[AGL/meta-agl.git] / meta-security / recipes-core / systemd / systemd / 0005-tizen-smack-Handling-network-v216.patch

From c257eade1a39ea00d26c4c297efd654b6ad4edb4 Mon Sep 17 00:00:00 2001
From: Casey Schaufler <casey@schaufler-ca.com>
Date: Fri, 8 Nov 2013 09:42:26 -0800
Subject: [PATCH 5/9] tizen-smack: Handling network

- Set Smack ambient to match run label
- Set Smack netlabel host rules

Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the
run label of systemd. System services may expect to
communicate with external services over IP. Setting
the ambient label assigns that label to IP packets
that do not include CIPSO headers. This allows systemd
and the services it spawns access to unlabeled IP
packets, and hence external services.

A system may choose to restrict network access to
particular services later in the startup process.
This is easily done by resetting the ambient label
elsewhere.

Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be
single label hosts at the specified label. Set the loopback
address to be a CIPSO host.

If any netlabel host rules are defined in /etc/smack/netlabel.d
install them into the smackfs netlabel interface.

Upstream-Status: Pending

---
 src/core/smack-setup.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c
index 59f6832..33dc1ca 100644
--- a/src/core/smack-setup.c
+++ b/src/core/smack-setup.c
@@ -42,6 +42,7 @@
 
 #define SMACK_CONFIG "/etc/smack/accesses.d/"
 #define CIPSO_CONFIG "/etc/smack/cipso.d/"
+#define NETLABEL_CONFIG "/etc/smack/netlabel.d/"
 
 #ifdef HAVE_SMACK
 
@@ -146,6 +147,19 @@ int smack_setup(bool *loaded_policy) {
         if (r)
                 log_warning("Failed to set SMACK label \"%s\" on self: %s",
                             SMACK_RUN_LABEL, strerror(-r));
+        r = write_string_file("/sys/fs/smackfs/ambient", SMACK_RUN_LABEL);
+        if (r)
+                log_warning("Failed to set SMACK ambient label \"%s\": %s",
+                            SMACK_RUN_LABEL, strerror(-r));
+        r = write_string_file("/sys/fs/smackfs/netlabel",
+                            "0.0.0.0/0 " SMACK_RUN_LABEL);
+        if (r)
+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
+                            "0.0.0.0/0 " SMACK_RUN_LABEL, strerror(-r));
+        r = write_string_file("/sys/fs/smackfs/netlabel", "127.0.0.1 -CIPSO");
+        if (r)
+                log_warning("Failed to set SMACK netlabel rule \"%s\": %s",
+                            "127.0.0.1 -CIPSO", strerror(-r));
 #endif
 
         r = write_rules("/sys/fs/smackfs/cipso2", CIPSO_CONFIG);
@@ -155,14 +169,31 @@ int smack_setup(bool *loaded_policy) {
                 return 0;
         case ENOENT:
                 log_debug("Smack/CIPSO access rules directory " CIPSO_CONFIG " not found");
-                return 0;
+                break;
         case 0:
                 log_info("Successfully loaded Smack/CIPSO policies.");
-                return 0;
+                break;
         default:
                 log_warning("Failed to load Smack/CIPSO access rules: %s, ignoring.",
                             strerror(abs(r)));
+                break;
+        }
+
+        r = write_rules("/sys/fs/smackfs/netlabel", NETLABEL_CONFIG);
+        switch(r) {
+        case -ENOENT:
+                log_debug("Smack/CIPSO is not enabled in the kernel.");
                 return 0;
+        case ENOENT:
+                log_debug("Smack network host rules directory " NETLABEL_CONFIG " not found");
+                break;
+        case 0:
+                log_info("Successfully loaded Smack network host rules.");
+                break;
+        default:
+                log_warning("Failed to load Smack network host rules: %s, ignoring.",
+                            strerror(abs(r)));
+                break;
         }
 
         *loaded_policy = true;
-- 
1.8.4.5