1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Intel Corporation
8 Author: Auke Kok <auke-jan.h.kok@intel.com>
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/xattr.h>
27 #include "path-util.h"
28 #include "smack-util.h"
/* The two special Smack labels this file writes. Per the kernel's Smack
 * documentation, any access to an object labelled "*" is permitted, and an
 * object labelled "_" grants read and execute access to every subject.
 * Labelling something "*" therefore removes Smack restrictions on it and
 * leaves only the ordinary permission bits in force. */
30 #define SMACK_FLOOR_LABEL "_"
31 #define SMACK_STAR_LABEL "*"
/* Reports whether Smack is available, judged by whether /sys/fs/smackfs/
 * exists. The answer is kept in a function-local static that starts at -1.
 *
 * NOTE(review): the guard around the probe and the return statement are not
 * part of this excerpt. Presumably the probe runs only while cached_use is
 * still negative; if so, the decision is made once per process, and a
 * smackfs that appears later would leave the labelling helpers disabled.
 * Confirm against the full file. */
33 bool mac_smack_use(void) {
35 static int cached_use = -1;
/* access() returns 0 on success, so the comparison yields 1 or 0. */
38 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
/* Sets or removes the security.SMACK64 extended attribute on path.
 * lsetxattr()/lremovexattr() act on a symlink itself rather than on its
 * target, so the final path component is never followed.
 *
 * NOTE(review): the condition choosing between the two calls is not in this
 * excerpt; presumably a NULL label selects removal. strlen(label) requires a
 * non-NULL label, so the set branch must be reached only with one. Confirm.
 * No label validation is visible here; the kernel is the one rejecting
 * malformed labels. Intermediate path components are still resolved at call
 * time, so callers handling paths that an untrusted party can rearrange
 * should prefer mac_smack_apply_fd() on an already opened descriptor. */
46 int mac_smack_apply(const char *path, const char *label) {
/* The length passed is strlen(label): the trailing NUL is not stored. */
56 r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
58 r = lremovexattr(path, "security.SMACK64");
/* Descriptor-based variant: sets or removes security.SMACK64 on the object
 * that fd refers to, so the label lands on the opened object whatever
 * happens to its path afterwards.
 *
 * NOTE(review): the branch selecting set versus remove is not in this
 * excerpt; presumably a NULL label selects removal. Confirm, since
 * strlen(label) must not see NULL. */
66 int mac_smack_apply_fd(int fd, const char *label) {
/* Flags 0: create the attribute or replace an existing one. */
76 r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
78 r = fremovexattr(fd, "security.SMACK64");
/* Sets or removes security.SMACK64IPOUT on fd. Per the kernel's Smack
 * documentation this attribute is the label attached to packets leaving a
 * socket, so fd is presumably a socket; confirm against callers.
 *
 * NOTE(review): the branch selecting set versus remove is not in this
 * excerpt; presumably a NULL label selects removal. The label decides how
 * peers' Smack rules treat this socket's traffic, so callers should take it
 * from trusted configuration only. */
86 int mac_smack_apply_ip_out_fd(int fd, const char *label) {
96 r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
98 r = fremovexattr(fd, "security.SMACK64IPOUT");
/* Sets or removes security.SMACK64IPIN on fd. Per the kernel's Smack
 * documentation this attribute is the label used as the object label when
 * incoming packets are checked against the socket, so fd is presumably a
 * socket; confirm against callers.
 *
 * NOTE(review): the statement executed when Smack is not in use and the
 * branch selecting set versus remove are not in this excerpt. */
106 int mac_smack_apply_ip_in_fd(int fd, const char *label) {
/* Skip the xattr calls entirely on systems without Smack. */
112 if (!mac_smack_use())
116 r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
118 r = fremovexattr(fd, "security.SMACK64IPIN");
/* Resets the security.SMACK64 label of a node under /dev according to its
 * file type: directories and character devices get "*", symlinks get "_".
 * ignore_enoent and ignore_erofs let the caller tolerate ENOENT and EROFS
 * from the labelling call.
 *
 * NOTE(review): several lines of this function, including its return
 * statements and its end, are not part of this excerpt. Points to confirm
 * against the full file:
 *  - label must be assigned on every path that reaches lsetxattr(); the
 *    branch for other file types ("Don't change anything else") is not
 *    shown.
 *  - lstat() and lsetxattr() each resolve path on their own, so the object
 *    labelled can differ from the one inspected if entries under /dev can
 *    be replaced in between. Neither call follows a final symlink.
 *  - whether path_startswith() rejects ".." components is not visible
 *    here; callers should pass normalised paths. */
126 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
/* Nothing to label on systems without Smack. */
134 if (!mac_smack_use())
138 * Path must be in /dev and must exist
140 if (!path_startswith(path, "/dev"))
/* lstat(), not stat(): a symlink is classified as a symlink. */
143 r = lstat(path, &st);
148 * Label directories and character devices "*".
149 * Label symlinks "_".
150 * Don't change anything else.
153 if (S_ISDIR(st.st_mode))
154 label = SMACK_STAR_LABEL;
155 else if (S_ISLNK(st.st_mode))
156 label = SMACK_FLOOR_LABEL;
157 else if (S_ISCHR(st.st_mode))
158 label = SMACK_STAR_LABEL;
/* The length passed is strlen(label): the trailing NUL is not stored. */
162 r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
164 /* If the FS doesn't support labels, then exit without warning */
165 if (r < 0 && errno == ENOTSUP)
170 /* Ignore ENOENT in some cases */
171 if (ignore_enoent && errno == ENOENT)
174 if (ignore_erofs && errno == EROFS)
/* %m expands to the message for the current errno. The failure is logged
 * at debug level only, so an unlabelled node is easy to miss. */
177 log_debug("Unable to fix SMACK label of %s: %m", path);