[systemd-devel] [PATCH] smack_setup: enable Smack/CIPSO mapping
Nathaniel Chen
nathaniel.chen at intel.com
Tue Mar 12 16:16:44 PDT 2013
CIPSO is the Common IP Security Option, an IETF standard for setting
security levels for a process sending packets. In Smack kernels,
CIPSO headers are mapped to Smack labels automatically, but the mapping can be changed.
This patch writes label/category mappings from /etc/smack/cipso/ to
/sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]...
For more information about Smack and CIPSO, see:
https://kernel.org/doc/Documentation/security/Smack.txt
---
src/core/smack-setup.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index d0f1ac0..b81b528 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -40,13 +40,19 @@
#include "label.h"
#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
+#define CIPSO_PATH "/etc/smack/cipso/"
int smack_setup(void) {
_cleanup_fclose_ FILE *smack = NULL;
+ _cleanup_fclose_ FILE *cipso = NULL;
_cleanup_closedir_ DIR *dir = NULL;
+ _cleanup_closedir_ DIR *cdir = NULL;
struct dirent *entry;
+ struct dirent *cipsoentry;
char buf[NAME_MAX];
+ char buf2[NAME_MAX];
int dfd = -1;
+ int cdfd = -1;
smack = fopen("/sys/fs/smackfs/load2", "we");
if (!smack) {
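Review bot: `buf2` is sized by `NAME_MAX`, which is a bound on file name length, yet it is later used as the line buffer for the CIPSO mapping files; a mapping line in the "%s%4d%4d"["%4d"]... format with many category fields could plausibly exceed NAME_MAX-1 bytes, and if FOREACH_LINE reads with fgets, as its name suggests, such a line would be delivered in two pieces and each piece written to cipso2 as a separate, malformed mapping. This mirrors the existing `buf` used for load2 rules, so if the size is a deliberate bound it deserves a comment stating the assumption, e.g. `/* holds one cipso2 mapping line; format documented in Smack.txt */`, otherwise a constant chosen for line length (e.g. `LINE_MAX`) would be clearer. These declarations belong to smack_setup, whose body continues beyond this hunk.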
@@ -56,6 +62,9 @@ int smack_setup(void) {
log_warning("Failed to open /sys/fs/smackfs/load2: %m");
return 0;
}
+ cipso = fopen("/sys/fs/smackfs/cipso2", "we");
+ if (!cipso)
+ log_warning("Failed to open /sys/fs/smackfs/cipso: %m");
/* write rules to load2 from every file in the directory */
dir = opendir(ACCESSES_D_PATH);
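Review bot: The warning on the failed fopen names `/sys/fs/smackfs/cipso`, but the path opened two lines above is `/sys/fs/smackfs/cipso2`, so the logged path will not match the file an administrator goes looking for; change it to `log_warning("Failed to open /sys/fs/smackfs/cipso2: %m");`. Unlike the load2 failure just above, this branch only warns and falls through, leaving `cipso` NULL for the rest of smack_setup, so every later use of that stream must check for it. Making the two failure paths consistent (return here as load2 does, with the reason logged) would avoid that.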
@@ -100,5 +109,48 @@ int smack_setup(void) {
log_info("Successfully loaded Smack policies.");
+ /* write Smack/CIPSO mapping from every file in the directory */
+ cdir = opendir(CIPSO_PATH);
+ if (!cdir) {
+ log_full(errno == ENOENT ? LOG_DEBUG : LOG_WARNING,
+ "Opening Smack/CIPSO mapping directory "
+ CIPSO_PATH ": %m");
+ return 0;
+ }
+
+ cdfd = dirfd(cdir);
+ assert(cdfd >= 0);
+
+ FOREACH_DIRENT(cipsoentry, cdir, return 0) {
+ _cleanup_fclose_ FILE *mapping = NULL;
+ _cleanup_close_ int map = -1;
+
+ map = openat(cdfd, cipsoentry->d_name, O_RDONLY|O_CLOEXEC);
+ if (map < 0) {
+ log_error("Smack/CIPSO mapping at %s not opened: %m",
+ cipsoentry->d_name);
+ continue;
+ }
+
+ mapping = fdopen(map, "re");
+ if (!mapping) {
+ log_error("Smack/CIPSO mapping at %s not opened: %m",
+ cipsoentry->d_name);
+ continue;
+ }
+
+ map = -1;
+
+ /* write line buffered stream to cipso2 */
+ FOREACH_LINE(buf2, mapping,
+ log_error("Failed to read from Smack/CIPSO mapping file %s: %m",
+ cipsoentry->d_name)) {
+ fputs(buf2, cipso);
+ fflush(cipso);
+ }
+ }
+
+ log_info("Successfully loaded Smack/CIPSO mappings");
+
return 0;
}
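Review bot: `fputs(buf2, cipso)` is reached with `cipso` NULL whenever the earlier fopen of /sys/fs/smackfs/cipso2 failed, because that failure is only logged as a warning and execution continues; passing a NULL stream to fputs is undefined behaviour and in practice a NULL dereference inside the service manager. Guard the whole mapping section before any directory work, e.g. `if (!cipso) return 0;` placed before `cdir = opendir(CIPSO_PATH);`. The write itself is also unchecked: the kernel can reject a malformed mapping line, which is only visible as a failing `fflush()` (or `ferror()`), yet the function then logs "Successfully loaded Smack/CIPSO mappings" regardless; `if (fputs(buf2, cipso) == EOF || fflush(cipso) != 0) log_error("Failed to write Smack/CIPSO mapping from %s: %m", cipsoentry->d_name);` makes a bad mapping file visible in the journal instead of silently leaving labels unmapped. smack_setup begins outside this hunk.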
--
1.8.1.5