| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We have two distinct implementations of the post hook.
1. For SELinux we just reset the selinux label we told the kernel
earlier to use for new inodes.
2. For SMACK we might apply an xattr to the specified file.
The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
|
| |
|
|
|
|
|
|
|
| |
By default, label_ops is initialized with a NULL pointer which translates
to noop labelling operations. In mac_selinux_init() and the new mac_smack_init(),
we initialize label_ops with a MAC specific LabelOps pointer.
We also introduce mac_init() to initialize any configured MACs and replace all
usages of mac_selinux_init() with mac_init().
|
| | |
|
| |
|
|
|
| |
Also add mac_smack_apply_at() as its a requirement for
renameat_and_apply_smack_floor_label().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
EBADF 9 Bad file descriptor
EBADFD 77 File descriptor in bad state
Since we're initializating the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This merges the various labelling calls into a single label_fix_full(),
which can operate on paths, on inode fds, and in a dirfd/fname style
(i.e. like openat()). It also systematically separates the path to look
up in the db from the path we actually use to reference the inode to
relabel.
This then ports tmpfiles over to labelling by fd. This should make the
code a bit less racy, as we'll try hard to always operate on the very
same inode, pinning it via an fd.
User-visibly the behaviour should not change.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Commit a7fdc6c introduced a regression where file descriptors are opened
using O_PATH option. mac_smack_apply_fd() calls fsetxattr() and would fail
with a -EBADF (Bad file descriptor) error.
Use FORMAT_PROC_FD_PATH(fd) to convert the fd back into a full path and
call setxattr() or setfilecon() instead.
Signed-off-by: Donald Chan <hoiho@amazon.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
getxattr_at_malloc() + listxattr_at_malloc()
Unfortunately fgetxattr() and flistxattr() don't work via O_PATH fds.
Let's thus add fallbacks to go via /proc/self/fd/ in these cases.
Also, let's merge all the various flavours we have here into singular
implementations that can do everything we need:
1. malloc() loop handling
2. by fd, by path, or combination (i.e. a proper openat() like API)
3. work on O_PATH
|
| | |
|
| |
|
|
|
|
|
| |
The function was in basic/fileio.c, but it's more appropriate to
keep it out of src/basic.
Fixes compilation with -Dsmack-run-label= set.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The goal is to move everything that requires selinux or smack
away from src/basic/. This means that src/basic/label.[ch] must move,
which implies btrfs-util.[ch], copy.[ch], and a bunch of other files
which form a cluster of internal use.
This is just moving text around, so there should be no functional difference.
test-blockdev-util is new, because path_is_encrypted() is moved to
blockdev-util.c, and so far we didn't have any tests for code there.
|
| |
|
|
|
|
|
|
|
|
| |
basic/ can be used by everything
cannot use anything outside of basic/
libsystemd/ can use basic/
cannot use shared/
shared/ can use libsystemd/
|
| | |
|
| |
|
|
| |
Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.
Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'
Plus some whitespace, linewrap, and indent adjustments.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.
[zj: reword man page]
|
| | |
|
| |
|
|
| |
of the matching selinux code
|
| |
|
|
|
|
|
| |
previously mac_smack_apply(path, NULL) would operate on the symlink
itself while mac_smack_apply(path, "foo") would follow the symlink.
Let's clean this up an always operate on the symlink, which appears to
be the safer option.
|
| |
|
|
|
|
| |
a) always return negative errno error codes
b) always become a noop if smack is off
c) always take a NULL label as a request to remove it
|
| |
|
|
|
|
|
| |
and all that reset it to defaults mac_{selinux|smack}_fix()
Let's clean up the naming schemes a bit and use the same one for SMACK
and for SELINUX.
|
| |
|
|
| |
new mac_{smack,selinux,apparmor}_xyz() convention
|
| | |
|
| |
|
|
| |
move label apis to selinux-util.ch or smack-util.ch appropriately.
|
| | |
|
| | |
|
| |
|
|
|
| |
Always cache the results, and bypass low-level security calls when the
respective subsystem is not enabled.
|
|
|
Since on most systems with xattr systemd will compile with Smack
support enabled, we still attempt to mount various fs's with
Smack-only options.
Before mounting any of these Smack-related filesystems with
Smack specific mount options, check if Smack is functionally
active on the running kernel.
If Smack is really enabled in the kernel, all these Smack mounts
are now *fatal*, as they should be.
We no longer mount smackfs if systemd was compiled without
Smack support. This makes it easier to make smackfs mount
failures a critical error when Smack is enabled.
We no longer mount these filesystems with their Smack specific
options inside containers. There these filesystems will be
mounted with there non-mount smack options for now.
|
