2 * This file is part of libsmack
4 * Copyright (C) 2011 Intel Corporation
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public License
8 * version 2.1 as published by the Free Software Foundation.
10 * This library is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
21 * Brian McGillion <brian.mcgillion@intel.com>
34 #include <sys/inotify.h>
35 #include <sys/select.h>
37 #define PID_FILE "/var/run/smackd.pid"
38 #define BUF_SIZE (4 * (sizeof(struct inotify_event) + NAME_MAX + 1))
43 int notify_handles[2];
44 static volatile sig_atomic_t terminate = 0;
45 static volatile sig_atomic_t restart = 0;
53 static void clear_all_rules()
56 syslog(LOG_ERR, "Failed to clear all rules");
59 static void load_all_rules()
61 if (apply_rules(ACCESSES_D_PATH, 0))
62 syslog(LOG_DEBUG, "Failed to load all rules");
65 static void signal_handler(int sig)
75 syslog(LOG_DEBUG, "Unrequested signal : %d", sig);
80 static int lockPidFile()
86 fd = open(PID_FILE, O_RDWR | O_CREAT | O_CLOEXEC,
87 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
89 syslog(LOG_ERR, "Failed to open (%s) : %m", PID_FILE);
95 lock.l_type = F_WRLCK;
96 lock.l_whence = SEEK_SET;
98 if (fcntl(fd, F_SETLK, &lock) < 0) {
99 if (errno == EACCES || errno == EAGAIN) {
100 syslog(LOG_ERR, "Daemon is already running (%s) : %m", PID_FILE);
103 syslog(LOG_ERR, "Could not lock PID_FILE (%s) : %m", PID_FILE);
109 if (ftruncate(fd, 0) < 0) {
110 syslog(LOG_ERR, "Could not truncate PID_FILE (%s) : %m", PID_FILE);
115 snprintf(buf, BUF_SIZE, "%ld\n", (long)getpid());
116 if (write(fd, buf, strlen(buf)) != strlen(buf)) {
117 syslog(LOG_ERR, "Could not write to PID_FILE (%s) : %m", PID_FILE);
125 static int daemonize()
131 syslog(LOG_ERR, "Failed to fork : %m");
142 //do not regain a terminal
145 syslog(LOG_ERR, "Failed to fork (2) : %m");
156 syslog(LOG_ERR, "Failed to chdir '/' : %m");
158 maxfd = sysconf(_SC_OPEN_MAX);
159 maxfd = maxfd != -1 ? maxfd : 4096;
161 for (fd = 0; fd < maxfd; fd++)
164 if (!freopen("/dev/null", "r", stdin))
165 syslog(LOG_DEBUG, "Failed to reopen stdin : %m");
166 if(!freopen("/dev/null", "w", stdout))
167 syslog(LOG_DEBUG, "Failed to reopen stout : %m");
168 if(!freopen("/dev/null", "w", stderr))
169 syslog(LOG_DEBUG, "Failed to reopen sterr : %m");
171 return lockPidFile();
174 static int configure_inotify()
178 inotifyFd = inotify_init();
180 syslog(LOG_ERR, "Failed to init inotify : %m");
184 fd = inotify_add_watch(inotifyFd, ACCESSES_D_PATH,
185 IN_DELETE | IN_CLOSE_WRITE | IN_MOVE);
187 syslog(LOG_ERR, "Failed to inotify_add_watch (%s) : %m",
192 notify_handles[ACCESS_FD] = fd;
194 fd = inotify_add_watch(inotifyFd, CIPSO_D_PATH,
195 IN_DELETE | IN_CLOSE_WRITE | IN_MOVE);
197 syslog(LOG_ERR, "Failed to inotify_add_watch (%s) : %m",
202 notify_handles[CIPSO_FD] = fd;
207 static void modify_access_rules(char *file, enum mask_action action)
212 sprintf(path,"%s/%s", ACCESSES_D_PATH, file);
214 if (action == CREATE)
215 ret = apply_rules(path, 0);
216 else if (action == MODIFY) {
217 ret = apply_rules(path, 1);
218 ret = apply_rules(path, 0);
222 syslog(LOG_ERR, "Failed load access rules (%s), action (%d) :%m",
226 static void modify_cipso_rules(char *file)
229 sprintf(path,"%s/%s", CIPSO_D_PATH, file);
231 if (apply_cipso(path))
232 syslog(LOG_ERR, "Failed to load cipso rules (%s) : %m", path);
235 static int handle_inotify_event(int inotifyFd)
237 struct inotify_event *event;
241 enum mask_action action;
243 int size = sizeof(struct inotify_event);
245 num_read = read(inotifyFd, buf, BUF_SIZE);
247 syslog(LOG_ERR, "Error reading inotify event : %m");
251 for (head = buf; head < buf + num_read; head += size + event->len) {
252 event = (struct inotify_event *) head;
254 if (event->mask & IN_MOVED_TO)
256 else if (event->mask & IN_CLOSE_WRITE)
258 else if (event->mask & IN_DELETE || event->mask & IN_MOVED_FROM) {
263 if (event->wd == notify_handles[ACCESS_FD])
264 modify_access_rules(event->name, action);
265 else if (event->wd == notify_handles[CIPSO_FD])
266 modify_cipso_rules(event->name);
270 //at least one file was removed so we should reparse the rules
278 static int monitor(int inotifyFd)
282 FD_SET(inotifyFd, &readSet);
284 return select(inotifyFd + 1, &readSet, NULL, NULL, NULL);
287 void main(int argc, char **argv)
294 sigemptyset(&sa.sa_mask);
295 sa.sa_handler = signal_handler;
296 sa.sa_flags = SA_RESTART;
298 if (sigaction(SIGHUP, &sa, NULL) < 0) {
299 syslog(LOG_ERR, "failed to listen for signal SIGHUP : %m");
303 if (sigaction(SIGTERM, &sa, NULL) < 0) {
304 syslog(LOG_ERR, "failed to listen for signal SIGTERM : %m");
308 pid_fd = daemonize();
315 inotify_fd = configure_inotify();
317 while (inotify_fd >= 0 && !terminate && !restart) {
318 ret = monitor(inotify_fd);
319 if (ret < 0 && errno == EINTR) {
323 syslog(LOG_ERR, "Failed to monitor properly : %m");
327 ret = handle_inotify_event(inotify_fd);
335 if (restart && execv(argv[0], argv))
336 syslog(LOG_ERR, "Failed to restart : %m");
340 syslog(LOG_DEBUG, "Finished %s", argv[0]);
341 exit(terminate == 1 ? EXIT_SUCCESS : EXIT_FAILURE);