1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2013 Intel Corporation
7 Author: Auke Kok <auke-jan.h.kok@intel.com>
14 #include <sys/xattr.h>
17 #include "alloc-util.h"
18 //#include "fd-util.h"
22 #include "path-util.h"
23 #include "process-util.h"
24 #include "smack-util.h"
25 //#include "stdio-util.h"
26 #include "string-table.h"
27 #include "xattr-util.h"
30 bool mac_smack_use(void) {
31 static int cached_use = -1;
34 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
39 #if 0 /// UNNEEDED by elogind
40 static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
41 [SMACK_ATTR_ACCESS] = "security.SMACK64",
42 [SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
43 [SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
44 [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
45 [SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
46 [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
49 DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
51 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
53 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
59 return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
62 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
64 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
70 return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
73 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
77 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
83 r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
85 r = lremovexattr(path, smack_attr_to_string(attr));
92 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
96 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
102 r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
104 r = fremovexattr(fd, smack_attr_to_string(attr));
111 int mac_smack_apply_pid(pid_t pid, const char *label) {
117 if (!mac_smack_use())
120 p = procfs_file_alloca(pid, "attr/current");
121 r = write_string_file(p, label, 0);
129 int mac_smack_fix(const char *path, LabelFixFlags flags) {
130 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
131 _cleanup_close_ int fd = -1;
138 if (!mac_smack_use())
141 /* Path must be in /dev. Note that this check is pretty sloppy, as we might be called with non-normalized paths
142 * and hence not detect all cases of /dev. */
144 if (path_is_absolute(path)) {
145 if (!path_startswith(path, "/dev"))
148 _cleanup_free_ char *cwd = NULL;
150 r = safe_getcwd(&cwd);
154 if (!path_startswith(cwd, "/dev"))
158 fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
160 if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
166 if (fstat(fd, &st) < 0)
170 * Label directories and character devices "*".
171 * Label symlinks "_".
172 * Don't change anything else.
175 if (S_ISDIR(st.st_mode))
176 label = SMACK_STAR_LABEL;
177 else if (S_ISLNK(st.st_mode))
178 label = SMACK_FLOOR_LABEL;
179 else if (S_ISCHR(st.st_mode))
180 label = SMACK_STAR_LABEL;
184 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
185 if (setxattr(procfs_path, "security.SMACK64", label, strlen(label), 0) < 0) {
186 _cleanup_free_ char *old_label = NULL;
190 /* If the FS doesn't support labels, then exit without warning */
191 if (r == -EOPNOTSUPP)
194 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
195 if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
198 /* If the old label is identical to the new one, suppress any kind of error */
199 if (getxattr_malloc(procfs_path, "security.SMACK64", &old_label, false) >= 0 &&
200 streq(old_label, label))
203 return log_debug_errno(r, "Unable to fix SMACK label of %s: %m", path);
209 #if 0 /// UNNEEDED by elogind
210 int mac_smack_copy(const char *dest, const char *src) {
212 _cleanup_free_ char *label = NULL;
217 r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
221 r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
230 bool mac_smack_use(void) {
234 #if 0 /// UNNEEDED by elogind
235 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
239 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
243 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
247 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
251 int mac_smack_apply_pid(pid_t pid, const char *label) {
256 int mac_smack_fix(const char *path, LabelFixFlags flags) {
260 #if 0 /// UNNEEDED by elogind
261 int mac_smack_copy(const char *dest, const char *src) {