author | Colin Walters <walters@verbum.org> | 2017-02-21 13:58:40 -0500 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2017-02-22 14:37:19 +0000 |
commit | 3ec509c89b07efbfc4b4d007327609b6dee77dd3 (patch) | |
tree | 6c97e13c25bc66bf03f412c4c02839189b5f963a | |
parent | 515f83206785bd9fb50b77df17b48bbed2827cff (diff) | |
download | ostree-3ec509c89b07efbfc4b4d007327609b6dee77dd3.tar.gz |
build: Add --with-smack, use it to reset contexts for writing objects
At some point we'll want to follow what systemd is doing and add
better support for smack, along the lines of `OstreeSePolicy`. However,
in the short term this patch fixes AGL, which uses Smack.
See: https://jira.automotivelinux.org/browse/SPEC-386
See: https://github.com/ostreedev/ostree/pull/698
Closes: #698
Approved by: OYTIS
-rw-r--r-- | configure.ac | 8 | ||||
-rw-r--r-- | src/libostree/ostree-repo-commit.c | 26 |
2 files changed, 34 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 3448ab6e..c5940c9f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -273,6 +273,14 @@ AS_IF([ test x$with_selinux != xno ], [
 if test x$with_selinux != xno; then OSTREE_FEATURES="$OSTREE_FEATURES +selinux"; fi
 AM_CONDITIONAL(USE_SELINUX, test $with_selinux != no)
+AC_ARG_WITH(smack,
+AS_HELP_STRING([--with-smack], [Enable smack]),
+:, with_smack=no)
+AS_IF([ test x$with_smack = xyes], [
+ AC_DEFINE([WITH_SMACK], 1, [Define if we have smack.pc])
+])
+AM_CONDITIONAL(USE_SMACK, test $with_smack != no)
+
 dnl This is what is in RHEL7.2 right now, picking it arbitrarily
 LIBMOUNT_DEPENDENCY="mount >= 2.23.0"
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
index 07940f48..f6129ca6 100644
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
@@ -110,6 +110,30 @@ write_file_metadata_to_xattr (int fd,
 return TRUE;
 }
+/* See https://github.com/ostreedev/ostree/pull/698 */
+#ifdef WITH_SMACK
+#define XATTR_NAME_SMACK "security.SMACK64"
+#endif
+
+static void
+ot_security_smack_reset_dfd_name (int dfd, const char *name)
+{
+#ifdef WITH_SMACK
+ char buf[PATH_MAX];
+ /* See glnx-xattrs.c */
+ snprintf (buf, sizeof (buf), "/proc/self/fd/%d/%s", dfd, name);
+ (void) lremovexattr (buf, XATTR_NAME_SMACK);
+#endif
+}
+
+static void
+ot_security_smack_reset_fd (int fd)
+{
+#ifdef WITH_SMACK
+ (void) fremovexattr (fd, XATTR_NAME_SMACK);
+#endif
+}
+
 gboolean
 _ostree_repo_commit_loose_final (OstreeRepo *self,
 const char *checksum,
@@ -221,6 +245,7 @@ commit_loose_object_trusted (OstreeRepo *self,
 if (xattrs != NULL)
 {
+ ot_security_smack_reset_dfd_name (self->tmp_dir_fd, temp_filename);
 if (!glnx_dfd_name_set_all_xattrs (self->tmp_dir_fd, temp_filename, xattrs,
 cancellable, error))
 goto out;
@@ -252,6 +277,7 @@ commit_loose_object_trusted (OstreeRepo *self,
 if (xattrs)
 {
+ ot_security_smack_reset_fd (fd);
 if (!glnx_fd_set_all_xattrs (fd, xattrs, cancellable, error))
 goto out;
 }
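Review bot: The new `--with-smack` option never appends `+smack` to `OSTREE_FEATURES`, unlike the `+selinux` line two lines above it, so a build with Smack support enabled will not advertise it in the feature list. Adding `if test x$with_smack != xno; then OSTREE_FEATURES="$OSTREE_FEATURES +smack"; fi` next to the `AM_CONDITIONAL(USE_SMACK, …)` line keeps the two options parallel. The `AC_DEFINE` description `[Define if we have smack.pc]` is also misleading: nothing in this hunk checks for a smack.pc, the define is driven purely by the option value, so `[Define if Smack label handling is enabled]` describes it better. Note too that `AS_IF` tests for exactly `xyes` while `AM_CONDITIONAL` tests `!= no`, so a value such as `--with-smack=auto` would set `USE_SMACK` without defining `WITH_SMACK`; using the same test in both places avoids that split state.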
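Review bot: `ot_security_smack_reset_dfd_name` ignores the `snprintf` return value, so a `name` that does not fit in `buf` is silently truncated and `lremovexattr` then targets a different (or nonexistent) path with no indication; the formatted length should be checked before the path is used. Both helpers also cast the removexattr result to `(void)`, which hides every failure including `EPERM`/`EACCES`, and a removal that fails leaves whatever Smack label the file already carried in place on the committed object — distinguishing the expected `ENODATA` from other errors and logging the latter would make such a misconfiguration visible instead of silent (the same applies to `ot_security_smack_reset_fd`). Neither helper says what it is for; a header comment such as `/* Drop any existing Smack label so the label from the commit's xattrs, if any, is the only one applied. */` would cover both. `PATH_MAX`, `lremovexattr`/`fremovexattr`, `errno` and `WITH_SMACK` presumably come from `<limits.h>`, `<sys/xattr.h>`, `<errno.h>` and `config.h`, none of which is visible in the hunk, so confirm the file already includes them; the trailing context belongs to `_ostree_repo_commit_loose_final`, whose body lies outside the hunk.
```c
static void
ot_security_smack_reset_dfd_name (int dfd, const char *name)
{
#ifdef WITH_SMACK
  char buf[PATH_MAX];
  /* See glnx-xattrs.c */
  int n = snprintf (buf, sizeof (buf), "/proc/self/fd/%d/%s", dfd, name);
  if (n < 0 || (size_t) n >= sizeof (buf))
    {
      g_warning ("Path for %s too long, not resetting %s", name, XATTR_NAME_SMACK);
      return;
    }
  /* ENODATA just means no label was present, which is the normal case */
  if (lremovexattr (buf, XATTR_NAME_SMACK) < 0 && errno != ENODATA)
    g_warning ("Failed to reset %s on %s: %s", XATTR_NAME_SMACK, name, g_strerror (errno));
#endif
}
/* … unchanged: ot_security_smack_reset_fd, with the same errno check on fremovexattr … */
```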
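Review bot: Both new calls sit inside the `if (xattrs != NULL)` and `if (xattrs)` guards, so when no xattr set is supplied any Smack label already on the file is left untouched; if a NULL `xattrs` can mean "this object has no xattrs" rather than "do not touch xattrs", the committed object keeps the label it was created with. I cannot tell from these hunks which of the two is meant (`commit_loose_object_trusted` starts and ends outside them), so either confirm that NULL only occurs for repository modes that do not store xattrs on the object, or move the reset calls ahead of the guards. A one-line comment at the call site, e.g. `/* Drop any existing Smack label before applying the committed xattrs. */`, would also record why the reset must precede `glnx_dfd_name_set_all_xattrs`. The same point applies to the second hunk, where `ot_security_smack_reset_fd (fd)` precedes `glnx_fd_set_all_xattrs`.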