1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2013 Intel Corporation
8 Author: Auke Kok <auke-jan.h.kok@intel.com>
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published by
12 the Free Software Foundation; either version 2.1 of the License, or
13 (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 #include <sys/xattr.h>
27 #include "process-util.h"
28 #include "path-util.h"
30 #include "smack-util.h"
33 bool mac_smack_use(void) {
34 static int cached_use = -1;
37 cached_use = access("/sys/fs/smackfs/", F_OK) >= 0;
42 static const char* const smack_attr_table[_SMACK_ATTR_MAX] = {
43 [SMACK_ATTR_ACCESS] = "security.SMACK64",
44 [SMACK_ATTR_EXEC] = "security.SMACK64EXEC",
45 [SMACK_ATTR_MMAP] = "security.SMACK64MMAP",
46 [SMACK_ATTR_TRANSMUTE] = "security.SMACK64TRANSMUTE",
47 [SMACK_ATTR_IPIN] = "security.SMACK64IPIN",
48 [SMACK_ATTR_IPOUT] = "security.SMACK64IPOUT",
51 DEFINE_STRING_TABLE_LOOKUP(smack_attr, SmackAttr);
53 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
55 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
61 return getxattr_malloc(path, smack_attr_to_string(attr), label, true);
64 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
66 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
72 return fgetxattr_malloc(fd, smack_attr_to_string(attr), label);
75 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
79 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
85 r = lsetxattr(path, smack_attr_to_string(attr), label, strlen(label), 0);
87 r = lremovexattr(path, smack_attr_to_string(attr));
94 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
98 assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
100 if (!mac_smack_use())
104 r = fsetxattr(fd, smack_attr_to_string(attr), label, strlen(label), 0);
106 r = fremovexattr(fd, smack_attr_to_string(attr));
113 int mac_smack_apply_pid(pid_t pid, const char *label) {
119 if (!mac_smack_use())
122 p = procfs_file_alloca(pid, "attr/current");
123 r = write_string_file(p, label, 0);
130 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
136 if (!mac_smack_use())
140 * Path must be in /dev and must exist
142 if (!path_startswith(path, "/dev"))
145 r = lstat(path, &st);
150 * Label directories and character devices "*".
151 * Label symlinks "_".
152 * Don't change anything else.
155 if (S_ISDIR(st.st_mode))
156 label = SMACK_STAR_LABEL;
157 else if (S_ISLNK(st.st_mode))
158 label = SMACK_FLOOR_LABEL;
159 else if (S_ISCHR(st.st_mode))
160 label = SMACK_STAR_LABEL;
164 r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
166 /* If the FS doesn't support labels, then exit without warning */
167 if (r < 0 && errno == EOPNOTSUPP)
172 /* Ignore ENOENT in some cases */
173 if (ignore_enoent && errno == ENOENT)
176 if (ignore_erofs && errno == EROFS)
179 r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
185 int mac_smack_copy(const char *dest, const char *src) {
187 _cleanup_free_ char *label = NULL;
192 r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
196 r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
204 bool mac_smack_use(void) {
208 int mac_smack_read(const char *path, SmackAttr attr, char **label) {
212 int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
216 int mac_smack_apply(const char *path, SmackAttr attr, const char *label) {
220 int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
224 int mac_smack_apply_pid(pid_t pid, const char *label) {
228 int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
232 int mac_smack_copy(const char *dest, const char *src) {