1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Intel Corporation
8 Author: Auke Kok <auke-jan.h.kok@intel.com>
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/xattr.h>
27 #include "process-util.h"
28 #include "path-util.h"
30 #include "smack-util.h"
33 bool mac_smack_use(void) {
34 static int cached_use = -1;
37 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
42 /// UNNEEDED by elogind
44 static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
45 [SMACK_ATTR_ACCESS] = "security.SMACK64",
46 [SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
47 [SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
48 [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
49 [SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
50 [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
53 DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
55 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
57 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
63 return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
66 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
68 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
74 return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
77 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
81 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
87 r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
89 r = lremovexattr(path, smack_attr_to_string(attr));
96 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
100 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
102 if (!mac_smack_use())
106 r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
108 r = fremovexattr(fd, smack_attr_to_string(attr));
115 int mac_smack_apply_pid(pid_t pid, const char *label) {
121 if (!mac_smack_use())
124 p = procfs_file_alloca(pid, "attr/current");
125 r = write_string_file(p, label, 0);
133 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
139 if (!mac_smack_use())
143 * Path must be in /dev and must exist
145 if (!path_startswith(path, "/dev"))
148 r = lstat(path, &st);
153 * Label directories and character devices "*".
154 * Label symlinks "_".
155 * Don't change anything else.
158 if (S_ISDIR(st.st_mode))
159 label = SMACK_STAR_LABEL;
160 else if (S_ISLNK(st.st_mode))
161 label = SMACK_FLOOR_LABEL;
162 else if (S_ISCHR(st.st_mode))
163 label = SMACK_STAR_LABEL;
167 r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
169 /* If the FS doesn't support labels, then exit without warning */
170 if (r < 0 && errno == EOPNOTSUPP)
175 /* Ignore ENOENT in some cases */
176 if (ignore_enoent && errno == ENOENT)
179 if (ignore_erofs && errno == EROFS)
182 r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
188 /// UNNEEDED by elogind
190 int mac_smack_copy(const char *dest, const char *src) {
192 _cleanup_free_ char *label = NULL;
197 r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
201 r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
210 bool mac_smack_use(void) {
214 /// UNNEEDED by elogind
216 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
220 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
224 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
228 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
232 int mac_smack_apply_pid(pid_t pid, const char *label) {
237 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
241 /// UNNEEDED by elogind
243 int mac_smack_copy(const char *dest, const char *src) {