From: Tilman Baumann <tilman.baumann@collax.com>
To: Linux-Kernel <linux-kernel@vger.kernel.org>
Subject: SMACK startproc patch
Date: Thu, 25 Sep 2008 18:27:29 +0200 [thread overview]
Message-ID: <48DBBBF1.3050407@collax.com> (raw)
Sorry if I pollute the wrong list with my stuff. But SMACK does not seem
to have its own list and now lives in the kernel. Though this is
userspace related...
The smack howto mentions a not yet implemented smack option for
start-stop-daemon.
We mainly use startproc. So I made a patch which adds this functionality
to startproc.
It adds the option [-S LABEL] to startproc, which brings the called
process up with /proc/self/attr/current = LABEL.
I figured setting the security context should happen after things like
pidfiles were written. But this is certainly up for discussion.
This patch applies to killproc version 2.08.
Please enjoy and comment.
Regards
Tilman Baumann
--
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany
p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11
Geschaeftsfuehrer: William K. Hite / Boris Nalbach
AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942
[-- Attachment #2: killproc-smack.diff --]
[-- Type: text/x-patch, Size: 3268 bytes --]
diff -Nur killproc-2.08.orig/startproc.c killproc-2.08/startproc.c
--- killproc-2.08.orig/startproc.c 2005-05-25 15:40:58.000000000 +0200
+++ killproc-2.08/startproc.c 2008-09-15 19:49:21.000000000 +0200
@@ -17,6 +17,7 @@
* 1998/05/06 Werner Fink: rework, added "-p" for pid files
* 1999/08/05 Werner Fink: added "-t" for time to sleep, reenable "-e"
* 2000/11/10 Werner Fink: LSB specs, logging
+ * 2008/09/15 Tilman Baumann <tilman.baumann@collax.com>: Smack labels
*/
#include "libinit.h"
@@ -26,12 +27,12 @@
#include <grp.h>
#define USAGE "Usage:\n"\
- "\t%s [-f] [+/-<prio>] [-s] [-u uid] [-g gid] [-v] [-l log_file|-q] /full/path/to/program\n"
+ "\t%s [-f] [+/-<prio>] [-s] [-u uid] [-g gid] [-v] [-l log_file|-q] [-S smacklabel] /full/path/to/program\n"
#define USAGE_SD "Usage:\n"\
"\t%s [-f] [-n +/-<prio>] /full/path/to/program\n"
static int do_fork(const char *name, char *argv[], const char* log_file,
- const int nicelvl, const int env, const char* root, unsigned short flags);
+ const int nicelvl, const int env, const char* root, unsigned short flags, const char *smack);
static int quiet = 1, supprmsg = 0, sess = 0, seconds = 0, force = 0, dialog = 0;
static struct passwd *user = NULL;
@@ -54,6 +55,7 @@
char *fullname = NULL, *basename = NULL;
char *log_file = NULL, *pid_file = NULL, *ignore_file = NULL;
char *root = NULL;
+ char *smack = NULL;
int nicelvl = 0, env = 0;
unsigned short flags = (DAEMON|PIDOF);
@@ -81,7 +83,7 @@
}
opterr = 0;
- while ((c = getopt(argc, argv, "+c:edp:l:hqvsu:g:t:n:fLi:")) != -1) { /* `+' is POSIX correct */
+ while ((c = getopt(argc, argv, "+c:edp:l:hqvsu:S:g:t:n:fLi:")) != -1) { /* `+' is POSIX correct */
switch (c) {
case 'v':
quiet = 0;
@@ -211,6 +213,12 @@
case 'h':
error(0, (strcmp("startproc", we_are) ? USAGE_SD : USAGE), we_are);
break;
+ case 'S':
+ if (optarg && optarg[0] != '/' && optarg[0] != '-') {
+ smack = optarg;
+ } else
+ error(LSB_WRGSYN,"Option -S requires a smack label string\n");
+ break;
default:
break;
}
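Review bot: the validity check in `case 'S'` lets an empty string through: for `-S ""` `optarg[0]` is `'\0'`, which fails neither comparison, so `smack` becomes `""` and the child later writes an empty label. Labels containing whitespace or control characters pass as well. Suggest also rejecting `!optarg[0]` here, e.g. `if (optarg && optarg[0] && optarg[0] != '/' && optarg[0] != '-')`, and letting the write in do_fork report anything else the kernel refuses. Minor style point: the `if` is braced but the `else` is not; brace both to match the surrounding code.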
@@ -310,7 +318,7 @@
exit(LSB_OK); /* Accordingly to LSB we have succeed. */
force:
- (void)do_fork(fullname, argv, log_file, nicelvl, env, root, flags);
+ (void)do_fork(fullname, argv, log_file, nicelvl, env, root, flags, smack);
/* Do we have started it? */
@@ -340,7 +348,7 @@
/* The core function */
static int do_fork(const char *inname, char *argv[], const char* log_file,
- const int nicelvl, const int env, const char* root, unsigned short flags)
+ const int nicelvl, const int env, const char* root, unsigned short flags, const char *smack)
{
extern char * we_are;
int tty = 255;
@@ -474,6 +482,16 @@
close(devnull);
}
}
+ if (smack) {
+ FILE *smack_current;
+ if ((smack_current = fopen("/proc/self/attr/current", "w")) == 0 ) {
+ error(LSB_PROOF," can not set smack label (missing capability?). %s\n", strerror(errno));
+ } else {
+ fprintf(smack_current, "%s", smack);
+ fclose(smack_current);
+ }
+
+ }
fflush(stdout);
fflush(stderr); /* flush stdout and especially stderr */
closelog();
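Review bot: the failure branch only covers fopen(); the return values of fprintf() and fclose() are discarded, yet with stdio buffering the actual write(2) to /proc/self/attr/current happens at fclose(), and that is where the kernel rejects an invalid label or a writer lacking the required MAC privilege. As written such a failure is silent and the daemon is exec'd with the parent's label, i.e. the option fails open. Suggest checking `fclose(smack_current) != 0` (or using open/write/close directly and checking the write count) and routing that failure through the same error() path as the fopen case, so the process never starts unlabelled. The "(missing capability?)" hint belongs on that write-failure path rather than on fopen, whose open normally succeeds. It is also worth confirming that this block runs before any setuid()/setgid() done for -u/-g, since the write needs the caller's privilege; the hunk context does not show the ordering. Minor: the stray `+` blank line before the closing brace.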
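The label-setting step the message describes (write LABEL to /proc/self/attr/current, then run the daemon), as an added example that is not part of the patch or of the killproc project. It shows the fail-closed variant a reviewer would ask for: the label is validated first, the write is done with write(2) and its result checked, and the exec is refused if labelling fails. The helper names (smack_label_is_sane, smack_set_label_at, run_labelled, smack_roundtrip_scratch) and the SMACK_LABEL_MAX cap are assumptions made for this example; the attr path is a parameter so the error-checking logic can be exercised against an ordinary scratch file on a host without Smack.

```c
/* Added example, not code from the startproc patch or killproc.
 * Helper names and SMACK_LABEL_MAX are hypothetical choices for this example. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SMACK_ATTR_CURRENT "/proc/self/attr/current"
/* Conservative cap for this example; the kernel enforces its own limit. */
#define SMACK_LABEL_MAX 255

/* Reject labels that the kernel would refuse or that could be confused with
 * other startproc arguments: empty, leading '-' or '/', embedded whitespace
 * or control characters, or over-long strings. Returns 1 if acceptable. */
int smack_label_is_sane(const char *label)
{
    if (label == NULL || label[0] == '\0')
        return 0;
    if (label[0] == '-' || label[0] == '/')
        return 0;
    size_t n = strlen(label);
    if (n > SMACK_LABEL_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)label[i];
        if (isspace(c) || iscntrl(c))
            return 0;
    }
    return 1;
}

/* Write the label with one write(2) and check the result. On Smack the
 * validity and privilege checks happen on the write, not on the open, so a
 * buffered fprintf/fclose whose return values are ignored would fail open.
 * No O_TRUNC: procfs attr files reject size changes. Returns 0 on success,
 * -1 with errno set on failure. */
int smack_set_label_at(const char *attr_path, const char *label)
{
    if (!smack_label_is_sane(label)) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(attr_path, O_WRONLY);
    if (fd < 0)
        return -1;
    size_t len = strlen(label);
    ssize_t w = write(fd, label, len);
    int saved = errno;
    if (w < 0 || (size_t)w != len) {
        close(fd);
        errno = (w < 0) ? saved : EIO;
        return -1;
    }
    if (close(fd) < 0)
        return -1;
    return 0;
}

/* What a launcher should do just before exec: set the label, and refuse to
 * run the daemon unlabelled if that fails. Only returns on failure. */
int run_labelled(const char *label, char *const argv[])
{
    if (smack_set_label_at(SMACK_ATTR_CURRENT, label) < 0) {
        fprintf(stderr, "cannot set Smack label '%s': %s\n",
                label, strerror(errno));
        return -1;
    }
    execv(argv[0], argv);
    perror("execv");
    return -1;
}

/* Exercise the write path against a scratch file (no Smack needed).
 * Returns 1 if the label was written and reads back unchanged, 0 if the
 * label was refused, -1 if the scratch file could not be handled. */
int smack_roundtrip_scratch(const char *label)
{
    char path[] = "/tmp/smack-example-XXXXXX";
    char buf[SMACK_LABEL_MAX + 1];
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    int rc = smack_set_label_at(path, label);
    if (rc != 0) {
        unlink(path);
        return 0;
    }
    FILE *f = fopen(path, "r");
    if (!f) {
        unlink(path);
        return -1;
    }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    unlink(path);
    return strcmp(buf, label) == 0 ? 1 : 0;
}
```

On a real Smack host, run_labelled() is what the -S handling would call in the child right before the exec; a refused label (bad string, or no MAC privilege left after a -u/-g privilege drop) then aborts the start instead of leaving the daemon running under the launcher's label.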