[systemd-commits] 4 commits - TODO src/core src/shared

Lennart Poettering lennart at kemper.freedesktop.org
Mon Feb 24 08:49:17 PST 2014


 TODO                    |   16 ++++--
 src/core/main.c         |    2 
 src/core/smack-setup.c  |    6 ++
 src/core/smack-setup.h  |    2 
 src/shared/label.c      |  114 ++++++++++++++++++++++++++++++++++++++++++------
 src/shared/smack-util.h |    4 +
 6 files changed, 122 insertions(+), 22 deletions(-)

New commits:
commit b9c1bc28eb538fa25ad03437489dab7434dcd592
Author: Łukasz Stelmach <l.stelmach at samsung.com>
Date:   Wed Feb 19 16:56:34 2014 +0100

    smack: rework security labeling for multiple frameworks

diff --git a/src/shared/label.c b/src/shared/label.c
index 3632e3e..70e5c85 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -27,41 +27,41 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
+#ifdef HAVE_XATTR
+#include <sys/xattr.h>
+#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#endif
 
 #include "label.h"
 #include "strv.h"
 #include "util.h"
 #include "path-util.h"
-
-#ifdef HAVE_SELINUX
 #include "selinux-util.h"
-#include <selinux/selinux.h>
-#include <selinux/label.h>
+#include "smack-util.h"
 
+#ifdef HAVE_SELINUX
 static struct selabel_handle *label_hnd = NULL;
-
 #endif
-#ifdef HAVE_SMACK
-#include <sys/xattr.h>
-#include <string.h>
-#define FLOOR_LABEL	"_"
-#define STAR_LABEL	"*"
 
-static void smack_relabel_in_dev(const char *path) {
+static int smack_relabel_in_dev(const char *path) {
+        int r = 0;
+
+#ifdef HAVE_SMACK
         struct stat sb;
         const char *label;
-        int r;
 
         /*
          * Path must be in /dev and must exist
          */
-        if (!path_equal(path, "/dev") &&
-            !path_startswith(path, "/dev"))
-                return;
+        if (!path_startswith(path, "/dev"))
+                return 0;
 
         r = lstat(path, &sb);
         if (r < 0)
-                return;
+                return -errno;
 
         /*
          * Label directories and character devices "*".
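Review bot: `<sys/xattr.h>` is now included under `HAVE_XATTR`, while its only user here, the `setxattr()` call of `smack_relabel_in_dev` in the next hunk, is compiled under `HAVE_SMACK`; before this change the include sat inside the `HAVE_SMACK` block. Unless the build system guarantees that Smack support implies xattr support, a Smack build configured without xattr loses the declaration and gets an implicit-declaration error. Guarding the include with `#if defined(HAVE_XATTR) || defined(HAVE_SMACK)`, or having configure enforce the dependency, makes the two sides agree. `smack_relabel_in_dev` starts in this hunk and continues in the next one.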
@@ -69,21 +69,24 @@ static void smack_relabel_in_dev(const char *path) {
          * Don't change anything else.
          */
         if (S_ISDIR(sb.st_mode))
-                label = STAR_LABEL;
+                label = SMACK_STAR_LABEL;
         else if (S_ISLNK(sb.st_mode))
-                label = FLOOR_LABEL;
+                label = SMACK_FLOOR_LABEL;
         else if (S_ISCHR(sb.st_mode))
-                label = STAR_LABEL;
+                label = SMACK_STAR_LABEL;
         else
-                return;
+                return 0;
 
         r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
-        if (r < 0)
+        if (r < 0) {
                 log_error("Smack relabeling \"%s\" %s", path, strerror(errno));
-        return;
-}
+                return -errno;
+        }
 #endif
 
+        return r;
+}
+
 int label_init(const char *prefix) {
         int r = 0;
 
@@ -131,14 +134,14 @@ int label_init(const char *prefix) {
         return r;
 }
 
-int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
+static int label_fix_selinux(const char *path, bool ignore_enoent, bool ignore_erofs) {
         int r = 0;
 
 #ifdef HAVE_SELINUX
         struct stat st;
         security_context_t fcon;
 
-        if (!use_selinux() || !label_hnd)
+        if (!label_hnd)
                 return 0;
 
         r = lstat(path, &st);
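Review bot: `label_fix_selinux` drops the `use_selinux()` guard and now relies on its caller for it, but nothing at the definition records that contract; the same applies to `label_mkdir_selinux` further down in this diff. A one-line comment above each helper, `/* Caller must have checked use_selinux(); this only tests for a loaded label handle. */`, keeps a later reader from re-adding the check or calling the helper directly. Both helpers' bodies continue past their hunks.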
@@ -172,9 +175,24 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
                 r = security_getenforce() == 1 ? -errno : 0;
         }
 #endif
-#ifdef HAVE_SMACK
-        smack_relabel_in_dev(path);
-#endif
+
+        return r;
+}
+
+int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
+        int r = 0;
+
+        if (use_selinux()) {
+                r = label_fix_selinux(path, ignore_enoent, ignore_erofs);
+                if (r < 0)
+                        return r;
+        }
+
+        if (use_smack()) {
+                r = smack_relabel_in_dev(path);
+                if (r < 0)
+                        return r;
+        }
 
         return r;
 }
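Review bot: The new `use_smack()` branch in `label_fix` does not honour the `ignore_enoent`/`ignore_erofs` flags: `smack_relabel_in_dev` returns `-errno` straight from its `lstat()` and `setxattr()` failures (earlier in this diff), so with Smack enabled a missing or read-only entry under `/dev` makes `label_fix()` fail even when the caller asked for those errors to be ignored, whereas the SELinux helper receives the flags and presumably applies them (its body is outside the hunk). Inserting `if ((r == -ENOENT && ignore_enoent) || (r == -EROFS && ignore_erofs)) r = 0;` between the `smack_relabel_in_dev()` call and the `if (r < 0) return r;` check restores the same contract for both backends.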
@@ -252,9 +270,6 @@ int label_context_set(const char *path, mode_t mode) {
         if (r < 0 && security_getenforce() == 0)
                 r = 0;
 #endif
-#ifdef HAVE_SMACK
-        smack_relabel_in_dev(path);
-#endif
 
         return r;
 }
@@ -307,15 +322,15 @@ void label_free(const char *label) {
 #endif
 }
 
-int label_mkdir(const char *path, mode_t mode) {
-        int r;
+static int label_mkdir_selinux(const char *path, mode_t mode) {
+        int r = 0;
 
 #ifdef HAVE_SELINUX
         /* Creates a directory and labels it according to the SELinux policy */
         security_context_t fcon = NULL;
 
-        if (!use_selinux() || !label_hnd)
-                goto skipped;
+        if (!label_hnd)
+                return 0;
 
         if (path_is_absolute(path))
                 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
@@ -348,17 +363,34 @@ int label_mkdir(const char *path, mode_t mode) {
 finish:
         setfscreatecon(NULL);
         freecon(fcon);
+#endif
 
         return r;
+}
+
+int label_mkdir(const char *path, mode_t mode) {
+        int r;
+
+        if (use_selinux()) {
+                r = label_mkdir_selinux(path, mode);
+                if (r < 0)
+                        return r;
+        }
+
+        if (use_smack()) {
+                r = mkdir(path, mode);
+                if (r < 0 && errno != EEXIST)
+                        return -errno;
+
+                r = smack_relabel_in_dev(path);
+                if (r < 0)
+                        return r;
+        }
 
-skipped:
-#endif
         r = mkdir(path, mode);
-        if (r)
+        if (r < 0 && errno != EEXIST)
                 return -errno;
-#ifdef HAVE_SMACK
-        smack_relabel_in_dev(path);
-#endif
+
         return 0;
 }
 
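Review bot: The trailing `mkdir()` at the end of `label_mkdir`, and the one in the `use_smack()` branch above it, now treat EEXIST as success, so a pre-existing regular file or symlink at `path` is reported as a successfully created directory; before this series the function returned -EEXIST and left that decision to the caller. The tolerance appears to be needed because the directory may already have been created by `label_mkdir_selinux` (which returns from `finish:` without reaching the plain `mkdir()`, so presumably creates it itself, although its body lies between the hunks, outside this view) and again by the `use_smack()` branch, so one call can issue up to three `mkdir()`s. Creating the directory once and relabelling afterwards removes the duplicates, and where EEXIST is still tolerated the existing entry should be checked to be a directory before returning 0; callers that relied on -EEXIST for an already existing directory could not be verified from this page and should be reviewed.
```c
int label_mkdir(const char *path, mode_t mode) {
        int r;

        if (use_selinux()) {
                r = label_mkdir_selinux(path, mode);
                if (r < 0)
                        return r;
        }

        /* Single creation point. label_mkdir_selinux() may already have
         * created the directory; an existing directory is tolerated, but
         * anything else sitting at path is still an error. */
        if (mkdir(path, mode) < 0) {
                struct stat st;

                if (errno != EEXIST)
                        return -errno;
                if (lstat(path, &st) < 0)
                        return -errno;
                if (!S_ISDIR(st.st_mode))
                        return -ENOTDIR;
        }

        if (use_smack())
                return smack_relabel_in_dev(path);

        return 0;
}
```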
diff --git a/src/shared/smack-util.h b/src/shared/smack-util.h
index 42895ff..7370ae3 100644
--- a/src/shared/smack-util.h
+++ b/src/shared/smack-util.h
@@ -25,7 +25,11 @@
 
 #include <stdbool.h>
 
+#define SMACK_FLOOR_LABEL "_"
+#define SMACK_STAR_LABEL  "*"
+
 bool use_smack(void);
+
 int smack_label_path(const char *path, const char *label);
 int smack_label_fd(int fd, const char *label);
 int smack_label_ip_in_fd(int fd, const char *label);

commit e49d3c016751c03e544697656e8e596af8a664d7
Author: Łukasz Stelmach <l.stelmach at samsung.com>
Date:   Thu Dec 19 15:15:54 2013 +0100

    smack: set loaded_policy in smack_setup()
    
    With loaded_policy set to true mount_setup() relabels /dev properly.

diff --git a/src/core/main.c b/src/core/main.c
index 086e283..4e24f85 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1310,7 +1310,7 @@ int main(int argc, char *argv[]) {
                                 goto finish;
                         if (ima_setup() < 0)
                                 goto finish;
-                        if (smack_setup() < 0)
+                        if (smack_setup(&loaded_policy) < 0)
                                 goto finish;
                         dual_timestamp_get(&security_finish_timestamp);
                 }
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 611bfdb..a68605c 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -116,12 +116,14 @@ static int write_rules(const char* dstpath, const char* srcdir) {
 
 #endif
 
-int smack_setup(void) {
+int smack_setup(bool *loaded_policy) {
 
 #ifdef HAVE_SMACK
 
         int r;
 
+        assert(loaded_policy);
+
         r = write_rules("/sys/fs/smackfs/load2", SMACK_CONFIG);
         switch(r) {
         case -ENOENT:
@@ -163,6 +165,8 @@ int smack_setup(void) {
                 return 0;
         }
 
+        *loaded_policy = true;
+
 #endif
 
         return 0;
diff --git a/src/core/smack-setup.h b/src/core/smack-setup.h
index ffe9184..8927096 100644
--- a/src/core/smack-setup.h
+++ b/src/core/smack-setup.h
@@ -23,4 +23,4 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
-int smack_setup(void);
+int smack_setup(bool *loaded_policy);
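Review bot: The new prototype uses `bool`, but the header as shown has no `#include <stdbool.h>` ahead of it; the hunk begins at the end of the licence block, which appears to leave no room for one above line 23, so the header is only usable by translation units that happen to include `<stdbool.h>` first. Adding `#include <stdbool.h>` before the prototype keeps the header self-contained. Anything above line 23 of the header is outside this view.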

commit 2453d7e447057f2652114c1822bfc8c5600236fe
Author: Łukasz Stelmach <l.stelmach at samsung.com>
Date:   Wed Feb 19 16:39:04 2014 +0100

    smack: relabel directories and files created by systemd
    
    Systemd creates directories in /dev. These directories will
    get the label of systemd, which is the label of the System
    domain, which is not accessible to everyone. Relabel the
    directories, files and symlinks created so that they can be
    generally used.
    
    Based on a patch by Casey Schaufler <casey at schaufler-ca.com>.

diff --git a/src/shared/label.c b/src/shared/label.c
index 92f10f9..3632e3e 100644
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -41,6 +41,48 @@
 static struct selabel_handle *label_hnd = NULL;
 
 #endif
+#ifdef HAVE_SMACK
+#include <sys/xattr.h>
+#include <string.h>
+#define FLOOR_LABEL	"_"
+#define STAR_LABEL	"*"
+
+static void smack_relabel_in_dev(const char *path) {
+        struct stat sb;
+        const char *label;
+        int r;
+
+        /*
+         * Path must be in /dev and must exist
+         */
+        if (!path_equal(path, "/dev") &&
+            !path_startswith(path, "/dev"))
+                return;
+
+        r = lstat(path, &sb);
+        if (r < 0)
+                return;
+
+        /*
+         * Label directories and character devices "*".
+         * Label symlinks "_".
+         * Don't change anything else.
+         */
+        if (S_ISDIR(sb.st_mode))
+                label = STAR_LABEL;
+        else if (S_ISLNK(sb.st_mode))
+                label = FLOOR_LABEL;
+        else if (S_ISCHR(sb.st_mode))
+                label = STAR_LABEL;
+        else
+                return;
+
+        r = setxattr(path, "security.SMACK64", label, strlen(label), 0);
+        if (r < 0)
+                log_error("Smack relabeling \"%s\" %s", path, strerror(errno));
+        return;
+}
+#endif
 
 int label_init(const char *prefix) {
         int r = 0;
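Review bot: `smack_relabel_in_dev` classifies the entry with `lstat()` but applies the label with `setxattr()`, which follows symlinks, so in the `S_ISLNK` case the `FLOOR_LABEL` (`"_"`) lands on the link target, whatever the `/dev` symlink points to and possibly outside `/dev`, while the symlink itself keeps its label. Using `lsetxattr(path, "security.SMACK64", label, strlen(label), 0)` labels the object that was actually inspected. The line is carried over unchanged as context into the later rework b9c1bc2 on this page, so the fix applies to the final state of the series as well.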
@@ -130,6 +172,9 @@ int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
                 r = security_getenforce() == 1 ? -errno : 0;
         }
 #endif
+#ifdef HAVE_SMACK
+        smack_relabel_in_dev(path);
+#endif
 
         return r;
 }
@@ -207,6 +252,9 @@ int label_context_set(const char *path, mode_t mode) {
         if (r < 0 && security_getenforce() == 0)
                 r = 0;
 #endif
+#ifdef HAVE_SMACK
+        smack_relabel_in_dev(path);
+#endif
 
         return r;
 }
@@ -260,11 +308,11 @@ void label_free(const char *label) {
 }
 
 int label_mkdir(const char *path, mode_t mode) {
+        int r;
 
-        /* Creates a directory and labels it according to the SELinux policy */
 #ifdef HAVE_SELINUX
+        /* Creates a directory and labels it according to the SELinux policy */
         security_context_t fcon = NULL;
-        int r;
 
         if (!use_selinux() || !label_hnd)
                 goto skipped;
@@ -305,7 +353,13 @@ finish:
 
 skipped:
 #endif
-        return mkdir(path, mode) < 0 ? -errno : 0;
+        r = mkdir(path, mode);
+        if (r)
+                return -errno;
+#ifdef HAVE_SMACK
+        smack_relabel_in_dev(path);
+#endif
+        return 0;
 }
 
 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

commit 650264033f2f98f6319513958d94d59078654af8
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Feb 24 17:34:37 2014 +0100

    update TODO

diff --git a/TODO b/TODO
index 51dee2c..a57de11 100644
--- a/TODO
+++ b/TODO
@@ -27,11 +27,17 @@ External:
 
 Features:
 
-* machined: provide calls GetMachineByAddress() on the manager interface to get the machine for a local IP address, and GetAddress() on the Machine interface to get the Address for a machine. Implement via forking off child process which quickly joins the cotnainer and passes data to parent. Show this in "machinectl status", and use it to implement NSS module to provide automatic name resolution for containers.
-
-* add generator that pulls in systemd-network from containers when CAP_NET_ADMIN is set, more than the loopback device is defined, even when it is otherwise off
-
-* logind: avoid suspending on SW_LID if SW_DOCK is set
+* machined: provide calls GetMachineByAddress() on the manager
+  interface to get the machine for a local IP address, and
+  GetAddress() on the Machine interface to get the Address for a
+  machine. Implement via forking off child process which quickly joins
+  the cotnainer and passes data to parent. Show this in "machinectl
+  status", and use it to implement NSS module to provide automatic
+  name resolution for containers.
+
+* add generator that pulls in systemd-network from containers when
+  CAP_NET_ADMIN is set, more than the loopback device is defined, even
+  when it is otherwise off
 
 * MessageQueueMessageSize= and RLimitFSIZE= (and suchlike) should use parse_iec_size().
 


