) { + int r; + assert(s); assert(fd >= 0); if (s->pipe_size > 0) if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0) - log_warning_unit(UNIT(s)->id, - "F_SETPIPE_SZ: %m"); + log_warning_unit(UNIT(s)->id, "F_SETPIPE_SZ: %m"); - if (s->smack) - if (mac_smack_apply_fd(fd, s->smack) < 0) - log_error_unit(UNIT(s)->id, "mac_smack_apply_fd: %m"); + if (s->smack) { + r = mac_smack_apply_fd(fd, s->smack); + if (r < 0) + log_error_unit(UNIT(s)->id, "mac_smack_apply_fd: %s", strerror(-r)); + } } static int fifo_address_create( diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c index 7726d69b0..4a94922a4 100644 --- a/src/shared/smack-util.c +++ b/src/shared/smack-util.c @@ -38,54 +38,86 @@ bool mac_smack_use(void) { #else return false; #endif - } int mac_smack_apply(const char *path, const char *label) { + int r = 0; + + assert(path); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; if (label) - return setxattr(path, "security.SMACK64", label, strlen(label), 0); + r = setxattr(path, "security.SMACK64", label, strlen(label), 0); else - return lremovexattr(path, "security.SMACK64"); -#else - return 0; + r = lremovexattr(path, "security.SMACK64"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_apply_fd(int fd, const char *label) { + int r = 0; + + assert(fd >= 0); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; - return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0); -#else - return 0; + if (label) + r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0); + else + r = fremovexattr(fd, "security.SMACK64"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_apply_ip_out_fd(int fd, const char *label) { + int r = 0; + + assert(fd >= 0); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; - return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0); -#else - return 0; + if (label) + r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0); + else + r = fremovexattr(fd, "security.SMACK64IPOUT"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_apply_ip_in_fd(int fd, const char *label) { + int r = 0; + + assert(fd >= 0); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; - return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0); -#else - return 0; + if (label) + r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0); + else + r = fremovexattr(fd, "security.SMACK64IPIN"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_fix(const char *path) { @@ -94,6 +126,13 @@ int mac_smack_fix(const char *path) { #ifdef HAVE_SMACK struct stat sb; const char *label; +#endif + + assert(path); + +#ifdef HAVE_SMACK + if (!mac_smack_use()) + return 0; /* * Path must be in /dev and must exist diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 803d80327..8d5bada5a 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -294,21 +294,25 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, /* apply SECLABEL{$module}=$label */ udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) { const char *name, *label; + int r; name = udev_list_entry_get_name(entry); label = udev_list_entry_get_value(entry); if (streq(name, "selinux")) { selinux = true; + if (mac_selinux_apply(devnode, label) < 0) - log_error("SECLABEL: failed to set SELinux label '%s'", label); + log_error("SECLABEL: failed to set SELinux label '%s': %s", label, strerror(-r)); else log_debug("SECLABEL: set SELinux label '%s'", label); } else if (streq(name, "smack")) { smack = true; - if (mac_smack_apply(devnode, label) < 0) - log_error("SECLABEL: failed to set SMACK label '%s'", label); + + r = mac_smack_apply(devnode, label); + if (r < 0) + log_error("SECLABEL: failed to set SMACK label '%s': %s", label, strerror(-r)); else log_debug("SECLABEL: set SMACK label '%s'", label);