From c26547d612733371494330e26c7d3604a5dba3d9 Mon Sep 17 00:00:00 2001
From: Kay Sievers
Date: Tue, 8 Oct 2013 01:59:10 +0200
Subject: [PATCH] udev: support custom Linux Security Module labels for device nodes
---
 man/udev.xml | 7 +++++++
 src/udev/udev-event.c | 4 +++-
 src/udev/udev-node.c | 40 +++++++++++++++++++++++++++++++++++-----
 src/udev/udev-rules.c | 31 +++++++++++++++++++++++++++++++
 src/udev/udev.h | 5 ++++-
 5 files changed, 80 insertions(+), 7 deletions(-)
diff --git a/man/udev.xml b/man/udev.xml
index f10748232..38acdf744 100644
--- a/man/udev.xml
+++ b/man/udev.xml
@@ -340,6 +340,13 @@
+ + SECLABEL{module} + + Applies the specified Linux Security Module label to the device node. + + + ATTR{key}
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
index 3db2cb716..c4603a0c0 100644
--- a/src/udev/udev-event.c
+++ b/src/udev/udev-event.c
@@ -47,6 +47,7 @@ struct udev_event *udev_event_new(struct udev_device *dev)
 event->dev = dev;
 event->udev = udev;
 udev_list_init(udev, &event->run_list, false);
+ udev_list_init(udev, &event->seclabel_list, false);
 event->fd_signal = -1;
 event->birth_usec = now(CLOCK_MONOTONIC);
 event->timeout_usec = 30 * 1000 * 1000;
@@ -58,6 +59,7 @@ void udev_event_unref(struct udev_event *event)
 if (event == NULL)
 return;
 udev_list_cleanup(&event->run_list);
+ udev_list_cleanup(&event->seclabel_list);
 free(event->program_result);
 free(event->name);
 free(event);
@@ -864,7 +866,7 @@ int udev_event_execute_rules(struct udev_event *event, struct udev_rules *rules,
 }
 apply = streq(udev_device_get_action(dev), "add") || event->owner_set || event->group_set || event->mode_set;
- udev_node_add(dev, apply, event->mode, event->uid, event->gid);
+ udev_node_add(dev, apply, event->mode, event->uid, event->gid, &event->seclabel_list);
 }
 /* preserve old, or get new initialization timestamp */
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 1148a1529..6c9bef331 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
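Review bot: `udev_list_init(udev, &event->seclabel_list, false)` creates the label list in non-unique mode, so a second `udev_list_entry_add(&event->seclabel_list, name, label)` for a module that already has an entry appends rather than replaces, and udev-node.c then applies every entry for that module in rule order. Because SECLABEL{module} is keyed by the module name, one label per module seems to be the intent; assuming udev_list's unique mode replaces the value of an existing name as it does for the other lists, `udev_list_init(udev, &event->seclabel_list, true);` would give "last assignment wins" without any change to the apply loop. If stacking several labels for one module is deliberate, a short comment on this init line saying so would spare the next reader the same question.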
@@ -28,6 +28,9 @@
 #include
 #include
 #include
+#ifdef HAVE_XATTR
+#include
+#endif
 #include "udev.h"
@@ -252,11 +255,13 @@ void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev
 }
 }
-static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
-{
+static int node_permissions_apply(struct udev_device *dev, bool apply,
+ mode_t mode, uid_t uid, gid_t gid,
+ struct udev_list *seclabel_list) {
 const char *devnode = udev_device_get_devnode(dev);
 dev_t devnum = udev_device_get_devnum(dev);
 struct stat stats;
+ struct udev_list_entry *entry;
 int err = 0;
 if (streq(udev_device_get_subsystem(dev), "block"))
@@ -285,7 +290,31 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mo
 } else {
 log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
 }
+ label_fix(devnode, true, false);
+
+ /* apply SECLABEL{$module}=$label */
+ udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
+ const char *name, *label;
+
+ name = udev_list_entry_get_name(entry);
+ label = udev_list_entry_get_value(entry);
+
+ if (streq(name, "selinux")) {
+ /* FIXME: hook up libselinux */
+ log_error("SECLABEL: failed to set selinux label '%s'", label);
+
+ } else if (streq(name, "smack")) {
+#ifdef HAVE_XATTR
+ if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
+ log_error("SECLABEL: failed to set SMACK label '%s'", label);
+ else
+ log_debug("SECLABEL: set SMACK label '%s'", label);
+#endif
+
+ } else
+ log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
+ }
 }
 /* always update timestamp when we re-use the node, like on media change events */
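Review bot: When HAVE_XATTR is not defined the `smack` branch compiles to an empty block, so a rule that asks for a SMACK label on a device node is dropped with no log line at all, and node_permissions_apply still returns `err` untouched (it is initialised to 0 above and never set inside the loop), so udev_node_add proceeds as if the label had been applied. A label that policy requested but the node never received is what an operator most needs to see, so add an `#else` arm such as `log_error("SECLABEL: SMACK label '%s' requested but xattr support is not compiled in\n", label);`, and consider recording the lsetxattr failure (and the selinux FIXME case, which also only logs) in `err` or a dedicated flag instead of treating it as success. The new `log_error` calls also omit the trailing `\n` that the other log calls in this function carry and do not record why lsetxattr failed; `log_error("SECLABEL: failed to set SMACK label '%s': %m\n", label);` keeps the file's style and preserves errno in the message. The function's body continues past the end of this hunk.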
@@ -294,15 +323,16 @@ out:
 return err;
 }
-void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
-{
+void udev_node_add(struct udev_device *dev, bool apply,
+ mode_t mode, uid_t uid, gid_t gid,
+ struct udev_list *seclabel_list) {
 char filename[UTIL_PATH_SIZE];
 struct udev_list_entry *list_entry;
 log_debug("handling device node '%s', devnum=%s, mode=%#o, uid=%d, gid=%d\n", udev_device_get_devnode(dev), udev_device_get_id_filename(dev), mode, uid, gid);
- if (node_permissions_apply(dev, apply, mode, uid, gid) < 0)
+ if (node_permissions_apply(dev, apply, mode, uid, gid, seclabel_list) < 0)
 return;
 /* always add /dev/{block,char}/$major:$minor */
diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
index 6f8b12787..9d9529a0f 100644
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@@ -156,6 +156,7 @@ enum token_type {
 TK_A_MODE_ID, /* mode_t */
 TK_A_TAG, /* val */
 TK_A_STATIC_NODE, /* val */
+ TK_A_SECLABEL, /* val, attr */
 TK_A_ENV, /* val, attr */
 TK_A_NAME, /* val */
 TK_A_DEVLINK, /* val */
@@ -291,6 +292,7 @@ static const char *token_str(enum token_type type)
 [TK_A_OWNER_ID] = "A OWNER_ID",
 [TK_A_GROUP_ID] = "A GROUP_ID",
 [TK_A_STATIC_NODE] = "A STATIC_NODE",
+ [TK_A_SECLABEL] = "A SECLABEL",
 [TK_A_MODE_ID] = "A MODE_ID",
 [TK_A_ENV] = "A ENV",
 [TK_A_TAG] = "A ENV",
@@ -399,6 +401,9 @@ static void dump_token(struct udev_rules *rules, struct token *token)
 case TK_A_STATIC_NODE:
 log_debug("%s '%s'\n", token_str(type), value);
 break;
+ case TK_A_SECLABEL:
+ log_debug("%s %s '%s' '%s'\n", token_str(type), operation_str(op), attr, value);
+ break;
 case TK_M_EVENT_TIMEOUT:
 log_debug("%s %u\n", token_str(type), token->key.event_timeout);
 break;
@@ -911,6 +916,7 @@ static int rule_add_key(struct rule_tmp *rule_tmp, enum token_type type,
 case TK_M_ATTRS:
 case TK_A_ATTR:
 case TK_A_ENV:
+ case TK_A_SECLABEL:
 attr = data;
 token->key.value_off = rules_add_string(rule_tmp->rules, value);
 token->key.attr_off = rules_add_string(rule_tmp->rules, attr);
@@ -1158,6 +1164,17 @@ static int add_rule(struct udev_rules *rules, char *line,
 continue;
 }
+ if (startswith(key, "SECLABEL{")) {
+ attr = get_key_attribute(rules->udev, key + sizeof("SECLABEL")-1);
+ if (!attr) {
+ log_error("error parsing SECLABEL attribute\n");
+ goto invalid;
+ }
+
+ rule_add_key(&rule_tmp, TK_A_SECLABEL, op, value, attr);
+ continue;
+ }
+
 if (streq(key, "KERNELS")) {
 if (op > OP_MATCH_MAX) {
 log_error("invalid KERNELS operation\n");
@@ -2329,6 +2346,20 @@ int udev_rules_apply_to_event(struct udev_rules *rules, struct udev_event *event
 rules_str(rules, rule->rule.filename_off), rule->rule.filename_line);
 break;
+ case TK_A_SECLABEL: {
+ const char *name, *label;
+
+ name = rules_str(rules, cur->key.attr_off);
+ label = rules_str(rules, cur->key.value_off);
+ if (cur->key.op == OP_ASSIGN || cur->key.op == OP_ASSIGN_FINAL)
+ udev_list_cleanup(&event->seclabel_list);
+ udev_list_entry_add(&event->seclabel_list, name, label);
+ log_debug("SECLABEL{%s}='%s' %s:%u\n",
+ name, label,
+ rules_str(rules, rule->rule.filename_off),
+ rule->rule.filename_line);
+ break;
+ }
 case TK_A_ENV: {
 const char *name = rules_str(rules, cur->key.attr_off);
 char *value = rules_str(rules, cur->key.value_off);
diff --git a/src/udev/udev.h b/src/udev/udev.h
index 839592680..ed8b1834c 100644
--- a/src/udev/udev.h
+++ b/src/udev/udev.h
@@ -39,6 +39,7 @@ struct udev_event {
 mode_t mode;
 uid_t uid;
 gid_t gid;
+ struct udev_list seclabel_list;
 struct udev_list run_list;
 int exec_delay;
 usec_t birth_usec;
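Review bot: The new `SECLABEL{` branch in add_rule never validates `op`, so a rule written with a match operator, e.g. `SECLABEL{smack}=="foo"`, is accepted as a TK_A_SECLABEL token whose op is neither OP_ASSIGN nor OP_ASSIGN_FINAL and is therefore appended to the list in udev_rules_apply_to_event exactly like `+=`, turning what reads as a test into a label assignment. The KERNELS branch directly below guards its operator with `if (op > OP_MATCH_MAX)`; the assignment-only mirror for this key is `if (op < OP_MATCH_MAX) { log_error("invalid SECLABEL operation\n"); goto invalid; }` placed before the rule_add_key call, and a remove operator, if the file defines one, deserves the same rejection since the apply code has no remove path. add_rule's body starts and ends outside this hunk.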
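Review bot: In the TK_A_SECLABEL case, `udev_list_cleanup(&event->seclabel_list)` on `=` or `:=` empties the whole list, not just the entry for the module being assigned, so `SECLABEL{smack}="a"` followed in a later rule by `SECLABEL{selinux}="b"` leaves only the selinux label and silently discards the SMACK one. If replacing every pending label is intended, the udev.xml entry in this patch should say that `=` clears labels for all modules; otherwise drop only the entry whose name matches, or keep one entry per module so the add replaces the value in place. OP_ASSIGN_FINAL is also treated identically to OP_ASSIGN here, so nothing stops a later rule from clearing or extending the list after `:=`; the other assignments in this function appear (outside the hunk) to track a final flag, and a comment such as `/* '=' and ':=' replace all pending labels; ':=' is not yet final */` on the `if` would at least make the current semantics explicit.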
@@ -95,7 +96,9 @@ void udev_watch_end(struct udev *udev, struct udev_device *dev);
 struct udev_device *udev_watch_lookup(struct udev *udev, int wd);
 /* udev-node.c */
-void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid);
+void udev_node_add(struct udev_device *dev, bool apply,
+ mode_t mode, uid_t uid, gid_t gid,
+ struct udev_list *seclabel_list);
 void udev_node_remove(struct udev_device *dev);
 void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev_old);
--
2.30.2