Diffstat (limited to 'src/mknod.c')
-rw-r--r--src/mknod.c63
1 files changed, 53 insertions, 10 deletions
diff --git a/src/mknod.c b/src/mknod.c
index 7cfc708d..8f547e9c 100644
--- a/src/mknod.c
+++ b/src/mknod.c
@@ -1,5 +1,5 @@
/* mknod -- make special files
- Copyright (C) 1990-2013 Free Software Foundation, Inc.
+ Copyright (C) 1990-2014 Free Software Foundation, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -26,6 +26,8 @@
#include "error.h"
#include "modechange.h"
#include "quote.h"
+#include "selinux.h"
+#include "smack.h"
#include "xstrtol.h"
/* The official name of this program (e.g., no 'g' prefix). */
@@ -61,7 +63,9 @@ Create the special file NAME of the given TYPE.\n\
-m, --mode=MODE set file permission bits to MODE, not a=rw - umask\n\
"), stdout);
fputs (_("\
- -Z, --context=CTX set the SELinux security context of NAME to CTX\n\
+ -Z set the SELinux security context to default type\n\
+ --context[=CTX] like -Z, or if CTX is specified then set the SELinux\n\
+ or SMACK security context to CTX\n\
"), stdout);
fputs (HELP_OPTION_DESCRIPTION, stdout);
fputs (VERSION_OPTION_DESCRIPTION, stdout);
@@ -92,7 +96,8 @@ main (int argc, char **argv)
int optc;
int expected_operands;
mode_t node_type;
- security_context_t scontext = NULL;
+ char const *scontext = NULL;
+ bool set_security_context = false;
initialize_main (&argc, &argv);
set_program_name (argv[0]);
@@ -102,7 +107,7 @@ main (int argc, char **argv)
atexit (close_stdout);
- while ((optc = getopt_long (argc, argv, "m:Z:", longopts, NULL)) != -1)
+ while ((optc = getopt_long (argc, argv, "m:Z", longopts, NULL)) != -1)
{
switch (optc)
{
@@ -110,7 +115,24 @@ main (int argc, char **argv)
specified_mode = optarg;
break;
case 'Z':
- scontext = optarg;
+ if (is_smack_enabled ())
+ {
+ /* We don't yet support -Z to restore context with SMACK. */
+ scontext = optarg;
+ }
+ else if (is_selinux_enabled () > 0)
+ {
+ if (optarg)
+ scontext = optarg;
+ else
+ set_security_context = true;
+ }
+ else if (optarg)
+ {
+ error (0, 0,
+ _("warning: ignoring --context; "
+ "it requires an SELinux/SMACK-enabled kernel"));
+ }
break;
case_GETOPT_HELP_CHAR;
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
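Review bot: In the SMACK branch of `case 'Z':` a bare `-Z` leaves `scontext` NULL and is dropped without any diagnostic, so a user who asked for a default label gets an unlabeled-by-request node and no hint why. The in-code comment admits the gap; the user should be told as well, for example `else error (0, 0, _("warning: ignoring -Z; default labeling is not supported with SMACK"));` after an `if (optarg) scontext = optarg;`. Separately, on SELinux a command line carrying both `-Z` and `--context=CTX` leaves both `scontext` and `set_security_context` set, and which one ends up applied depends on code further down in main; a comment stating the intended precedence would help. The switch and the `longopts` table sit outside this hunk.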
@@ -122,10 +144,13 @@ main (int argc, char **argv)
newmode = MODE_RW_UGO;
if (specified_mode)
{
+ mode_t umask_value;
struct mode_change *change = mode_compile (specified_mode);
if (!change)
error (EXIT_FAILURE, 0, _("invalid mode"));
- newmode = mode_adjust (newmode, false, umask (0), change, NULL);
+ umask_value = umask (0);
+ umask (umask_value);
+ newmode = mode_adjust (newmode, false, umask_value, change, NULL);
free (change);
if (newmode & ~S_IRWXUGO)
error (EXIT_FAILURE, 0,
@@ -161,10 +186,19 @@ main (int argc, char **argv)
usage (EXIT_FAILURE);
}
- if (scontext && setfscreatecon (scontext) < 0)
- error (EXIT_FAILURE, errno,
- _("failed to set default file creation context to %s"),
- quote (scontext));
+ if (scontext)
+ {
+ int ret = 0;
+ if (is_smack_enabled ())
+ ret = smack_set_label_for_self (scontext);
+ else
+ ret = setfscreatecon (se_const (scontext));
+
+ if (ret < 0)
+ error (EXIT_FAILURE, errno,
+ _("failed to set default file creation context to %s"),
+ quote (scontext));
+ }
/* Only check the first character, to allow mnemonic usage like
'mknod /dev/rst0 character 18 0'. */
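Review bot: The SMACK path calls `smack_set_label_for_self (scontext)`, which by its name relabels the running mknod process rather than setting a per-file creation context, but neither a comment nor the error text says so. I would add a comment above the call such as `/* SMACK has no fscreate context here; change our own label so the new node is created with it. */` and confirm that this is the intended mechanism. The shared failure message still reads "failed to set default file creation context" and reports `errno`; whether `smack_set_label_for_self` sets `errno` on failure is not visible in this diff and should be checked. The `= 0` initializer on `ret` is unnecessary, since both branches assign it.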
@@ -211,12 +245,17 @@ main (int argc, char **argv)
error (EXIT_FAILURE, 0, _("invalid device %s %s"), s_major, s_minor);
#endif
+ if (set_security_context)
+ defaultcon (argv[optind], node_type);
+
if (mknod (argv[optind], newmode | node_type, device) != 0)
error (EXIT_FAILURE, errno, "%s", quote (argv[optind]));
}
break;
case 'p': /* 'pipe' */
+ if (set_security_context)
+ defaultcon (argv[optind], S_IFIFO);
if (mkfifo (argv[optind], newmode) != 0)
error (EXIT_FAILURE, errno, "%s", quote (argv[optind]));
break;
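Review bot: Both new `defaultcon (...)` calls (before `mknod` and before `mkfifo`) discard the result, so if the default-context lookup fails the node is still created, with whatever context the process would have used anyway, and the user who passed `-Z` is not told. If `defaultcon` reports failure through its return value (its declaration is in selinux.h, not shown here), at least warn: `if (set_security_context && defaultcon (argv[optind], node_type) < 0) error (0, errno, _("failed to set default creation context for %s"), quote (argv[optind]));`. Errors that only mean "no default is defined for this path" may deserve to stay silent, so the condition probably needs a filter on `errno`.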
@@ -226,5 +265,9 @@ main (int argc, char **argv)
usage (EXIT_FAILURE);
}
+ if (specified_mode && lchmod (argv[optind], newmode) != 0)
+ error (EXIT_FAILURE, errno, _("cannot set permissions of %s"),
+ quote (argv[optind]));
+
exit (EXIT_SUCCESS);
}
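Review bot: The added `lchmod (argv[optind], newmode)` has no comment explaining why a second step is needed, and it resolves the name again after `mknod`/`mkfifo` has already created the node. Since an earlier hunk restores the umask, the node is first created with the masked mode and only then widened to the `-m` value, which is the safe order, but that reasoning should be written down: `/* The umask was restored above, so apply the exact -m mode now; lchmod avoids following a symlink swapped in at this name. */`. In a directory writable by other users the name could refer to a different object by the time `lchmod` runs; that residual by-name window is worth mentioning in the comment as well. On failure the program exits non-zero but leaves the freshly created node behind, which should be confirmed as intended.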