[systemd-devel] [PATCH 1/2] smack-setup: extract rule writing into a separate function
Chen, Nathaniel
nathaniel.chen at intel.com
Fri Mar 15 11:15:12 PDT 2013
> -----Original Message-----
> From: Zbigniew Jędrzejewski-Szmek [mailto:zbyszek at in.waw.pl]
> Sent: Wednesday, March 13, 2013 8:40 PM
> To: Chen, Nathaniel
> Cc: systemd-devel at lists.freedesktop.org; Zbigniew Jędrzejewski-Szmek
> Subject: [PATCH 1/2] smack-setup: extract rule writing into a separate
> function
>
> Check all errors. Return the first error if looping.
> ---
> Hi Nathaniel,
> your patches duplicate the same code paths (within one function!).
> Also, if cipsco is not available, a warning would be printed, which
> we don't want.
>
> Can you check if the following two replacement patches work for you?
> Please make sure that both a Smack kernel without configuration,
> and a kernel with cipsco but not documentation doesn't confuse
> systemd. I haven't checked them, I don't have Smack.
>
> Zbyszek
Tested, they both look good to go!
Thanks,
--Nathaniel
>
> src/core/smack-setup.c | 91 +++++++++++++++++++++++++++++++++-----
> ------------
> 1 file changed, 60 insertions(+), 31 deletions(-)
>
> diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
> index d0f1ac0..804678d 100644
> --- a/src/core/smack-setup.c
> +++ b/src/core/smack-setup.c
> @@ -39,66 +39,95 @@
> #include "log.h"
> #include "label.h"
>
> -#define ACCESSES_D_PATH "/etc/smack/accesses.d/"
> +#define SMACK_CONFIG "/etc/smack/accesses.d/"
>
> -int smack_setup(void) {
> - _cleanup_fclose_ FILE *smack = NULL;
> +static int write_rules(const char* dstpath, const char* srcdir) {
> + _cleanup_fclose_ FILE *dst = NULL;
> _cleanup_closedir_ DIR *dir = NULL;
> struct dirent *entry;
> char buf[NAME_MAX];
> int dfd = -1;
> + int r = 0;
>
> - smack = fopen("/sys/fs/smackfs/load2", "we");
> - if (!smack) {
> - if (errno == ENOENT)
> - log_debug("Smack is not enabled in the kernel, not loading
> access rules.");
> - else
> - log_warning("Failed to open /sys/fs/smackfs/load2: %m");
> - return 0;
> + dst = fopen(dstpath, "we");
> + if (!dst) {
> + if (errno != ENOENT)
> + log_warning("Failed to open %s: %m", dstpath);
> + return -errno; /* negative error */
> }
>
> - /* write rules to load2 from every file in the directory */
> - dir = opendir(ACCESSES_D_PATH);
> + /* write rules to dst from every file in the directory */
> + dir = opendir(srcdir);
> if (!dir) {
> - log_full(errno == ENOENT ? LOG_DEBUG : LOG_WARNING,
> - "Opening Smack access rules directory "
> - ACCESSES_D_PATH ": %m");
> - return 0;
> + if (errno != ENOENT)
> + log_warning("Failed to opendir %s: %m", srcdir);
> + return errno; /* positive on purpose */
> }
>
> dfd = dirfd(dir);
> assert(dfd >= 0);
>
> FOREACH_DIRENT(entry, dir, return 0) {
> + int fd;
> _cleanup_fclose_ FILE *policy = NULL;
> - _cleanup_close_ int pol = -1;
>
> - pol = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
> - if (pol < 0) {
> - log_error("Smack access rule file %s not opened: %m",
> - entry->d_name);
> + fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC);
> + if (fd < 0) {
> + if (r == 0)
> + r = -errno;
> + log_warning("Failed to open %s: %m", entry->d_name);
> continue;
> }
>
> - policy = fdopen(pol, "re");
> + policy = fdopen(fd, "re");
> if (!policy) {
> - log_error("Smack access rule file %s not opened: %m",
> - entry->d_name);
> + if (r == 0)
> + r = -errno;
> + close_nointr_nofail(fd);
> + log_error("Failed to open %s: %m", entry->d_name);
> continue;
> }
>
> - pol = -1;
> -
> /* load2 write rules in the kernel require a line buffered stream */
> FOREACH_LINE(buf, policy,
> - log_error("Failed to read from Smack access rule file %s: %m",
> + log_error("Failed to read line from %s: %m",
> entry->d_name)) {
> - fputs(buf, smack);
> - fflush(smack);
> + if (!fputs(buf, dst)) {
> + if (r == 0)
> + r = -EINVAL;
> + log_error("Failed to write line to %s", dstpath);
> + break;
> + }
> + if (fflush(dst)) {
> + if (r == 0)
> + r = -errno;
> + log_error("Failed to flush writes to %s: %m", dstpath);
> + break;
> + }
> }
> }
>
> - log_info("Successfully loaded Smack policies.");
> + return r;
> +}
> +
>
> - return 0;
> +int smack_setup(void) {
> + int r;
> +
> + r = write_rules("/sys/fs/smackfs/load2", SMACK_CONFIG);
> + switch(r) {
> + case -ENOENT:
> + log_debug("Smack is not enabled in the kernel.");
> + return 0;
> + case ENOENT:
> + log_debug("Smack access rules directory " SMACK_CONFIG " not
> found");
> + return 0;
> + case 0:
> + log_info("Successfully loaded Smack policies.");
> + return 0;
> + default:
> + log_warning("Failed to load smack access rules: %s, ignoring.",
> + strerror(abs(r)));
> + return 0;
> + }
> }
> --
> 1.8.1.4
More information about the systemd-devel
mailing list