Diffstat (limited to 'src')
| -rw-r--r-- | src/core/main.c | 3 | ||||
| -rw-r--r-- | src/core/mount-setup.c | 4 | ||||
| -rw-r--r-- | src/core/smack-setup.c | 98 | ||||
| -rw-r--r-- | src/core/smack-setup.h | 26 | 
4 files changed, 130 insertions, 1 deletions
| diff --git a/src/core/main.c b/src/core/main.c index 24d8d3e982..727a410740 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -67,6 +67,7 @@  #include "selinux-setup.h"  #include "ima-setup.h"  #include "fileio.h" +#include "smack-setup.h"  static enum {          ACTION_RUN, @@ -1362,6 +1363,8 @@ int main(int argc, char *argv[]) {                                  goto finish;                          if (ima_setup() < 0)                                  goto finish; +                        if (smack_setup() < 0) +                                goto finish;                  }                  if (label_init(NULL) < 0) diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index dab3601467..42cdc6dc52 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c @@ -66,7 +66,7 @@ typedef struct MountPoint {  /* The first three entries we might need before SELinux is up. The   * fourth (securityfs) is needed by IMA to load a custom policy. The   * other ones we can delay until SELinux and IMA are loaded. */ -#define N_EARLY_MOUNT 4 +#define N_EARLY_MOUNT 5  static const MountPoint mount_table[] = {          { "proc",       "/proc",                     "proc",       NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, @@ -77,6 +77,8 @@ static const MountPoint mount_table[] = {            NULL,       MNT_FATAL|MNT_IN_CONTAINER },          { "securityfs", "/sys/kernel/security",      "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,            NULL,       MNT_NONE }, +        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, +          NULL,       MNT_NONE },          { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,            NULL,       MNT_FATAL|MNT_IN_CONTAINER },          { "devpts",     "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, 
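Review bot: The `if (smack_setup() < 0) goto finish;` added to main() guards a path that cannot be taken: in the new src/core/smack-setup.c every exit of smack_setup() returns 0, including the dirfd() failure and the per-file open and read errors it logs. Either the function should return a negative value for genuine failures (a rule the kernel rejects on load2, for instance) so this check means something, or the call site should say that rule loading is best-effort, e.g. `/* best-effort: smack_setup() logs failures and never returns an error */`. main()'s enclosing body starts and ends outside the hunk.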
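Review bot: The comment directly above the changed `#define N_EARLY_MOUNT 5` still describes four early mounts ("The first three ... The fourth (securityfs) is needed by IMA"), so after this hunk it no longer matches the constant, and the reason the fifth entry (smackfs, added in this file's second hunk) must be mounted early is stated nowhere. Suggest extending it, e.g. ` * fourth (securityfs) is needed by IMA to load a custom policy, the` / ` * fifth (smackfs) by smack_setup() to load access rules. The`. In the second hunk, the `smackfsdef=*` option also deserves a one-line comment on why the star label is the chosen default, since, as I read the Smack mount options, it decides the label given to objects on that mount that carry none.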
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
new file mode 100644
index 0000000000..88e6437445
--- /dev/null
+++ b/src/core/smack-setup.c
@@ -0,0 +1,98 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright (C) 2013 Intel Corporation
+  Authors:
+        Nathaniel Chen <nathaniel.chen@intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published
+  by the Free Software Foundation; either version 2.1 of the License,
+  or (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/vfs.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/mount.h>
+#include <stdint.h>
+
+#include "macro.h"
+#include "smack-setup.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
+
+int smack_setup(void) {
+        _cleanup_fclose_ FILE *smack = NULL;
+        _cleanup_closedir_ DIR *dir = NULL;
+        struct dirent *entry;
+        char buf[NAME_MAX];
+        int dfd = -1;
+
+        smack = fopen("/sys/fs/smackfs/load2", "we");
+        if (!smack)  {
+                log_info("Smack is not enabled in the kernel, not loading access rules.");
+                return 0;
+        }
+
+        /* write rules to load2 from every file in the directory */
+        dir = opendir(ACCESSES_D_PATH);
+        if (!dir) {
+                log_info("Smack access rules directory not found: " ACCESSES_D_PATH);
+                return 0;
+        }
+
+        dfd = dirfd(dir);
+        if (dfd < 0) {
+                log_error("Smack access rules directory " ACCESSES_D_PATH " not opened: %m");
+                return 0;
+        }
+
+        FOREACH_DIRENT(entry, dir, return 0) {
+                _cleanup_fclose_ FILE *policy = NULL;
+                _cleanup_close_ int pol = -1;
+
+                pol = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
+                if (pol < 0) {
+                        log_error("Smack access rule file %s not opened: %m", entry->d_name);
+                        continue;
+                }
+
+                policy = fdopen(pol, "re");
+                if (!policy) {
+                        log_error("Smack access rule file %s not opened: %m", entry->d_name);
+                        continue;
+                }
+
+                pol = -1;
+
+                /* load2 write rules in the kernel require a line buffered stream */
+                FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
+                        fputs(buf, smack);
+                        fflush(smack);
+                }
+        }
+
+        log_info("Successfully loaded Smack policies.");
+
+        return 0;
+}
diff --git a/src/core/smack-setup.h b/src/core/smack-setup.h
new file mode 100644
index 0000000000..ffe91843c3
--- /dev/null
+++ b/src/core/smack-setup.h
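Review bot: In the FOREACH_LINE loop the results of `fputs(buf, smack)` and `fflush(smack)` are ignored, so a rule the kernel rejects on load2 is dropped silently, `Successfully loaded Smack policies.` is logged regardless, and because every path returns 0 the caller in main.c cannot tell. `char buf[NAME_MAX]` also sizes the line buffer with a filename limit: a rule line longer than the buffer is read in two iterations and each fragment is flushed to load2 as a separate, malformed rule, so a line-oriented size such as `LINE_MAX` from `<limits.h>` (or a larger named constant) fits better. The rewrite below records the first write failure and returns it, and makes the success message conditional; whether main() should then abort boot is a policy choice, but the information should at least reach it. The function is complete within the hunk.
```c
int smack_setup(void) {
        _cleanup_fclose_ FILE *smack = NULL;
        _cleanup_closedir_ DIR *dir = NULL;
        struct dirent *entry;
        char buf[LINE_MAX];
        int dfd = -1, r = 0;

        /* … unchanged: open load2, opendir, dirfd, per-file openat/fdopen … */

                /* load2 write rules in the kernel require a line buffered stream */
                FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
                        if (fputs(buf, smack) == EOF || fflush(smack) != 0) {
                                /* remember the first failure; the kernel refuses rules it cannot parse */
                                if (r == 0)
                                        r = -errno;
                                log_error("Failed to load Smack rule from %s: %m", entry->d_name);
                        }
                }
        }

        if (r == 0)
                log_info("Successfully loaded Smack policies.");

        return r;
}
```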
@@ -0,0 +1,26 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright (C) 2013 Intel Corporation
+  Authors:
+        Nathaniel Chen <nathaniel.chen@intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published
+  by  the Free Software Foundation; either version 2.1 of the License,
+  or  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int smack_setup(void); | 
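Review bot: The new prototype `int smack_setup(void);` carries no contract comment, and its return semantics are not what the name and the `< 0` check in main.c suggest: in the accompanying smack-setup.c every path returns 0, the function is a no-op when /sys/fs/smackfs/load2 cannot be opened or /etc/smack/accesses.d/ is absent, and failures to load individual rules are only logged. A short comment above the declaration stating that it loads Smack access rules from /etc/smack/accesses.d/ into the kernel, that it is silently skipped when Smack is not available, and what a negative return would mean (if one is ever produced) would keep callers from relying on an error path that does not exist.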
