[systemd-devel] [PATCH] smack_setup: enable Smack/CIPSO mapping

Nathaniel Chen nathaniel.chen at intel.com
Tue Mar 12 16:16:44 PDT 2013


CIPSO is the Common IP Security Option, an IETF standard for setting
security levels for a process sending packets. In Smack kernels,
CIPSO headers are mapped to Smack labels automatically, but can be changed.

This patch writes label/category mappings from /etc/smack/cipso/ to
/sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]...

For more information about Smack and CIPSO, see:
  https://kernel.org/doc/Documentation/security/Smack.txt
---
 src/core/smack-setup.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index d0f1ac0..b81b528 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -40,13 +40,19 @@
 #include "label.h"
 
 #define ACCESSES_D_PATH "/etc/smack/accesses.d/"
+#define CIPSO_PATH "/etc/smack/cipso/"
 
 int smack_setup(void) {
         _cleanup_fclose_ FILE *smack = NULL;
+        _cleanup_fclose_ FILE *cipso = NULL;
         _cleanup_closedir_ DIR *dir = NULL;
+        _cleanup_closedir_ DIR *cdir = NULL;
         struct dirent *entry;
+        struct dirent *cipsoentry;
         char buf[NAME_MAX];
+        char buf2[NAME_MAX];
         int dfd = -1;
+        int cdfd = -1;
 
         smack = fopen("/sys/fs/smackfs/load2", "we");
         if (!smack)  {
@@ -56,6 +62,9 @@ int smack_setup(void) {
                         log_warning("Failed to open /sys/fs/smackfs/load2: %m");
                 return 0;
         }
+        cipso = fopen("/sys/fs/smackfs/cipso2", "we");
+        if (!cipso)
+                log_warning("Failed to open /sys/fs/smackfs/cipso: %m");
 
         /* write rules to load2 from every file in the directory */
         dir = opendir(ACCESSES_D_PATH);
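Review bot: The new fopen() of /sys/fs/smackfs/cipso2 only warns on failure and leaves `cipso` NULL, yet the mapping loop added in the third hunk passes that pointer straight to fputs()/fflush(), so a kernel whose smackfs lacks cipso2 would crash smack_setup instead of skipping the mappings. The warning text also names the wrong node: it says /sys/fs/smackfs/cipso while the path actually opened is cipso2, which makes the log misleading when diagnosing a boot with no CIPSO mapping applied. Either return here the way the load2 branch above does, or guard the mapping section with `if (!cipso) return 0;` just before `cdir = opendir(CIPSO_PATH);`, and correct the message to `log_warning("Failed to open /sys/fs/smackfs/cipso2: %m");`. smack_setup continues outside this hunk.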
@@ -100,5 +109,48 @@ int smack_setup(void) {
 
         log_info("Successfully loaded Smack policies.");
 
+        /* write Smack/CIPSO mapping from every file in the directory */
+        cdir = opendir(CIPSO_PATH);
+        if (!cdir) {
+                log_full(errno == ENOENT ? LOG_DEBUG : LOG_WARNING,
+                        "Opening Smack/CIPSO mapping directory "
+                        CIPSO_PATH ": %m");
+		return 0;
+        }
+
+        cdfd = dirfd(cdir);
+        assert(cdfd >= 0);
+
+        FOREACH_DIRENT(cipsoentry, cdir, return 0) {
+                _cleanup_fclose_ FILE *mapping = NULL;
+                _cleanup_close_ int map = -1;
+
+                map = openat(cdfd, cipsoentry->d_name, O_RDONLY|O_CLOEXEC);
+                if (map < 0) {
+                        log_error("Smack/CIPSO mapping at %s not opened: %m",
+                                  cipsoentry->d_name);
+                        continue;
+                }
+
+                mapping = fdopen(map, "re");
+                if (!mapping) {
+                        log_error("Smack/CIPSO mapping at %s not opened: %m",
+                                  cipsoentry->d_name);
+                        continue;
+                }
+
+                map = -1;
+
+		/* write line buffered stream to cipso2 */
+                FOREACH_LINE(buf2, mapping,
+                            log_error("Failed to read from Smack/CIPSO mapping file %s: %m",
+                                      cipsoentry->d_name)) {
+                        fputs(buf2, cipso);
+                        fflush(cipso);
+                }
+        }
+
+        log_info("Successfully loaded Smack/CIPSO mappings");
+
         return 0;
 }
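Review bot: The fputs()/fflush() results inside the FOREACH_LINE loop are discarded, so a mapping line the kernel rejects (a write to cipso2 fails for a malformed entry) is dropped silently and the function still reports "Successfully loaded Smack/CIPSO mappings", leaving no trace that part of the labeling policy is not in effect. Check both calls and log per file: `if (fputs(buf2, cipso) == EOF || fflush(cipso) != 0) log_error("Failed to write Smack/CIPSO mapping from %s: %m", cipsoentry->d_name);`. Note also that buf2 is sized NAME_MAX, which bounds a directory entry name rather than a mapping line; if FOREACH_LINE is fgets-based, a longer line would presumably arrive in two pieces and reach cipso2 as two separate writes, so a comment stating the assumed maximum line length (or a larger buffer) is warranted. Two added lines, the `return 0;` after the opendir() failure and the `/* write line buffered stream to cipso2 */` comment, are tab-indented while the surrounding function uses eight spaces.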
-- 
1.8.1.5


