-rw-r--r--Makefile.am2
-rw-r--r--README2
-rw-r--r--src/core/main.c3
-rw-r--r--src/core/mount-setup.c4
-rw-r--r--src/core/smack-setup.c98
-rw-r--r--src/core/smack-setup.h26
6 files changed, 134 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 7e408798a6..3f64937732 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -842,6 +842,8 @@ libsystemd_core_la_SOURCES = \
src/core/selinux-access.h \
src/core/selinux-setup.c \
src/core/selinux-setup.h \
+ src/core/smack-setup.c \
+ src/core/smack-setup.h \
src/core/ima-setup.c \
src/core/ima-setup.h \
src/core/locale-setup.h \
diff --git a/README b/README
index 5649a51689..9d7a54769d 100644
--- a/README
+++ b/README
@@ -44,6 +44,8 @@ REQUIREMENTS:
CONFIG_NET
CONFIG_SYSFS
+ Linux kernel >= 3.8 for Smack support
+
Udev will fail to work with the legacy layout:
CONFIG_SYSFS_DEPRECATED=n
diff --git a/src/core/main.c b/src/core/main.c
index 24d8d3e982..727a410740 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -67,6 +67,7 @@
#include "selinux-setup.h"
#include "ima-setup.h"
#include "fileio.h"
+#include "smack-setup.h"
static enum {
ACTION_RUN,
@@ -1362,6 +1363,8 @@ int main(int argc, char *argv[]) {
goto finish;
if (ima_setup() < 0)
goto finish;
+ if (smack_setup() < 0)
+ goto finish;
}
if (label_init(NULL) < 0)
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index dab3601467..42cdc6dc52 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -66,7 +66,7 @@ typedef struct MountPoint {
/* The first three entries we might need before SELinux is up. The
* fourth (securityfs) is needed by IMA to load a custom policy. The
* other ones we can delay until SELinux and IMA are loaded. */
-#define N_EARLY_MOUNT 4
+#define N_EARLY_MOUNT 5
static const MountPoint mount_table[] = {
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
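Review bot: The comment above N_EARLY_MOUNT still describes four early mounts ("The fourth (securityfs) is needed by IMA ... The other ones we can delay until SELinux and IMA are loaded") while the constant is raised to 5 to cover the smackfs entry added to mount_table in the next hunk, so the comment no longer says what the fifth early mount is or who needs it. It should name the new entry and its consumer, e.g. `* fourth (securityfs) is needed by IMA to load a custom policy. The`, `* fifth (smackfs) is needed by Smack to load its access rules. The`, `* other ones we can delay until SELinux, IMA and Smack are loaded. */`. mount_table itself continues past the end of this hunk.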
@@ -77,6 +77,8 @@ static const MountPoint mount_table[] = {
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "securityfs", "/sys/kernel/security", "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
NULL, MNT_NONE },
+ { "smackfs", "/sys/fs/smackfs", "smackfs", "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+ NULL, MNT_NONE },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
NULL, MNT_FATAL|MNT_IN_CONTAINER },
{ "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
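Review bot: The new smackfs entry passes `smackfsdef=*` with no comment explaining it; under Smack's built-in rules the `*` label is the one every subject may access, so if this option is what labels otherwise unlabelled objects on smackfs, every process on the system can reach them. That is presumably deliberate so the control files are usable before any rules have been loaded, but a reader auditing the mandatory-access setup should not have to guess, so a why-comment above the entry such as `/* smackfsdef=*: give the smackfs control files the star label so they are reachable before smack-setup.c has loaded any access rules */` would help. The entry is MNT_NONE, so a kernel without Smack skips it, which is consistent with smack_setup() treating a missing load2 as "Smack is not enabled".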
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
new file mode 100644
index 0000000000..88e6437445
--- /dev/null
+++ b/src/core/smack-setup.c
@@ -0,0 +1,98 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright (C) 2013 Intel Corporation
+ Authors:
+ Nathaniel Chen <nathaniel.chen@intel.com>
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published
+ by the Free Software Foundation; either version 2.1 of the License,
+ or (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/vfs.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/mount.h>
+#include <stdint.h>
+
+#include "macro.h"
+#include "smack-setup.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
+
+int smack_setup(void) {
+ _cleanup_fclose_ FILE *smack = NULL;
+ _cleanup_closedir_ DIR *dir = NULL;
+ struct dirent *entry;
+ char buf[NAME_MAX];
+ int dfd = -1;
+
+ smack = fopen("/sys/fs/smackfs/load2", "we");
+ if (!smack) {
+ log_info("Smack is not enabled in the kernel, not loading access rules.");
+ return 0;
+ }
+
+ /* write rules to load2 from every file in the directory */
+ dir = opendir(ACCESSES_D_PATH);
+ if (!dir) {
+ log_info("Smack access rules directory not found: " ACCESSES_D_PATH);
+ return 0;
+ }
+
+ dfd = dirfd(dir);
+ if (dfd < 0) {
+ log_error("Smack access rules directory " ACCESSES_D_PATH " not opened: %m");
+ return 0;
+ }
+
+ FOREACH_DIRENT(entry, dir, return 0) {
+ _cleanup_fclose_ FILE *policy = NULL;
+ _cleanup_close_ int pol = -1;
+
+ pol = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
+ if (pol < 0) {
+ log_error("Smack access rule file %s not opened: %m", entry->d_name);
+ continue;
+ }
+
+ policy = fdopen(pol, "re");
+ if (!policy) {
+ log_error("Smack access rule file %s not opened: %m", entry->d_name);
+ continue;
+ }
+
+ pol = -1;
+
+ /* load2 write rules in the kernel require a line buffered stream */
+ FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
+ fputs(buf, smack);
+ fflush(smack);
+ }
+ }
+
+ log_info("Successfully loaded Smack policies.");
+
+ return 0;
+}
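Review bot: The results of fputs() and fflush() on the load2 stream in the inner loop are discarded, so a rule the kernel rejects, or any other write failure, is silently dropped while the function still logs "Successfully loaded Smack policies." and returns 0 even though main.c already treats a negative return as fatal. Both calls should be checked, the failing file logged with %m, and the success message made conditional; whether one rejected rule should abort boot is a policy decision, so the excerpt below records the error and returns it only after every file has been attempted — drop the final `return r` if a partial policy should not stop startup. A smaller point: `buf[NAME_MAX]` sizes a line buffer with a filename-length constant, and a line longer than that would presumably be handed to load2 in two pieces (FOREACH_LINE's exact behaviour is not visible here), so a dedicated constant with a comment would make the limit intentional.
```c
        int r = 0;
        /* … unchanged: open load2, opendir(ACCESSES_D_PATH), dirfd … */

        FOREACH_DIRENT(entry, dir, return 0) {
                /* … unchanged: openat()/fdopen() of the rule file … */

                /* load2 write rules in the kernel require a line buffered stream */
                FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
                        if (fputs(buf, smack) == EOF || fflush(smack) != 0) {
                                /* remember the first failure, keep loading the rest */
                                if (r == 0)
                                        r = -errno;
                                log_error("Failed to write Smack rule from %s: %m", entry->d_name);
                        }
                }
        }

        if (r < 0)
                return r;

        log_info("Successfully loaded Smack policies.");
        return 0;
```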
diff --git a/src/core/smack-setup.h b/src/core/smack-setup.h
new file mode 100644
index 0000000000..ffe91843c3
--- /dev/null
+++ b/src/core/smack-setup.h
@@ -0,0 +1,26 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright (C) 2013 Intel Corporation
+ Authors:
+ Nathaniel Chen <nathaniel.chen@intel.com>
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published
+ by the Free Software Foundation; either version 2.1 of the License,
+ or (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int smack_setup(void);
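Review bot: The prototype carries no comment although main.c aborts startup when smack_setup() returns a negative value, so the return convention callers rely on is nowhere stated. A short contract above the declaration would do: `/* Load the Smack access rules from /etc/smack/accesses.d/ into the kernel through smackfs. Returns 0 on success, and also when Smack is not enabled or the rules directory is missing; a negative return is treated as fatal by main(). */`.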