>From a1d8ad1ff3f5993f4e1cb4e0c17b10b1e1da8d43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?=
Date: Tue, 2 Jul 2013 02:40:35 +0100
Subject: [PATCH 1/2] id: don't show smack errors unless -Z is specified
* src/id.c (main): Be consistent with the SELinux case, and only show errors in getting the security context when -Z is specified.
---
 src/id.c | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/id.c b/src/id.c
index c91dbcd..95f361a 100644
--- a/src/id.c
+++ b/src/id.c
@@ -211,7 +211,8 @@ main (int argc, char **argv)
 error (EXIT_FAILURE, 0, _("can't get process context"));
 #ifdef HAVE_SMACK
 else if (smack_enabled
- && smack_new_label_from_self ((char **) &context) < 0)
+ && smack_new_label_from_self ((char **) &context) < 0
+ && just_context)
 error (EXIT_FAILURE, 0, _("can't get process context"));
 #endif
 }
-- 
1.7.7.6
>From 018d36158d896b84d42f25bce36cda3d4adf430a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?=
Date: Tue, 2 Jul 2013 03:42:20 +0100
Subject: [PATCH 2/2] maint: refactor smack interface to a separate module
Consolidate all smack routines and checks in a module. We replace and wrap the most commonly used smack routines, which allows removing ifdefs throughout the code.
* gl/lib/smack.h: A new header containing the implementation of the wrapped and replacement routines. Note the is_smack_enabled() routine should be optimized out at compile time when compiled on a system without libsmack.
* gl/modules/smack: Describe the new module and move the configure time code here from ...
* m4/jm-macros.m4: ... here.
* bootstrap.conf: Reference the new module.
* src/id.c: Use the routines without ifdefs where possible.
* src/ls.c: Likewise.
* src/mkdir.c: Likewise.
* src/mkfifo.c: Likewise.
* src/mknod.c: Likewise.
---
 bootstrap.conf | 1 +
 gl/lib/smack.h | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 gl/modules/smack | 42 ++++++++++++++++++++++++++++++++++++++++++
 m4/jm-macros.m4 | 21 ---------------------
 src/id.c | 19 ++++++-------------
 src/ls.c | 15 ++++-----------
 src/mkdir.c | 9 ++-------
 src/mkfifo.c | 9 ++-------
 src/mknod.c | 9 ++-------
 9 files changed, 105 insertions(+), 66 deletions(-)
 create mode 100644 gl/lib/smack.h
 create mode 100644 gl/modules/smack
diff --git a/bootstrap.conf b/bootstrap.conf
index bb6c145..0863590 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -211,6 +211,7 @@ gnulib_modules="
 settime
 sig2str
 sigaction
+ smack
 ssize_t
 statat
 stat-macros
diff --git a/gl/lib/smack.h b/gl/lib/smack.h
new file mode 100644
index 0000000..dea729e
--- /dev/null
+++ b/gl/lib/smack.h
@@ -0,0 +1,46 @@
+/* Include and determine availability of smack routines
+ Copyright (C) 2013 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see . */
+
+/* Here we replace or wrap the most common smack functions used by coreutils.
+ Others will need to be protected by HAVE_SMACK. */
+
+#include
+
+#ifdef HAVE_SMACK
+# include
+#else
+static inline ssize_t
+smack_new_label_from_self (char **label)
+{
+ return -1;
+}
+
+static inline int
+smack_set_label_for_self (const char *label)
+{
+ return -1;
+}
+#endif
+
+static inline bool
+is_smack_enabled (void)
+{
+#ifdef HAVE_SMACK
+ return smack_smackfs_path () != NULL;
+#else
+ return false;
+#endif
+}
diff --git a/gl/modules/smack b/gl/modules/smack
new file mode 100644
index 0000000..a6dcbaa
--- /dev/null
+++ b/gl/modules/smack
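Review bot: smack.h defines `static inline` functions but has no include guard, so a second inclusion in one translation unit (directly or through another header) would fail with redefinition errors; wrapping the file in `#ifndef SMACK_H` / `# define SMACK_H` ... `#endif` avoids that. The header also uses `ssize_t`, `bool`, `false` and `NULL` while only one `#include` line precedes the `#ifdef` (its header name is lost in this rendering), so it appears to rely on the including file for `<stdbool.h>` and `<stddef.h>`. The two stubs return -1 without touching `*label` or `errno`; they look unreachable today because every call visible in this patch is gated on `is_smack_enabled ()`, but a one-line comment stating that contract would stop a later caller from reporting a stale `errno`.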
@@ -0,0 +1,42 @@
+Description:
+Include and determine the availability of smack routines
+
+Files:
+lib/smack.h
+
+Depends-on:
+
+configure.ac:
+# Check whether libsmack is available
+LIB_SMACK=
+AC_ARG_ENABLE([libsmack],
+ AC_HELP_STRING([--disable-libsmack], [disable libsmack support]))
+if test "X$enable_libsmack" != "Xno"; then
+ AC_CHECK_LIB([smack], [smack_new_label_from_self],
+ [AC_CHECK_LIB([smack], [smack_new_label_from_path],
+ [AC_CHECK_HEADER([sys/smack.h],
+ [LIB_SMACK=-lsmack
+ AC_DEFINE([HAVE_SMACK], [1], [libsmack usability])]
+ )])])
+ if test "X$LIB_SMACK" = "X"; then
+ if test "X$enable_libsmack" = "Xyes"; then
+ AC_MSG_ERROR([libsmack library was not found or not usable])
+ fi
+ fi
+else
+ AC_MSG_WARN([libsmack support disabled by user])
+fi
+AC_SUBST([LIB_SMACK])
+
+
+Makefile.am:
+lib_SOURCES += smack.h
+
+Include:
+"smack.h"
+
+License:
+LGPL
+
+Maintainer:
+Pádraig Brady
diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4
index 649a344..3f95def 100644
--- a/m4/jm-macros.m4
+++ b/m4/jm-macros.m4
@@ -141,27 +141,6 @@ AC_DEFUN([coreutils_MACROS],
 fi
 AC_SUBST([LIB_CAP])
- # Check whether libsmack is available
- LIB_SMACK=
- AC_ARG_ENABLE([libsmack],
- AC_HELP_STRING([--disable-libsmack], [disable libsmack support]))
- if test "X$enable_libsmack" != "Xno"; then
- AC_CHECK_LIB([smack], [smack_new_label_from_self],
- [AC_CHECK_LIB([smack], [smack_new_label_from_path],
- [AC_CHECK_HEADER([sys/smack.h],
- [LIB_SMACK=-lsmack
- AC_DEFINE([HAVE_SMACK], [1], [libsmack usability])]
- )])])
- if test "X$LIB_SMACK" = "X"; then
- if test "X$enable_libsmack" = "Xyes"; then
- AC_MSG_ERROR([libsmack library was not found or not usable])
- fi
- fi
- else
- AC_MSG_WARN([libsmack support disabled by user])
- fi
- AC_SUBST([LIB_SMACK])
-
 # See if linking 'seq' requires -lm.
 # It does on nearly every system. The single exception (so far) is
 # BeOS which has all the math functions in the normal runtime library
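Review bot: In the new gl/modules/smack file, `Depends-on:` is left empty although lib/smack.h uses `ssize_t` and `bool`; listing the gnulib `ssize_t` and `stdbool` modules would make this module self-contained instead of relying on the importing package (bootstrap.conf happens to list `ssize_t` already). In the configure.ac section, libsmack support is auto-detected and dropped without a warning when the library or header is missing unless `--enable-libsmack` was given explicitly, so a build meant for a Smack system can lose label handling unnoticed; an `AC_MSG_WARN` in the not-found branch would make that visible. `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`, and since the block is being moved anyway this is a convenient place to update it.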
diff --git a/src/id.c b/src/id.c
index 95f361a..bd286e0 100644
--- a/src/id.c
+++ b/src/id.c
@@ -24,15 +24,13 @@
 #include
 #include
 #include
-#ifdef HAVE_SMACK
-# include
-#endif
 #include "system.h"
 #include "error.h"
 #include "mgetgroups.h"
 #include "quote.h"
 #include "group-list.h"
+#include "smack.h"
 /* The official name of this program (e.g., no 'g' prefix). */
 #define PROGRAM_NAME "id"
@@ -110,9 +108,7 @@ main (int argc, char **argv)
 {
 int optc;
 int selinux_enabled = (is_selinux_enabled () > 0);
-#ifdef HAVE_SMACK
- int smack_enabled = (smack_smackfs_path () != NULL);
-#endif
+ bool smack_enabled = is_smack_enabled ();
 /* If true, output the list of all group IDs. -G */
 bool just_group_list = false;
@@ -207,14 +203,11 @@ main (int argc, char **argv)
 || (default_format && ! getenv ("POSIXLY_CORRECT"))))
 {
 /* Report failure only if --context (-Z) was explicitly requested. */
- if (selinux_enabled && getcon (&context) && just_context)
+ if ((selinux_enabled && getcon (&context) && just_context)
+ || (smack_enabled
+ && smack_new_label_from_self ((char **) &context) < 0
+ && just_context))
 error (EXIT_FAILURE, 0, _("can't get process context"));
-#ifdef HAVE_SMACK
- else if (smack_enabled
- && smack_new_label_from_self ((char **) &context) < 0
- && just_context)
- error (EXIT_FAILURE, 0, _("can't get process context"));
-#endif
 }
 if (n_ids == 1)
diff --git a/src/ls.c b/src/ls.c
index 61324c3..e341c67 100644
--- a/src/ls.c
+++ b/src/ls.c
@@ -101,6 +101,7 @@
 #include "obstack.h"
 #include "quote.h"
 #include "quotearg.h"
+#include "smack.h"
 #include "stat-size.h"
 #include "stat-time.h"
 #include "strftime.h"
@@ -115,10 +116,6 @@
 # include
 #endif
-#ifdef HAVE_SMACK
-# include
-#endif
-
 #define PROGRAM_NAME (ls_mode == LS_LS ? "ls" \
 : (ls_mode == LS_MULTI_COL \
 ? "dir" : "vdir"))
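Review bot: In the `@@ -207,14 +203,11 @@` hunk of src/id.c the two label lookups are side effects inside one short-circuit condition, and the operand order is load-bearing: `just_context` has to stay last in each group, otherwise `getcon` / `smack_new_label_from_self` would no longer run for the default format and `context` would stay unset. Because the groups are joined with `||`, a successful `getcon` still falls through to the Smack group, so if `selinux_enabled` and `smack_enabled` were ever both true the second call would overwrite `context` through the `(char **)` cast (the old `else if` behaved the same way; whether both can be true at once is not visible here). I would add a comment such as `/* The lookups must precede just_context: they fill 'context' for the default format too.  */`, or separate the lookups from the error test. The enclosing `if` starts above the hunk.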
@@ -2762,11 +2759,9 @@ free_ent (struct fileinfo *f)
 free (f->linkname);
 if (f->scontext != UNKNOWN_SECURITY_CONTEXT)
 {
-#ifdef HAVE_SMACK
- if (smack_smackfs_path ())
+ if (is_smack_enabled ())
 free (f->scontext);
 else
-#endif
 freecon (f->scontext);
 }
 }
@@ -2825,7 +2820,7 @@ getfilecon_cache (char const *file, struct fileinfo *f, bool deref)
 }
 int r = 0;
 #ifdef HAVE_SMACK
- if (smack_smackfs_path ())
+ if (is_smack_enabled ())
 r = smack_new_label_from_path (file, "security.SMACK64", deref, &f->scontext);
 else
@@ -3030,11 +3025,9 @@ gobble_file (char const *name, enum filetype type, ino_t inode,
 if (err == 0)
 {
-#ifdef HAVE_SMACK
- if (smack_smackfs_path ())
+ if (is_smack_enabled ())
 have_scontext = ! STREQ ("_", f->scontext);
 else
-#endif
 have_scontext = ! STREQ ("unlabeled", f->scontext);
 }
 else
diff --git a/src/mkdir.c b/src/mkdir.c
index e56b6cb..479faca 100644
--- a/src/mkdir.c
+++ b/src/mkdir.c
@@ -22,10 +22,6 @@
 #include
 #include
-#ifdef HAVE_SMACK
-# include
-#endif
-
 #include "system.h"
 #include "error.h"
 #include "mkdir-p.h"
@@ -33,6 +29,7 @@
 #include "prog-fprintf.h"
 #include "quote.h"
 #include "savewd.h"
+#include "smack.h"
 /* The official name of this program (e.g., no 'g' prefix). */
 #define PROGRAM_NAME "mkdir"
@@ -201,11 +198,9 @@ main (int argc, char **argv)
 if (scontext)
 {
-#ifdef HAVE_SMACK
- if (smack_smackfs_path ())
+ if (is_smack_enabled ())
 ret = smack_set_label_for_self (scontext);
 else
-#endif
 ret = setfscreatecon (scontext);
 }
diff --git a/src/mkfifo.c b/src/mkfifo.c
index a87a393..f9fcc0a 100644
--- a/src/mkfifo.c
+++ b/src/mkfifo.c
@@ -22,14 +22,11 @@
 #include
 #include
-#ifdef HAVE_SMACK
-# include
-#endif
-
 #include "system.h"
 #include "error.h"
 #include "modechange.h"
 #include "quote.h"
+#include "smack.h"
 /* The official name of this program (e.g., no 'g' prefix). */
 #define PROGRAM_NAME "mkfifo"
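Review bot: In `free_ent` (src/ls.c) the choice between `free` and `freecon` is made by asking `is_smack_enabled ()` again at release time, not by how `f->scontext` was obtained, so it is only correct while it mirrors the allocator choice in the `getfilecon_cache` hunk (`smack_new_label_from_path` versus the branch after `else`, which lies outside that hunk). A comment at both sites, e.g. `/* Must match the allocator selected in getfilecon_cache.  */`, would keep the pairing from drifting. With HAVE_SMACK defined, `free_ent` and `gobble_file` also call `smack_smackfs_path ()` once per entry; caching the result in a file-scope `bool`, as id.c does with `smack_enabled`, would keep the decision stable for the life of the process.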
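Review bot: In the `if (scontext)` block of mkdir.c `main` (and the identical hunks in mkfifo.c and mknod.c) the two arms are not equivalent operations and nothing says so: going by the names, `smack_set_label_for_self` relabels the running process while `setfscreatecon` only sets the context for objects created next, and the Smack arm wins whenever smackfs is present. A short comment would help, e.g. `/* Smack: relabel this process so the new file takes its label (confirm against libsmack).  */`. Changing a process label normally needs privilege, so the handling of `ret` matters for an unprivileged caller; that check is outside the hunk.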
@@ -115,11 +112,9 @@ main (int argc, char **argv)
 if (scontext)
 {
-#ifdef HAVE_SMACK
- if (smack_smackfs_path ())
+ if (is_smack_enabled ())
 ret = smack_set_label_for_self (scontext);
 else
-#endif
 ret = setfscreatecon (scontext);
 }
diff --git a/src/mknod.c b/src/mknod.c
index 9f0afb3..4fd6ed0 100644
--- a/src/mknod.c
+++ b/src/mknod.c
@@ -22,14 +22,11 @@
 #include
 #include
-#ifdef HAVE_SMACK
-# include
-#endif
-
 #include "system.h"
 #include "error.h"
 #include "modechange.h"
 #include "quote.h"
+#include "smack.h"
 #include "xstrtol.h"
 /* The official name of this program (e.g., no 'g' prefix). */
@@ -171,11 +168,9 @@ main (int argc, char **argv)
 if (scontext)
 {
-#ifdef HAVE_SMACK
- if (smack_smackfs_path ())
+ if (is_smack_enabled ())
 ret = smack_set_label_for_self (scontext);
 else
-#endif
 ret = setfscreatecon (scontext);
 }
-- 
1.7.7.6