Age | Commit message (Collapse) | Author |
|
The line under the last switch statement *loaded_policy = true;
would never be executed. As all switch cases return 0. Thus the
policy would never be marked as loaded.
Found with Coverity. Fixes: CID#1237785
|
|
safe_close() automatically becomes a NOP when a negative fd is passed,
and returns -1 unconditionally. This makes it easy to write lines like
this:
fd = safe_close(fd);
Which will close an fd if it is open, and reset the fd variable
correctly.
By making use of this new scheme we can drop a > 200 lines of code that
was required to test for non-negative fds or to reset the closed fd
variable afterwards.
|
|
With loaded_policy set to true mount_setup() relabels /dev properly.
|
|
Allows the systemd --system process to change its current
SMACK label to a predefined custom label (usually "system")
at boot time.
This is needed to have a few system-generated folders and
sockets automatically be created with the right SMACK
label. Without that, processes either cannot communicate with
systemd or systemd fails to perform some actions.
|
|
The correct path to the dir with CIPSO mappings is /etc/smack/cipso.d/;
/etc/smack/cipso is a file that can include these mappings as well,
though it is no longer supported in upstream libsmack.
|
|
Additionally, compile out rule loading if feature is disabled.
|
|
CIPSO is the Common IP Security Option, an IETF standard for setting
security levels for a process sending packets. In Smack kernels,
CIPSO headers are mapped to Smack labels automatically, but can be changed.
This patch writes label/category mappings from /etc/smack/cipso/ to
/sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]...
For more information about Smack and CIPSO, see:
https://kernel.org/doc/Documentation/security/Smack.txt
|
|
Check all errors.
|
|
BogdanR> I think it's cool it supports SMACK and that it encourages
them to use a propper mount point for smackfs but I don't
think it's cool that it's printing on the screen even when
I parse quiet to the kernel that "SMACK support is not
enabled ...".
|
|
SMACK is the Simple Mandatory Access Control Kernel, a minimal
approach to Access Control implemented as a kernel LSM.
The kernel exposes the smackfs filesystem API through which access
rules can be loaded. At boot time, we want to load the access rules
as early as possible to ensure all early boot steps are checked by Smack.
This patch mounts smackfs at the new location at /sys/fs/smackfs for
kernels 3.8 and above. The /smack mountpoint is not supported.
After mounting smackfs, rules are loaded from the usual location.
For more information about Smack see:
http://www.kernel.org/doc/Documentation/security/Smack.txt
|