2 * This file is part of libsmack
4 * Copyright (C) 2011 Intel Corporation
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public License
8 * version 2.1 as published by the Free Software Foundation.
10 * This library is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
21 * Brian McGillion <brian.mcgillion@intel.com>
34 #include <sys/inotify.h>
35 #include <sys/select.h>
38 #define PID_FILE "/var/run/smackd.pid"
39 #define BUF_SIZE (4 * (sizeof(struct inotify_event) + NAME_MAX + 1))
44 int notify_handles[2];
45 static volatile sig_atomic_t terminate = 0;
46 static volatile sig_atomic_t restart = 0;
54 static void clear_all_rules()
57 syslog(LOG_ERR, "Failed to clear all rules");
60 static void load_all_rules()
62 if (apply_rules(ACCESSES_D_PATH, 0))
63 syslog(LOG_DEBUG, "Failed to load all rules");
66 static void signal_handler(int sig)
76 syslog(LOG_DEBUG, "Unrequested signal : %d", sig);
81 static int lockPidFile()
87 fd = open(PID_FILE, O_RDWR | O_CREAT | O_CLOEXEC,
88 S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
90 syslog(LOG_ERR, "Failed to open (%s) : %m", PID_FILE);
96 lock.l_type = F_WRLCK;
97 lock.l_whence = SEEK_SET;
99 if (fcntl(fd, F_SETLK, &lock) < 0) {
100 if (errno == EACCES || errno == EAGAIN) {
101 syslog(LOG_ERR, "Daemon is already running (%s) : %m", PID_FILE);
104 syslog(LOG_ERR, "Could not lock PID_FILE (%s) : %m", PID_FILE);
110 if (ftruncate(fd, 0) < 0) {
111 syslog(LOG_ERR, "Could not truncate PID_FILE (%s) : %m", PID_FILE);
116 snprintf(buf, BUF_SIZE, "%ld\n", (long)getpid());
117 if (write(fd, buf, strlen(buf)) != strlen(buf)) {
118 syslog(LOG_ERR, "Could not write to PID_FILE (%s) : %m", PID_FILE);
126 static int daemonize()
132 syslog(LOG_ERR, "Failed to fork : %m");
143 //do not regain a terminal
146 syslog(LOG_ERR, "Failed to fork (2) : %m");
157 syslog(LOG_ERR, "Failed to chdir '/' : %m");
159 maxfd = sysconf(_SC_OPEN_MAX);
160 maxfd = maxfd != -1 ? maxfd : 4096;
162 for (fd = 0; fd < maxfd; fd++)
165 if (!freopen("/dev/null", "r", stdin))
166 syslog(LOG_DEBUG, "Failed to reopen stdin : %m");
167 if(!freopen("/dev/null", "w", stdout))
168 syslog(LOG_DEBUG, "Failed to reopen stout : %m");
169 if(!freopen("/dev/null", "w", stderr))
170 syslog(LOG_DEBUG, "Failed to reopen sterr : %m");
172 return lockPidFile();
175 static int configure_inotify()
179 inotifyFd = inotify_init();
181 syslog(LOG_ERR, "Failed to init inotify : %m");
185 fd = inotify_add_watch(inotifyFd, ACCESSES_D_PATH,
186 IN_DELETE | IN_CLOSE_WRITE | IN_MOVE);
188 syslog(LOG_ERR, "Failed to inotify_add_watch (%s) : %m",
193 notify_handles[ACCESS_FD] = fd;
195 fd = inotify_add_watch(inotifyFd, CIPSO_D_PATH,
196 IN_DELETE | IN_CLOSE_WRITE | IN_MOVE);
198 syslog(LOG_ERR, "Failed to inotify_add_watch (%s) : %m",
203 notify_handles[CIPSO_FD] = fd;
208 static void modify_access_rules(char *file, enum mask_action action)
213 sprintf(path,"%s/%s", ACCESSES_D_PATH, file);
215 if (action == CREATE)
216 ret = apply_rules(path, 0);
217 else if (action == MODIFY) {
218 ret = apply_rules(path, 1);
219 ret = apply_rules(path, 0);
223 syslog(LOG_ERR, "Failed load access rules (%s), action (%d) :%m",
227 static void modify_cipso_rules(char *file)
230 sprintf(path,"%s/%s", CIPSO_D_PATH, file);
232 if (apply_cipso(path))
233 syslog(LOG_ERR, "Failed to load cipso rules (%s) : %m", path);
236 static int handle_inotify_event(int inotifyFd)
238 struct inotify_event *event;
242 enum mask_action action;
244 int size = sizeof(struct inotify_event);
246 num_read = read(inotifyFd, buf, BUF_SIZE);
248 syslog(LOG_ERR, "Error reading inotify event : %m");
252 for (head = buf; head < buf + num_read; head += size + event->len) {
253 event = (struct inotify_event *) head;
255 if (event->mask & IN_MOVED_TO)
257 else if (event->mask & IN_CLOSE_WRITE)
259 else if (event->mask & IN_DELETE || event->mask & IN_MOVED_FROM) {
264 if (event->wd == notify_handles[ACCESS_FD])
265 modify_access_rules(event->name, action);
266 else if (event->wd == notify_handles[CIPSO_FD])
267 modify_cipso_rules(event->name);
271 //at least one file was removed so we should reparse the rules
279 static int monitor(int inotifyFd)
283 FD_SET(inotifyFd, &readSet);
285 return select(inotifyFd + 1, &readSet, NULL, NULL, NULL);
288 int main(int argc, char **argv)
295 sigemptyset(&sa.sa_mask);
296 sa.sa_handler = signal_handler;
297 sa.sa_flags = SA_RESTART;
299 if (sigaction(SIGHUP, &sa, NULL) < 0) {
300 syslog(LOG_ERR, "failed to listen for signal SIGHUP : %m");
304 if (sigaction(SIGTERM, &sa, NULL) < 0) {
305 syslog(LOG_ERR, "failed to listen for signal SIGTERM : %m");
309 pid_fd = daemonize();
316 inotify_fd = configure_inotify();
318 while (inotify_fd >= 0 && !terminate && !restart) {
319 ret = monitor(inotify_fd);
320 if (ret < 0 && errno == EINTR) {
324 syslog(LOG_ERR, "Failed to monitor properly : %m");
328 ret = handle_inotify_event(inotify_fd);
336 if (restart && execv(argv[0], argv))
337 syslog(LOG_ERR, "Failed to restart : %m");
341 syslog(LOG_DEBUG, "Finished %s", argv[0]);
342 exit(terminate == 1 ? EXIT_SUCCESS : EXIT_FAILURE);