Add SMACK support to id, mkdir, mkfifo, mknod utilities

ChrisDryden · ChrisDryden · commit d1808f023ff5 · 2025-12-29T16:20:38.000Z
diff --git a/Cargo.toml b/Cargo.toml
@@ -68,7 +68,13 @@ feat_selinux = [
 # "feat_smack" == enable support for SMACK Security Context (by using `--features feat_smack`)
 # NOTE:
 # * Running a uutils compiled with `feat_smack` requires a SMACK enabled Kernel at run time.
-feat_smack = ["ls/smack"]
+feat_smack = [
+  "id/smack",
+  "ls/smack",
+  "mkdir/smack",
+  "mkfifo/smack",
+  "mknod/smack",
+]
 ##
 ## feature sets
 ## (common/core and Tier1) feature sets
diff --git a/src/uu/id/Cargo.toml b/src/uu/id/Cargo.toml
@@ -29,3 +29,4 @@ path = "src/main.rs"
 
 [features]
 feat_selinux = ["selinux"]
+smack = ["uucore/smack"]
diff --git a/src/uu/id/src/id.rs b/src/uu/id/src/id.rs
@@ -62,9 +62,9 @@ macro_rules! cstr2cow {
 }
 
 fn get_context_help_text() -> String {
-    #[cfg(not(feature = "selinux"))]
+    #[cfg(not(any(feature = "selinux", feature = "smack")))]
     return translate!("id-context-help-disabled");
-    #[cfg(feature = "selinux")]
+    #[cfg(any(feature = "selinux", feature = "smack"))]
     return translate!("id-context-help-enabled");
 }
 
@@ -98,7 +98,10 @@ struct State {
     rflag: bool,  // --real
     zflag: bool,  // --zero
     cflag: bool,  // --context
+    #[cfg(feature = "selinux")]
     selinux_supported: bool,
+    #[cfg(feature = "smack")]
+    smack_supported: bool,
     ids: Option<Ids>,
     // The behavior for calling GNU's `id` and calling GNU's `id $USER` is similar but different.
     // * The SELinux context is only displayed without a specified user.
@@ -136,16 +139,10 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
         zflag: matches.get_flag(options::OPT_ZERO),
         cflag: matches.get_flag(options::OPT_CONTEXT),
 
-        selinux_supported: {
-            #[cfg(feature = "selinux")]
-            {
-                uucore::selinux::is_selinux_enabled()
-            }
-            #[cfg(not(feature = "selinux"))]
-            {
-                false
-            }
-        },
+        #[cfg(feature = "selinux")]
+        selinux_supported: uucore::selinux::is_selinux_enabled(),
+        #[cfg(feature = "smack")]
+        smack_supported: uucore::smack::is_smack_enabled(),
         user_specified: !users.is_empty(),
         ids: None,
     };
@@ -179,26 +176,43 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
     let line_ending = LineEnding::from_zero_flag(state.zflag);
 
     if state.cflag {
-        return if state.selinux_supported {
-            // print SElinux context and exit
-            #[cfg(all(any(target_os = "linux", target_os = "android"), feature = "selinux"))]
+        // SELinux context
+        #[cfg(feature = "selinux")]
+        if state.selinux_supported {
             if let Ok(context) = selinux::SecurityContext::current(false) {
                 let bytes = context.as_bytes();
                 print!("{}{line_ending}", String::from_utf8_lossy(bytes));
+                return Ok(());
             } else {
-                // print error because `cflag` was explicitly requested
                 return Err(USimpleError::new(
                     1,
                     translate!("id-error-cannot-get-context"),
                 ));
             }
-            Ok(())
-        } else {
-            Err(USimpleError::new(
-                1,
-                translate!("id-error-context-selinux-only"),
-            ))
-        };
+        }
+
+        // SMACK label
+        #[cfg(feature = "smack")]
+        if state.smack_supported {
+            match uucore::smack::get_smack_label_for_self() {
+                Ok(label) => {
+                    print!("{label}{line_ending}");
+                    return Ok(());
+                }
+                Err(_) => {
+                    return Err(USimpleError::new(
+                        1,
+                        translate!("id-error-cannot-get-context"),
+                    ));
+                }
+            }
+        }
+
+        // Neither SELinux nor SMACK supported
+        return Err(USimpleError::new(
+            1,
+            translate!("id-error-context-selinux-only"),
+        ));
     }
 
     for i in 0..=users.len() {
@@ -666,7 +680,7 @@ fn id_print(state: &State, groups: &[u32]) {
             .join(",")
     );
 
-    #[cfg(all(any(target_os = "linux", target_os = "android"), feature = "selinux"))]
+    #[cfg(feature = "selinux")]
     if state.selinux_supported
         && !state.user_specified
         && std::env::var_os("POSIXLY_CORRECT").is_none()
@@ -677,6 +691,17 @@ fn id_print(state: &State, groups: &[u32]) {
             print!(" context={}", String::from_utf8_lossy(bytes));
         }
     }
+
+    #[cfg(feature = "smack")]
+    if state.smack_supported
+        && !state.user_specified
+        && std::env::var_os("POSIXLY_CORRECT").is_none()
+    {
+        // print SMACK label (does not depend on "-Z")
+        if let Ok(label) = uucore::smack::get_smack_label_for_self() {
+            print!(" context={label}");
+        }
+    }
 }
 
 #[cfg(not(any(target_os = "linux", target_os = "android", target_os = "openbsd")))]
diff --git a/src/uu/mkdir/Cargo.toml b/src/uu/mkdir/Cargo.toml
@@ -24,6 +24,7 @@ fluent = { workspace = true }
 
 [features]
 selinux = ["uucore/selinux"]
+smack = ["uucore/smack"]
 
 [[bin]]
 name = "mkdir"
diff --git a/src/uu/mkdir/locales/en-US.ftl b/src/uu/mkdir/locales/en-US.ftl
@@ -14,6 +14,7 @@ mkdir-error-empty-directory-name = cannot create directory '': No such file or d
 mkdir-error-file-exists = { $path }: File exists
 mkdir-error-failed-to-create-tree = failed to create whole tree
 mkdir-error-cannot-set-permissions = cannot set permissions { $path }
+mkdir-error-smack-context = failed to set default file creation context to '{ $context }':
 
 # Verbose output
 mkdir-verbose-created-directory = { $util_name }: created directory { $path }
diff --git a/src/uu/mkdir/src/mkdir.rs b/src/uu/mkdir/src/mkdir.rs
@@ -300,6 +300,19 @@ fn create_single_dir(path: &Path, is_parent: bool, config: &Config) -> UResult<(
                 }
             }
 
+            // Apply SMACK context if requested
+            #[cfg(feature = "smack")]
+            if config.set_selinux_context && uucore::smack::is_smack_enabled() {
+                if let Some(ctx) = config.context {
+                    if let Err(_e) = uucore::smack::set_smack_label_for_path(path, ctx) {
+                        let _ = std::fs::remove_dir(path);
+                        return Err(USimpleError::new(
+                            1,
+                            translate!("mkdir-error-smack-context", "context" => ctx.clone()),
+                        ));
+                    }
+                }
+            }
             Ok(())
         }
 
diff --git a/src/uu/mkfifo/Cargo.toml b/src/uu/mkfifo/Cargo.toml
@@ -25,6 +25,7 @@ fluent = { workspace = true }
 
 [features]
 selinux = ["uucore/selinux"]
+smack = ["uucore/smack"]
 
 [[bin]]
 name = "mkfifo"
diff --git a/src/uu/mkfifo/locales/en-US.ftl b/src/uu/mkfifo/locales/en-US.ftl
@@ -11,3 +11,4 @@ mkfifo-error-invalid-mode = invalid mode: { $error }
 mkfifo-error-missing-operand = missing operand
 mkfifo-error-cannot-create-fifo = cannot create fifo { $path }: File exists
 mkfifo-error-cannot-set-permissions = cannot set permissions on { $path }: { $error }
+mkfifo-error-smack-context = failed to set default file creation context to '{ $context }':
diff --git a/src/uu/mkfifo/src/mkfifo.rs b/src/uu/mkfifo/src/mkfifo.rs
@@ -75,6 +75,26 @@ pub fn uumain(args: impl uucore::Args) -> UResult<()> {
                 }
             }
         }
+
+        // Apply SMACK context if requested
+        #[cfg(feature = "smack")]
+        {
+            let set_smack_context = matches.get_flag(options::SELINUX);
+            let context = matches.get_one::<String>(options::CONTEXT);
+
+            if (set_smack_context || context.is_some()) && uucore::smack::is_smack_enabled() {
+                if let Some(ctx) = context {
+                    use std::path::Path;
+                    if let Err(_e) = uucore::smack::set_smack_label_for_path(Path::new(&f), ctx) {
+                        let _ = fs::remove_file(&f);
+                        return Err(USimpleError::new(
+                            1,
+                            translate!("mkfifo-error-smack-context", "context" => ctx.clone()),
+                        ));
+                    }
+                }
+            }
+        }
     }
 
     Ok(())
diff --git a/src/uu/mknod/Cargo.toml b/src/uu/mknod/Cargo.toml
@@ -26,6 +26,7 @@ fluent = { workspace = true }
 
 [features]
 selinux = ["uucore/selinux"]
+smack = ["uucore/smack"]
 
 [[bin]]
 name = "mknod"
diff --git a/src/uu/mknod/locales/en-US.ftl b/src/uu/mknod/locales/en-US.ftl
@@ -32,3 +32,4 @@ mknod-error-invalid-mode = invalid mode ({ $error })
 mknod-error-mode-permission-bits-only = mode must specify only file permission bits
 mknod-error-missing-device-type = missing device type
 mknod-error-invalid-device-type = invalid device type { $type }
+mknod-error-smack-context = failed to set default file creation context to '{ $context }':
diff --git a/src/uu/mknod/src/mknod.rs b/src/uu/mknod/src/mknod.rs
@@ -105,6 +105,25 @@ fn mknod(file_name: &str, config: Config) -> i32 {
             }
         }
 
+        // Apply SMACK context if requested
+        #[cfg(feature = "smack")]
+        if config.set_selinux_context && uucore::smack::is_smack_enabled() {
+            if let Some(ctx) = config.context {
+                if let Err(_e) =
+                    uucore::smack::set_smack_label_for_path(std::path::Path::new(file_name), ctx)
+                {
+                    // if it fails, delete the file
+                    let _ = std::fs::remove_file(file_name);
+                    eprintln!(
+                        "{}: {}",
+                        uucore::util_name(),
+                        translate!("mknod-error-smack-context", "context" => ctx.clone())
+                    );
+                    return 1;
+                }
+            }
+        }
+
         errno
     }
 }
diff --git a/src/uucore/src/lib/features/smack.rs b/src/uucore/src/lib/features/smack.rs
@@ -6,7 +6,8 @@
 // spell-checker:ignore smackfs
 //! SMACK (Simplified Mandatory Access Control Kernel) support
 
-use std::io;
+use std::fs;
+use std::io::{self, Read, Write};
 use std::path::Path;
 use std::sync::OnceLock;
 
@@ -50,6 +51,36 @@ pub fn is_smack_enabled() -> bool {
     *SMACK_ENABLED.get_or_init(|| Path::new("/sys/fs/smackfs").exists())
 }
 
+/// Gets the SMACK label for the current process.
+pub fn get_smack_label_for_self() -> Result<String, SmackError> {
+    if !is_smack_enabled() {
+        return Err(SmackError::SmackNotEnabled);
+    }
+
+    let mut label = String::new();
+    fs::File::open("/proc/self/attr/current")
+        .map_err(SmackError::LabelRetrievalFailure)?
+        .read_to_string(&mut label)
+        .map_err(SmackError::LabelRetrievalFailure)?;
+
+    Ok(label.trim().to_string())
+}
+
+/// Sets the SMACK label for the current process.
+pub fn set_smack_label_for_self(label: &str) -> Result<(), SmackError> {
+    if !is_smack_enabled() {
+        return Err(SmackError::SmackNotEnabled);
+    }
+
+    let label_owned = label.to_string();
+    fs::File::create("/proc/self/attr/current")
+        .map_err(|e| SmackError::LabelSetFailure(label_owned.clone(), e))?
+        .write_all(label.as_bytes())
+        .map_err(|e| SmackError::LabelSetFailure(label_owned, e))?;
+
+    Ok(())
+}
+
 /// Gets the SMACK label for a filesystem path via xattr.
 pub fn get_smack_label_for_path(path: &Path) -> Result<String, SmackError> {
     if !is_smack_enabled() {
diff --git a/util/run-gnu-tests-smack-ci.sh b/util/run-gnu-tests-smack-ci.sh
@@ -72,10 +72,9 @@ poweroff -f
 INIT
 chmod +x "$SMACK_DIR/rootfs/init"
 
-# Build utilities with SMACK support (only ls has SMACK support for now)
-# TODO: When other utilities have SMACK support, build: ls id mkdir mknod mkfifo
+# Build utilities with SMACK support
 echo "Building utilities with SMACK support..."
-cargo build --release --manifest-path="$REPO_DIR/Cargo.toml" --package uu_ls --bin ls --features uu_ls/smack
+cargo build --release --manifest-path="$REPO_DIR/Cargo.toml" --package uu_id --features uu_id/smack --package uu_ls --features uu_ls/smack --package uu_mkdir --features uu_mkdir/smack --package uu_mkfifo --features uu_mkfifo/smack --package uu_mknod --features uu_mknod/smack
 
 # Find SMACK tests
 SMACK_TESTS=$(grep -l 'require_smack_' -r "$GNU_DIR/tests/" 2>/dev/null || true)
@@ -100,11 +99,11 @@ for TEST_PATH in $SMACK_TESTS; do
     rm -rf "$WORK" "$WORK.gz"
     cp -a "$SMACK_DIR/rootfs" "$WORK"
 
-    # Copy built utilities (only ls has SMACK support for now)
-    # TODO: When other utilities have SMACK support, use:
-    # for U in ls id mkdir mknod mkfifo; do cp "$REPO_DIR/target/release/$U" "$WORK/bin/$U"; done
-    rm -f "$WORK/bin/ls"
-    cp "$REPO_DIR/target/release/ls" "$WORK/bin/ls"
+    # Copy built utilities with SMACK support
+    for U in id ls mkdir mkfifo mknod; do
+        rm -f "$WORK/bin/$U"
+        cp "$REPO_DIR/target/release/$U" "$WORK/bin/$U"
+    done
 
     # Set test script path
     sed -i "s|\$TEST_SCRIPT|$TEST_REL|g" "$WORK/init"

Original file line number	Diff line number	Diff line change
`@@ -29,3 +29,4 @@ path = "src/main.rs"`
`29`	`29`
`30`	`30`	`[features]`
`31`	`31`	`feat_selinux = ["selinux"]`
	`32`	`+smack = ["uucore/smack"]`
Original file line number	Diff line number	Diff line change
`@@ -300,6 +300,19 @@ fn create_single_dir(path: &Path, is_parent: bool, config: &Config) -> UResult<(`
`300`	`300`	`}`
`301`	`301`	`}`
`302`	`302`
	`303`	`+ // Apply SMACK context if requested`
	`304`	`+ #[cfg(feature = "smack")]`
	`305`	`+ if config.set_selinux_context && uucore::smack::is_smack_enabled() {`
	`306`	`+ if let Some(ctx) = config.context {`
	`307`	`+ if let Err(_e) = uucore::smack::set_smack_label_for_path(path, ctx) {`
	`308`	`+ let _ = std::fs::remove_dir(path);`
	`309`	`+ return Err(USimpleError::new(`
	`310`	`+ 1,`
	`311`	`+ translate!("mkdir-error-smack-context", "context" => ctx.clone()),`
	`312`	`+ ));`
	`313`	`+ }`
	`314`	`+ }`
	`315`	`+ }`
`303`	`316`	`Ok(())`
`304`	`317`	`}`
`305`	`318`