packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

build: Add --with-smack, use it to reset contexts for writing objects 

At some point we'll want to follow what systemd is doing and add
better support for smack, along the lines of `OstreeSePolicy`.  However,
short term this patch fixes AGL which uses Smack.

See: https://jira.automotivelinux.org/browse/SPEC-386
See: https://github.com/ostreedev/ostree/pull/698

Closes: #698
Approved by: OYTIS
This commit is contained in:
Colin Walters 2017-02-21 13:58:40 -05:00 committed by Atomic Bot
parent 515f832067
commit 3ec509c89b
2 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
configure.ac
View File

@ -273,6 +273,14 @@ AS_IF([ test x$with_selinux != xno ], [
if test x$with_selinux != xno; then OSTREE_FEATURES="$OSTREE_FEATURES +selinux"; fi if test x$with_selinux != xno; then OSTREE_FEATURES="$OSTREE_FEATURES +selinux"; fi
AM_CONDITIONAL(USE_SELINUX, test $with_selinux != no) AM_CONDITIONAL(USE_SELINUX, test $with_selinux != no)
AC_ARG_WITH(smack,
AS_HELP_STRING([--with-smack], [Enable smack]),
:, with_smack=no)
AS_IF([ test x$with_smack = xyes], [
AC_DEFINE([WITH_SMACK], 1, [Define if we have smack.pc])
])
AM_CONDITIONAL(USE_SMACK, test $with_smack != no)
dnl This is what is in RHEL7.2 right now, picking it arbitrarily dnl This is what is in RHEL7.2 right now, picking it arbitrarily
LIBMOUNT_DEPENDENCY="mount >= 2.23.0" LIBMOUNT_DEPENDENCY="mount >= 2.23.0"

26
src/libostree/ostree-repo-commit.c
View File

@ -110,6 +110,30 @@ write_file_metadata_to_xattr (int fd,
return TRUE; return TRUE;
} }
/* See https://github.com/ostreedev/ostree/pull/698 */
#ifdef WITH_SMACK
#define XATTR_NAME_SMACK "security.SMACK64"
#endif
static void
ot_security_smack_reset_dfd_name (int dfd, const char *name)
{
#ifdef WITH_SMACK
char buf[PATH_MAX];
/* See glnx-xattrs.c */
snprintf (buf, sizeof (buf), "/proc/self/fd/%d/%s", dfd, name);
(void) lremovexattr (buf, XATTR_NAME_SMACK);
#endif
}
static void
ot_security_smack_reset_fd (int fd)
{
#ifdef WITH_SMACK
(void) fremovexattr (fd, XATTR_NAME_SMACK);
#endif
}
gboolean gboolean
_ostree_repo_commit_loose_final (OstreeRepo *self, _ostree_repo_commit_loose_final (OstreeRepo *self,
const char *checksum, const char *checksum,
@ -221,6 +245,7 @@ commit_loose_object_trusted (OstreeRepo *self,
if (xattrs != NULL) if (xattrs != NULL)
{ {
ot_security_smack_reset_dfd_name (self->tmp_dir_fd, temp_filename);
if (!glnx_dfd_name_set_all_xattrs (self->tmp_dir_fd, temp_filename, if (!glnx_dfd_name_set_all_xattrs (self->tmp_dir_fd, temp_filename,
xattrs, cancellable, error)) xattrs, cancellable, error))
goto out; goto out;
@ -252,6 +277,7 @@ commit_loose_object_trusted (OstreeRepo *self,
if (xattrs) if (xattrs)
{ {
ot_security_smack_reset_fd (fd);
if (!glnx_fd_set_all_xattrs (fd, xattrs, cancellable, error)) if (!glnx_fd_set_all_xattrs (fd, xattrs, cancellable, error))
goto out; goto out;
} }