SMACK startproc patch

From: Tilman Baumann
Date: Thu Sep 25 2008 - 12:58:06 EST


Sorry if i pollute the wrong list with my stuff. But SMACK does not seem to have it's own list and now lives in the kernel. Though this is userspace related...

The smack howto mentions a not yet implemented smack option for start-stop-daemon.
We mainly use startproc. So i made a patch which adds this functionality to startproc.

It adds the option [-S LABEL] to startproc, which brings the called process up with /proc/self/attr/current = LABEL.
I figured setting the security context should happen after things like pidfiles where written. But this is certainly up for discussion.

This patch applies to killproc version 2.08.

Please enjoy and comment.

Regards
Tilman Baumann

--
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany

p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11

Geschaeftsfuehrer: William K. Hite / Boris Nalbach
AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942
diff -Nur killproc-2.08.orig/startproc.c killproc-2.08/startproc.c
--- killproc-2.08.orig/startproc.c 2005-05-25 15:40:58.000000000 +0200
+++ killproc-2.08/startproc.c 2008-09-15 19:49:21.000000000 +0200
@@ -17,6 +17,7 @@
* 1998/05/06 Werner Fink: rework, added "-p" for pid files
* 1999/08/05 Werner Fink: added "-t" for time to sleep, reenable "-e"
* 2000/11/10 Werner Fink: LSB specs, logging
+ * 2008/09/15 Tilman Baumann <tilman.baumann@xxxxxxxxxx>: Smack labels
*/

#include "libinit.h"
@@ -26,12 +27,12 @@
#include <grp.h>

#define USAGE "Usage:\n"\
- "\t%s [-f] [+/-<prio>] [-s] [-u uid] [-g gid] [-v] [-l log_file|-q] /full/path/to/program\n"
+ "\t%s [-f] [+/-<prio>] [-s] [-u uid] [-g gid] [-v] [-l log_file|-q] [-S smacklabel] /full/path/to/program\n"
#define USAGE_SD "Usage:\n"\
"\t%s [-f] [-n +/-<prio>] /full/path/to/program\n"

static int do_fork(const char *name, char *argv[], const char* log_file,
- const int nicelvl, const int env, const char* root, unsigned short flags);
+ const int nicelvl, const int env, const char* root, unsigned short flags, const char *smack);

static int quiet = 1, supprmsg = 0, sess = 0, seconds = 0, force = 0, dialog = 0;
static struct passwd *user = NULL;
@@ -54,6 +55,7 @@
char *fullname = NULL, *basename = NULL;
char *log_file = NULL, *pid_file = NULL, *ignore_file = NULL;
char *root = NULL;
+ char *smack = NULL;
int nicelvl = 0, env = 0;
unsigned short flags = (DAEMON|PIDOF);

@@ -81,7 +83,7 @@
}

opterr = 0;
- while ((c = getopt(argc, argv, "+c:edp:l:hqvsu:g:t:n:fLi:")) != -1) { /* `+' is POSIX correct */
+ while ((c = getopt(argc, argv, "+c:edp:l:hqvsu:S:g:t:n:fLi:")) != -1) { /* `+' is POSIX correct */
switch (c) {
case 'v':
quiet = 0;
@@ -211,6 +213,12 @@
case 'h':
error(0, (strcmp("startproc", we_are) ? USAGE_SD : USAGE), we_are);
break;
+ case 'S':
+ if (optarg && optarg[0] != '/' && optarg[0] != '-') {
+ smack = optarg;
+ } else
+ error(LSB_WRGSYN,"Option -S requires a smack label string\n");
+ break;
default:
break;
}
@@ -310,7 +318,7 @@
exit(LSB_OK); /* Accordingly to LSB we have succeed. */

force:
- (void)do_fork(fullname, argv, log_file, nicelvl, env, root, flags);
+ (void)do_fork(fullname, argv, log_file, nicelvl, env, root, flags, smack);

/* Do we have started it? */

@@ -340,7 +348,7 @@

/* The core function */
static int do_fork(const char *inname, char *argv[], const char* log_file,
- const int nicelvl, const int env, const char* root, unsigned short flags)
+ const int nicelvl, const int env, const char* root, unsigned short flags, const char *smack)
{
extern char * we_are;
int tty = 255;
@@ -474,6 +482,16 @@
close(devnull);
}
}
+ if (smack) {
+ FILE *smack_current;
+ if ((smack_current = fopen("/proc/self/attr/current", "w")) == 0 ) {
+ error(LSB_PROOF," can not set smack label (missing capability?). %s\n", strerror(errno));
+ } else {
+ fprintf(smack_current, "%s", smack);
+ fclose(smack_current);
+ }
+
+ }
fflush(stdout);
fflush(stderr); /* flush stdout and especially stderr */
closelog();