Support SMACK permissive mode in Buxton

If Kernel SMACK module is supporting the permissive mode,
Buxton should also support it.

Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Ib976fa0d5330afbffed09c1e31dc97c4976468d1

diff --git a/Makefile.am b/Makefile.am
index a613e6d..e73892c 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -20,7 +20,8 @@ AM_CPPFLAGS = \
        -D_DEFAULT_CONFIGURATION_FILE=\"$(CONFPATH)\" \
        -D_DB_PATH=\"$(DB_PATH)\" \
        -D_BUXTON_SOCKET=\"$(BUXTON_SOCKET)\" \
-       -D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\"
+       -D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\" \
+       -D_SMACK_PERMISSIVE=\"$(SMACK_PERMISSIVE)\"
 
 AM_LDFLAGS = \
        -rdynamic

diff --git a/Makefile.in b/Makefile.in
index 92e4716..58c1597 100644 (file)
--- a/Makefile.in
+++ b/Makefile.in
@@ -872,6 +872,7 @@ SED = @SED@
 SET_MAKE = @SET_MAKE@
 SHELL = @SHELL@
 SMACK_LOAD_FILE = @SMACK_LOAD_FILE@
+SMACK_PERMISSIVE = @SMACK_PERMISSIVE@
 STRIP = @STRIP@
 SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@
 SYSTEMD_LIBS = @SYSTEMD_LIBS@
@@ -946,7 +947,8 @@ AM_CPPFLAGS = \
        -D_DEFAULT_CONFIGURATION_FILE=\"$(CONFPATH)\" \
        -D_DB_PATH=\"$(DB_PATH)\" \
        -D_BUXTON_SOCKET=\"$(BUXTON_SOCKET)\" \
-       -D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\"
+       -D_SMACK_LOAD_FILE=\"$(SMACK_LOAD_FILE)\" \
+       -D_SMACK_PERMISSIVE=\"$(SMACK_PERMISSIVE)\"
 
 AM_LDFLAGS = \
        -rdynamic

diff --git a/configure b/configure
index d2af2e9..376223a 100755 (executable)
--- a/configure
+++ b/configure
@@ -649,6 +649,7 @@ MANPAGE_FALSE
 MANPAGE_TRUE
 DEBUG_FALSE
 DEBUG_TRUE
+SMACK_PERMISSIVE
 SMACK_LOAD_FILE
 BUXTON_SOCKET
 DB_PATH
@@ -804,6 +805,7 @@ with_config_path
 with_db_path
 with_socket_path
 with_smack_load_file
+with_smack_permissive
 enable_debug
 enable_manpages
 enable_coverage
@@ -1487,6 +1489,8 @@ Optional Packages:
                           path to buxton socket file
   --with-smack-load-file=SMACKLOADFILE
                           path to smack load2 file
+  --with-smack-permissive=SMACKPERMISSIVE
+                          path to smack permissive file
 
 Some influential environment variables:
   CC          C compiler command
@@ -14431,6 +14435,17 @@ fi
 SMACK_LOAD_FILE="${smack_load_file}"
 
 
+
+# Check whether --with-smack-permissive was given.
+if test "${with_smack_permissive+set}" = set; then :
+  withval=$with_smack_permissive; smack_permissive=${withval}
+else
+  smack_permissive="/sys/fs/smackfs/permissive"
+fi
+
+SMACK_PERMISSIVE="${smack_permissive}"
+
+
 # Check whether --enable-debug was given.
 if test "${enable_debug+set}" = set; then :
   enableval=$enable_debug;

diff --git a/configure.ac b/configure.ac
index 1d5aff2..b3ed9c5 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -154,6 +154,12 @@ AC_ARG_WITH([smack-load-file], AS_HELP_STRING([--with-smack-load-file=SMACKLOADF
 SMACK_LOAD_FILE="${smack_load_file}"
 AC_SUBST(SMACK_LOAD_FILE)
 
+AC_ARG_WITH([smack-permissive], AS_HELP_STRING([--with-smack-permissive=SMACKPERMISSIVE],
+       [path to smack permissive file]), [smack_permissive=${withval}],
+       [smack_permissive="/sys/fs/smackfs/permissive"])
+SMACK_PERMISSIVE="${smack_permissive}"
+AC_SUBST(SMACK_PERMISSIVE)
+
 AC_ARG_ENABLE(debug, AS_HELP_STRING([--enable-debug], [enable debug mode @<:@default=no@:>@]),
              [], [enable_debug=no])
 AS_IF([test "x$enable_debug" = "xyes"],

diff --git a/src/security/smack.c b/src/security/smack.c
index 8927236..4a87524 100644 (file)
--- a/src/security/smack.c
+++ b/src/security/smack.c
@@ -30,6 +30,7 @@
 static Hashmap *_smackrules = NULL;
 /* set to true unless Smack support is not detected by the daemon */
 static bool have_smack = true;
+static bool permissive;
 
 #define smack_check() do { if (!have_smack) { return true; } } while (0);
 
@@ -39,6 +40,27 @@ bool buxton_smack_enabled(void)
        return have_smack;
 }
 
+static bool buxton_get_permissive_mode(void)
+{
+       FILE *fp;
+       int d;
+       int r;
+
+       fp = fopen(buxton_smack_permissive(), "r");
+       if (!fp)
+               return false;
+
+       r = fscanf(fp, "%d\n", &d);
+       fclose(fp);
+
+       if (r != 1)
+               return false;
+
+       buxton_log("Smack permissive mode %s\n", d ? "On" : "Off");
+
+       return !!d;
+}
+
 bool buxton_cache_smack_rules(void)
 {
        smack_check();
@@ -66,6 +88,8 @@ bool buxton_cache_smack_rules(void)
                goto end;
        }
 
+       permissive = buxton_get_permissive_mode();
+
        load_file = fopen(buxton_smack_load_file(), "r");
 
        if (!load_file) {
@@ -160,6 +184,10 @@ bool buxton_check_smack_access(BuxtonString *subject, BuxtonString *object, Buxt
        buxton_debug("Subject: %s\n", subject->value);
        buxton_debug("Object: %s\n", object->value);
 
+       /* permissive mode */
+       if (permissive)
+               return true;
+
        /* check the builtin Smack rules first */
        if (streq(subject->value, "*")) {
                return false;
@@ -243,6 +271,10 @@ int buxton_watch_smack_rules(void)
                buxton_log("inotify_add_watch(): %m\n");
                return -1;
        }
+
+       /* If permissive mode is supported */
+       inotify_add_watch(fd, buxton_smack_permissive(), IN_CLOSE_WRITE);
+
        return fd;
 }
 

diff --git a/src/shared/configurator.c b/src/shared/configurator.c
index 7816cd7..289e72e 100644 (file)
--- a/src/shared/configurator.c
+++ b/src/shared/configurator.c
@@ -62,7 +62,8 @@ static const char *KS[CONFIG_MAX] = {
        "BUXTON_MODULE_DIR",
        "BUXTON_DB_PATH",
        "BUXTON_SMACK_LOAD_FILE",
-       "BUXTON_BUXTON_SOCKET"
+       "BUXTON_BUXTON_SOCKET",
+       "BUXTON_SMACK_PERMISSIVE"
 };
 
 /**
@@ -75,7 +76,8 @@ static const char *config_keys[CONFIG_MAX] = {
        "ModuleDirectory",
        "DatabasePath",
        "SmackLoadFile",
-       "SocketPath"
+       "SocketPath",
+       "SmackPermissive"
 };
 
 static const char *COMPILE_DEFAULT[CONFIG_MAX] = {
@@ -84,7 +86,8 @@ static const char *COMPILE_DEFAULT[CONFIG_MAX] = {
        _MODULE_DIRECTORY,
        _DB_PATH,
        _SMACK_LOAD_FILE,
-       _BUXTON_SOCKET
+       _BUXTON_SOCKET,
+       _SMACK_PERMISSIVE
 };
 
 /**
@@ -276,6 +279,12 @@ const char* buxton_smack_load_file(void)
        return (const char*)conf.keys[CONFIG_SMACK_LOAD_FILE];
 }
 
+const char* buxton_smack_permissive(void)
+{
+       initialize();
+       return (const char*)conf.keys[CONFIG_SMACK_PERMISSIVE];
+}
+
 const char* buxton_socket(void)
 {
        initialize();

diff --git a/src/shared/configurator.h b/src/shared/configurator.h
index c2a37ee..fdd274a 100644 (file)
--- a/src/shared/configurator.h
+++ b/src/shared/configurator.h
@@ -27,6 +27,7 @@ typedef enum ConfigKey {
        CONFIG_DB_PATH,
        CONFIG_SMACK_LOAD_FILE,
        CONFIG_BUXTON_SOCKET,
+       CONFIG_SMACK_PERMISSIVE,
        CONFIG_MAX
 } ConfigKey;
 
@@ -96,6 +97,17 @@ const char *buxton_smack_load_file(void)
 
 /**
  * @internal
+ * @brief Get the path of the smack permissive.
+ *
+ *
+ * @return the path of the smack permissive file. Do not free this pointer.
+ * It belongs to configurator.
+ */
+const char *buxton_smack_permissive(void)
+       __attribute__((warn_unused_result));
+
+/**
+ * @internal
  * @brief Get the path of the buxton socket.
  *
  *