[Toybox] integration of SMACK
José Bollo
jobol at nonadev.net
Tue May 5 09:13:11 PDT 2015
On Tuesday 05 May 2015 at 08:53 -0700, enh wrote:
> a few comments...
>
>
> +config MKNOD_SMACK
>
>
>
>
> we should probably call these something more generic because we know
> i'll be along a day later after the hard part is done adding the
> SELinux variant :-) right now (including your patch) it looks like we
> have TOY_SELINUX, TOY_SMACK, TOY_SECURITY, and TOY_Z all in
> circulation. although i added TOY_Z just the other day, maybe
> TOY_SECURITY is the best choice? anyway, if rob lets us know which he
> prefers, it's probably helpful if we stick to one idiom.
TOY_SECURITY is great. I had the dream that it could be dynamic: you
change the boot to get SELINUX or to get SMACK, and the tool adapts itself.
But this idea leads to a kind of nightmare for people other than me 8)
> (using SMACK at least lets me grep for stuff i need to look at, but i
> don't know whether to use SECURITY or Z when i do.)
I also must add stat %C
> + if
> (smack_set_label_for_path(*s, XATTR_NAME_SMACK, 0, TT.arg_context) < 0) {
>
>
> + unlink(*s);
>
>
> + error_exit("Unable to
> create fifo '%s' with
> '%s' as context.", *s,
> TT.arg_context);
>
>
> + }
>
>
>
>
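Review bot: error_exit() in the label-failure branch stops the command at the first name that cannot be labeled, while the mknod() failure path quoted further down uses perror_msg() and carries on with the remaining arguments. Using perror_msg() here as well, after the unlink(*s), would keep the two failure paths consistent and would also report why smack_set_label_for_path() failed.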
> this seems to be duplicated a few times, and we'll need the SELinux
> equivalent too. add a set_security_label to lib? you can pass a
> boolean to distinguish unlink from rmdir (or just use rename if we
> don't care since this is the failure case anyway).
Why not. But I am not sure that the number of uses is large enough, and
the use regular enough, for it to really need to be in lib?
> + if (mknod(*s, S_IFIFO
> | TT.mode, 0) < 0) {
>
>
> + perror_msg("%s", *s);
>
>
> + }
>
>
> + if (CFG_MKFIFO_SMACK)
> {
>
>
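Review bot: with no `else` between the mknod() failure branch and `if (CFG_MKFIFO_SMACK)`, the label code still runs after mknod() has failed. If that block is the smack_set_label_for_path()/unlink(*s) sequence quoted above, a name that already existed (so mknod() failed) would either be relabeled or, when labeling fails, unlinked, although this command did not create it. Make the label step conditional on mknod() having succeeded, for example `else if (CFG_MKFIFO_SMACK) {`.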
> i think you missed an 'else' here?
Yes you are right. Thank you. I will change it tomorrow.
Best regards
José Bollo
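
The lib helper discussed in this thread, with the boolean that selects rmdir over unlink, written out as an added example; it is not code from the patch or from toybox. The signature of `set_security_label`, the `label_fn` hook, `make_labeled_fifo` and the two stub backends are assumptions, and no Smack or SELinux library is linked.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical backend hook: returns 0 on success, -1 with errno set.
 * A Smack build would wrap smack_set_label_for_path() here, an SELinux
 * build its own call. Neither is linked in this example. */
typedef int (*label_fn)(const char *path, const char *label);

/* Hypothetical lib helper: label a node this process just created and
 * remove it again if labeling fails. is_dir selects rmdir over unlink. */
int set_security_label(const char *path, const char *label, int is_dir,
                       label_fn backend)
{
  int saved;

  if (!backend(path, label)) return 0;
  saved = errno;                 /* keep the labeling error for the caller */
  if (is_dir) rmdir(path);
  else unlink(path);
  errno = saved;
  return -1;
}

/* Create a fifo, then label it. The label step is reached only when
 * mknod() succeeded, so a pre-existing path is never relabeled or removed. */
int make_labeled_fifo(const char *path, mode_t mode, const char *label,
                      label_fn backend)
{
  if (mknod(path, S_IFIFO | mode, 0) < 0) return -1;
  if (label) return set_security_label(path, label, 0, backend);
  return 0;
}

/* Constructed stand-in backends so the flow runs without an LSM. */
static int label_calls;
int label_ok(const char *p, const char *l) { (void)p; (void)l; label_calls++; return 0; }
int label_fail(const char *p, const char *l) { (void)p; (void)l; label_calls++; errno = EPERM; return -1; }

int main(void)
{
  int rc = make_labeled_fifo("demo.fifo", 0644, "Demo", label_ok);

  if (!rc) unlink("demo.fifo");
  return rc ? 1 : 0;
}
```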