[Toybox] integration of SMACK

José Bollo jobol at nonadev.net
Tue May 5 09:13:11 PDT 2015


On Tuesday, 5 May 2015 at 08:53 -0700, enh wrote:
> a few comments...
> 
> 
> +config MKNOD_SMACK
> 
> 
> 
> 
> we should probably call these something more generic because we know
> i'll be along a day later after the hard part is done adding the
> SELinux variant :-) right now (including your patch) it looks like we
> have TOY_SELINUX, TOY_SMACK, TOY_SECURITY, and TOY_Z all in
> circulation. although i added TOY_Z just the other day, maybe
> TOY_SECURITY is the best choice? anyway, if rob lets us know which he
> prefers, it's probably helpful if we stick to one idiom.

TOY_SECURITY is great. I had the dream that it could be dynamic: you
change the boot to get SELINUX or to get SMACK, and the tool adapts itself.
But this idea leads to a kind of nightmare for people other than me 8)

> (using SMACK at least lets me grep for stuff i need to look at, but i
> don't know whether to use SECURITY or Z when i do.)

I also must add stat %C

> + if
> (smack_set_label_for_path(*s, XATTR_NAME_SMACK, 0, TT.arg_context) < 0) {
> 
> 
> + unlink(*s);
> 
> 
> + error_exit("Unable to
> create fifo '%s' with
> '%s' as context.", *s,
> TT.arg_context);
> 
> 
> + }
> 
> 
> 
> 
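Review bot: the label-failure path calls error_exit(), which stops the command at the first path whose label cannot be set and drops errno, while the mknod() failure quoted further down only reports with perror_msg(). Consider perror_msg() here as well after the unlink(*s), so the reason for the failure is shown and the two failure paths behave the same way. The message also says "Unable to create fifo" at a point where the fifo has already been created and it is the labelling that failed; wording it as a failure to set the context would match what the code does.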
> this seems to be duplicated a few times, and we'll need the SELinux
> equivalent too. add a set_security_label to lib? you can pass a
> boolean to distinguish unlink from rmdir (or just use rename if we
> don't care since this is the failure case anyway). 

Why not. But I am not sure that the number of uses is enough, and the use
regular enough, for it to really need to be in lib?

> + if (mknod(*s, S_IFIFO
> | TT.mode, 0) < 0) {
> 
> 
> + perror_msg("%s", *s);
> 
> 
> + }
> 
> 
> + if (CFG_MKFIFO_SMACK)
> {
> 
> 
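Review bot: after the mknod() failure branch, perror_msg() returns and control falls through to the if (CFG_MKFIFO_SMACK) block, so whatever that block does to *s is applied to a path this call did not create, for example one that already existed. If it is the labelling code quoted above, an existing file would be relabelled, or removed by unlink(*s) when the labelling fails. Make the CFG_MKFIFO_SMACK block the else of the mknod() check, or continue after perror_msg().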
> i think you missed an 'else' here?

Yes you are right. Thank you. I will change it tomorrow.

Best regards
José Bollo