Jarkko Sakkinen [Tue, 18 Mar 2014 06:49:28 +0000 (08:49 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Mon, 17 Mar 2014 16:09:31 +0000 (17:09 +0100)]
libsmack: fix smack_have_access() (regression in
d7319c71)
Commit
d7319c71 introduced an internal function for opening smackfs files,
when there is a long and short label version. The new function always
opens the file write only, but smack_have access() requires O_RDWR.
The internal function is now extended to take argument with file access
mode.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Mar 2014 17:40:44 +0000 (18:40 +0100)]
libsmack: add function for policy loading at system startup
New function smack_load_policy() is intended to be used by systemd for
policy loading at system startup. It reuses existing code from
utils/common.c, now moved to libsmack/common.c.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 20 Feb 2014 14:04:57 +0000 (15:04 +0100)]
libsmack: add functions for setting and removing labels on files
Jóse Bollo implemented two functions as part of this various
improvements for the chsmack command-line utility:
- smack_set_label_for_path() (see f1dfd85)
- smack_remove_label_for_path() (see 5da1a22)
Since they are generally useful, they should be part of the
API in libsmack 1.1.
This patch migrates these functions to libsmack and exports
the symbols. Also, the chsmack is modified to use the new API
instead of the internal functions.
[jsakkine: rewrote the patch description]
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 20 Feb 2014 11:35:38 +0000 (13:35 +0200)]
Merge branch 'v1.0.x'
Conflicts:
configure.ac
libsmack/Makefile.am
libsmack/libsmack.c
Jarkko Sakkinen [Thu, 20 Feb 2014 11:31:28 +0000 (13:31 +0200)]
Changed library version to 1.0.4
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 20 Feb 2014 11:27:18 +0000 (13:27 +0200)]
Merge remote-tracking branch 'rafal-krypa/issue51' into v1.0.x
Jarkko Sakkinen [Thu, 20 Feb 2014 11:27:06 +0000 (13:27 +0200)]
Merge remote-tracking branch 'jobol/issue94' into v1.0.x
Rafal Krypa [Tue, 18 Feb 2014 11:16:50 +0000 (12:16 +0100)]
libsmack: avoid sprintf() when printing rules in long format
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 14 Feb 2014 14:22:53 +0000 (15:22 +0100)]
libsmack: enable multi-line support for writing to load2 and change-rule
Since Linux 3.12 Smack can handle multiple rules in single write when
loading policy. Libsmack will detect this support and group rules into
blocks of PAGE_SIZE-1 bytes at most. This results in much smaller number
of syscalls and faster loading of large policy.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Tue, 18 Feb 2014 08:34:05 +0000 (10:34 +0200)]
Merge remote-tracking branch 'jobol/addgen' into v1.0.x
José Bollo [Fri, 14 Feb 2014 10:34:26 +0000 (11:34 +0100)]
tests: Improved version of generator
This version use a generating algorithm to ensure
the generator constraints. It has two new options:
- s=N to shuffle or sort the result
- p=N to set the percentage of modification rules
The Makefile now make optimisation and have warning detection.
The make_policies script now use the shuffle option.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jan Cybulski [Thu, 13 Feb 2014 09:41:26 +0000 (10:41 +0100)]
tests: Produce sorted policy with unique rule only
There is no need for tests of sorted policies with non unique rules.
If someone prepares sorted policy, redundancy of rules should also
be removed during sorting.
José Bollo [Thu, 13 Feb 2014 08:31:06 +0000 (09:31 +0100)]
tests: Improved formating of code
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Thu, 13 Feb 2014 08:18:01 +0000 (09:18 +0100)]
tests: Adding a usage function.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 17:31:20 +0000 (18:31 +0100)]
tests: Adding some comments
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 17:01:48 +0000 (18:01 +0100)]
tests: Correcting exit codes
The valid exit code are form 0 to 255. Then using -1 means that the
effective exit code will be 0377==255. It isn't accurate. The exit code
of 1 is merely very often used for failure status.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 15:16:24 +0000 (16:16 +0100)]
tests: Renaming 'r' to 'alea'
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 11:42:20 +0000 (12:42 +0100)]
tests: Changing filenames
Changing two filenames:
- tests/gen.c becomes tests/generator.c
- tests/makefile becomes tests/Makefile
That is obviously better to have the main file of the program
`generator` named `generator.c`.
The default naming of makefiles is Makefile with a capital
letter. Conforming to that rule is better.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jan Cybulski [Fri, 7 Feb 2014 13:58:52 +0000 (14:58 +0100)]
tests: Change program generating test data
-Change program to produce more parametrized output:
*Introduce parameters to set number of unique rules (u) and merges in policy (m).
*Introduce parametr for maximum number of reocurrances of a label in merged policy (L).
*Add possibility of getting list of labels from stdin in addition to generating random ones.
-Some minor style adjustments to libsmack coding style.
Also:
-Add makefile for policies generation
-Add script generating different type of policies
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Fri, 14 Feb 2014 10:41:07 +0000 (11:41 +0100)]
don't allocate memory in accesses_print
Rafal Krypa [Fri, 14 Feb 2014 09:44:26 +0000 (10:44 +0100)]
change type of label_id back to int
Rafal Krypa [Thu, 13 Feb 2014 16:32:29 +0000 (17:32 +0100)]
libsmack: merge rules with the same subject and object before applying them
All rules with the same subject and object will be merged into a single one
before applying rules to kernel or writing them to a file. The result will
consist of smaller number of rules, but they will have the same semantics.
This enhances performance greatly when there are a lot of rules to merge.
The merging code has negligible overhead when there are no merges to
perform.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:22:19 +0000 (14:22 +0100)]
libsmack: change semantics of rule allow_code and deny_code
Fields in struct smack_rule are used to store either set or modify rule.
Set rules used to be distinguished by having deny_code = -1.
It is more convenient to have it differently: allow_code describing bits
that are to be set, deny_code describing bits that are to be cleared.
With that semantics access_code = ~deny_code for set rules. This enables
easy replacement of change rules that can be simplified to a set rule.
Thanks José Bollo for original idea about simplifying modify rules.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:33:20 +0000 (14:33 +0100)]
libsmack: reorganize rule lists for struct smack_accesses
Until now rule list was implemented as single linked list of all rules
added into struct smack_accesses. This patch breaks this list into several
lists, with one list of rules per subject label.
Each element in array of labels describe single label and all rules when it's a
subject are added into this label's list.
This data structure is close to internal kernel data structures for Smack
rules. This allows for slightly better performance because rules are
grouped by subject.
More importantly though, this patch prepares ground for rule merging.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:16:40 +0000 (14:16 +0100)]
libsmack: shrink few rule and label struct fields
Use smaller struct fields to optimize memory usage and speed.
On a 32-bit machine this saves 4 bytes per rule and 4 bytes per label.
Limit label length to 8 bits. It's max value is already limited to 255.
Limit label id to 16 bits. While policy with more than 2^16 labels is
theoretically possible, it would be handled very badly by kernel.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Tue, 28 Jan 2014 12:50:02 +0000 (13:50 +0100)]
libsmack: add possibility of resizing table of labels
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Tue, 28 Jan 2014 11:32:32 +0000 (12:32 +0100)]
libsmack: implement internal hash table of labels
Use hash table implemented internally for dictionary of labels.
Thanks to that some operations are more efficient:
-it is possible to use better hashing function than in hsearch:
DJB2 algorithm is used, which is much better, than hashing function
used in hsearch. Hashing function in hsearch causes, that on 32bit
machines, all labels that have common first eight bytes,
share same bucket and this cause many conflicts in combination of labels
naming convention with domain-based prefixes. This leads to significant
performance degradation in real system. This was not detected on tests
so far, because labels for test policies were generated randomly.
-it is possible to calculate hash during label validation.
-it would not cause drastic complexity growth to have number of labels
near to number of allocated buckets as it happens in hsearch.
-it would be possible to add number of labels exceeding number of
allocated buckets.
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:07:00 +0000 (14:07 +0100)]
libsmack: refactoring of label dictionary code
Commit cd2ce11 introduced label dictionary, with hash table of labels
hidden behind an abstraction layer. This patch drops this layer and merges
the hash table with smack_accesses.
It will enable better handling of data, like storing and accessing
per-label data outside of dict_* functions.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 16:13:43 +0000 (17:13 +0100)]
libsmack: make local function accesses_add() static
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
José Bollo [Wed, 5 Feb 2014 13:27:53 +0000 (14:27 +0100)]
Adding a program generating test data.
The program that generate this gen.c produces
a set of rules to be loaded to load/load2
file system interace of smacke. Or to be used
as input file for smackload.
The count of differents labels (option l=N) and of
different access rights (option r=N) can be specified.
The count of rules produced to the ouput can also
be specified (option o=N). By default, l=5, r=100 and o=500.
The generated labels are made of 4 to 7 random letters.
The standard C function 'rand' is used without seeding it;
what means that same options produces same results.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Mon, 3 Feb 2014 07:56:53 +0000 (09:56 +0200)]
Removed redundant AUTHORS files.
Git log is the AUTHORS file.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
José Bollo [Thu, 23 Jan 2014 10:04:50 +0000 (11:04 +0100)]
Fix bug in cipso written rules
The label (either short or long) was followed by a null character.
It is now followed by a space.
Note that the format for cipso2 smackfs is "%s?%4d%4d..."
where ? stands for any invalid label character.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Tue, 28 Jan 2014 07:39:03 +0000 (09:39 +0200)]
libsmack: lazy initialization for SmackFS mount point
Mount SmackFS only when it is first needed. This enables init
daemons to directly use libsmack.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Tue, 28 Jan 2014 06:30:39 +0000 (08:30 +0200)]
libsmack: close smackfs_mnt_dirfd in the library destructor
Close smackfs_mnt_dirfd in the library destructor. Although kernel
would wipe it anyway it is a good practice to clean up all the
reserved resources.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 23 Jan 2014 12:54:39 +0000 (14:54 +0200)]
Merge remote-tracking branch 'jsakkine/issue83' into v1.0.x
Conflicts:
libsmack/libsmack.c
Jarkko Sakkinen [Mon, 13 Jan 2014 08:13:30 +0000 (10:13 +0200)]
libsmack: fallback to 'cipso' when 'cipso2' is not available
This patch implements fallback to 'cipso' when 'cipso2' is not
available. This is a regression from 79f8e26.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 13 Jan 2014 07:57:05 +0000 (09:57 +0200)]
libsmack: add a common function for opening long and short label file
Added internal function 'open_smackfs_file()' to open long label
file and as a fallback short label file. This can be used for
load, access and cipso files.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 13 Jan 2014 07:45:42 +0000 (09:45 +0200)]
libsmack: fix: fail if neither 'load' and 'load2' cannot be opened
accesses_apply() continued even if neither 'load' and 'load2' could
not be opened. For 'change-rule' file such semantics do make sense
for backwards compatibility but there's something seriously wrong
if neither 'load' and 'load2' cannot be opened. That's why the only
right thing to do is to stop immediately.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 13 Jan 2014 07:39:48 +0000 (09:39 +0200)]
libsmack: fix: 'accesses_print' declaration was in wrong place
Moved 'accesses_print' declaration to a proper location.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 10 Jan 2014 18:05:49 +0000 (20:05 +0200)]
utils: fix error message in smackaccess
perror() reports success when validation fails. This patch makes
the error message explicit. Invalid input is the most probable case.
Also, error message is prefixed with the basename of the utility.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 10 Jan 2014 18:05:13 +0000 (20:05 +0200)]
libsmack: fixed label validation in smack_have_access()
This patch adds subject and object validation to smack_have_access().
It also validates that labels are at most 23 characters when only
short labels are available.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 10 Jan 2014 17:33:59 +0000 (19:33 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Tue, 7 Jan 2014 15:25:32 +0000 (16:25 +0100)]
libsmack: use 16 bits for smack access codes instead of sizeof(int) * 2
There are 6 access bits to be stored in the access field. Special value -1
is used to distinguish set rules from change rules. Shrinking the filed to
8 bits still leaves space for one more future access bit.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 7 Jan 2014 15:21:32 +0000 (16:21 +0100)]
libsmack: change logic for detecting long labels in smack_accesses
Instead of storing label length in each smack_rule, have one integer in
smack_accesses to remember if long labels are used.
This saves few bytes per rule.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Tue, 7 Jan 2014 07:10:54 +0000 (09:10 +0200)]
Merge remote-tracking branch 'rafal-krypa/issue73' into v1.0.x
Rafal Krypa [Sun, 5 Jan 2014 23:13:47 +0000 (00:13 +0100)]
Update .gitignore files to ignore all build-time generated files
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 2 Jan 2014 12:52:17 +0000 (13:52 +0100)]
libsmack: use common code for smack_accesses_apply() and smack_accesses_save().
Centralizing code that changes internal smack_accesses representation to
text. Internal function accesses_print() now generates output for applying
the rules to kernel and saving them to a file. This allows easier changes
to data structures used by libmskack and makes the code shorter.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 31 Dec 2013 20:14:24 +0000 (21:14 +0100)]
libsmack: use common code for smack_accesses_add() and smack_accessess_add_modify()
These API functions were very similar and are now implemented as wrappers
to a single internal function. This allows easier changes to data structures
used by libmskack and makes the code shorter.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 31 Dec 2013 20:11:35 +0000 (21:11 +0100)]
utils: use common code for apply_rules and apply_cipso
Code for apply_rules() has been rewritten to use opendir() and readdir(),
but apply_cipso() remained implemented with nftw().
This patch implements both applying functions with opendir() and readdir()
using a common internal function apply_path(). The common function can
handle both directory and single file, so apply_rules_file() and
apply_cipso_file() are dropped.
The resulting code is 69 lines shorter and keeps directory traversal logic
in single place. It's side effect is applying CIPSO rules in one shot, just
like regular Smack rules.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 31 Dec 2013 17:04:56 +0000 (18:04 +0100)]
libsmack: don't define __GNU_SOURCE in the code
__GNU_SOURCE is a glibc internal and should not be used directly.
It was already provided by AC_USE_SYSTEM_EXTENSIONS in configure.ac, so
it can be safely dropped.
Use more explicit AC_GNU_SOURCE in configure.ac instead (on Linux systems
they should be equivalent).
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 31 Dec 2013 15:08:43 +0000 (16:08 +0100)]
utils: fix build warnings related to smack_smackfs_path()
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 31 Dec 2013 15:07:55 +0000 (16:07 +0100)]
Compile for the C99 standard.
The code already uses C99 constructs, but appropriate compiler options
were not set.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 31 Dec 2013 15:03:17 +0000 (16:03 +0100)]
autogen.sh: fix passing arguments to configure
Fixing error when arguments to autogen.sh contain white space, i.e.:
./autogen.sh CFLAGS='-Wall -Wextra'
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Fri, 20 Dec 2013 08:03:40 +0000 (10:03 +0200)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Fri, 20 Dec 2013 08:02:38 +0000 (10:02 +0200)]
Merge remote-tracking branch 'rafal-krypa/issue84' into v1.0.x
Jarkko Sakkinen [Fri, 20 Dec 2013 08:01:37 +0000 (10:01 +0200)]
Merge branch 'v1.0.x'
José Bollo [Thu, 19 Dec 2013 12:00:09 +0000 (13:00 +0100)]
chsmack: updating to the branch master
The function smack_label_length is available as a library
function provided by libsmack. It is better to use it for
validating labels instead of redefining it in chsmack.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Rafal Krypa [Wed, 18 Dec 2013 23:01:38 +0000 (00:01 +0100)]
utils: drop build dependency on libattr, introduced by 5da1a22.
Use only glibc headers for xattr functions. Use ENODATA instead of ENOATTR.
Jarkko Sakkinen [Wed, 18 Dec 2013 20:02:06 +0000 (22:02 +0200)]
libsmack: fix label validation in smack_new_label_from_path
Off-by-one length was returned from the function. This patch fixes
the regression by doing full validation for the SMACK label.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Wed, 18 Dec 2013 19:40:47 +0000 (21:40 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Tue, 3 Dec 2013 14:58:57 +0000 (15:58 +0100)]
Avoid memory allocation while opening smackfs files.
Using openat() on pre-opened smackfs directory eliminates need to
construct absolute path to a smackfs file before opening it.
Other than it improves availability because file descriptor is kept
open to the mount point throughout the life-cycle of the process.
And it also improves security because as long as the file descriptor
is valid, files really come from SmackFS.
[jsakkine: updated commit message]
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Wed, 18 Dec 2013 19:09:25 +0000 (21:09 +0200)]
Merge branch 'v1.0.x'
Jan Cybulski [Tue, 3 Dec 2013 08:43:41 +0000 (09:43 +0100)]
Add dictionary for labels
Add dictionary for labels to avoid memory allocation
for the same label for multilple times.
Dictionary is common to all labels in a single rules set.
Each rule only keeps ids of labels in a dictionary
instead of whole label as a string.
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
José Bollo [Tue, 17 Dec 2013 12:25:47 +0000 (13:25 +0100)]
libsmack: fix a bug in validation of labels
The function `get_label` didn't handle the characters below
' ' and above '~' correctly.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 17 Dec 2013 10:49:44 +0000 (11:49 +0100)]
chsmack: update of the manual
This new version of the manual includes the options
the dereferencing symbolic links and for removing
smack's labels.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 14:33:13 +0000 (15:33 +0100)]
chsmack: refusing repeated labels
Refusing to set many time a label is important for
security. If a label is set more than one time, wich
label is to use? Wich is the good?
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 14:29:14 +0000 (15:29 +0100)]
chsmack: add option to remove labels
Adding that option allow chsmack to remove the smack labels.
It is really important to have it.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 14:22:15 +0000 (15:22 +0100)]
chsmack: split option scan in two parts
It prepares the futur option to remove smack labels.
It also separate the validation of the labels what can
improve the readability of the code.
Also add a check that the option transmute isn't repeated.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 14:11:41 +0000 (15:11 +0100)]
chsmack: using flags for labels
That modification prepare the addition of the option
to remove Smack labels. It seems also best to be agnostic
on what are valid smack labels (and rely on libsmack in the
futur) that maybe one day could be empty strings!
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 14:01:58 +0000 (15:01 +0100)]
chsmack: checking transmute on directories
The transmute flag is meaningfull only on directories.
The program now check that the transmute flag is set
only on directories.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:47:27 +0000 (14:47 +0100)]
chsmack: add dereference option
Add the options that allow to follow the symbolic
links instead of modifying it. There is no really
need but it may help.
The text of the short option is moved.
It prepares to scan options in two passes. It also
centralize the definition of options, avoiding to have
many lines between the definitions.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:46:18 +0000 (14:46 +0100)]
chsmack: exchanging order of nested blocks if/for
Prepare to add the removing of labels and also reduce
the count of tests.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:43:32 +0000 (14:43 +0100)]
chsmack: use of 'smack_set_label_for_path'
To prepare to the future libsmack that will have a function
for writing Smack labels and to prepare to the handling of
symbolic links, the write of the labels is put in the
function 'smack_set_label_for_path'.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:37:31 +0000 (14:37 +0100)]
chsmack: use of 'smack_new_label_from_path'
The library libsmack offer a function for reading
Smack labels. It is better to use the function of the
library.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:26:40 +0000 (14:26 +0100)]
chsmack: validation of labels
To prepare to the future of libsmack (that will include the
validation function 'smack_label_length'), the validation
of the smack labels is separated from the main function.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:13:23 +0000 (14:13 +0100)]
chsmack: put usage string at head
Setting it at head is a reading improvement for
developpers that can quickly show the usage of the
program. It also makes the main function more readable.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Tue, 10 Dec 2013 13:10:23 +0000 (14:10 +0100)]
chsmack: using linux constants for Smack's names
It is better to rely on the centralisation of names in a
single file: it can avoid errors.
The declarations of <linux/xattr.h> contains the definitions
of the names of the Smack's security attributes.
As Smack only runs on Linux and libsmack doesn't provides
a centralized version of the names of the security attributes
(because it were not needed), using the linux header seems
to be a good choice.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Tue, 10 Dec 2013 11:20:45 +0000 (13:20 +0200)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Tue, 10 Dec 2013 11:19:02 +0000 (13:19 +0200)]
tests: starting point for stress testing
This starting point for stress testing. Generates 200 files each
with 10000 random access rules. Does not yet support modify rules.
Next step would be probably making this more parametrized.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Tue, 10 Dec 2013 11:06:46 +0000 (13:06 +0200)]
Merge branch 'v1.0.x'
José Bollo [Tue, 10 Dec 2013 09:23:37 +0000 (10:23 +0100)]
Fix return value of 'smack_new_label_from_path'
Change-Id: Ic5412e9555a64a81bf1a871b30844d73dbed5758
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Thu, 5 Dec 2013 18:18:02 +0000 (20:18 +0200)]
libsmack: clean up redundant stuff
Cleaned up redundant constants and code. Grouped related constants
nearby each other.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
(cherry picked from commit
d6f8c52011013f536b7171c2d1f3e9c5ecfaf2f9)
Jarkko Sakkinen [Mon, 9 Dec 2013 13:08:23 +0000 (15:08 +0200)]
Revert "libsmack: clean up redundant stuff"
This reverts commit
d6f8c52011013f536b7171c2d1f3e9c5ecfaf2f9.
Jarkko Sakkinen [Mon, 9 Dec 2013 13:07:07 +0000 (15:07 +0200)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Mon, 9 Dec 2013 13:05:27 +0000 (15:05 +0200)]
Revert "utils: use common code for apply_rules and apply_cipso"
This reverts commit
68e38ff3936597a3189d29f57a68dae5ac08db1e.
Jarkko Sakkinen [Thu, 5 Dec 2013 18:48:19 +0000 (20:48 +0200)]
Bumped version to 1.0.3.
Jarkko Sakkinen [Thu, 5 Dec 2013 18:41:58 +0000 (20:41 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Wed, 4 Dec 2013 15:58:53 +0000 (16:58 +0100)]
utils: use common code for apply_rules and apply_cipso
Code for apply_rules() has been rewritten to use opendir() and readdir(),
but apply_cipso() remained implemented with nftw().
This patch implements both applying functions with opendir() and readdir()
using a common internal function apply_dir().
The resulting code is 45 lines shorter and keeps directory traversal logic
in single place.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Thu, 5 Dec 2013 18:18:02 +0000 (20:18 +0200)]
libsmack: clean up redundant stuff
Cleaned up redundant constants and code. Grouped related constants
nearby each other.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
(cherry picked from commit
d6f8c52011013f536b7171c2d1f3e9c5ecfaf2f9)
Jarkko Sakkinen [Thu, 5 Dec 2013 18:18:02 +0000 (20:18 +0200)]
libsmack: clean up redundant stuff
Cleaned up redundant constants and code. Grouped related constants
nearby each other.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 5 Dec 2013 18:12:18 +0000 (20:12 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Mon, 22 Jul 2013 17:05:09 +0000 (19:05 +0200)]
libsmack: add support for new access mode for setting locks ("l")
This change should be backward compatible for kernels without l-mode support
as long as requested permissions don't contain this mode.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Thu, 5 Dec 2013 17:27:49 +0000 (19:27 +0200)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Thu, 5 Dec 2013 17:26:01 +0000 (19:26 +0200)]
utils: common.c: invalid fprintf()
fprintf() has path parameter that was not utilized.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 28 Nov 2013 23:09:22 +0000 (01:09 +0200)]
utils: apply access rules to load/load2 in one shot
Open load/load2 only once. Inside the callback only collect rules
using smack_accessed_add_from_file(). Finally, apply access rules
in a single slot.
This was inspired by feedback from Rafal Krypa <r.krypa@samsung.com>.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Tue, 3 Dec 2013 16:29:34 +0000 (18:29 +0200)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Tue, 3 Dec 2013 16:22:55 +0000 (18:22 +0200)]
Do not silently ignore files when applying them in smackload/ctl
Detect unknown file types and non-regular files and fail if they
are found with proper error reporting.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 2 Dec 2013 17:36:06 +0000 (19:36 +0200)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Mon, 2 Dec 2013 17:34:51 +0000 (19:34 +0200)]
Merge remote-tracking branch 'jsakkine/issue60' into v1.0.x