author | Lennart Poettering <lennart@poettering.net> | 2014-01-09 19:36:26 -0500 |
committer | Anthony G. Basile <blueness@gentoo.org> | 2014-01-09 19:36:26 -0500 |
commit | b51ff2cd4aee8033f8d3f4bb8eb9eb7035737152 (patch) | |
tree | 3ebe72403fb96eb0c011be72a15b88cdd9eb8a66 | |
parent | 97b903d94eca5cc6cf17262f91e43227998d3301 (diff) |
security: rework selinux, smack, ima, apparmor detection logic
Always cache the results, and bypass low-level security calls when
the respective subsystem is not enabled.
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
-rw-r--r-- | src/udev/Makefile.am | 6 | ||||
-rw-r--r-- | src/udev/smack-util.c | 42 | ||||
-rw-r--r-- | src/udev/smack-util.h | 24 | ||||
-rw-r--r-- | src/udev/udev-node.c | 5 |
4 files changed, 73 insertions, 4 deletions
diff --git a/src/udev/Makefile.am b/src/udev/Makefile.am
index 4e806fbfca..d395620abb 100644
--- a/src/udev/Makefile.am
+++ b/src/udev/Makefile.am
@@ -57,7 +57,8 @@ libudev_core_la_SOURCES = \
 udev-builtin-usb_id.c \
 dev-setup.c \
 label.c \
- mkdir.c
+ mkdir.c \
+ smack-util.c
 
 if ENABLE_FIRMWARE
 libudev_core_la_SOURCES += \
@@ -67,7 +68,8 @@ endif
 noinst_HEADERS = \
 dev-setup.h \
 label.h \
- mkdir.h
+ mkdir.h \
+ smack-util.h
 
 include_HEADERS = \
 udev.h
diff --git a/src/udev/smack-util.c b/src/udev/smack-util.c
new file mode 100644
index 0000000000..93c0d4a347
--- /dev/null
+++ b/src/udev/smack-util.c
@@ -0,0 +1,42 @@
+/***
+ This file is part of eudev, forked from systemd.
+
+ Copyright 2013 Intel Corporation
+
+ Author: Auke Kok <auke-jan.h.kok@intel.com>
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <unistd.h>
+#include <string.h>
+#ifdef HAVE_XATTR
+#include <attr/xattr.h>
+#endif
+
+#include "smack-util.h"
+
+bool use_smack(void) {
+#ifdef HAVE_SMACK
+ static int use_smack_cached = -1;
+
+ if (use_smack_cached < 0)
+ use_smack_cached = access("/sys/fs/smackfs/", F_OK) >= 0;
+
+ return use_smack_cached;
+#else
+ return false;
+#endif
+
+}
diff --git a/src/udev/smack-util.h b/src/udev/smack-util.h
new file mode 100644
index 0000000000..d81e4aa403
--- /dev/null
+++ b/src/udev/smack-util.h
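Review bot: In `use_smack()` the result of the first `access("/sys/fs/smackfs/", F_OK)` is stored in the static `use_smack_cached` for the rest of the process, so if that first call can happen before smackfs is mounted the negative answer is never re-checked and every later SMACK label request in that process is skipped; either leave the negative case uncached (only store the result when `access()` succeeds) or document the assumption on the definition, e.g. `/* Result is cached per process; callers are expected to run after /sys/fs/smackfs is mounted. */`. The `#include <string.h>` and the `HAVE_XATTR`/`<attr/xattr.h>` block are not referenced by anything in this file — only `access()` and `F_OK` from `<unistd.h>` are used — and can be dropped. A one-line comment stating what the function reports would also help readers of the call sites, e.g. `/* true if SMACK support is compiled in and smackfs is present; checked once per process */`.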
@@ -0,0 +1,24 @@
+/***
+ This file is part of eudev, forked from systemd.
+
+ Copyright 2013 Intel Corporation
+
+ Author: Auke Kok <auke-jan.h.kok@intel.com>
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+bool use_smack(void);
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 76644ccdba..361068dd67 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -32,6 +32,7 @@
 #include <attr/xattr.h>
 #endif
 
+#include "smack-util.h"
 #include "udev.h"
 
 static int node_symlink(struct udev_device *dev, const char *node, const char *slink)
@@ -312,7 +313,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
 log_debug("SECLABEL: set SELinux label '%s'", label);
 
 #ifdef HAVE_SMACK
- } else if (streq(name, "smack")) {
+ } else if (streq(name, "smack") && use_smack()) {
 smack = true;
 if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
 log_error("SECLABEL: failed to set SMACK label '%s'", label);
@@ -328,7 +329,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
 if (!selinux)
 label_fix(devnode, true, false);
 #ifdef HAVE_SMACK
- if (!smack)
+ if (!smack && use_smack())
 lremovexattr(devnode, "security.SMACK64");
 #endif
 }
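Review bot: smack-util.h has no include guard; that is harmless while it holds only a prototype (C allows a repeated compatible declaration), but it will break the first time a type or inline definition is added, so wrap the body in `#ifndef SMACK_UTIL_H` / `#define SMACK_UTIL_H` / `#endif` or add `#pragma once` now. The declaration also deserves a short contract so callers know the cost and the caching, e.g. `/* Returns true when SMACK support is compiled in and smackfs is present. The answer is computed once per process and then cached. */` placed above `bool use_smack(void);`.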
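Review bot: With `streq(name, "smack") && use_smack()` the smack branch is skipped silently when smackfs is absent, and control falls through to whatever else-branch follows (outside this hunk), so an operator cannot tell a rule that named SMACK on a system without smackfs from a mis-typed subsystem name; adding `} else if (streq(name, "smack")) log_debug("SECLABEL: SMACK not enabled, ignoring label '%s'", label);` directly after the changed branch keeps the new behaviour but leaves a trace of the dropped label. The same silent-skip applies to the `if (!smack && use_smack())` guard in the next hunk, where an existing `security.SMACK64` attribute is now left in place when smackfs is not present; a brief comment there, `/* leave any existing SMACK64 attribute alone when smackfs is not available */`, would explain why the unconditional removal was dropped. node_permissions_apply begins and ends outside both hunks.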