path: root/src/core/smack-setup.c
Age | Commit message | Author
2014-11-28 | treewide: use log_*_errno whenever %m is in the format string | Michal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged.

Using:

    find . -name '*.[ch]' | xargs sed -r -i -e \
    's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'

Plus some whitespace, linewrap, and indent adjustments.
2014-10-28 | mac: add mac_ prefix to distinguish origin security apis | WaLyong Cho
2014-09-13 | core: smack-setup: Actually allow for successfully loading CIPSO policy | Philippe De Swert
The line under the last switch statement

    *loaded_policy = true;

would never be executed. As all switch cases return 0. Thus the policy would never be marked as loaded.

Found with Coverity. Fixes: CID#1237785
2014-03-18 | util: replace close_nointr_nofail() by a more useful safe_close() | Lennart Poettering
safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this:

    fd = safe_close(fd);

Which will close an fd if it is open, and reset the fd variable correctly.

By making use of this new scheme we can drop > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-02-24 | smack: set loaded_policy in smack_setup() | Łukasz Stelmach
With loaded_policy set to true mount_setup() relabels /dev properly.
2013-10-07 | Run with a custom SMACK domain (label). | Auke Kok
Allows the systemd --system process to change its current SMACK label to a predefined custom label (usually "system") at boot time. This is needed to have a few system-generated folders and sockets automatically be created with the right SMACK label. Without that, processes either cannot communicate with systemd or systemd fails to perform some actions.
2013-10-01 | smack-setup: fix path to Smack/CIPSO mappings | Patrick McCarty
The correct path to the dir with CIPSO mappings is /etc/smack/cipso.d/; /etc/smack/cipso is a file that can include these mappings as well, though it is no longer supported in upstream libsmack.
2013-05-17 | Make it possible to disable smack separately from xattr support | Karol Lewandowski
Additionally, compile out rule loading if feature is disabled.
2013-03-15 | smack-setup: enable Smack/CIPSO mapping | Nathaniel Chen
CIPSO is the Common IP Security Option, an IETF standard for setting security levels for a process sending packets. In Smack kernels, CIPSO headers are mapped to Smack labels automatically, but can be changed. This patch writes label/category mappings from /etc/smack/cipso/ to /sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]... For more information about Smack and CIPSO, see: https://kernel.org/doc/Documentation/security/Smack.txt
2013-03-15 | smack-setup: extract rule writing into a separate function | Zbigniew Jędrzejewski-Szmek
Check all errors.
2013-03-11 | core/smack: downgrade info to debug | Zbigniew Jędrzejewski-Szmek
BogdanR> I think it's cool it supports SMACK and that it encourages them to use a proper mount point for smackfs but I don't think it's cool that it's printing on the screen even when I parse quiet to the kernel that "SMACK support is not enabled ...".
2013-03-07 | core: mount and initialize Smack | Nathaniel Chen
SMACK is the Simple Mandatory Access Control Kernel, a minimal approach to Access Control implemented as a kernel LSM. The kernel exposes the smackfs filesystem API through which access rules can be loaded. At boot time, we want to load the access rules as early as possible to ensure all early boot steps are checked by Smack. This patch mounts smackfs at the new location at /sys/fs/smackfs for kernels 3.8 and above. The /smack mountpoint is not supported. After mounting smackfs, rules are loaded from the usual location. For more information about Smack see: http://www.kernel.org/doc/Documentation/security/Smack.txt