[systemd-devel] [PATCH] Make it possible to disable smack separately from xattr support

Karol Lewandowski k.lewandowsk at samsung.com
Thu May 16 01:40:03 PDT 2013


Additionally, compile out rule loading if the feature is disabled.
---
 configure.ac           |   26 ++++++++++++++++++++++++++
 src/core/smack-setup.c |   10 ++++++++++
 src/core/socket.c      |    4 ++--
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 65186a4..14a90c5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -445,6 +445,31 @@ AC_SUBST(XATTR_LIBS)
 AM_CONDITIONAL([HAVE_XATTR], [test "x$have_xattr" != xno])
 
 # ------------------------------------------------------------------------------
+AC_ARG_ENABLE([smack], AS_HELP_STRING([--disable-smack],[Disable optional SMACK support]),
+                [case "${enableval}" in
+                        yes) have_smack=yes ;;
+                        no) have_smack=no ;;
+                        *) AC_MSG_ERROR(bad value ${enableval} for --disable-smack) ;;
+                esac],
+                [have_smack=auto])
+
+if test "x${have_xattr}" = xno; then
+        if test "x${have_smack}" = xyes; then
+                AC_MSG_ERROR(SMACK requires xattr support)
+        else
+                have_smack=no
+        fi
+else
+        if test "x${have_smack}" = xauto; then
+                have_smack=yes
+        fi
+fi
+
+if test "x${have_smack}" = xyes ; then
+        AC_DEFINE(HAVE_SMACK, 1, [Define if SMACK is available])
+fi
+
+# ------------------------------------------------------------------------------
 AC_ARG_ENABLE([gcrypt],
         AS_HELP_STRING([--disable-gcrypt],[Disable optional GCRYPT support]),
                 [case "${enableval}" in
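Review bot: When `have_xattr` is `no` and neither `--enable-smack` nor `--disable-smack` was given, the inner `else` branch sets `have_smack=no` without any message, so a build that loses xattr support also drops SMACK labelling and the only trace is the `SMACK:` line in the final summary. A warning before `have_smack=no` would make that visible, for example `AS_IF([test "x${have_smack}" = xauto], [AC_MSG_WARN([xattr support is disabled, building without SMACK])])`. The two `AC_MSG_ERROR` arguments are also unquoted; `AC_MSG_ERROR([SMACK requires xattr support])` is the usual M4 form and stays correct if a comma is ever added to the message.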
@@ -915,6 +940,7 @@ AC_MSG_RESULT([
         AUDIT:                   ${have_audit}
         IMA:                     ${have_ima}
         SELinux:                 ${have_selinux}
+        SMACK:                   ${have_smack}
         XZ:                      ${have_xz}
         ACL:                     ${have_acl}
         XATTR:                   ${have_xattr}
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 73eeb04..d67a84a 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -42,6 +42,8 @@
 #define SMACK_CONFIG "/etc/smack/accesses.d/"
 #define CIPSO_CONFIG "/etc/smack/cipso/"
 
+#ifdef HAVE_SMACK
+
 static int write_rules(const char* dstpath, const char* srcdir) {
         _cleanup_fclose_ FILE *dst = NULL;
         _cleanup_closedir_ DIR *dir = NULL;
@@ -111,8 +113,12 @@ static int write_rules(const char* dstpath, const char* srcdir) {
        return r;
 }
 
+#endif
 
 int smack_setup(void) {
+
+#ifdef HAVE_SMACK
+
         int r;
 
         r = write_rules("/sys/fs/smackfs/load2", SMACK_CONFIG);
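Review bot: The `#endif` added after `write_rules()` has no comment, and going by the hunk offsets it closes a guard opened roughly seventy lines earlier; the same applies to the `#endif` added inside `smack_setup()` in the last hunk of this file. Writing both as `#endif /* HAVE_SMACK */` would keep the pairing readable. In `smack_setup()` the guard opens after the function's opening brace, so a short comment there such as `/* Without HAVE_SMACK this function is a no-op that returns 0 */` would tell the reader why the body may vanish. Both function bodies extend beyond the lines shown here.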
@@ -148,4 +154,8 @@ int smack_setup(void) {
                             strerror(abs(r)));
                 return 0;
         }
+
+#endif
+
+        return 0;
 }
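Review bot: With `HAVE_SMACK` undefined, `smack_setup()` reduces to the new `return 0;`, so the rules under `SMACK_CONFIG` and `CIPSO_CONFIG` are never written to smackfs and nothing is logged. On a kernel that has SMACK enabled, that leaves the configured policy unloaded with no trace in the boot log. At minimum I would document it next to the final return with `/* SMACK support compiled out: no rules are loaded */`. A debug-level message in an `#else` branch would also help someone diagnosing missing rules, assuming the logging helpers this file presumably already uses for its warnings are in scope. The start of `smack_setup()` is outside this hunk.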
diff --git a/src/core/socket.c b/src/core/socket.c
index 1b08f0a..37ca228 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -788,7 +788,7 @@ static void socket_apply_socket_options(Socket *s, int fd) {
                 if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0)
                         log_warning_unit(UNIT(s)->id, "TCP_CONGESTION failed: %m");
 
-#ifdef HAVE_XATTR
+#ifdef HAVE_SMACK
         if (s->smack_ip_in)
                 if (fsetxattr(fd, "security.SMACK64IPIN", s->smack_ip_in, strlen(s->smack_ip_in), 0) < 0)
                         log_error_unit(UNIT(s)->id,
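Review bot: With the guard switched to `HAVE_SMACK`, a unit that sets `s->smack_ip_in` here, or `s->smack` in `socket_apply_fifo_options()` in the next hunk, gets an unlabelled socket or FIFO on a build without SMACK, and as far as these hunks show no message is emitted. Because the label is an access-control setting, silently ignoring it is worth a warning in an `#else` branch, for example `if (s->smack_ip_in) log_warning_unit(UNIT(s)->id, "SMACK label configured but SMACK support is compiled out");`. This can be dropped if the unit-file parser already rejects these settings when SMACK is disabled, which is not visible here. The rest of the guarded block and its `#endif` lie outside the hunk.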
@@ -810,7 +810,7 @@ static void socket_apply_fifo_options(Socket *s, int fd) {
                         log_warning_unit(UNIT(s)->id,
                                          "F_SETPIPE_SZ: %m");
 
-#ifdef HAVE_XATTR
+#ifdef HAVE_SMACK
         if (s->smack)
                 if (fsetxattr(fd, "security.SMACK64", s->smack, strlen(s->smack), 0) < 0)
                         log_error_unit(UNIT(s)->id,
-- 
1.7.10.4


