authorJarkko Sakkinen <jarkko.sakkinen@iki.fi>2013-05-04 20:44:53 +0300
committerMichael Demeter <michael.demeter@intel.com>2013-08-12 15:49:39 -0700
commit9ec2f172808b6fe936a4e99675ebdaeb1a372a67 (patch)
treef413b1e3eb928590ff9ed4483253ced8d46d8a85
parentd1774d2a7087770fac4cf93dd4e0ed396e3424d1 (diff)
downloadcoreutils-9ec2f172808b6fe936a4e99675ebdaeb1a372a67.tar.gz
coreutils-9ec2f172808b6fe936a4e99675ebdaeb1a372a67.tar.bz2
coreutils-9ec2f172808b6fe936a4e99675ebdaeb1a372a67.zip
id: with -Z, show SMACK security context
Adds an optional dependency on libsmack. * m4/jm-macros.m4: Look for the smack library/header. * src/id.c (main): Output the smack context if available. * src/local.mk: Link with libsmack if available. * NEWS: Mention the new feature. Signed-off-by: Michael Demeter <michael.demeter@intel.com> Conflicts: NEWS Change-Id: I1f6bb85309245b8172e2106f3102e040562109a9
-rw-r--r--NEWS2
-rw-r--r--m4/jm-macros.m420
-rw-r--r--src/id.c24
-rw-r--r--src/local.mk1
4 files changed, 43 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 7122f4105..af45f7c33 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,8 @@ GNU coreutils NEWS -*- outline -*-
** New features
+ id -Z reports the SMACK security context where available.
+
df now accepts the --output[=FIELD_LIST] option to define the list of columns
to include in the output, or all available columns if the FIELD_LIST is
omitted. Note this enables df to output both block and inode fields together.
diff --git a/m4/jm-macros.m4 b/m4/jm-macros.m4
index 3f95def86..2e0476de3 100644
--- a/m4/jm-macros.m4
+++ b/m4/jm-macros.m4
@@ -141,6 +141,26 @@ AC_DEFUN([coreutils_MACROS],
fi
AC_SUBST([LIB_CAP])
+ # Check whether libsmack is available
+ LIB_SMACK=
+ AC_ARG_ENABLE([libsmack],
+ AC_HELP_STRING([--disable-libsmack], [disable libsmack support]))
+ if test "X$enable_libsmack" != "Xno"; then
+ AC_CHECK_LIB([smack], [smack_smackfs_path],
+ [AC_CHECK_HEADER([sys/smack.h],
+ [LIB_SMACK=-lsmack
+ AC_DEFINE([HAVE_SMACK], [1], [libsmack usability])]
+ )])
+ if test "X$LIB_SMACK" = "X"; then
+ if test "X$enable_libsmack" = "Xyes"; then
+ AC_MSG_ERROR([libsmack library was not found or not usable])
+ fi
+ fi
+ else
+ AC_MSG_WARN([libsmack support disabled by user])
+ fi
+ AC_SUBST([LIB_SMACK])
+
# See if linking 'seq' requires -lm.
# It does on nearly every system. The single exception (so far) is
# BeOS which has all the math functions in the normal runtime library
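Review bot: `AC_HELP_STRING` in the `AC_ARG_ENABLE([libsmack], ...)` call is an obsolete Autoconf macro, and the help argument is passed unquoted; the current form would be `[AS_HELP_STRING([--disable-libsmack], [disable libsmack support])]`. The `AC_MSG_WARN` in the `else` branch warns about a choice the user made explicitly with --disable-libsmack, so `AC_MSG_NOTICE` (or no message) would be quieter. If the neighbouring checks in this file use the older spelling on purpose, consistency may explain it, but that is not visible in this hunk.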
diff --git a/src/id.c b/src/id.c
index b5a7214d3..937b7234d 100644
--- a/src/id.c
+++ b/src/id.c
@@ -24,6 +24,9 @@
#include <grp.h>
#include <getopt.h>
#include <selinux/selinux.h>
+#ifdef HAVE_SMACK
+# include <sys/smack.h>
+#endif
#include "system.h"
#include "error.h"
@@ -107,6 +110,9 @@ main (int argc, char **argv)
{
int optc;
int selinux_enabled = (is_selinux_enabled () > 0);
+#ifdef HAVE_SMACK
+ int smack_enabled = (smack_smackfs_path () != NULL);
+#endif
/* If true, output the list of all group IDs. -G */
bool just_group_list = false;
@@ -134,10 +140,17 @@ main (int argc, char **argv)
break;
case 'Z':
- /* politely decline if we're not on a selinux-enabled kernel. */
+ /* politely decline if we're not on a SELinux/SMACK-enabled kernel. */
+#ifdef HAVE_SMACK
+ if (!selinux_enabled && !smack_enabled)
+ error (EXIT_FAILURE, 0,
+ _("--context (-Z) works only on "
+ "an SELinux/SMACK-enabled kernel"));
+#else
if (!selinux_enabled)
error (EXIT_FAILURE, 0,
_("--context (-Z) works only on an SELinux-enabled kernel"));
+#endif
just_context = 1;
break;
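Review bot: The -Z check is duplicated under `#ifdef HAVE_SMACK` / `#else` only because `smack_enabled` exists solely in SMACK builds (see the earlier hunk's `int smack_enabled = (smack_smackfs_path () != NULL);`). Declaring the flag unconditionally, for example `bool smack_enabled = false;` with the `smack_smackfs_path ()` assignment kept inside `#ifdef HAVE_SMACK`, would let this case use a single `if (!selinux_enabled && !smack_enabled)` and one translatable message. It would also make the flag a `bool` like the neighbouring `just_group_list`. The enclosing switch and main continue outside this hunk.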
@@ -189,14 +202,17 @@ main (int argc, char **argv)
and we're not in POSIXLY_CORRECT mode, get our context. Otherwise,
leave the context variable alone - it has been initialized to an
invalid value that will be not displayed in print_full_info(). */
- if (selinux_enabled
- && n_ids == 0
+ if (n_ids == 0
&& (just_context
|| (default_format && ! getenv ("POSIXLY_CORRECT"))))
{
/* Report failure only if --context (-Z) was explicitly requested. */
- if (getcon (&context) && just_context)
+ if (selinux_enabled && getcon (&context) && just_context)
+ error (EXIT_FAILURE, 0, _("can't get process context"));
+#ifdef HAVE_SMACK
+ else if (smack_enabled && smack_new_label_from_self ((char **) &context))
error (EXIT_FAILURE, 0, _("can't get process context"));
+#endif
}
if (n_ids == 1)
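Review bot: The SMACK branch `else if (smack_enabled && smack_new_label_from_self ((char **) &context))` exits on failure even when -Z was not requested, which contradicts the comment directly above it ("Report failure only if --context (-Z) was explicitly requested"), so a plain `id` can fail on a SMACK system where the label cannot be read. It also treats any non-zero return as an error; if the installed libsmack returns the label length on success (later releases appear to), every successful call would be reported as a failure, whereas testing `< 0` is correct under either convention. Suggested line: `else if (smack_enabled && smack_new_label_from_self ((char **) &context) < 0 && just_context)`. Separately, because this is the `else` of a three-part condition, it also runs after a successful getcon () and would overwrite `context` if both flags were ever true. main's body starts and ends outside this hunk.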
diff --git a/src/local.mk b/src/local.mk
index 982cd4da3..0570d73a9 100644
--- a/src/local.mk
+++ b/src/local.mk
@@ -228,6 +228,7 @@ copy_ldadd += $(LIB_SELINUX)
src_chcon_LDADD += $(LIB_SELINUX)
src_ginstall_LDADD += $(LIB_SELINUX)
src_id_LDADD += $(LIB_SELINUX)
+src_id_LDADD += $(LIB_SMACK)
src_ls_LDADD += $(LIB_SELINUX)
src_mkdir_LDADD += $(LIB_SELINUX)
src_mkfifo_LDADD += $(LIB_SELINUX)