[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] ls: with -Z, show SMACK context for each file (v3)
|
From: |
Jarkko Sakkinen |
|
Subject: |
Re: [PATCH] ls: with -Z, show SMACK context for each file (v3) |
|
Date: |
Mon, 03 Jun 2013 20:24:00 +0300 |
If you still find some blocking issues, please report me, and I will
iterate. In general I think this now much better form to achieve
support for multiple LSMs and easier to extend in future if needed.
/Jarkko
On Mon, Jun 3, 2013, at 20:05, Jarkko Sakkinen wrote:
> Enable showing of file SMACK labels with -Z command-line switch.
>
> * src/ls.c (gobble_file): Output the smack context if available.
> * src/ls.c: New function getsmackcon_cache() for grabbing SMACK label.
> ---
> src/local.mk | 1 +
> src/ls.c | 74
> ++++++++++++++++++++++++++++++++++++++++++++----------------
> 2 files changed, 55 insertions(+), 20 deletions(-)
>
> diff --git a/src/local.mk b/src/local.mk
> index efb0038..626d580 100644
> --- a/src/local.mk
> +++ b/src/local.mk
> @@ -230,6 +230,7 @@ src_ginstall_LDADD += $(LIB_SELINUX)
> src_id_LDADD += $(LIB_SELINUX)
> src_id_LDADD += $(LIB_SMACK)
> src_ls_LDADD += $(LIB_SELINUX)
> +src_ls_LDADD += $(LIB_SMACK)
> src_mkdir_LDADD += $(LIB_SELINUX)
> src_mkfifo_LDADD += $(LIB_SELINUX)
> src_mknod_LDADD += $(LIB_SELINUX)
> diff --git a/src/ls.c b/src/ls.c
> index 72aee99..24e4860 100644
> --- a/src/ls.c
> +++ b/src/ls.c
> @@ -115,6 +115,11 @@
> # include <sys/capability.h>
> #endif
>
> +#ifdef HAVE_SMACK
> +# include <sys/smack.h>
> +# include <attr/xattr.h>
> +#endif
> +
> #define PROGRAM_NAME (ls_mode == LS_LS ? "ls" \
> : (ls_mode == LS_MULTI_COL \
> ? "dir" : "vdir"))
> @@ -350,7 +355,16 @@ static struct pending *pending_dirs;
>
> static struct timespec current_time;
>
> -static bool print_scontext;
> +enum scontext_type
> + {
> + no_context = 0,
> + selinux_context,
> +#ifdef HAVE_SMACK
> + smack_context,
> +#endif
> + };
> +
> +static enum scontext_type print_scontext;
> static char UNKNOWN_SECURITY_CONTEXT[] = "?";
>
> /* Whether any of the files has an ACL. This affects the width of the
> @@ -1371,7 +1385,7 @@ main (int argc, char **argv)
>
> format_needs_stat = sort_type == sort_time || sort_type == sort_size
> || format == long_format
> - || print_scontext
> + || print_scontext != no_context
> || print_block_size;
> format_needs_type = (! format_needs_stat
> && (recursive
> @@ -1573,7 +1587,7 @@ decode_switches (int argc, char **argv)
> ignore_mode = IGNORE_DEFAULT;
> ignore_patterns = NULL;
> hide_patterns = NULL;
> - print_scontext = false;
> + print_scontext = no_context;
>
> /* FIXME: put this in a function. */
> {
> @@ -1949,7 +1963,11 @@ decode_switches (int argc, char **argv)
> break;
>
> case 'Z':
> - print_scontext = true;
> + print_scontext = selinux_context;
> +#ifdef HAVE_SMACK
> + if (smack_smackfs_path ())
> + print_scontext = smack_context;
> +#endif
> break;
>
> case_GETOPT_HELP_CHAR;
> @@ -2801,25 +2819,37 @@ errno_unsupported (int err)
> Like getfilecon/lgetfilecon, but when F's st_dev says it's on a
> known-
> SELinux-challenged file system, fail with ENOTSUP immediately. */
> static int
> -getfilecon_cache (char const *file, struct fileinfo *f, bool deref)
> +getfilecon_cache (char const *file, struct fileinfo *f, bool deref,
> + enum scontext_type scontext)
> {
> /* st_dev of the most recently processed device for which we've
> found that [l]getfilecon fails indicating lack of support. */
> static dev_t unsupported_device;
>
> - if (f->stat.st_dev == unsupported_device)
> + if (f->stat.st_dev == unsupported_device || scontext == no_context)
> + {
> + errno = ENOTSUP;
> + return -1;
> + }
> + int r = 0;
> + if (scontext == selinux_context)
> + r = (deref
> + ? getfilecon (file, &f->scontext)
> + : lgetfilecon (file, &f->scontext));
> + else if (scontext == smack_context)
> + r = smack_new_label_from_path (file, "security.SMACK64", deref,
> + &f->scontext);
> + else
> {
> errno = ENOTSUP;
> return -1;
> }
> - int r = (deref
> - ? getfilecon (file, &f->scontext)
> - : lgetfilecon (file, &f->scontext));
> if (r < 0 && errno_unsupported (errno))
> unsupported_device = f->stat.st_dev;
> return r;
> }
>
> +
> /* Cache file_has_acl failure, when it's trivial to do.
> Like file_has_acl, but when F's st_dev says it's on a file
> system lacking ACL support, return 0 with ENOTSUP immediately. */
> @@ -3003,15 +3033,19 @@ gobble_file (char const *name, enum filetype
> type, ino_t inode,
> && print_with_color && is_colored (C_CAP))
> f->has_capability = has_capability_cache (absolute_name, f);
>
> - if (format == long_format || print_scontext)
> + if (format == long_format || print_scontext != no_context)
> {
> - bool have_selinux = false;
> + bool have_context = false;
> bool have_acl = false;
> - int attr_len = getfilecon_cache (absolute_name, f, do_deref);
> + int attr_len = getfilecon_cache (absolute_name, f, do_deref,
> + print_scontext);
> err = (attr_len < 0);
>
> if (err == 0)
> - have_selinux = ! STREQ ("unlabeled", f->scontext);
> + if (print_scontext == selinux_context)
> + have_context = ! STREQ ("unlabeled", f->scontext);
> + else if (print_scontext == smack_context)
> + have_context = ! STREQ ("_", f->scontext);
> else
> {
> f->scontext = UNKNOWN_SECURITY_CONTEXT;
> @@ -3031,9 +3065,9 @@ gobble_file (char const *name, enum filetype type,
> ino_t inode,
> have_acl = (0 < n);
> }
>
> - f->acl_type = (!have_selinux && !have_acl
> + f->acl_type = (!have_context && !have_acl
> ? ACL_T_NONE
> - : (have_selinux && !have_acl
> + : (have_context && !have_acl
> ? ACL_T_SELINUX_ONLY
> : ACL_T_YES));
> any_has_acl |= f->acl_type != ACL_T_NONE;
> @@ -3119,7 +3153,7 @@ gobble_file (char const *name, enum filetype type,
> ino_t inode,
> }
> }
>
> - if (print_scontext)
> + if (print_scontext != no_context)
> {
> int len = strlen (f->scontext);
> if (scontext_width < len)
> @@ -3854,7 +3888,7 @@ print_long_format (const struct fileinfo *f)
>
> DIRED_INDENT ();
>
> - if (print_owner || print_group || print_author || print_scontext)
> + if (print_owner || print_group || print_author || print_scontext !=
> no_context)
> {
> DIRED_FPUTS (buf, stdout, p - buf);
>
> @@ -3867,7 +3901,7 @@ print_long_format (const struct fileinfo *f)
> if (print_author)
> format_user (f->stat.st_author, author_width, f->stat_ok);
>
> - if (print_scontext)
> + if (print_scontext != no_context)
> format_user_or_group (f->scontext, 0, scontext_width);
>
> p = buf;
> @@ -4215,7 +4249,7 @@ print_file_name_and_frills (const struct fileinfo
> *f, size_t start_col)
> : human_readable (ST_NBLOCKS (f->stat), buf,
> human_output_opts,
> ST_NBLOCKSIZE, output_block_size));
>
> - if (print_scontext)
> + if (print_scontext != no_context)
> printf ("%*s ", format == with_commas ? 0 : scontext_width,
> f->scontext);
>
> size_t width = print_name_with_quoting (f, false, NULL, start_col);
> @@ -4425,7 +4459,7 @@ length_of_file_name_and_frills (const struct
> fileinfo *f)
> output_block_size))
> : block_size_width);
>
> - if (print_scontext)
> + if (print_scontext != no_context)
> len += 1 + (format == with_commas ? strlen (f->scontext) :
> scontext_width);
>
> quote_name (NULL, f->name, filename_quoting_options, &name_width);
> --
> 1.8.1.2
>