← Back to branch summary

~ubuntu-branches/ubuntu/trusty/systemd/trusty

« back to all changes in this revision

Viewing changes to src/core/smack-setup.c

Tags: upstream-202
ImportĀ upstreamĀ versionĀ 202

Show diffs side-by-side

added added

removed removed

Lines of Context:
src/core/smack-setup.c
39
39
#include "log.h"
40
40
#include "label.h"
41
41
 
42
 
#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
 
42
#define SMACK_CONFIG "/etc/smack/accesses.d/"
 
43
#define CIPSO_CONFIG "/etc/smack/cipso/"
43
44
 
44
 
int smack_setup(void) {
45
 
        _cleanup_fclose_ FILE *smack = NULL;
 
45
static int write_rules(const char* dstpath, const char* srcdir) {
 
46
        _cleanup_fclose_ FILE *dst = NULL;
46
47
        _cleanup_closedir_ DIR *dir = NULL;
47
48
        struct dirent *entry;
48
49
        char buf[NAME_MAX];
49
50
        int dfd = -1;
 
51
        int r = 0;
50
52
 
51
 
        smack = fopen("/sys/fs/smackfs/load2", "we");
52
 
        if (!smack)  {
53
 
                log_info("Smack is not enabled in the kernel, not loading access rules.");
54
 
                return 0;
 
53
        dst = fopen(dstpath, "we");
 
54
        if (!dst)  {
 
55
                if (errno != ENOENT)
 
56
                        log_warning("Failed to open %s: %m", dstpath);
 
57
                return -errno; /* negative error */
55
58
        }
56
59
 
57
 
        /* write rules to load2 from every file in the directory */
58
 
        dir = opendir(ACCESSES_D_PATH);
 
60
        /* write rules to dst from every file in the directory */
 
61
        dir = opendir(srcdir);
59
62
        if (!dir) {
60
 
                log_info("Smack access rules directory not found: " ACCESSES_D_PATH);
61
 
                return 0;
 
63
                if (errno != ENOENT)
 
64
                        log_warning("Failed to opendir %s: %m", srcdir);
 
65
                return errno; /* positive on purpose */
62
66
        }
63
67
 
64
68
        dfd = dirfd(dir);
65
 
        if (dfd < 0) {
66
 
                log_error("Smack access rules directory " ACCESSES_D_PATH " not opened: %m");
67
 
                return 0;
68
 
        }
 
69
        assert(dfd >= 0);
69
70
 
70
71
        FOREACH_DIRENT(entry, dir, return 0) {
 
72
                int fd;
71
73
                _cleanup_fclose_ FILE *policy = NULL;
72
 
                _cleanup_close_ int pol = -1;
73
74
 
74
 
                pol = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
75
 
                if (pol < 0) {
76
 
                        log_error("Smack access rule file %s not opened: %m", entry->d_name);
 
75
                fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
 
76
                if (fd < 0) {
 
77
                        if (r == 0)
 
78
                                r = -errno;
 
79
                        log_warning("Failed to open %s: %m", entry->d_name);
77
80
                        continue;
78
81
                }
79
82
 
80
 
                policy = fdopen(pol, "re");
 
83
                policy = fdopen(fd, "re");
81
84
                if (!policy) {
82
 
                        log_error("Smack access rule file %s not opened: %m", entry->d_name);
 
85
                        if (r == 0)
 
86
                                r = -errno;
 
87
                        close_nointr_nofail(fd);
 
88
                        log_error("Failed to open %s: %m", entry->d_name);
83
89
                        continue;
84
90
                }
85
91
 
86
 
                pol = -1;
87
 
 
88
92
                /* load2 write rules in the kernel require a line buffered stream */
89
 
                FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
90
 
                        fputs(buf, smack);
91
 
                        fflush(smack);
 
93
                FOREACH_LINE(buf, policy,
 
94
                             log_error("Failed to read line from %s: %m",
 
95
                                       entry->d_name)) {
 
96
                        if (!fputs(buf, dst)) {
 
97
                                if (r == 0)
 
98
                                        r = -EINVAL;
 
99
                                log_error("Failed to write line to %s", dstpath);
 
100
                                break;
 
101
                        }
 
102
                        if (fflush(dst)) {
 
103
                                if (r == 0)
 
104
                                        r = -errno;
 
105
                                log_error("Failed to flush writes to %s: %m", dstpath);
 
106
                                break;
 
107
                        }
92
108
                }
93
109
        }
94
110
 
95
 
        log_info("Successfully loaded Smack policies.");
96
 
 
97
 
        return 0;
 
111
       return r;
 
112
}
 
113
 
 
114
 
 
115
int smack_setup(void) {
 
116
        int r;
 
117
 
 
118
        r = write_rules("/sys/fs/smackfs/load2", SMACK_CONFIG);
 
119
        switch(r) {
 
120
        case -ENOENT:
 
121
                log_debug("Smack is not enabled in the kernel.");
 
122
                return 0;
 
123
        case ENOENT:
 
124
                log_debug("Smack access rules directory " SMACK_CONFIG " not found");
 
125
                return 0;
 
126
        case 0:
 
127
                log_info("Successfully loaded Smack policies.");
 
128
                break;
 
129
        default:
 
130
                log_warning("Failed to load Smack access rules: %s, ignoring.",
 
131
                            strerror(abs(r)));
 
132
                return 0;
 
133
        }
 
134
 
 
135
        r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
 
136
        switch(r) {
 
137
        case -ENOENT:
 
138
                log_debug("Smack/CIPSO is not enabled in the kernel.");
 
139
                return 0;
 
140
        case ENOENT:
 
141
                log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
 
142
                return 0;
 
143
        case 0:
 
144
                log_info("Successfully loaded Smack/CIPSO policies.");
 
145
                return 0;
 
146
        default:
 
147
                log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
 
148
                            strerror(abs(r)));
 
149
                return 0;
 
150
        }
98
151
}