1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright (C) 2013 Intel Corporation
8 Nathaniel Chen <nathaniel.chen@intel.com>
10 systemd is free software; you can redistribute it and/or modify it
11 under the terms of the GNU Lesser General Public License as published
12 by the Free Software Foundation; either version 2.1 of the License,
13 or (at your option) any later version.
15 systemd is distributed in the hope that it will be useful, but
16 WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
18 Lesser General Public License for more details.
20 You should have received a copy of the GNU Lesser General Public License
21 along with systemd; If not, see <http://www.gnu.org/licenses/>.
31 #include <sys/types.h>
33 #include <sys/mount.h>
37 #include "smack-setup.h"
45 static int write_access2_rules(const char* srcdir) {
46 _cleanup_close_ int load2_fd = -1, change_fd = -1;
47 _cleanup_closedir_ DIR *dir = NULL;
53 load2_fd = open("/sys/fs/smackfs/load2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
56 log_warning("Failed to open '%s': %m", "/sys/fs/smackfs/load2");
57 return -errno; /* negative error */
60 change_fd = open("/sys/fs/smackfs/change-rule", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
63 log_warning("Failed to open '%s': %m", "/sys/fs/smackfs/change-rule");
64 return -errno; /* negative error */
67 /* write rules to load2 or change-rule from every file in the directory */
68 dir = opendir(srcdir);
71 log_warning("Failed to opendir '%s': %m", srcdir);
72 return errno; /* positive on purpose */
78 FOREACH_DIRENT(entry, dir, return 0) {
80 _cleanup_fclose_ FILE *policy = NULL;
82 if (!dirent_is_file(entry))
85 fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
89 log_warning("Failed to open '%s': %m", entry->d_name);
93 policy = fdopen(fd, "re");
98 log_error("Failed to open '%s': %m", entry->d_name);
102 /* load2 write rules in the kernel require a line buffered stream */
103 FOREACH_LINE(buf, policy,
104 log_error("Failed to read line from '%s': %m",
107 _cleanup_free_ char *sbj = NULL, *obj = NULL, *acc1 = NULL, *acc2 = NULL;
109 if (isempty(truncate_nl(buf)))
112 /* if 3 args -> load rule : subject object access1 */
113 /* if 4 args -> change rule : subject object access1 access2 */
114 if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) {
115 log_error("Failed to parse rule '%s' in '%s'", buf, entry->d_name);
119 if (write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)) < 0) {
122 log_error("Failed to write '%s' to '%s' in '%s'",
123 buf, isempty(acc2) ? "/sys/fs/smackfs/load2" : "/sys/fs/smackfs/change-rule", entry->d_name);
131 static int write_cipso2_rules(const char* srcdir) {
132 _cleanup_close_ int cipso2_fd = -1;
133 _cleanup_closedir_ DIR *dir = NULL;
134 struct dirent *entry;
139 cipso2_fd = open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY);
142 log_warning("Failed to open '%s': %m", "/sys/fs/smackfs/cipso2");
143 return -errno; /* negative error */
146 /* write rules to cipso2 from every file in the directory */
147 dir = opendir(srcdir);
150 log_warning("Failed to opendir '%s': %m", srcdir);
151 return errno; /* positive on purpose */
157 FOREACH_DIRENT(entry, dir, return 0) {
159 _cleanup_fclose_ FILE *policy = NULL;
161 if (!dirent_is_file(entry))
164 fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
168 log_warning("Failed to open '%s': %m", entry->d_name);
172 policy = fdopen(fd, "re");
177 log_error("Failed to open '%s': %m", entry->d_name);
181 /* cipso2 write rules in the kernel require a line buffered stream */
182 FOREACH_LINE(buf, policy,
183 log_error("Failed to read line from '%s': %m",
186 if (isempty(truncate_nl(buf)))
189 if (write(cipso2_fd, buf, strlen(buf)) < 0) {
192 log_error("Failed to write '%s' to '/sys/fs/smackfs/cipso2' in '%s'",
204 int smack_setup(bool *loaded_policy) {
210 assert(loaded_policy);
212 r = write_access2_rules("/etc/smack/accesses.d/");
215 log_debug("Smack is not enabled in the kernel.");
218 log_debug("Smack access rules directory '/etc/smack/accesses.d/' not found");
221 log_info("Successfully loaded Smack policies.");
224 log_warning("Failed to load Smack access rules: %s, ignoring.",
229 #ifdef SMACK_RUN_LABEL
230 r = write_string_file("/proc/self/attr/current", SMACK_RUN_LABEL);
232 log_warning("Failed to set SMACK label \"%s\" on self: %s",
233 SMACK_RUN_LABEL, strerror(-r));
236 r = write_cipso2_rules("/etc/smack/cipso.d/");
239 log_debug("Smack/CIPSO is not enabled in the kernel.");
242 log_debug("Smack/CIPSO access rules directory '/etc/smack/cipso.d/' not found");
245 log_info("Successfully loaded Smack/CIPSO policies.");
248 log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
253 *loaded_policy = true;