CIPSO is the Common IP Security Option, an IETF standard for setting security levels for a process sending packets. In Smack kernels, CIPSO headers are mapped to Smack labels automatically, but can be changed.
This patch writes label/category mappings from /etc/smack/cipso/ to /sys/fs/smackfs/cipso2. The mapping format is "%s%4d%4d"["%4d"]... For more information about Smack and CIPSO, see: https://kernel.org/doc/Documentation/security/Smack.txt
---
 src/core/smack-setup.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index d0f1ac0..b81b528 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -40,13 +40,19 @@
 #include "label.h"
 #define ACCESSES_D_PATH "/etc/smack/accesses.d/"
+#define CIPSO_PATH "/etc/smack/cipso/"
 int smack_setup(void) {
 _cleanup_fclose_ FILE *smack = NULL;
+ _cleanup_fclose_ FILE *cipso = NULL;
 _cleanup_closedir_ DIR *dir = NULL;
+ _cleanup_closedir_ DIR *cdir = NULL;
 struct dirent *entry;
+ struct dirent *cipsoentry;
 char buf[NAME_MAX];
+ char buf2[NAME_MAX];
 int dfd = -1;
+ int cdfd = -1;
 smack = fopen("/sys/fs/smackfs/load2", "we");
 if (!smack) {
@@ -56,6 +62,9 @@ int smack_setup(void) {
 log_warning("Failed to open /sys/fs/smackfs/load2: %m");
 return 0;
 }
+ cipso = fopen("/sys/fs/smackfs/cipso2", "we");
+ if (!cipso)
+ log_warning("Failed to open /sys/fs/smackfs/cipso: %m");
 /* write rules to load2 from every file in the directory */
 dir = opendir(ACCESSES_D_PATH);
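Review bot: When the fopen() of /sys/fs/smackfs/cipso2 fails, the new lines only log a warning and carry on with `cipso` left NULL, and the third hunk later passes that NULL to fputs() and fflush() — undefined behaviour in the early-boot setup path rather than the graceful degradation the warning implies. The warning text also names `/sys/fs/smackfs/cipso` while the path actually opened is `/sys/fs/smackfs/cipso2`, which will send anyone reading the log to the wrong file. Either return early here, mirroring the load2 branch just above, or guard the mapping loop in the third hunk with `if (!cipso) return 0;` before `cdir = opendir(CIPSO_PATH);`, and correct the message to `log_warning("Failed to open /sys/fs/smackfs/cipso2: %m");`. The body of smack_setup continues past the end of this hunk.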
@@ -100,5 +109,48 @@ int smack_setup(void) {
 log_info("Successfully loaded Smack policies.");
+ /* write Smack/CIPSO mapping from every file in the directory */
+ cdir = opendir(CIPSO_PATH);
+ if (!cdir) {
+ log_full(errno == ENOENT ? LOG_DEBUG : LOG_WARNING,
+ "Opening Smack/CIPSO mapping directory "
+ CIPSO_PATH ": %m");
+ return 0;
+ }
+
+ cdfd = dirfd(cdir);
+ assert(cdfd >= 0);
+
+ FOREACH_DIRENT(cipsoentry, cdir, return 0) {
+ _cleanup_fclose_ FILE *mapping = NULL;
+ _cleanup_close_ int map = -1;
+
+ map = openat(cdfd, cipsoentry->d_name, O_RDONLY|O_CLOEXEC);
+ if (map < 0) {
+ log_error("Smack/CIPSO mapping at %s not opened: %m",
+ cipsoentry->d_name);
+ continue;
+ }
+
+ mapping = fdopen(map, "re");
+ if (!mapping) {
+ log_error("Smack/CIPSO mapping at %s not opened: %m",
+ cipsoentry->d_name);
+ continue;
+ }
+
+ map = -1;
+
+ /* write line buffered stream to cipso2 */
+ FOREACH_LINE(buf2, mapping,
+ log_error("Failed to read from Smack/CIPSO mapping file %s: %m",
+ cipsoentry->d_name)) {
+ fputs(buf2, cipso);
+ fflush(cipso);
+ }
+ }
+
+ log_info("Successfully loaded Smack/CIPSO mappings");
+
 return 0;
 }
--
1.8.1.5
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
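Review bot: The line buffer passed to FOREACH_LINE, `buf2`, is declared as `char buf2[NAME_MAX]` in the first hunk — a size meant for a filename, not for a mapping line, and the format given in the commit message ("%s%4d%4d" followed by any number of "%4d" categories) has no such bound. If FOREACH_LINE is an fgets-style bounded read (its definition is not visible here), an over-long line arrives in pieces and each piece is written and flushed to cipso2 as its own write, so the kernel would receive a truncated mapping followed by a malformed fragment instead of one rejected line. Consider `char buf2[LINE_MAX];` at the declaration, or rejecting a chunk that lacks a trailing newline before the fputs() call. Separately, the closing `log_info("Successfully loaded Smack/CIPSO mappings");` is emitted even when `cipso` is NULL or every mapping file failed to open, which would mislead anyone diagnosing a boot with no mappings applied; it would be more honest to log success only after at least one write went through. The enclosing smack_setup starts before this hunk.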
