/*
 * Build a CONDITION_SECURITY condition for PARAMETER, evaluate it and free it
 * again. The third condition_new() argument is false for every case in this
 * test, exactly as in the original table; only NEGATE varies.
 *
 * Returns condition_test()'s result unchanged (kept as int so the comparisons
 * below see exactly the value the original test compared).
 */
static int security_condition_result(const char *parameter, bool negate) {
        Condition *c;
        int result;

        c = condition_new(CONDITION_SECURITY, parameter, false, negate);
        result = condition_test(c);
        condition_free(c);

        return result;
}

/* Checks condition_test() for CONDITION_SECURITY against the local probes. */
static void test_condition_test_security(void) {
        /* An unknown backend name must never be reported as present. */
        assert_se(!security_condition_result("garbage oifdsjfoidsjoj", false));

        /* With negate=true the answer must be the opposite of the probe. */
        assert_se(security_condition_result("selinux", true) != mac_selinux_have());

        /* Every other backend must mirror what its probe reports right now. */
        assert_se(security_condition_result("ima", false) == use_ima());
        assert_se(security_condition_result("apparmor", false) == mac_apparmor_use());
        assert_se(security_condition_result("smack", false) == mac_smack_use());
        assert_se(security_condition_result("audit", false) == use_audit());
}
/*
 * Fix up the "security.SMACK64" label of a node below /dev.
 *
 * path:          node to relabel; must not be NULL.
 * ignore_enoent: treat a vanished path as success.
 * ignore_erofs:  treat a read-only file system as success.
 *
 * Directories and character devices get SMACK_STAR_LABEL, symlinks get
 * SMACK_FLOOR_LABEL, anything else is left untouched. lstat()/lsetxattr() are
 * used on purpose: the link itself is inspected and labelled, so a symlink in
 * /dev cannot redirect the relabel to whatever it points at.
 *
 * Returns 0 on success, when SMACK is not in use, when the path lies outside
 * /dev, when the node type is not labelled, when the file system does not
 * support labels (ENOTSUP), or when the error is one the caller asked to
 * ignore. Otherwise returns the negative errno from log_debug_errno().
 * Without HAVE_SMACK the function is a no-op returning 0.
 */
int mac_smack_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
        int r = 0;

        assert(path);

#ifdef HAVE_SMACK
        struct stat st;
        const char *label = NULL;

        if (!mac_smack_use())
                return 0;

        /* Only the device hierarchy is ever relabelled here. */
        if (!path_startswith(path, "/dev"))
                return 0;

        if (lstat(path, &st) < 0)
                goto fail;

        if (S_ISDIR(st.st_mode) || S_ISCHR(st.st_mode))
                label = SMACK_STAR_LABEL;
        else if (S_ISLNK(st.st_mode))
                label = SMACK_FLOOR_LABEL;
        else
                return 0;

        if (lsetxattr(path, "security.SMACK64", label, strlen(label), 0) >= 0)
                return 0;

        /* A file system without label support is not worth a log line. */
        if (errno == ENOTSUP)
                return 0;

fail:
        /* errno is still the one from the failing lstat()/lsetxattr() call. */
        if (ignore_enoent && errno == ENOENT)
                return 0;

        if (ignore_erofs && errno == EROFS)
                return 0;

        r = log_debug_errno(errno, "Unable to fix SMACK label of %s: %m", path);
#endif

        return r;
}
/*
 * Read the SMACK attribute ATTR of the open file FD into a freshly allocated
 * string stored in *LABEL.
 *
 * fd:    open descriptor to query; must be >= 0.
 * attr:  which SMACK attribute to read; must be a valid SmackAttr.
 * label: receives the allocated label; must not be NULL.
 *
 * Returns 0 without touching *label when SMACK is not in use, otherwise
 * whatever fgetxattr_malloc() returns.
 */
int mac_smack_read_fd(int fd, SmackAttr attr, char **label) {
        const char *name;

        assert(fd >= 0);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
        assert(label);

        if (!mac_smack_use())
                return 0;

        name = smack_attr_to_string(attr);

        return fgetxattr_malloc(fd, name, label);
}
/*
 * Read the SMACK attribute ATTR of PATH into a freshly allocated string
 * stored in *LABEL.
 *
 * path:  file to query; must not be NULL.
 * attr:  which SMACK attribute to read; must be a valid SmackAttr.
 * label: receives the allocated label; must not be NULL.
 *
 * Returns 0 without touching *label when SMACK is not in use, otherwise
 * whatever getxattr_malloc() returns. The trailing true is passed through
 * unchanged from the original call.
 */
int mac_smack_read(const char *path, SmackAttr attr, char **label) {
        const char *name;

        assert(path);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);
        assert(label);

        if (!mac_smack_use())
                return 0;

        name = smack_attr_to_string(attr);

        return getxattr_malloc(path, name, label, true);
}
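/*
 * Apply a SMACK label to a running process by writing it to the process's
 * "attr/current" procfs file.
 *
 * pid:   process to relabel.
 * label: label to write; must not be NULL.
 *
 * Returns 0 when SMACK is not in use, otherwise write_string_file()'s result
 * (0 on success, negative on error) unchanged.
 */
int mac_smack_apply_pid(pid_t pid, const char *label) {
        const char *p;

        assert(label);

        if (!mac_smack_use())
                return 0;

        /* Nothing is freed here: the original code never freed this path
         * either (the helper's name suggests it lives on the stack). */
        p = procfs_file_alloca(pid, "attr/current");

        /* The original returned r both when r < 0 and otherwise, so the
         * result is simply passed through. */
        return write_string_file(p, label, 0);
}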
/*
 * Evaluate a CONDITION_SECURITY condition.
 *
 * c: the condition; must be non-NULL, of type CONDITION_SECURITY, and carry a
 *    non-NULL parameter naming a security backend.
 *
 * Returns true when the named backend's probe agrees with the (possibly
 * negated) expectation. An unknown backend name is treated as "absent", so
 * the result is simply c->negate.
 */
static bool condition_test_security(Condition *c) {
        const char *name;
        bool want;

        assert(c);
        assert(c->parameter);
        assert(c->type == CONDITION_SECURITY);

        name = c->parameter;
        /* With negate the probe has to report the opposite state. */
        want = !c->negate;

        if (streq(name, "selinux"))
                return mac_selinux_use() == want;
        else if (streq(name, "smack"))
                return mac_smack_use() == want;
        else if (streq(name, "apparmor"))
                return mac_apparmor_use() == want;
        else if (streq(name, "ima"))
                return use_ima() == want;

        return c->negate;
}
/*
 * Evaluate a CONDITION_SECURITY condition.
 *
 * c: the condition; must be non-NULL, of type CONDITION_SECURITY, and carry a
 *    non-NULL parameter naming a security backend.
 *
 * Returns the backend probe's result for a known name. Negation is not
 * handled here. An unknown backend name yields false, i.e. "not present",
 * rather than an error.
 */
static int condition_test_security(Condition *c) {
        const char *name;
        int present;

        assert(c);
        assert(c->parameter);
        assert(c->type == CONDITION_SECURITY);

        name = c->parameter;

        if (streq(name, "selinux"))
                present = mac_selinux_use();
        else if (streq(name, "smack"))
                present = mac_smack_use();
        else if (streq(name, "apparmor"))
                present = mac_apparmor_use();
        else if (streq(name, "audit"))
                present = use_audit();
        else if (streq(name, "ima"))
                present = use_ima();
        else
                present = false;

        return present;
}
/*
 * Set or remove the SMACK attribute ATTR on the open file FD.
 *
 * fd:    open descriptor; must be >= 0.
 * attr:  which SMACK attribute to touch; must be a valid SmackAttr.
 * label: label to set, or NULL to remove the attribute entirely.
 *
 * Returns 0 on success or when SMACK is not in use, otherwise -errno from the
 * failing fsetxattr()/fremovexattr() call.
 */
int mac_smack_apply_fd(int fd, SmackAttr attr, const char *label) {
        const char *name;
        int r;

        assert(fd >= 0);
        assert(attr >= 0 && attr < _SMACK_ATTR_MAX);

        if (!mac_smack_use())
                return 0;

        name = smack_attr_to_string(attr);

        /* NULL means "drop the attribute", not "set it to the empty string". */
        r = label ? fsetxattr(fd, name, label, strlen(label), 0)
                  : fremovexattr(fd, name);

        return r < 0 ? -errno : 0;
}
/*
 * Set or remove the "security.SMACK64IPOUT" attribute on the descriptor FD.
 *
 * fd:    open descriptor; must be >= 0.
 * label: label to set, or NULL to remove the attribute entirely.
 *
 * Returns 0 on success or when SMACK is not in use, otherwise -errno from the
 * failing fsetxattr()/fremovexattr() call. Without HAVE_SMACK the function
 * only validates fd and returns 0.
 */
int mac_smack_apply_ip_out_fd(int fd, const char *label) {
        int r = 0;

        assert(fd >= 0);

#ifdef HAVE_SMACK
        if (!mac_smack_use())
                return 0;

        /* NULL means "drop the attribute", not "set it to the empty string". */
        if (label)
                r = fsetxattr(fd, "security.SMACK64IPOUT", label, strlen(label), 0);
        else
                r = fremovexattr(fd, "security.SMACK64IPOUT");

        if (r < 0)
                return -errno;
#endif

        return r;
}
/*
 * Set or remove the "security.SMACK64" attribute on PATH.
 *
 * path:  file to label; must not be NULL.
 * label: label to set, or NULL to remove the attribute entirely.
 *
 * lsetxattr()/lremovexattr() are used, so a symlink is labelled itself rather
 * than the file it points to.
 *
 * Returns 0 on success or when SMACK is not in use, otherwise -errno from the
 * failing xattr call. Without HAVE_SMACK the function only validates path and
 * returns 0.
 */
int mac_smack_apply(const char *path, const char *label) {
        int r = 0;

        assert(path);

#ifdef HAVE_SMACK
        if (!mac_smack_use())
                return 0;

        /* NULL means "drop the attribute", not "set it to the empty string". */
        if (label)
                r = lsetxattr(path, "security.SMACK64", label, strlen(label), 0);
        else
                r = lremovexattr(path, "security.SMACK64");

        if (r < 0)
                return -errno;
#endif

        return r;
}
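/*
 * Apply a SMACK label to a running process by writing it to the process's
 * "attr/current" procfs file.
 *
 * pid:   process to relabel.
 * label: label to write; must not be NULL.
 *
 * Returns 0 when SMACK is not in use or when built without HAVE_SMACK,
 * otherwise write_string_file()'s result (0 on success, negative on error)
 * unchanged.
 */
int mac_smack_apply_pid(pid_t pid, const char *label) {
        int r = 0;

        assert(label);

#ifdef HAVE_SMACK
        const char *p;

        if (!mac_smack_use())
                return 0;

        /* Nothing is freed here: the original code never freed this path
         * either (the helper's name suggests it lives on the stack). */
        p = procfs_file_alloca(pid, "attr/current");

        /* The original returned r both when r < 0 and otherwise, so the
         * redundant branch is gone and the result is passed through. */
        r = write_string_file(p, label);
#endif

        return r;
}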