-rw-r--r--src/udev/smack-util.c47
-rw-r--r--src/udev/smack-util.h4
-rw-r--r--src/udev/udev-node.c19
3 files changed, 56 insertions, 14 deletions
diff --git a/src/udev/smack-util.c b/src/udev/smack-util.c
index 93c0d4a347..2711041c7e 100644
--- a/src/udev/smack-util.c
+++ b/src/udev/smack-util.c
@@ -40,3 +40,50 @@ bool use_smack(void) {
#endif
}
+
+int smack_label_path(const char *path, const char *label) {
+#ifdef HAVE_SMACK
+ if (!use_smack())
+ return 0;
+
+ if (label)
+ return setxattr(path, "security.SMACK64", label, strlen(label), 0);
+ else
+ return lremovexattr(path, "security.SMACK64");
+#else
+ return 0;
+#endif
+}
+
+int smack_label_fd(int fd, const char *label) {
+#ifdef HAVE_SMACK
+ if (!use_smack())
+ return 0;
+
+ return fsetxattr(fd, "security.SMACK64", label, strlen(label), 0);
+#else
+ return 0;
+#endif
+}
+
+int smack_label_ip_out_fd(int fd, const char *label) {
+#ifdef HAVE_SMACK
+ if (!use_smack())
+ return 0;
+
+ return fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
+#else
+ return 0;
+#endif
+}
+
+int smack_label_ip_in_fd(int fd, const char *label) {
+#ifdef HAVE_SMACK
+ if (!use_smack())
+ return 0;
+
+ return fsetxattr(fd, "security.SMACK64IPIN", label, strlen(label), 0);
+#else
+ return 0;
+#endif
+}
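Review bot: `smack_label_path` sets the label with `setxattr` at line 24 but removes it with `lremovexattr` at line 26, so the two branches disagree on symlink handling, and the call site this replaces in udev-node.c (the hunk at -312) previously used `lsetxattr` on the device node; switching the set path to the symlink-following variant is a behaviour change the commit does not mention. Keep both branches on the path itself: `return lsetxattr(path, "security.SMACK64", label, strlen(label), 0);`. Separately, `smack_label_fd`, `smack_label_ip_out_fd` and `smack_label_ip_in_fd` pass `label` straight to `strlen`, while `smack_label_path` accepts NULL to mean "remove the label"; either guard the fd variants the same way or state in the header that `label` must be non-NULL for them, since the asymmetric contract is easy to get wrong from the prototypes alone.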
diff --git a/src/udev/smack-util.h b/src/udev/smack-util.h
index d81e4aa403..88704894e7 100644
--- a/src/udev/smack-util.h
+++ b/src/udev/smack-util.h
@@ -22,3 +22,7 @@
#include <stdbool.h>
bool use_smack(void);
+int smack_label_path(const char *path, const char *label);
+int smack_label_fd(int fd, const char *label);
+int smack_label_ip_in_fd(int fd, const char *label);
+int smack_label_ip_out_fd(int fd, const char *label);
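Review bot: The four new prototypes carry no description of their return contract, and it is not the obvious one: from the smack-util.c hunk they return 0 without touching anything when SMACK is not compiled in or `use_smack()` is false, and otherwise the raw result of the xattr call (-1 with errno set). A caller cannot tell a no-op from success, which matters for the "failed to set SMACK label" diagnostics in udev-node.c. Add above the group a comment such as `/* Return 0 when SMACK is unavailable or disabled (no-op), otherwise the result of the underlying xattr call: 0 on success, -1 with errno set on failure. */`, and note there which helpers accept a NULL label.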
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 361068dd67..026cb8359a 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -28,12 +28,9 @@
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/types.h>
-#ifdef HAVE_XATTR
-#include <attr/xattr.h>
-#endif
-#include "smack-util.h"
#include "udev.h"
+#include "smack-util.h"
static int node_symlink(struct udev_device *dev, const char *node, const char *slink)
{
@@ -285,9 +282,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
if (apply) {
bool selinux = false;
-#ifdef HAVE_SMACK
bool smack = false;
-#endif
if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
log_debug("set permissions %s, %#o, uid=%u, gid=%u\n", devnode, mode, uid, gid);
@@ -312,14 +307,12 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
else
log_debug("SECLABEL: set SELinux label '%s'", label);
-#ifdef HAVE_SMACK
- } else if (streq(name, "smack") && use_smack()) {
+ } else if (streq(name, "smack")) {
smack = true;
- if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
+ if (smack_label_path(devnode, label) < 0)
log_error("SECLABEL: failed to set SMACK label '%s'", label);
else
log_debug("SECLABEL: set SMACK label '%s'", label);
-#endif
} else
log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
@@ -328,10 +321,8 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
/* set the defaults */
if (!selinux)
label_fix(devnode, true, false);
-#ifdef HAVE_SMACK
- if (!smack && use_smack())
- lremovexattr(devnode, "security.SMACK64");
-#endif
+ if (!smack)
+ smack_label_path(devnode, NULL);
}
/* always update timestamp when we re-use the node, like on media change events */
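Review bot: The result of `smack_label_path(devnode, NULL)` on the new line is discarded, so a failed label removal leaves a stale SMACK64 label on a reused node with no trace in the log; the set path a few lines up logs its failure. If a check is added, note that `lremovexattr` returns -1 with ENODATA when the node has no label, which is the normal case here, so that value should not be reported as an error: `if (smack_label_path(devnode, NULL) < 0 && errno != ENODATA) log_debug("SECLABEL: failed to remove SMACK label");` (whether `<errno.h>` is already included in this file is not visible in the hunk). The enclosing function node_permissions_apply continues outside the hunk.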