int mac_smack_copy(const char *dest, const char *src) {
int r = 0;
_cleanup_free_ char *label = NULL;
assert(dest);
assert(src);
r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
if (r < 0)
return r;
r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
if (r < 0)
return r;
return r;
}
static int node_permissions_apply(struct udev_device *dev, bool apply,
mode_t mode, uid_t uid, gid_t gid,
struct udev_list *seclabel_list) {
const char *devnode = udev_device_get_devnode(dev);
dev_t devnum = udev_device_get_devnum(dev);
struct stat stats;
struct udev_list_entry *entry;
int err = 0;
if (streq(udev_device_get_subsystem(dev), "block"))
mode |= S_IFBLK;
else
mode |= S_IFCHR;
if (lstat(devnode, &stats) != 0) {
err = -errno;
log_debug_errno(errno, "can not stat() node '%s' (%m)", devnode);
goto out;
}
if (((stats.st_mode & S_IFMT) != (mode & S_IFMT)) || (stats.st_rdev != devnum)) {
err = -EEXIST;
log_debug("found node '%s' with non-matching devnum %s, skip handling",
udev_device_get_devnode(dev), udev_device_get_id_filename(dev));
goto out;
}
if (apply) {
bool selinux = false;
bool smack = false;
if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
log_debug("set permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
err = chmod(devnode, mode);
if (err < 0)
log_warning_errno(errno, "setting mode of %s to %#o failed: %m", devnode, mode);
err = chown(devnode, uid, gid);
if (err < 0)
log_warning_errno(errno, "setting owner of %s to uid=%u, gid=%u failed: %m", devnode, uid, gid);
} else {
log_debug("preserve permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
}
/* apply SECLABEL{$module}=$label */
udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
const char *name, *label;
int r;
name = udev_list_entry_get_name(entry);
label = udev_list_entry_get_value(entry);
if (streq(name, "selinux")) {
selinux = true;
r = mac_selinux_apply(devnode, label);
if (r < 0)
log_error_errno(r, "SECLABEL: failed to set SELinux label '%s': %m", label);
else
log_debug("SECLABEL: set SELinux label '%s'", label);
} else if (streq(name, "smack")) {
smack = true;
r = mac_smack_apply(devnode, label);
if (r < 0)
log_error_errno(r, "SECLABEL: failed to set SMACK label '%s': %m", label);
else
log_debug("SECLABEL: set SMACK label '%s'", label);
} else
log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
}
/* set the defaults */
if (!selinux)
mac_selinux_fix(devnode, true, false);
if (!smack)
mac_smack_apply(devnode, NULL);
}
/* always update timestamp when we re-use the node, like on media change events */
utimensat(AT_FDCWD, devnode, NULL, 0);
out:
return err;
}
static int node_permissions_apply(sd_device *dev, bool apply,
mode_t mode, uid_t uid, gid_t gid,
Hashmap *seclabel_list) {
const char *devnode, *subsystem, *id_filename = NULL;
struct stat stats;
dev_t devnum;
int r = 0;
assert(dev);
r = sd_device_get_devname(dev, &devnode);
if (r < 0)
return log_device_debug_errno(dev, r, "Failed to get devname: %m");
r = sd_device_get_subsystem(dev, &subsystem);
if (r < 0)
return log_device_debug_errno(dev, r, "Failed to get subsystem: %m");
r = sd_device_get_devnum(dev, &devnum);
if (r < 0)
return log_device_debug_errno(dev, r, "Failed to get devnum: %m");
(void) device_get_id_filename(dev, &id_filename);
if (streq(subsystem, "block"))
mode |= S_IFBLK;
else
mode |= S_IFCHR;
if (lstat(devnode, &stats) < 0)
return log_device_debug_errno(dev, errno, "cannot stat() node '%s' (%m)", devnode);
if (((stats.st_mode & S_IFMT) != (mode & S_IFMT)) || (stats.st_rdev != devnum))
return log_device_debug_errno(dev, EEXIST, "Found node '%s' with non-matching devnum %s, skip handling",
devnode, id_filename);
if (apply) {
bool selinux = false, smack = false;
const char *name, *label;
Iterator i;
if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
log_device_debug(dev, "Setting permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
if (chmod(devnode, mode) < 0)
r = log_device_warning_errno(dev, errno, "Failed to set mode of %s to %#o: %m", devnode, mode);
if (chown(devnode, uid, gid) < 0)
r = log_device_warning_errno(dev, errno, "Failed to set owner of %s to uid=%u, gid=%u: %m", devnode, uid, gid);
} else
log_device_debug(dev, "Preserve permissions of %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
/* apply SECLABEL{$module}=$label */
HASHMAP_FOREACH_KEY(label, name, seclabel_list, i) {
int q;
if (streq(name, "selinux")) {
selinux = true;
q = mac_selinux_apply(devnode, label);
if (q < 0)
log_device_error_errno(dev, q, "SECLABEL: failed to set SELinux label '%s': %m", label);
else
log_device_debug(dev, "SECLABEL: set SELinux label '%s'", label);
} else if (streq(name, "smack")) {
smack = true;
q = mac_smack_apply(devnode, SMACK_ATTR_ACCESS, label);
if (q < 0)
log_device_error_errno(dev, q, "SECLABEL: failed to set SMACK label '%s': %m", label);
else
log_device_debug(dev, "SECLABEL: set SMACK label '%s'", label);
} else
log_device_error(dev, "SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
}
/* set the defaults */
if (!selinux)
(void) mac_selinux_fix(devnode, LABEL_IGNORE_ENOENT);
if (!smack)
(void) mac_smack_apply(devnode, SMACK_ATTR_ACCESS, NULL);
}