authorNathaniel Chen <nathaniel.chen@intel.com>2013-03-12 16:16:44 -0700
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2013-03-15 22:56:40 -0400
commitabbacb1defaaecb8d2477685f7bb3fabcf58585b (patch)
treebba719aaf1893116ee989446c0f3750770400601
parenta4783bd17ad96f55b0fe83a50959da13555292bf (diff)
smack-setup: enable Smack/CIPSO mapping
CIPSO is the Commercial IP Security Option, an IETF-defined IP header option that carries a security label on each packet a process sends. In Smack kernels, CIPSO headers are mapped to Smack labels automatically, but the mapping can be changed. This patch writes label/category mappings from /etc/smack/cipso/ to /sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]... For more information about Smack and CIPSO, see: https://kernel.org/doc/Documentation/security/Smack.txt
-rw-r--r--src/core/smack-setup.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 804678d6a6..73eeb04190 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -40,6 +40,7 @@
#include "label.h"
#define SMACK_CONFIG "/etc/smack/accesses.d/"
+#define CIPSO_CONFIG "/etc/smack/cipso/"
static int write_rules(const char* dstpath, const char* srcdir) {
_cleanup_fclose_ FILE *dst = NULL;
@@ -124,9 +125,26 @@ int smack_setup(void) {
return 0;
case 0:
log_info("Successfully loaded Smack policies.");
+ break;
+ default:
+ log_warning("Failed to load Smack access rules: %s, ignoring.",
+ strerror(abs(r)));
+ return 0;
+ }
+
+ r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+ switch(r) {
+ case -ENOENT:
+ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
+ case ENOENT:
+ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+ return 0;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
return 0;
default:
- log_warning("Failed to load smack access rules: %s, ignoring.",
+ log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
strerror(abs(r)));
return 0;
}
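Review bot: In the new `default:` branch a CIPSO mapping the kernel rejects (for example a malformed line in /etc/smack/cipso/, given the strict `"%s%4d%4d"` format the description cites) is logged at warning level and `smack_setup()` still returns 0, so the system carries on with the kernel's built-in CIPSO mapping rather than the configured one — a fail-open on MAC network labeling that deserves more visibility than a warning. Since refusing to boot from PID 1 is presumably not wanted, I would at least raise it to `log_error("Failed to load Smack/CIPSO mappings from " CIPSO_CONFIG ": %s, ignoring.", strerror(abs(r)));` and document the policy above the second switch with `/* Fail-open by design: a broken CIPSO mapping must not block boot, but the kernel's default mapping is then in effect. */`. The `-ENOENT` message "not enabled in the kernel" is also misleading: this code is only reached after the Smack access rules loaded successfully (the `case 0: break;` above), so smackfs is evidently present and Smack active, and a missing cipso2 more likely means a kernel without the cipso2 interface — `log_debug("Smack/CIPSO interface /sys/fs/smackfs/cipso2 not found, skipping.");` would state what was actually observed. The sign convention the switch relies on (negative errno for the smackfs destination, positive `ENOENT` for a missing source directory) comes from write_rules, whose body is outside this hunk, and is easy to misread without a one-line comment at the switch.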