smack-setup.c revision e53fc357a9bb9d0a5362ccc4246d598cb0febd5e
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen/***
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen This file is part of systemd.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen Copyright (C) 2013 Intel Corporation
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen Authors:
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen Nathaniel Chen <nathaniel.chen@intel.com>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen systemd is free software; you can redistribute it and/or modify it
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen under the terms of the GNU Lesser General Public License as published
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen by the Free Software Foundation; either version 2.1 of the License,
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen or (at your option) any later version.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen systemd is distributed in the hope that it will be useful, but
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen WITHOUT ANY WARRANTY; without even the implied warranty of
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen Lesser General Public License for more details.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen You should have received a copy of the GNU Lesser General Public License
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen along with systemd; If not, see <http://www.gnu.org/licenses/>.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen***/
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <stdio.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <errno.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <string.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <stdlib.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <fcntl.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <dirent.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "macro.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "smack-setup.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "util.h"
8b197c3a8a57c3f7c231b39e5660856fd9580c80Auke Kok#include "fileio.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "log.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski#ifdef HAVE_SMACK
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski
6656aefb42385b468dd96867118d049f945cbf81WaLyong Chostatic int write_access2_rules(const char* srcdir) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho _cleanup_close_ int load2_fd = -1, change_fd = -1;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen _cleanup_closedir_ DIR *dir = NULL;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen struct dirent *entry;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen char buf[NAME_MAX];
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen int dfd = -1;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek int r = 0;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho load2_fd = open("/sys/fs/smackfs/load2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (load2_fd < 0) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (errno != ENOENT)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/load2': %m");
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho return -errno; /* negative error */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho change_fd = open("/sys/fs/smackfs/change-rule", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (change_fd < 0) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (errno != ENOENT)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/change-rule': %m");
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek return -errno; /* negative error */
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho /* write rules to load2 or change-rule from every file in the directory */
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek dir = opendir(srcdir);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen if (!dir) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (errno != ENOENT)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir);
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek return errno; /* positive on purpose */
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen dfd = dirfd(dir);
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek assert(dfd >= 0);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen FOREACH_DIRENT(entry, dir, return 0) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek int fd;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen _cleanup_fclose_ FILE *policy = NULL;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (!dirent_is_file(entry))
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (fd < 0) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (r == 0)
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek r = -errno;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_warning_errno(errno, "Failed to open '%s': %m", entry->d_name);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen continue;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek policy = fdopen(fd, "re");
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen if (!policy) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (r == 0)
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek r = -errno;
03e334a1c7dc8c20c38902aa039440763acc9b17Lennart Poettering safe_close(fd);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to open '%s': %m", entry->d_name);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen continue;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen /* load2 write rules in the kernel require a line buffered stream */
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek FOREACH_LINE(buf, policy,
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to read line from '%s': %m",
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho entry->d_name)) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho _cleanup_free_ char *sbj = NULL, *obj = NULL, *acc1 = NULL, *acc2 = NULL;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (isempty(truncate_nl(buf)))
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho /* if 3 args -> load rule : subject object access1 */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho /* if 4 args -> change rule : subject object access1 access2 */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to parse rule '%s' in '%s', ignoring.", buf, entry->d_name);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)) < 0) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (r == 0)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho r = -errno;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to write '%s' to '%s' in '%s'",
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho buf, isempty(acc2) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule", entry->d_name);
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho return r;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho}
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Chostatic int write_cipso2_rules(const char* srcdir) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho _cleanup_close_ int cipso2_fd = -1;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho _cleanup_closedir_ DIR *dir = NULL;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho struct dirent *entry;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho char buf[NAME_MAX];
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho int dfd = -1;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho int r = 0;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho cipso2_fd = open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (cipso2_fd < 0) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (errno != ENOENT)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/cipso2': %m");
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho return -errno; /* negative error */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho /* write rules to cipso2 from every file in the directory */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho dir = opendir(srcdir);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (!dir) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (errno != ENOENT)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho return errno; /* positive on purpose */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho dfd = dirfd(dir);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho assert(dfd >= 0);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho FOREACH_DIRENT(entry, dir, return 0) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho int fd;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho _cleanup_fclose_ FILE *policy = NULL;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (!dirent_is_file(entry))
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (fd < 0) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (r == 0)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho r = -errno;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to open '%s': %m", entry->d_name);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho policy = fdopen(fd, "re");
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (!policy) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (r == 0)
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho r = -errno;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho safe_close(fd);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to open '%s': %m", entry->d_name);
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho }
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho /* cipso2 write rules in the kernel require a line buffered stream */
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho FOREACH_LINE(buf, policy,
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to read line from '%s': %m",
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho entry->d_name)) {
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (isempty(truncate_nl(buf)))
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho continue;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho if (write(cipso2_fd, buf, strlen(buf)) < 0) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek if (r == 0)
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek r = -errno;
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_error_errno(errno, "Failed to write '%s' to '/sys/fs/smackfs/cipso2' in '%s'",
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho buf, entry->d_name);
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek break;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho return r;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek}
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski#endif
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
8a188de9e0ea41509beda12084126d7a75ebe86eWaLyong Choint mac_smack_setup(bool *loaded_policy) {
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski#ifdef HAVE_SMACK
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek int r;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek
e49d3c016751c03e544697656e8e596af8a664d7Łukasz Stelmach assert(loaded_policy);
e49d3c016751c03e544697656e8e596af8a664d7Łukasz Stelmach
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho r = write_access2_rules("/etc/smack/accesses.d/");
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek switch(r) {
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek case -ENOENT:
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek log_debug("Smack is not enabled in the kernel.");
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek return 0;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek case ENOENT:
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek return 0;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek case 0:
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek log_info("Successfully loaded Smack policies.");
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen break;
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen default:
e53fc357a9bb9d0a5362ccc4246d598cb0febd5eLennart Poettering log_warning_errno(r, "Failed to load Smack access rules, ignoring: %m");
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen return 0;
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen }
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen
8b197c3a8a57c3f7c231b39e5660856fd9580c80Auke Kok#ifdef SMACK_RUN_LABEL
4c1fc3e404d648c70bd2f50ac50aeac6ece8872eDaniel Mack r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL, 0);
8b197c3a8a57c3f7c231b39e5660856fd9580c80Auke Kok if (r)
e53fc357a9bb9d0a5362ccc4246d598cb0febd5eLennart Poettering log_warning_errno("Failed to set SMACK label \"%s\" on self: %m", SMACK_RUN_LABEL);
8b197c3a8a57c3f7c231b39e5660856fd9580c80Auke Kok#endif
8b197c3a8a57c3f7c231b39e5660856fd9580c80Auke Kok
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho r = write_cipso2_rules("/etc/smack/cipso.d/");
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen switch(r) {
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen case -ENOENT:
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen log_debug("Smack/CIPSO is not enabled in the kernel.");
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen return 0;
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen case ENOENT:
6656aefb42385b468dd96867118d049f945cbf81WaLyong Cho log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen return 0;
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen case 0:
abbacb1defaaecb8d2477685f7bb3fabcf58585bNathaniel Chen log_info("Successfully loaded Smack/CIPSO policies.");
b9289d4c6e13ec5fb67bfce69c826d93b004da6aPhilippe De Swert break;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek default:
e53fc357a9bb9d0a5362ccc4246d598cb0febd5eLennart Poettering log_warning_errno(r, "Failed to load Smack/CIPSO access rules, ignoring: %m");
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek return 0;
a4783bd17ad96f55b0fe83a50959da13555292bfZbigniew Jędrzejewski-Szmek }
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski
e49d3c016751c03e544697656e8e596af8a664d7Łukasz Stelmach *loaded_policy = true;
e49d3c016751c03e544697656e8e596af8a664d7Łukasz Stelmach
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski#endif
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski
2b3e18de74ca89b374dd4f7a2c30e5731d347841Karol Lewandowski return 0;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen}