#include "macro.h"
#include "smack-setup.h"
#include "util.h"
+#include "fileio.h"
#include "log.h"
#include "label.h"
#define SMACK_CONFIG "/etc/smack/accesses.d/"
+#define CIPSO_CONFIG "/etc/smack/cipso.d/"
+
+#ifdef HAVE_SMACK
static int write_rules(const char* dstpath, const char* srcdir) {
_cleanup_fclose_ FILE *dst = NULL;
if (!policy) {
if (r == 0)
r = -errno;
- close_nointr_nofail(fd);
+ safe_close(fd);
log_error("Failed to open %s: %m", entry->d_name);
continue;
}
return r;
}
+#endif
+
+int smack_setup(bool *loaded_policy) {
+
+#ifdef HAVE_SMACK
-int smack_setup(void) {
int r;
+ assert(loaded_policy);
+
r = write_rules("/sys/fs/smackfs/load2", SMACK_CONFIG);
switch(r) {
case -ENOENT:
return 0;
case 0:
log_info("Successfully loaded Smack policies.");
+ break;
+ default:
+ log_warning("Failed to load Smack access rules: %s, ignoring.",
+ strerror(abs(r)));
+ return 0;
+ }
+
+#ifdef SMACK_RUN_LABEL
+ r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL);
+ if (r)
+ log_warning("Failed to set SMACK label \"%s\" on self: %s",
+ SMACK_RUN_LABEL, strerror(-r));
+#endif
+
+ r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+ switch(r) {
+ case -ENOENT:
+ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
+ case ENOENT:
+ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+ return 0;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
return 0;
default:
- log_warning("Failed to load smack access rules: %s, ignoring.",
+ log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
strerror(abs(r)));
return 0;
}
+
+ *loaded_policy = true;
+
+#endif
+
+ return 0;
}
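Review bot: The added `*loaded_policy = true;` after the CIPSO switch is unreachable, because every arm of that switch (`-ENOENT`, `ENOENT`, `0` and `default`) ends in `return 0;`. The caller is therefore never told that a policy was loaded, even when both `write_rules` calls succeed. Since every load failure here is only logged and ignored, that flag is the one signal the caller gets about whether Smack rules are actually in place. End the CIPSO `case 0:` arm with `break;` instead of `return 0;`, or, if loaded access rules alone should count, move the assignment to just after the first switch. Separately, `case ENOENT:` with a positive value only fires if `write_rules` returns a positive errno for a missing source directory; that part of `write_rules` is not visible here, so if that is the convention it deserves a comment such as `/* write_rules() returns positive ENOENT when srcdir is missing */`.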