authorƁukasz Stelmach <l.stelmach@samsung.com>2014-02-19 16:39:04 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-24 17:36:06 +0100
commit2453d7e447057f2652114c1822bfc8c5600236fe (patch)
treecf520b016a79e23093e8c1b39f492462813ba58d
parent650264033f2f98f6319513958d94d59078654af8 (diff)
smack: relabel directories and files created by systemd
Systemd creates directories in /dev. These directories will get the label of systemd, which is the label of the System domain, which is not accessible to everyone. Relabel the directories, files and symlinks created so that they can be generally used. Based on a patch by Casey Schaufler <casey@schaufler-ca.com>.
-rw-r--r--src/shared/label.c60
1 files changed, 57 insertions, 3 deletions
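diff --git a/src/shared/label.c b/src/shared/label.c
index 92f10f9f90..3632e3ebf9 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -41,6 +41,48 @@
 static struct selabel_handle *label_hnd = NULL;
 #endif
+#ifdef HAVE_SMACK
+#include <sys/xattr.h>
+#include <string.h>
+#define FLOOR_LABEL "_"
+#define STAR_LABEL "*"
+
+static void smack_relabel_in_dev(const char *path) {
+ struct stat sb;
+ const char *label;
+ int r;
+
+ /*
+ * Path must be in /dev and must exist
+ */
+ if (!path_equal(path, "/dev") &&
+ !path_startswith(path, "/dev"))
+ return;
+
+ r = lstat(path, &sb);
+ if (r < 0)
+ return;
+
+ /*
+ * Label directories and character devices "*".
+ * Label symlinks "_".
+ * Don't change anything else.
+ */
+ if (S_ISDIR(sb.st_mode))
+ label = STAR_LABEL;
+ else if (S_ISLNK(sb.st_mode))
+ label = FLOOR_LABEL;
+ else if (S_ISCHR(sb.st_mode))
+ label = STAR_LABEL;
+ else
+ return;
+
+ r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
+ if (r < 0)
+ log_error("Smack relabeling \"%s\" %s", path, strerror(errno));
+ return;
+}
+#endif
 int label_init(const char *prefix) {
 int r = 0;
@@ -130,6 +172,9 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
 r = security_getenforce() == 1 ? -errno : 0;
 }
 #endif
+#ifdef HAVE_SMACK
+ smack_relabel_in_dev(path);
+#endif
 return r;
 }
@@ -207,6 +252,9 @@ int label_context_set(const char *path, mode_t mode) {
 if (r < 0 && security_getenforce() == 0)
 r = 0;
 #endif
+#ifdef HAVE_SMACK
+ smack_relabel_in_dev(path);
+#endif
 return r;
 }
@@ -260,11 +308,11 @@ void label_free(const char *label) {
 }
 int label_mkdir(const char *path, mode_t mode) {
+ int r;
- /* Creates a directory and labels it according to the SELinux policy */
 #ifdef HAVE_SELINUX
+ /* Creates a directory and labels it according to the SELinux policy */
 security_context_t fcon = NULL;
- int r;
 if (!use_selinux() || !label_hnd)
 goto skipped;
@@ -305,7 +353,13 @@ finish:
 skipped:
 #endif
- return mkdir(path, mode) < 0 ? -errno : 0;
+ r = mkdir(path, mode);
+ if (r)
+ return -errno;
+#ifdef HAVE_SMACK
+ smack_relabel_in_dev(path);
+#endif
+ return 0;
 }
 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {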
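Review bot: In the first hunk, smack_relabel_in_dev() classifies the object with lstat() but then labels it with setxattr(), which follows symlinks, so the "_" label chosen for a symlink in /dev is written to the symlink's target rather than the link itself (and a dangling link makes the call fail with ENOENT); the write should be `r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);` so that the lstat() and the label operation act on the same object. A failed relabel is only logged there, so label_fix(), label_context_set() and label_mkdir() still report success to their callers after leaving a node with the System label; that looks like an intentional best-effort policy, but it deserves a comment on the function such as `/* Best effort: a failed Smack relabel is logged, not reported to the caller. */`. The `return;` after the log_error() call is redundant and can be dropped.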