[systemd-commits] 5 commits - Makefile.am NEWS README TODO src/bootchart src/core

Lennart Poettering lennart at kemper.freedesktop.org
Thu Mar 7 11:53:59 PST 2013


 Makefile.am               |    2 
 NEWS                      |    3 +
 README                    |    2 
 TODO                      |    2 
 src/bootchart/bootchart.c |    8 +--
 src/bootchart/svg.c       |    5 --
 src/core/ima-setup.c      |    5 --
 src/core/main.c           |    4 +
 src/core/mount-setup.c    |    4 +
 src/core/selinux-setup.c  |    3 -
 src/core/smack-setup.c    |   98 ++++++++++++++++++++++++++++++++++++++++++++++
 src/core/smack-setup.h    |   26 ++++++++++++
 12 files changed, 144 insertions(+), 18 deletions(-)

New commits:
commit 247c873b421291f711d8a57796011520a6b790af
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Mar 7 20:46:35 2013 +0100

    update TODO

diff --git a/TODO b/TODO
index f4c0dd5..1cc69b9 100644
--- a/TODO
+++ b/TODO
@@ -48,6 +48,8 @@ Fedora 19:
 
 Features:
 
+* safe_atod() is too naive, as it is vulnerable to locale parameters, should be locale independent.
+
 * neither pkexec nor sudo initialize environ[] from the PAM environment?
 
 * rework specifier logic so that we can distuingish OOM errors from other errors

commit 1aed45907715ad4dce7dbc84a957cd5de8cca36e
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Mar 7 20:46:27 2013 +0100

    update NEWS

diff --git a/NEWS b/NEWS
index fbaf7bd..99fb50f 100644
--- a/NEWS
+++ b/NEWS
@@ -241,6 +241,9 @@ CHANGES WITH 198:
         * The pstore file system is now mounted by default, if it is
           available.
 
+        * In addition to the SELinux and IMA policies we will now also
+          load SMACK policies at early boot.
+
         Contributions from: Adel Gadllah, Aleksander Morgado, Auke
         Kok, Ayan George, Bastien Nocera, Colin Walters, Daniel Buch,
         Daniel Wallace, Dave Reisner, David Herrmann, David Strauss,

commit 0ea9530d401827e299c6e04a433e69a7a2a89d80
Author: Nathaniel Chen <nathaniel.chen at intel.com>
Date:   Thu Mar 7 11:09:16 2013 -0800

    bootchart: use _cleanup_close_
    
    use _cleanup_{close_,fclose_} to close streams and file descriptors

diff --git a/src/bootchart/bootchart.c b/src/bootchart/bootchart.c
index 65f16c5..0ad14dc 100644
--- a/src/bootchart/bootchart.c
+++ b/src/bootchart/bootchart.c
@@ -66,10 +66,10 @@ struct cpu_stat_struct cpustat[MAXCPUS];
 int pscount;
 int cpus;
 double interval;
-FILE *of = NULL;
+FILE _cleanup_fclose_ *of = NULL;
 int overrun = 0;
 static int exiting = 0;
-int sysfd=-1;
+int _cleanup_close_ sysfd=-1;
 
 /* graph defaults */
 bool entropy = false;
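Review bot: `_cleanup_fclose_` and `_cleanup_close_` are applied here to the file-scope variables `of` and `sysfd`, which never go out of scope, so no cleanup handler will run for them. Assuming the macros expand to the compiler's cleanup attribute (their definition is not shown), GCC ignores that attribute on variables with static storage duration. The last bootchart.c hunk then removes `fclose(of);` and `close(sysfd);` from main(), so neither handle is closed explicitly any more and the output file depends on exit-time stdio flushing. I would leave the globals as `FILE *of = NULL;` and `int sysfd=-1;` and keep the two explicit calls at the end of main(). The `_cleanup_fclose_ FILE *f = NULL;` initialisation in the middle hunk is fine as it stands.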
@@ -106,7 +106,7 @@ int main(int argc, char *argv[])
         char datestr[200];
         time_t t = 0;
         const char *fn;
-        _cleanup_fclose_ FILE *f;
+        _cleanup_fclose_ FILE *f = NULL;
         int gind;
         int i, r;
         char *init = NULL, *output = NULL;
@@ -378,10 +378,8 @@ int main(int argc, char *argv[])
         svg_do(build);
 
         fprintf(stderr, "systemd-bootchart wrote %s\n", output_file);
-        fclose(of);
 
         closedir(proc);
-        close(sysfd);
 
         /* nitpic cleanups */
         ps = ps_first;
diff --git a/src/bootchart/svg.c b/src/bootchart/svg.c
index 9fee810..7947671 100644
--- a/src/bootchart/svg.c
+++ b/src/bootchart/svg.c
@@ -150,7 +150,7 @@ static void svg_title(const char *build)
         char date[256] = "Unknown";
         char cpu[256] = "Unknown";
         char *c;
-        FILE *f;
+        FILE _cleanup_fclose_ *f = NULL;
         time_t t;
         int fd;
         struct utsname uts;
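Review bot: The single `f` declared here is closed only once, when svg_title() returns, yet the three following hunks each drop an `fclose(f);` from a separate `if (f)` block. That suggests `f` is assigned by more than one fopen() call; the assignments themselves lie outside the hunks. If so, each reassignment overwrites a stream that is still open and leaks it, and only the last one is closed by the cleanup handler. Either keep an explicit close before each reuse, written as `fclose(f); f = NULL;` so the handler does not close it twice, or give each open its own block-scoped `_cleanup_fclose_ FILE *` variable.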
@@ -161,7 +161,6 @@ static void svg_title(const char *build)
         if (f) {
                 if (!fgets(cmdline, 255, f))
                         sprintf(cmdline, "Unknown");
-                fclose(f);
         }
 
         /* extract root fs so we can find disk model name in sysfs */
@@ -176,7 +175,6 @@ static void svg_title(const char *build)
                 if (f) {
                         if (!fgets(model, 255, f))
                                 fprintf(stderr, "Error reading disk model for %s\n", rootbdev);
-                        fclose(f);
                 }
         }
 
@@ -198,7 +196,6 @@ static void svg_title(const char *build)
                                 break;
                         }
                 }
-                fclose(f);
         }
 
         svg("<text class=\"t1\" x=\"0\" y=\"30\">Bootchart for %s - %s</text>\n",

commit ffbd2c4d45787ba5ba85a32db6551efba66a1ee6
Author: Nathaniel Chen <nathaniel.chen at intel.com>
Date:   Thu Mar 7 11:06:58 2013 -0800

    core: mount and initialize Smack
    
    SMACK is the Simple Mandatory Access Control Kernel, a minimal
    approach to Access Control implemented as a kernel LSM.
    
    The kernel exposes the smackfs filesystem API through which access
    rules can be loaded. At boot time, we want to load the access rules
    as early as possible to ensure all early boot steps are checked by Smack.
    
    This patch mounts smackfs at the new location at /sys/fs/smackfs for
    kernels 3.8 and above. The /smack mountpoint is not supported.
    After mounting smackfs, rules are loaded from the usual location.
    
    For more information about Smack see:
      http://www.kernel.org/doc/Documentation/security/Smack.txt

diff --git a/Makefile.am b/Makefile.am
index 7e40879..3f64937 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -842,6 +842,8 @@ libsystemd_core_la_SOURCES = \
 	src/core/selinux-access.h \
 	src/core/selinux-setup.c \
 	src/core/selinux-setup.h \
+	src/core/smack-setup.c \
+	src/core/smack-setup.h \
 	src/core/ima-setup.c \
 	src/core/ima-setup.h \
 	src/core/locale-setup.h \
diff --git a/README b/README
index 5649a51..9d7a547 100644
--- a/README
+++ b/README
@@ -44,6 +44,8 @@ REQUIREMENTS:
           CONFIG_NET
           CONFIG_SYSFS
 
+        Linux kernel >= 3.8 for Smack support
+
         Udev will fail to work with the legacy layout:
           CONFIG_SYSFS_DEPRECATED=n
 
diff --git a/src/core/main.c b/src/core/main.c
index 24d8d3e..727a410 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -67,6 +67,7 @@
 #include "selinux-setup.h"
 #include "ima-setup.h"
 #include "fileio.h"
+#include "smack-setup.h"
 
 static enum {
         ACTION_RUN,
@@ -1362,6 +1363,8 @@ int main(int argc, char *argv[]) {
                                 goto finish;
                         if (ima_setup() < 0)
                                 goto finish;
+                        if (smack_setup() < 0)
+                                goto finish;
                 }
 
                 if (label_init(NULL) < 0)
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index dab3601..42cdc6d 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -66,7 +66,7 @@ typedef struct MountPoint {
 /* The first three entries we might need before SELinux is up. The
  * fourth (securityfs) is needed by IMA to load a custom policy. The
  * other ones we can delay until SELinux and IMA are loaded. */
-#define N_EARLY_MOUNT 4
+#define N_EARLY_MOUNT 5
 
 static const MountPoint mount_table[] = {
         { "proc",       "/proc",                     "proc",       NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
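Review bot: The comment above `N_EARLY_MOUNT` is now stale: it still describes three entries plus securityfs as the fourth, while the count becomes 5 and the next hunk inserts smackfs as the fifth table entry. The macro is a bare count that has to match the table order, so this comment is the only place a reader learns which entries are mounted early. I would add `The fifth (smackfs) is needed by Smack to load its access rules.` and end the comment with `... until SELinux, IMA and Smack are loaded.` The table continues outside this hunk.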
@@ -77,6 +77,8 @@ static const MountPoint mount_table[] = {
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
         { "securityfs", "/sys/kernel/security",      "securityfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
           NULL,       MNT_NONE },
+        { "smackfs",    "/sys/fs/smackfs",           "smackfs",    "smackfsdef=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME,
+          NULL,       MNT_NONE },
         { "tmpfs",      "/dev/shm",                  "tmpfs",      "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
           NULL,       MNT_FATAL|MNT_IN_CONTAINER },
         { "devpts",     "/dev/pts",                  "devpts",     "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC,
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
new file mode 100644
index 0000000..88e6437
--- /dev/null
+++ b/src/core/smack-setup.c
@@ -0,0 +1,98 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright (C) 2013 Intel Corporation
+  Authors:
+        Nathaniel Chen <nathaniel.chen at intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published
+  by the Free Software Foundation; either version 2.1 of the License,
+  or (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/vfs.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/mount.h>
+#include <stdint.h>
+
+#include "macro.h"
+#include "smack-setup.h"
+#include "util.h"
+#include "log.h"
+#include "label.h"
+
+#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
+
+int smack_setup(void) {
+        _cleanup_fclose_ FILE *smack = NULL;
+        _cleanup_closedir_ DIR *dir = NULL;
+        struct dirent *entry;
+        char buf[NAME_MAX];
+        int dfd = -1;
+
+        smack = fopen("/sys/fs/smackfs/load2", "we");
+        if (!smack)  {
+                log_info("Smack is not enabled in the kernel, not loading access rules.");
+                return 0;
+        }
+
+        /* write rules to load2 from every file in the directory */
+        dir = opendir(ACCESSES_D_PATH);
+        if (!dir) {
+                log_info("Smack access rules directory not found: " ACCESSES_D_PATH);
+                return 0;
+        }
+
+        dfd = dirfd(dir);
+        if (dfd < 0) {
+                log_error("Smack access rules directory " ACCESSES_D_PATH " not opened: %m");
+                return 0;
+        }
+
+        FOREACH_DIRENT(entry, dir, return 0) {
+                _cleanup_fclose_ FILE *policy = NULL;
+                _cleanup_close_ int pol = -1;
+
+                pol = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
+                if (pol < 0) {
+                        log_error("Smack access rule file %s not opened: %m", entry->d_name);
+                        continue;
+                }
+
+                policy = fdopen(pol, "re");
+                if (!policy) {
+                        log_error("Smack access rule file %s not opened: %m", entry->d_name);
+                        continue;
+                }
+
+                pol = -1;
+
+                /* load2 write rules in the kernel require a line buffered stream */
+                FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
+                        fputs(buf, smack);
+                        fflush(smack);
+                }
+        }
+
+        log_info("Successfully loaded Smack policies.");
+
+        return 0;
+}
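Review bot: Nothing in smack_setup() notices a failed rule write: the results of `fputs()` and `fflush()` in the FOREACH_LINE body are discarded, and `Successfully loaded Smack policies.` is logged unconditionally, even after rule files could not be opened or read. Every path also returns 0, so the `smack_setup() < 0` check added in src/core/main.c can never fire, and a system can boot with a partial mandatory-access policy while the log reports success. At minimum the write should be checked and the final message made conditional, as sketched below; whether a failure should also return a negative value and stop boot is a policy decision for the maintainers. Separately, `buf` is sized with `NAME_MAX`, a file-name limit; if FOREACH_LINE reads at most `sizeof(buf)` bytes (the macro is not shown here), a longer rule line would reach load2 in two separately flushed pieces.

```c
        bool failed = false;

        /* … unchanged: open load2 and ACCESSES_D_PATH, FOREACH_DIRENT loop with openat()/fdopen() … */

                FOREACH_LINE(buf, policy, log_error("Failed to read from Smack access rule file %s: %m", entry->d_name)) {
                        if (fputs(buf, smack) == EOF || fflush(smack) == EOF) {
                                log_error("Failed to write Smack access rule from %s: %m", entry->d_name);
                                failed = true;
                        }
                }

        /* … unchanged: end of FOREACH_DIRENT loop … */

        if (failed)
                log_warning("Smack access rules were only partially loaded.");
        else
                log_info("Successfully loaded Smack policies.");
```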
diff --git a/src/core/smack-setup.h b/src/core/smack-setup.h
new file mode 100644
index 0000000..ffe9184
--- /dev/null
+++ b/src/core/smack-setup.h
@@ -0,0 +1,26 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+  This file is part of systemd.
+
+  Copyright (C) 2013 Intel Corporation
+  Authors:
+        Nathaniel Chen <nathaniel.chen at intel.com>
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published
+  by  the Free Software Foundation; either version 2.1 of the License,
+  or  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+int smack_setup(void);

commit 8f838d8aab0c5480664de04dce0171de4f4c7b00
Author: Nathaniel Chen <nathaniel.chen at intel.com>
Date:   Thu Mar 7 11:06:57 2013 -0800

    core: move mount_setup_early() to main.c
    
    move mount_setup_early() call to main.c, before security module setup,
    so there are no more repeat calls.

diff --git a/src/core/ima-setup.c b/src/core/ima-setup.c
index e8cc1ba..7f8ec23 100644
--- a/src/core/ima-setup.c
+++ b/src/core/ima-setup.c
@@ -50,11 +50,6 @@ int ima_setup(void) {
        int policyfd = -1, imafd = -1;
        int result = 0;
 
-#ifndef HAVE_SELINUX
-       /* Mount the securityfs filesystem */
-       mount_setup_early();
-#endif
-
        if (stat(IMA_POLICY_PATH, &st) < 0)
                return 0;
 
diff --git a/src/core/main.c b/src/core/main.c
index 1c2453c..24d8d3e 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1357,6 +1357,7 @@ int main(int argc, char *argv[]) {
                 }
 
                 if (!skip_setup) {
+                        mount_setup_early();
                         if (selinux_setup(&loaded_policy) < 0)
                                 goto finish;
                         if (ima_setup() < 0)
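Review bot: The relocated `mount_setup_early();` call carries no comment, while both call sites it replaces explained themselves (`Make sure getcon() works, which needs /proc and /sys` in selinux-setup.c and `Mount the securityfs filesystem` in ima-setup.c). The ordering before `selinux_setup()` and `ima_setup()` is now the whole point of the call, so I would add `/* Mount /proc, /sys and securityfs first: getcon() and the IMA policy load below need them */` above it. The call's result is also discarded, as it was at the old sites; if the function reports mount failures (its declaration is not shown here), that deserves a check or an explicit `(void)` cast. main() starts and ends outside the hunk.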
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index e9c0de9..0723d7c 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -58,9 +58,6 @@ int selinux_setup(bool *loaded_policy) {
        cb.func_log = null_log;
        selinux_set_callback(SELINUX_CB_LOG, cb);
 
-       /* Make sure getcon() works, which needs /proc and /sys */
-       mount_setup_early();
-
        /* Already initialized by somebody else? */
        r = getcon_raw(&con);
        if (r == 0) {


