diff options
-rw-r--r-- | src/shared/smack-util.c | 67 | ||||
-rw-r--r-- | src/udev/udev-node.c | 10 |
2 files changed, 60 insertions, 17 deletions
diff --git a/src/shared/smack-util.c b/src/shared/smack-util.c index e06feb42c3..34f9c68733 100644 --- a/src/shared/smack-util.c +++ b/src/shared/smack-util.c @@ -38,54 +38,86 @@ bool mac_smack_use(void) { #else return false; #endif - } int mac_smack_apply(const char *path, const char *label) { + int r = 0; + + assert(path); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; if (label) - return setxattr(path, "security.SMACK64", label, strlen(label), 0); + r = setxattr(path, "security.SMACK64", label, strlen(label), 0); else - return lremovexattr(path, "security.SMACK64"); -#else - return 0; + r = lremovexattr(path, "security.SMACK64"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_apply_fd(int fd, const char *label) { + int r = 0; + + assert(fd >= 0); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; - return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0); -#else - return 0; + if (label) + r = fsetxattr(fd, "security.SMACK64", label, strlen(label), 0); + else + r = fremovexattr(fd, "security.SMACK64"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_apply_ip_out_fd(int fd, const char *label) { + int r = 0; + + assert(fd >= 0); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; - return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0); -#else - return 0; + if (label) + r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0); + else + r = fremovexattr(fd, "security.SMACK64IPOUT"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_apply_ip_in_fd(int fd, const char *label) { + int r = 0; + + assert(fd >= 0); + #ifdef HAVE_SMACK if (!mac_smack_use()) return 0; - return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0); -#else - return 0; + if (label) + r = fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0); + else + r = fremovexattr(fd, "security.SMACK64IPIN"); + if (r < 0) + return -errno; #endif + + return r; } int mac_smack_fix(const char *path) { @@ -94,6 +126,13 @@ int mac_smack_fix(const char *path) { #ifdef HAVE_SMACK struct stat sb; const char *label; +#endif + + assert(path); + +#ifdef HAVE_SMACK + if (!mac_smack_use()) + return 0; /* * Path must be in /dev and must exist diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 803d803279..8d5bada5a4 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -294,21 +294,25 @@ static int node_permissions_apply(struct udev_device *dev, bool apply, /* apply SECLABEL{$module}=$label */ udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) { const char *name, *label; + int r; name = udev_list_entry_get_name(entry); label = udev_list_entry_get_value(entry); if (streq(name, "selinux")) { selinux = true; + if (mac_selinux_apply(devnode, label) < 0) - log_error("SECLABEL: failed to set SELinux label '%s'", label); + log_error("SECLABEL: failed to set SELinux label '%s': %s", label, strerror(-r)); else log_debug("SECLABEL: set SELinux label '%s'", label); } else if (streq(name, "smack")) { smack = true; - if (mac_smack_apply(devnode, label) < 0) - log_error("SECLABEL: failed to set SMACK label '%s'", label); + + r = mac_smack_apply(devnode, label); + if (r < 0) + log_error("SECLABEL: failed to set SMACK label '%s': %s", label, strerror(-r)); else log_debug("SECLABEL: set SMACK label '%s'", label); |