From a9c33f694019e865480431991f4f66919edc4b66 Mon Sep 17 00:00:00 2001
From: weishu
Date: Sat, 1 Jul 2023 16:50:10 +0800
Subject: [PATCH] ksud: load profile sepolicy rules when boot
---
 userspace/ksud/src/event.rs | 4 ++++
 userspace/ksud/src/profile.rs | 28 ++++++++++++++++++++++++++--
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/userspace/ksud/src/event.rs b/userspace/ksud/src/event.rs
index ab48b01c..20074b95 100644
--- a/userspace/ksud/src/event.rs
+++ b/userspace/ksud/src/event.rs
@@ -158,6 +158,10 @@ pub fn on_post_data_fs() -> Result<()> {
         warn!("load sepolicy.rule failed");
     }
 
+    if let Err(e) = crate::profile::apply_sepolies() {
+        warn!("apply root profile sepolicy failed: {}", e);
+    }
+
     // exec modules post-fs-data scripts
     // TODO: Add timeout
     if let Err(e) = crate::module::exec_post_fs_data() {
diff --git a/userspace/ksud/src/profile.rs b/userspace/ksud/src/profile.rs
index 3ec26f87..7ae98aad 100644
--- a/userspace/ksud/src/profile.rs
+++ b/userspace/ksud/src/profile.rs
@@ -1,6 +1,6 @@
-use crate::defs;
+use crate::{defs, sepolicy};
 use crate::utils::ensure_dir_exists;
-use anyhow::Result;
+use anyhow::{Context, Result};
 use std::path::Path;
 
 pub fn set_sepolicy(pkg: String, policy: String) -> Result<()> {
@@ -44,3 +44,27 @@ pub fn list_templates() -> Result<()> {
     }
     Ok(())
 }
+
+pub fn apply_sepolies() -> Result<()> {
+    let path = Path::new(defs::PROFILE_SELINUX_DIR);
+    if !path.exists() {
+        log::info!("profile sepolicy dir not exists.");
+        return Ok(());
+    }
+
+    let sepolicies =
+        std::fs::read_dir(path).with_context(|| "profile sepolicy dir open failed.".to_string())?;
+    for sepolicy in sepolicies {
+        let Ok(sepolicy) = sepolicy else {
+            log::info!("profile sepolicy dir read failed.");
+            continue;
+        };
+        let sepolicy = sepolicy.path();
+        if sepolicy::apply_file(&sepolicy).is_ok() {
+            log::info!("profile sepolicy applied: {:?}", sepolicy);
+        } else {
+            log::info!("profile sepolicy apply failed: {:?}", sepolicy);
+        }
+    }
+    Ok(())
+}
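Review bot: The new call into `crate::profile::apply_sepolies()` is dropped between the sepolicy.rule load and the post-fs-data scripts without a line saying what it is, while the neighbouring block carries `// exec modules post-fs-data scripts`; a matching `// apply per-app root profile sepolicy rules (see profile.rs)` above the `if let Err(e)` would keep the boot sequence readable. Note also that, as written in profile.rs, the callee only returns Err when the profile directory cannot be opened, so this `warn!` does not fire for an individual rule file that fails to apply; a reader of event.rs alone would assume otherwise. on_post_data_fs starts and ends outside the hunk.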
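Review bot: apply_sepolies hands every entry that read_dir yields in PROFILE_SELINUX_DIR to sepolicy::apply_file without checking the entry type, so a subdirectory or symlink placed in that directory is passed through as if it were a rule file; whether anything less privileged than ksud can write there is not visible in this hunk, but a `file_type().is_file()` filter (DirEntry::file_type does not follow symlinks) is a cheap guard either way. The second point is that a rule file which fails to apply is logged at `info` with its error discarded by `.is_ok()`, and the `warn!` in event.rs only ever sees the directory-open failure, so a broken policy load at boot is the one outcome an operator is least likely to notice. The loop below adds the type check and logs per-file failures at warn together with the error; `{:?}` is used for the error because apply_file's error type is not shown here, and the match arm uses `Ok(_)` for the same reason.
```rust
    for sepolicy in sepolicies {
        let Ok(sepolicy) = sepolicy else {
            log::warn!("profile sepolicy dir read failed.");
            continue;
        };
        // Only regular files are rule files; file_type() does not follow
        // symlinks, so a link or directory in the profile dir is skipped.
        if !sepolicy.file_type().map(|t| t.is_file()).unwrap_or(false) {
            log::warn!("profile sepolicy entry skipped (not a regular file): {:?}", sepolicy.path());
            continue;
        }
        let sepolicy = sepolicy.path();
        match sepolicy::apply_file(&sepolicy) {
            Ok(_) => log::info!("profile sepolicy applied: {:?}", sepolicy),
            Err(e) => log::warn!("profile sepolicy apply failed: {:?}: {:?}", sepolicy, e),
        }
    }
    // … unchanged: Ok(()) …
```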