src/core/smack-setup.c

	smack-setup.c revision fea7838e7e0b2724f5e0bc028121a08b42995045
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen/***
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  This file is part of systemd.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  Copyright (C) 2013 Intel Corporation
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  Authors:
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        Nathaniel Chen <nathaniel.chen@intel.com>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  systemd is free software; you can redistribute it and/or modify it
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  under the terms of the GNU Lesser General Public License as published
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  by the Free Software Foundation; either version 2.1 of the License,
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  or (at your option) any later version.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  systemd is distributed in the hope that it will be useful, but
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  WITHOUT ANY WARRANTY; without even the implied warranty of
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  Lesser General Public License for more details.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  You should have received a copy of the GNU Lesser General Public License
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen  along with systemd; If not, see <http://www.gnu.org/licenses/>.
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen***/
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <stdio.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <errno.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <string.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <unistd.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <stdlib.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <sys/vfs.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <fcntl.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <sys/types.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <dirent.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <sys/mount.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include <stdint.h>
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "macro.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "smack-setup.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "util.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "log.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#include "label.h"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chenint smack_setup(void) {
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        _cleanup_fclose_ FILE *smack = NULL;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        _cleanup_closedir_ DIR *dir = NULL;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        struct dirent *entry;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        char buf[NAME_MAX];
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        int dfd = -1;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        smack = fopen("/sys/fs/smackfs/load2", "we");
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        if (!smack)  {
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                if (errno == ENOENT)
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                        log_debug("Smack is not enabled in the kernel, not loading access rules.");
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                else
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                        log_warning("Failed to open /sys/fs/smackfs/load2: %m");
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                return 0;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        /* write rules to load2 from every file in the directory */
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        dir = opendir(ACCESSES_D_PATH);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        if (!dir) {
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                log_full(errno == ENOENT ? LOG_DEBUG : LOG_WARNING,
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                         "Opening Smack access rules directory "
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                         ACCESSES_D_PATH ": %m");
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                return 0;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        dfd = dirfd(dir);
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek        assert(dfd >= 0);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        FOREACH_DIRENT(entry, dir, return 0) {
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                _cleanup_fclose_ FILE *policy = NULL;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                _cleanup_close_ int pol = -1;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                pol = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                if (pol < 0) {
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                        log_error("Smack access rule file %s not opened: %m",
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                                  entry->d_name);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                        continue;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                policy = fdopen(pol, "re");
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                if (!policy) {
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                        log_error("Smack access rule file %s not opened: %m",
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                                  entry->d_name);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                        continue;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                pol = -1;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                /* load2 write rules in the kernel require a line buffered stream */
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                FOREACH_LINE(buf, policy,
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                             log_error("Failed to read from Smack access rule file %s: %m",
fea7838e7e0b2724f5e0bc028121a08b42995045Zbigniew Jędrzejewski-Szmek                                       entry->d_name)) {
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                        fputs(buf, smack);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                        fflush(smack);
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen                }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        }
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        log_info("Successfully loaded Smack policies.");
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen        return 0;
ffbd2c4d45787ba5ba85a32db6551efba66a1ee6Nathaniel Chen}