Add SMACK support to id, mkdir, mkfifo, mknod utilities

ChrisDryden · ChrisDryden · commit a34b2f054bc3 · 2025-12-30T22:44:39.000Z
diff --git a/Cargo.toml b/Cargo.toml
@@ -68,7 +68,13 @@ feat_selinux = [
 # "feat_smack" == enable support for SMACK Security Context (by using `--features feat_smack`)
 # NOTE:
 # * Running a uutils compiled with `feat_smack` requires a SMACK enabled Kernel at run time.
-feat_smack = ["ls/smack"]
+feat_smack = [
+  "id/smack",
+  "ls/smack",
+  "mkdir/smack",
+  "mkfifo/smack",
+  "mknod/smack",
+]
 ##
 ## feature sets
 ## (common/core and Tier1) feature sets
diff --git a/src/uu/id/Cargo.toml b/src/uu/id/Cargo.toml
@@ -29,3 +29,4 @@ path = "src/main.rs"
 
 [features]
 feat_selinux = ["selinux"]
+smack = ["uucore/smack"]
diff --git a/src/uu/id/src/id.rs b/src/uu/id/src/id.rs
@@ -62,9 +62,9 @@ macro_rules! cstr2cow {
 }
 
 fn get_context_help_text() -> String {
-    #[cfg(not(feature = "selinux"))]
+    #[cfg(not(any(feature = "selinux", feature = "smack")))]
     return translate!("id-context-help-disabled");
-    #[cfg(feature = "selinux")]
+    #[cfg(any(feature = "selinux", feature = "smack"))]
     return translate!("id-context-help-enabled");
 }
 
@@ -98,7 +98,10 @@ struct State {
     rflag: bool,  // --real
     zflag: bool,  // --zero
     cflag: bool,  // --context
+    #[cfg(feature = "selinux")]
     selinux_supported: bool,
+    #[cfg(feature = "smack")]
+    smack_supported: bool,
     ids: Option<Ids>,
     // The behavior for calling GNU's `id` and calling GNU's `id $USER` is similar but different.
     // * The SELinux context is only displayed without a specified user.
@@ -136,16 +139,10 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
         zflag: matches.get_flag(options::OPT_ZERO),
         cflag: matches.get_flag(options::OPT_CONTEXT),
 
-        selinux_supported: {
-            #[cfg(feature = "selinux")]
-            {
-                uucore::selinux::is_selinux_enabled()
-            }
-            #[cfg(not(feature = "selinux"))]
-            {
-                false
-            }
-        },
+        #[cfg(feature = "selinux")]
+        selinux_supported: uucore::selinux::is_selinux_enabled(),
+        #[cfg(feature = "smack")]
+        smack_supported: uucore::smack::is_smack_enabled(),
         user_specified: !users.is_empty(),
         ids: None,
     };
@@ -179,26 +176,42 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
     let line_ending = LineEnding::from_zero_flag(state.zflag);
 
     if state.cflag {
-        return if state.selinux_supported {
-            // print SElinux context and exit
-            #[cfg(all(any(target_os = "linux", target_os = "android"), feature = "selinux"))]
+        // SELinux context
+        #[cfg(feature = "selinux")]
+        if state.selinux_supported {
             if let Ok(context) = selinux::SecurityContext::current(false) {
                 let bytes = context.as_bytes();
                 print!("{}{line_ending}", String::from_utf8_lossy(bytes));
-            } else {
-                // print error because `cflag` was explicitly requested
-                return Err(USimpleError::new(
-                    1,
-                    translate!("id-error-cannot-get-context"),
-                ));
+                return Ok(());
             }
-            Ok(())
-        } else {
-            Err(USimpleError::new(
+            return Err(USimpleError::new(
                 1,
-                translate!("id-error-context-selinux-only"),
-            ))
-        };
+                translate!("id-error-cannot-get-context"),
+            ));
+        }
+
+        // SMACK label
+        #[cfg(feature = "smack")]
+        if state.smack_supported {
+            match uucore::smack::get_smack_label_for_self() {
+                Ok(label) => {
+                    print!("{label}{line_ending}");
+                    return Ok(());
+                }
+                Err(_) => {
+                    return Err(USimpleError::new(
+                        1,
+                        translate!("id-error-cannot-get-context"),
+                    ));
+                }
+            }
+        }
+
+        // Neither SELinux nor SMACK supported
+        return Err(USimpleError::new(
+            1,
+            translate!("id-error-context-selinux-only"),
+        ));
     }
 
     for i in 0..=users.len() {
@@ -666,7 +679,7 @@ fn id_print(state: &State, groups: &[u32]) {
             .join(",")
     );
 
-    #[cfg(all(any(target_os = "linux", target_os = "android"), feature = "selinux"))]
+    #[cfg(feature = "selinux")]
     if state.selinux_supported
         && !state.user_specified
         && std::env::var_os("POSIXLY_CORRECT").is_none()
@@ -677,6 +690,17 @@ fn id_print(state: &State, groups: &[u32]) {
             print!(" context={}", String::from_utf8_lossy(bytes));
         }
     }
+
+    #[cfg(feature = "smack")]
+    if state.smack_supported
+        && !state.user_specified
+        && std::env::var_os("POSIXLY_CORRECT").is_none()
+    {
+        // print SMACK label (does not depend on "-Z")
+        if let Ok(label) = uucore::smack::get_smack_label_for_self() {
+            print!(" context={label}");
+        }
+    }
 }
 
 #[cfg(not(any(target_os = "linux", target_os = "android", target_os = "openbsd")))]
diff --git a/src/uu/mkdir/Cargo.toml b/src/uu/mkdir/Cargo.toml
@@ -24,6 +24,7 @@ fluent = { workspace = true }
 
 [features]
 selinux = ["uucore/selinux"]
+smack = ["uucore/smack"]
 
 [[bin]]
 name = "mkdir"
diff --git a/src/uu/mkdir/src/mkdir.rs b/src/uu/mkdir/src/mkdir.rs
@@ -300,6 +300,16 @@ fn create_single_dir(path: &Path, is_parent: bool, config: &Config) -> UResult<(
                 }
             }
 
+            // Apply SMACK context if requested
+            #[cfg(feature = "smack")]
+            if config.set_selinux_context && uucore::smack::is_smack_enabled() {
+                if let Some(ctx) = config.context {
+                    if let Err(e) = uucore::smack::set_smack_label_for_path(path, ctx) {
+                        let _ = std::fs::remove_dir(path);
+                        return Err(USimpleError::new(1, e.to_string()));
+                    }
+                }
+            }
             Ok(())
         }
 
diff --git a/src/uu/mkfifo/Cargo.toml b/src/uu/mkfifo/Cargo.toml
@@ -25,6 +25,7 @@ fluent = { workspace = true }
 
 [features]
 selinux = ["uucore/selinux"]
+smack = ["uucore/smack"]
 
 [[bin]]
 name = "mkfifo"
diff --git a/src/uu/mkfifo/src/mkfifo.rs b/src/uu/mkfifo/src/mkfifo.rs
@@ -75,6 +75,23 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
                 }
             }
         }
+
+        // Apply SMACK context if requested
+        #[cfg(feature = "smack")]
+        {
+            let set_smack_context = matches.get_flag(options::SELINUX);
+            let context = matches.get_one::<String>(options::CONTEXT);
+
+            if (set_smack_context || context.is_some()) && uucore::smack::is_smack_enabled() {
+                if let Some(ctx) = context {
+                    use std::path::Path;
+                    if let Err(e) = uucore::smack::set_smack_label_for_path(Path::new(&f), ctx) {
+                        let _ = fs::remove_file(&f);
+                        return Err(USimpleError::new(1, e.to_string()));
+                    }
+                }
+            }
+        }
     }
 
     Ok(())
diff --git a/src/uu/mknod/Cargo.toml b/src/uu/mknod/Cargo.toml
@@ -26,6 +26,7 @@ fluent = { workspace = true }
 
 [features]
 selinux = ["uucore/selinux"]
+smack = ["uucore/smack"]
 
 [[bin]]
 name = "mknod"
diff --git a/src/uu/mknod/src/mknod.rs b/src/uu/mknod/src/mknod.rs
@@ -105,6 +105,21 @@ fn mknod(file_name: &str, config: Config) -> i32 {
             }
         }
 
+        // Apply SMACK context if requested
+        #[cfg(feature = "smack")]
+        if config.set_selinux_context && uucore::smack::is_smack_enabled() {
+            if let Some(ctx) = config.context {
+                if let Err(e) =
+                    uucore::smack::set_smack_label_for_path(std::path::Path::new(file_name), ctx)
+                {
+                    // if it fails, delete the file
+                    let _ = std::fs::remove_file(file_name);
+                    eprintln!("{}: {}", uucore::util_name(), e);
+                    return 1;
+                }
+            }
+        }
+
         errno
     }
 }
diff --git a/src/uucore/locales/en-US.ftl b/src/uucore/locales/en-US.ftl
@@ -46,6 +46,11 @@ selinux-error-context-retrieval-failure = failed to retrieve the security contex
 selinux-error-context-set-failure = failed to set default file creation context to '{ $context }': { $error }
 selinux-error-context-conversion-failure = failed to set default file creation context to '{ $context }': { $error }
 
+# SMACK error messages
+smack-error-not-enabled = SMACK is not enabled on this system
+smack-error-label-retrieval-failure = failed to get security context: { $error }
+smack-error-label-set-failure = failed to set default file creation context to '{ $context }': { $error }
+smack-error-no-label-set = no security context set
 
 # Safe traversal error messages
 safe-traversal-error-path-contains-null = path contains null byte
diff --git a/src/uucore/src/lib/features/smack.rs b/src/uucore/src/lib/features/smack.rs
@@ -6,7 +6,8 @@
 // spell-checker:ignore smackfs
 //! SMACK (Simplified Mandatory Access Control Kernel) support
 
-use std::io;
+use std::fs;
+use std::io::{self, Read, Write};
 use std::path::Path;
 use std::sync::OnceLock;
 
@@ -50,6 +51,36 @@ pub fn is_smack_enabled() -> bool {
     *SMACK_ENABLED.get_or_init(|| Path::new("/sys/fs/smackfs").exists())
 }
 
+/// Gets the SMACK label for the current process.
+pub fn get_smack_label_for_self() -> Result<String, SmackError> {
+    if !is_smack_enabled() {
+        return Err(SmackError::SmackNotEnabled);
+    }
+
+    let mut label = String::new();
+    fs::File::open("/proc/self/attr/current")
+        .map_err(SmackError::LabelRetrievalFailure)?
+        .read_to_string(&mut label)
+        .map_err(SmackError::LabelRetrievalFailure)?;
+
+    Ok(label.trim().to_string())
+}
+
+/// Sets the SMACK label for the current process.
+pub fn set_smack_label_for_self(label: &str) -> Result<(), SmackError> {
+    if !is_smack_enabled() {
+        return Err(SmackError::SmackNotEnabled);
+    }
+
+    let label_owned = label.to_string();
+    fs::File::create("/proc/self/attr/current")
+        .map_err(|e| SmackError::LabelSetFailure(label_owned.clone(), e))?
+        .write_all(label.as_bytes())
+        .map_err(|e| SmackError::LabelSetFailure(label_owned, e))?;
+
+    Ok(())
+}
+
 /// Gets the SMACK label for a filesystem path via xattr.
 pub fn get_smack_label_for_path(path: &Path) -> Result<String, SmackError> {
     if !is_smack_enabled() {
diff --git a/util/run-gnu-tests-smack-ci.sh b/util/run-gnu-tests-smack-ci.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 # Run GNU SMACK tests in QEMU with SMACK-enabled kernel
 # Usage: run-gnu-tests-smack-ci.sh [GNU_DIR] [OUTPUT_DIR]
-# spell-checker:ignore rootfs zstd unzstd cpio newc nographic smackfs devtmpfs tmpfs poweroff libm libgcc libpthread libdl librt sysfs rwxat
+# spell-checker:ignore rootfs zstd unzstd cpio newc nographic smackfs devtmpfs tmpfs poweroff libm libgcc libpthread libdl librt sysfs rwxat setuidgid
 set -e
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
@@ -65,17 +65,22 @@ ln -sf /proc/mounts /etc/mtab
 mkdir -p /tmp && mount -t tmpfs tmpfs /tmp
 chmod 1777 /tmp
 export PATH="/bin:$PATH" srcdir="/gnu" LD_LIBRARY_PATH="/lib64"
-cd /gnu/tests
-sh "$TEST_SCRIPT"
+if [ -n "$RUN_AS_USER" ]; then
+    # Run in /tmp so non-root user can create temp directories
+    cd /tmp
+    setuidgid "$RUN_AS_USER" sh "/gnu/tests/$TEST_SCRIPT"
+else
+    cd /gnu/tests
+    sh "$TEST_SCRIPT"
+fi
 echo "EXIT:$?"
 poweroff -f
 INIT
 chmod +x "$SMACK_DIR/rootfs/init"
 
-# Build utilities with SMACK support (only ls has SMACK support for now)
-# TODO: When other utilities have SMACK support, build: ls id mkdir mknod mkfifo
+# Build utilities with SMACK support
 echo "Building utilities with SMACK support..."
-cargo build --release --manifest-path="$REPO_DIR/Cargo.toml" --package uu_ls --bin ls --features uu_ls/smack
+cargo build --release --manifest-path="$REPO_DIR/Cargo.toml" --package uu_id --features uu_id/smack --package uu_ls --features uu_ls/smack --package uu_mkdir --features uu_mkdir/smack --package uu_mkfifo --features uu_mkfifo/smack --package uu_mknod --features uu_mknod/smack
 
 # Find SMACK tests
 SMACK_TESTS=$(grep -l 'require_smack_' -r "$GNU_DIR/tests/" 2>/dev/null || true)
@@ -95,19 +100,30 @@ for TEST_PATH in $SMACK_TESTS; do
 
     echo "Running: $TEST_REL"
 
+    # Determine if test needs non-root user
+    RUN_AS_USER=""
+    if echo "$TEST_REL" | grep -q "no-root"; then
+        RUN_AS_USER="nobody"
+    fi
+
     # Create working copy
     WORK="/tmp/smack-test-$$"
     rm -rf "$WORK" "$WORK.gz"
     cp -a "$SMACK_DIR/rootfs" "$WORK"
 
-    # Copy built utilities (only ls has SMACK support for now)
-    # TODO: When other utilities have SMACK support, use:
-    # for U in ls id mkdir mknod mkfifo; do cp "$REPO_DIR/target/release/$U" "$WORK/bin/$U"; done
-    rm -f "$WORK/bin/ls"
-    cp "$REPO_DIR/target/release/ls" "$WORK/bin/ls"
+    # Copy built utilities with SMACK support
+    for U in id ls mkdir mkfifo mknod; do
+        rm -f "$WORK/bin/$U"
+        cp "$REPO_DIR/target/release/$U" "$WORK/bin/$U"
+    done
 
-    # Set test script path
+    # Set test script path and user
     sed -i "s|\$TEST_SCRIPT|$TEST_REL|g" "$WORK/init"
+    if [ -n "$RUN_AS_USER" ]; then
+        sed -i "s|\$RUN_AS_USER|$RUN_AS_USER|g" "$WORK/init"
+    else
+        sed -i "s|\$RUN_AS_USER||g" "$WORK/init"
+    fi
 
     # Build initramfs and run
     (cd "$WORK" && find . | cpio -o -H newc 2>/dev/null | gzip > "$WORK.gz")

Original file line number	Diff line number	Diff line change
`@@ -29,3 +29,4 @@ path = "src/main.rs"`
`29`	`29`
`30`	`30`	`[features]`
`31`	`31`	`feat_selinux = ["selinux"]`
	`32`	`+smack = ["uucore/smack"]`
Original file line number	Diff line number	Diff line change
`@@ -300,6 +300,16 @@ fn create_single_dir(path: &Path, is_parent: bool, config: &Config) -> UResult<(`
`300`	`300`	`}`
`301`	`301`	`}`
`302`	`302`
	`303`	`+ // Apply SMACK context if requested`
	`304`	`+ #[cfg(feature = "smack")]`
	`305`	`+ if config.set_selinux_context && uucore::smack::is_smack_enabled() {`
	`306`	`+ if let Some(ctx) = config.context {`
	`307`	`+ if let Err(e) = uucore::smack::set_smack_label_for_path(path, ctx) {`
	`308`	`+ let _ = std::fs::remove_dir(path);`
	`309`	`+ return Err(USimpleError::new(1, e.to_string()));`
	`310`	`+ }`
	`311`	`+ }`
	`312`	`+ }`
`303`	`313`	`Ok(())`
`304`	`314`	`}`
`305`	`315`
Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,23 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {`
`75`	`75`	`}`
`76`	`76`	`}`
`77`	`77`	`}`
	`78`	`+`
	`79`	`+ // Apply SMACK context if requested`
	`80`	`+ #[cfg(feature = "smack")]`
	`81`	`+ {`
	`82`	`+ let set_smack_context = matches.get_flag(options::SELINUX);`
	`83`	`+ let context = matches.get_one::<String>(options::CONTEXT);`
	`84`	`+`
	`85`	`+ if (set_smack_context \|\| context.is_some()) && uucore::smack::is_smack_enabled() {`
	`86`	`+ if let Some(ctx) = context {`
	`87`	`+ use std::path::Path;`
	`88`	`+ if let Err(e) = uucore::smack::set_smack_label_for_path(Path::new(&f), ctx) {`
	`89`	`+ let _ = fs::remove_file(&f);`
	`90`	`+ return Err(USimpleError::new(1, e.to_string()));`
	`91`	`+ }`
	`92`	`+ }`
	`93`	`+ }`
	`94`	`+ }`
`78`	`95`	`}`
`79`	`96`
`80`	`97`	`Ok(())`
Original file line number	Diff line number	Diff line change
`@@ -105,6 +105,21 @@ fn mknod(file_name: &str, config: Config) -> i32 {`
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`
	`108`	`+ // Apply SMACK context if requested`
	`109`	`+ #[cfg(feature = "smack")]`
	`110`	`+ if config.set_selinux_context && uucore::smack::is_smack_enabled() {`
	`111`	`+ if let Some(ctx) = config.context {`
	`112`	`+ if let Err(e) =`
	`113`	`+ uucore::smack::set_smack_label_for_path(std::path::Path::new(file_name), ctx)`
	`114`	`+ {`
	`115`	`+ // if it fails, delete the file`
	`116`	`+ let _ = std::fs::remove_file(file_name);`
	`117`	`+ eprintln!("{}: {}", uucore::util_name(), e);`
	`118`	`+ return 1;`
	`119`	`+ }`
	`120`	`+ }`
	`121`	`+ }`
	`122`	`+`
`108`	`123`	`errno`
`109`	`124`	`}`
`110`	`125`	`}`