author | Nathaniel Chen <nathaniel.chen@intel.com> | 2013-03-12 16:16:44 -0700 |
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2013-03-15 22:56:40 -0400 |
commit | abbacb1defaaecb8d2477685f7bb3fabcf58585b (patch) | |
tree | bba719aaf1893116ee989446c0f3750770400601 | |
parent | a4783bd17ad96f55b0fe83a50959da13555292bf (diff) |
smack-setup: enable Smack/CIPSO mapping
CIPSO is the Common IP Security Option, an IETF standard for setting
security levels for a process sending packets. In Smack kernels,
CIPSO headers are mapped to Smack labels automatically, but the mapping can be changed.
This patch writes label/category mappings from /etc/smack/cipso/ to
/sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]...
For more information about Smack and CIPSO, see:
https://kernel.org/doc/Documentation/security/Smack.txt
-rw-r--r-- | src/core/smack-setup.c | 20 |
1 files changed, 19 insertions, 1 deletions
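--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -40,6 +40,7 @@
 #include "label.h"
 #define SMACK_CONFIG "/etc/smack/accesses.d/"
+#define CIPSO_CONFIG "/etc/smack/cipso/"
 static int write_rules(const char* dstpath, const char* srcdir) {
 _cleanup_fclose_ FILE *dst = NULL;
@@ -124,9 +125,26 @@ int smack_setup(void) {
 return 0;
 case 0:
 log_info("Successfully loaded Smack policies.");
+ break;
+ default:
+ log_warning("Failed to load Smack access rules: %s, ignoring.",
+ strerror(abs(r)));
+ return 0;
+ }
+
+ r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
+ switch(r) {
+ case -ENOENT:
+ log_debug("Smack/CIPSO is not enabled in the kernel.");
+ return 0;
+ case ENOENT:
+ log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
+ return 0;
+ case 0:
+ log_info("Successfully loaded Smack/CIPSO policies.");
 return 0;
 default:
- log_warning("Failed to load smack access rules: %s, ignoring.",
+ log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
 strerror(abs(r)));
 return 0;
 }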
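Review bot: The `return 0;` on the context line just above `case 0:` in the second hunk — its case label sits above the hunk, and from the mirrored CIPSO switch it appears to be the "access rules directory not found" (`ENOENT`) branch — still leaves smack_setup() before the new CIPSO block, so a host whose kernel supports Smack but has no /etc/smack/accesses.d/ never gets its /etc/smack/cipso/ mappings written; only `-ENOENT` (Smack absent from the kernel) justifies an early exit, and the missing-directory case should `break;` the way `case 0:` now does. The new `default:` after the first switch has the same shape: a failed access-rules load is logged as "ignoring" yet silently skips CIPSO, where `break;` after the warning would match the message. Minor style: `switch(r)` should be `switch (r)` like the surrounding code, and the two near-identical switches could be folded into one static helper taking the smackfs path, the config directory and a log prefix. smack_setup() starts and ends outside the hunk.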