| author | Lennart Poettering <lennart@poettering.net> | 2014-10-23 18:34:58 +0200 | 
|---|---|---|
| committer | Anthony G. Basile <blueness@gentoo.org> | 2014-10-25 18:34:28 -0400 | 
| commit | 7ede4612365f6420a3aad963d0d8bb7bd390344d (patch) | |
| tree | 81943a1c2bf39e396fb2bd70ab2529a2504212a9 | |
| parent | c649be35f12331321ef2e5da522d91baa9a77550 (diff) | |
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
| -rw-r--r-- | src/shared/label.c | 20 | ||||
| -rw-r--r-- | src/shared/mkdir-label.c | 2 | ||||
| -rw-r--r-- | src/shared/selinux-util.c | 19 | ||||
| -rw-r--r-- | src/shared/smack-util.c | 59 | ||||
| -rw-r--r-- | src/shared/smack-util.h | 2 | 
5 files changed, 55 insertions, 47 deletions
| diff --git a/src/shared/label.c b/src/shared/label.c index 32b155088c..44b1eca0c2 100644 --- a/src/shared/label.c +++ b/src/shared/label.c @@ -21,19 +21,15 @@  #include "util.h"  int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { -        int r = 0; +        int r, q; -        if (mac_selinux_use()) { -                r = mac_selinux_fix(path, ignore_enoent, ignore_erofs); -                if (r < 0) -                        return r; -        } +        r = mac_selinux_fix(path, ignore_enoent, ignore_erofs); +        q = mac_smack_fix(path, ignore_enoent, ignore_erofs); -        if (mac_smack_use()) { -                r = mac_smack_fix(path); -                if (r < 0) -                        return r; -        } +        if (r < 0) +                return r; +        if (q < 0) +                return q; -        return r; +        return 0;  } diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c index d9a481bd86..1b16c3bd72 100644 --- a/src/shared/mkdir-label.c +++ b/src/shared/mkdir-label.c @@ -44,7 +44,7 @@ static int label_mkdir(const char *path, mode_t mode) {                  if (r < 0 && errno != EEXIST)                          return -errno; -                r = mac_smack_fix(path); +                r = mac_smack_fix(path, false, false);                  if (r < 0)                          return r;          } diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index bab7183bcf..0e4b6c00e0 100644 --- a/src/shared/selinux-util.c +++ b/src/shared/selinux-util.c 
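Review bot: The error precedence in the new `label_fix` body is implicit: `r` (SELinux) is tested before `q`, so when both backends fail the SMACK error is dropped, and a SELinux failure no longer stops the SMACK attempt from running and logging on its own. That is a reasonable contract, but it deserves a comment above the two calls so nobody "fixes" it later, e.g. `/* Run both fixes even if the first fails; if both fail, report the SELinux error. */`. With the `mac_selinux_use()`/`mac_smack_use()` guards gone, this function now relies on each helper being a no-op when its backend is inactive, which for SELinux is the `label_hnd` check this commit adds in selinux-util.c.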
@@ -111,22 +111,25 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {  #ifdef HAVE_SELINUX          struct stat st; -        security_context_t fcon; +        assert(path); + +        /* if mac_selinux_init() wasn't called before we are a NOOP */          if (!label_hnd)                  return 0;          r = lstat(path, &st); -        if (r == 0) { +        if (r >= 0) { +                _cleanup_security_context_free_ security_context_t fcon = NULL; +                  r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);                  /* If there's no label to set, then exit without warning */                  if (r < 0 && errno == ENOENT)                          return 0; -                if (r == 0) { +                if (r >= 0) {                          r = lsetfilecon(path, fcon); -                        freecon(fcon);                          /* If the FS doesn't support labels, then exit without warning */                          if (r < 0 && errno == ENOTSUP) @@ -142,8 +145,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {                  if (ignore_erofs && errno == EROFS)                          return 0; -                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, -                         "Unable to fix label of %s: %m", path); +                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path);                  r = security_getenforce() == 1 ? -errno : 0;          }  #endif @@ -154,11 +156,10 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {  void mac_selinux_finish(void) {  #ifdef HAVE_SELINUX -        if (!mac_selinux_use()) +        if (!label_hnd)                  return; -        if (label_hnd) -                selabel_close(label_hnd); +        selabel_close(label_hnd);  #endif  } 
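Review bot: In the rewritten lookup block of `mac_selinux_fix`, `fcon` is declared with `_cleanup_security_context_free_` inside `if (r >= 0) { ... }`, so `freecon()` runs when that block closes, which is before the `if (r < 0)` tail (next hunk) inspects `errno` for `ignore_enoent`/`ignore_erofs`, logs it via `%m` and returns `-errno`. `freecon()` is a `free()` underneath and `free()` is permitted to modify `errno`, so a `selabel_lookup_raw()` or `lsetfilecon()` failure can be misclassified or reported as a different error. Hoisting the declaration out of the inner block, next to `struct stat st;`, as `_cleanup_security_context_free_ security_context_t fcon = NULL;` keeps the cleanup at function return, after errno has been consumed. The function's error-handling tail lies outside this hunk.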
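Review bot: `security_getenforce()` is called twice in the error path of `mac_selinux_fix`, once inside the `log_full()` level expression and again for the return value, and it returns -1 when the enforce state cannot be read; both sites treat anything other than 1 as permissive (log at debug, return 0), so an unreadable /sys/fs/selinux silently turns labeling failures into success on an otherwise enforcing system. Evaluate it once before the log line, `bool enforcing = security_getenforce() == 1;`, use `enforcing` in both places, and consider treating a negative result as enforcing. If `log_full()` does not preserve errno across the call, `-errno` on the following line should also be captured into a local before logging; I cannot tell from this hunk whether it does.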
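Review bot: `mac_selinux_finish()` closes `label_hnd` but leaves the pointer set, while `mac_selinux_fix()` now uses `if (!label_hnd)` as its only "not initialized" guard, so a `mac_selinux_fix()` call (or a second `mac_selinux_finish()`) after finish would hand a freed handle to `selabel_lookup_raw()`/`selabel_close()`. Resetting the handle after closing, `selabel_close(label_hnd); label_hnd = NULL;`, makes the no-op guard hold, unless the pointer is cleared elsewhere outside this hunk.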
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c index 8ba4617d85..837c5ab428 100644 --- a/src/shared/smack-util.c +++ b/src/shared/smack-util.c @@ -120,17 +120,14 @@ int mac_smack_apply_ip_in_fd(int fd, const char *label) {          return r;  } -int mac_smack_fix(const char *path) { +int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {          int r = 0;  #ifdef HAVE_SMACK -        struct stat sb; -        const char *label; -#endif +        struct stat st;          assert(path); -#ifdef HAVE_SMACK          if (!mac_smack_use())                  return 0; 
@@ -140,28 +137,42 @@ int mac_smack_fix(const char *path) {          if (!path_startswith(path, "/dev"))                  return 0; -        r = lstat(path, &sb); -        if (r < 0) -                return -errno; +        r = lstat(path, &st); +        if (r >= 0) { +                const char *label; + +                /* +                 * Label directories and character devices "*". +                 * Label symlinks "_". +                 * Don't change anything else. +                 */ + +                if (S_ISDIR(st.st_mode)) +                        label = SMACK_STAR_LABEL; +                else if (S_ISLNK(st.st_mode)) +                        label = SMACK_FLOOR_LABEL; +                else if (S_ISCHR(st.st_mode)) +                        label = SMACK_STAR_LABEL; +                else +                        return 0; -        /* -         * Label directories and character devices "*". -         * Label symlinks "_". -         * Don't change anything else. -         */ -        if (S_ISDIR(sb.st_mode)) -                label = SMACK_STAR_LABEL; -        else if (S_ISLNK(sb.st_mode)) -                label = SMACK_FLOOR_LABEL; -        else if (S_ISCHR(sb.st_mode)) -                label = SMACK_STAR_LABEL; -        else -                return 0; +                r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0); + +                /* If the FS doesn't support labels, then exit without warning */ +                if (r < 0 && errno == ENOTSUP) +                        return 0; +        } -        r = setxattr(path, "security.SMACK64", label, strlen(label), 0);          if (r < 0) { -                log_error("Smack relabeling \"%s\" %m", path); -                return -errno; +                /* Ignore ENOENT in some cases */ +                if (ignore_enoent && errno == ENOENT) +                        return 0; + +                if (ignore_erofs && errno == EROFS) +                        return 0; + +                
log_debug("Unable to fix SMACK label of %s: %m", path); +                r = -errno;          }  #endif diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h index 8b9556dce6..da92502928 100644 --- a/src/shared/smack-util.h +++ b/src/shared/smack-util.h @@ -28,7 +28,7 @@  bool mac_smack_use(void); -int mac_smack_fix(const char *path); +int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs);  int mac_smack_apply(const char *path, const char *label);  int mac_smack_apply_fd(int fd, const char *label); | 
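Review bot: The new failure path in `mac_smack_fix` logs only at debug level (`log_debug("Unable to fix SMACK label of %s: %m", path)`) yet still returns `-errno`, which `label_fix` and `label_mkdir` propagate as a hard failure; the SELinux code this commit mirrors pairs the quiet log with returning 0 and uses LOG_ERR only when it returns the error. SMACK has no permissive mode and the function already returned early when SMACK is not in use, so a failure here is a real one that now goes unreported: either log it visibly, `log_error("Unable to fix SMACK label of %s: %m", path);`, or keep the debug log and return 0 to make it best-effort, but not a silent hard error. Note also that `lsetxattr()` now labels a symlink itself "_" rather than its target, consistent with the `lstat()`/`S_ISLNK` branch but a behavior change for any caller that relied on the old `setxattr()` following the link. The function begins in the previous hunk.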
