1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Intel Corporation
8 Author: Auke Kok <auke-jan.h.kok@intel.com>
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/xattr.h>
27 #include "process-util.h"
28 #include "path-util.h"
30 #include "smack-util.h"
32 #define SMACK_FLOOR_LABEL "_"
33 #define SMACK_STAR_LABEL "*"
36 bool mac_smack_use(void) {
37 static int cached_use = -1;
40 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
45 static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
46 [SMACK_ATTR_ACCESS] = "security.SMACK64",
47 [SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
48 [SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
49 [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
50 [SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
51 [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
54 DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
56 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
58 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
64 return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
67 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
69 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
75 return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
78 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
82 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
88 r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
90 r = lremovexattr(path, smack_attr_to_string(attr));
97 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
101 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
103 if (!mac_smack_use())
107 r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
109 r = fremovexattr(fd, smack_attr_to_string(attr));
116 int mac_smack_apply_pid(pid_t pid, const char *label) {
122 if (!mac_smack_use())
125 p = procfs_file_alloca(pid, "attr/current");
126 r = write_string_file(p, label, 0);
133 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
139 if (!mac_smack_use())
143 * Path must be in /dev and must exist
145 if (!path_startswith(path, "/dev"))
148 r = lstat(path, &st);
153 * Label directories and character devices "*".
154 * Label symlinks "_".
155 * Don't change anything else.
158 if (S_ISDIR(st.st_mode))
159 label = SMACK_STAR_LABEL;
160 else if (S_ISLNK(st.st_mode))
161 label = SMACK_FLOOR_LABEL;
162 else if (S_ISCHR(st.st_mode))
163 label = SMACK_STAR_LABEL;
167 r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
169 /* If the FS doesn't support labels, then exit without warning */
170 if (r < 0 && errno == EOPNOTSUPP)
175 /* Ignore ENOENT in some cases */
176 if (ignore_enoent && errno == ENOENT)
179 if (ignore_erofs && errno == EROFS)
182 r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
190 bool mac_smack_use(void) {
194 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
198 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
202 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
206 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
210 int mac_smack_apply_pid(pid_t pid, const char *label) {
214 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
~ianmdlvl / elogind.git / blob