</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>SECLABEL{<replaceable>module</replaceable>}</varname></term>
+ <listitem>
+ <para>Applies the specified Linux Security Module label to the device node.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>ATTR{<replaceable>key</replaceable>}</varname></term>
<listitem>
event->dev = dev;
event->udev = udev;
udev_list_init(udev, &event->run_list, false);
+ udev_list_init(udev, &event->seclabel_list, false);
event->fd_signal = -1;
event->birth_usec = now(CLOCK_MONOTONIC);
event->timeout_usec = 30 * 1000 * 1000;
if (event == NULL)
return;
udev_list_cleanup(&event->run_list);
+ udev_list_cleanup(&event->seclabel_list);
free(event->program_result);
free(event->name);
free(event);
}
apply = streq(udev_device_get_action(dev), "add") || event->owner_set || event->group_set || event->mode_set;
- udev_node_add(dev, apply, event->mode, event->uid, event->gid);
+ udev_node_add(dev, apply, event->mode, event->uid, event->gid, &event->seclabel_list);
}
/* preserve old, or get new initialization timestamp */
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/types.h>
+#ifdef HAVE_XATTR
+#include <attr/xattr.h>
+#endif
#include "udev.h"
}
}
-static int node_permissions_apply(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
-{
+static int node_permissions_apply(struct udev_device *dev, bool apply,
+ mode_t mode, uid_t uid, gid_t gid,
+ struct udev_list *seclabel_list) {
const char *devnode = udev_device_get_devnode(dev);
dev_t devnum = udev_device_get_devnum(dev);
struct stat stats;
+ struct udev_list_entry *entry;
int err = 0;
if (streq(udev_device_get_subsystem(dev), "block"))
} else {
log_debug("preserve permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
}
+
label_fix(devnode, true, false);
+
+ /* apply SECLABEL{$module}=$label */
+ udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
+ const char *name, *label;
+
+ name = udev_list_entry_get_name(entry);
+ label = udev_list_entry_get_value(entry);
+
+ if (streq(name, "selinux")) {
+ /* FIXME: hook up libselinux */
+ log_error("SECLABEL: failed to set selinux label '%s'", label);
+
+ } else if (streq(name, "smack")) {
+#ifdef HAVE_XATTR
+ if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
+ log_error("SECLABEL: failed to set SMACK label '%s'", label);
+ else
+ log_debug("SECLABEL: set SMACK label '%s'", label);
+#endif
+
+ } else
+ log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
+ }
}
/* always update timestamp when we re-use the node, like on media change events */
return err;
}
-void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid)
-{
+void udev_node_add(struct udev_device *dev, bool apply,
+ mode_t mode, uid_t uid, gid_t gid,
+ struct udev_list *seclabel_list) {
char filename[UTIL_PATH_SIZE];
struct udev_list_entry *list_entry;
log_debug("handling device node '%s', devnum=%s, mode=%#o, uid=%d, gid=%d\n",
udev_device_get_devnode(dev), udev_device_get_id_filename(dev), mode, uid, gid);
- if (node_permissions_apply(dev, apply, mode, uid, gid) < 0)
+ if (node_permissions_apply(dev, apply, mode, uid, gid, seclabel_list) < 0)
return;
/* always add /dev/{block,char}/$major:$minor */
TK_A_MODE_ID, /* mode_t */
TK_A_TAG, /* val */
TK_A_STATIC_NODE, /* val */
+ TK_A_SECLABEL, /* val, attr */
TK_A_ENV, /* val, attr */
TK_A_NAME, /* val */
TK_A_DEVLINK, /* val */
[TK_A_OWNER_ID] = "A OWNER_ID",
[TK_A_GROUP_ID] = "A GROUP_ID",
[TK_A_STATIC_NODE] = "A STATIC_NODE",
+ [TK_A_SECLABEL] = "A SECLABEL",
[TK_A_MODE_ID] = "A MODE_ID",
[TK_A_ENV] = "A ENV",
[TK_A_TAG] = "A ENV",
case TK_A_STATIC_NODE:
log_debug("%s '%s'\n", token_str(type), value);
break;
+ case TK_A_SECLABEL:
+ log_debug("%s %s '%s' '%s'\n", token_str(type), operation_str(op), attr, value);
+ break;
case TK_M_EVENT_TIMEOUT:
log_debug("%s %u\n", token_str(type), token->key.event_timeout);
break;
case TK_M_ATTRS:
case TK_A_ATTR:
case TK_A_ENV:
+ case TK_A_SECLABEL:
attr = data;
token->key.value_off = rules_add_string(rule_tmp->rules, value);
token->key.attr_off = rules_add_string(rule_tmp->rules, attr);
continue;
}
+ if (startswith(key, "SECLABEL{")) {
+ attr = get_key_attribute(rules->udev, key + sizeof("SECLABEL")-1);
+ if (!attr) {
+ log_error("error parsing SECLABEL attribute\n");
+ goto invalid;
+ }
+
+ rule_add_key(&rule_tmp, TK_A_SECLABEL, op, value, attr);
+ continue;
+ }
+
if (streq(key, "KERNELS")) {
if (op > OP_MATCH_MAX) {
log_error("invalid KERNELS operation\n");
rules_str(rules, rule->rule.filename_off),
rule->rule.filename_line);
break;
+ case TK_A_SECLABEL: {
+ const char *name, *label;
+
+ name = rules_str(rules, cur->key.attr_off);
+ label = rules_str(rules, cur->key.value_off);
+ if (cur->key.op == OP_ASSIGN || cur->key.op == OP_ASSIGN_FINAL)
+ udev_list_cleanup(&event->seclabel_list);
+ udev_list_entry_add(&event->seclabel_list, name, label);
+ log_debug("SECLABEL{%s}='%s' %s:%u\n",
+ name, label,
+ rules_str(rules, rule->rule.filename_off),
+ rule->rule.filename_line);
+ break;
+ }
case TK_A_ENV: {
const char *name = rules_str(rules, cur->key.attr_off);
char *value = rules_str(rules, cur->key.value_off);
mode_t mode;
uid_t uid;
gid_t gid;
+ struct udev_list seclabel_list;
struct udev_list run_list;
int exec_delay;
usec_t birth_usec;
struct udev_device *udev_watch_lookup(struct udev *udev, int wd);
/* udev-node.c */
-void udev_node_add(struct udev_device *dev, bool apply, mode_t mode, uid_t uid, gid_t gid);
+void udev_node_add(struct udev_device *dev, bool apply,
+ mode_t mode, uid_t uid, gid_t gid,
+ struct udev_list *seclabel_list);
void udev_node_remove(struct udev_device *dev);
void udev_node_update_old_links(struct udev_device *dev, struct udev_device *dev_old);
~ianmdlvl / elogind.git / commitdiff