mount: add new SmackFileSystemRoot= setting for mount unit

This option specifies the label to assign the root of the file system if
it lacks the Smack extended attribute. Note that this option will be
ignored if kernel does not support the Smack feature by runtime
checking.

man/systemd.mount.xml

@@ -323,6 +323,18 @@
         to 0755.</para></listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><varname>SmackFileSystemRoot=</varname></term>
+        <listitem><para>Takes a string for the smack label.
+        This option specifies the label to assign the root of the
+        file system if it lacks the Smack extended attribute.
+        Note that this option will be ignored if kernel does not
+        support the Smack feature.
+        See <ulink
+        url="https://www.kernel.org/doc/Documentation/security/Smack.txt">Smack.txt</ulink>
+        for details. </para></listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><varname>TimeoutSec=</varname></term>
         <listitem><para>Configures the time to wait for the mount

src/core/dbus-mount.c

@@ -117,6 +117,7 @@ const sd_bus_vtable bus_mount_vtable[] = {
         SD_BUS_PROPERTY("ControlPID", "u", bus_property_get_pid, offsetof(Mount, control_pid), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
         SD_BUS_PROPERTY("DirectoryMode", "u", bus_property_get_mode, offsetof(Mount, directory_mode), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("SloppyOptions", "b", bus_property_get_bool, offsetof(Mount, sloppy_options), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("SmackFileSystemRoot", "s", NULL, offsetof(Mount, smack_fs_root), SD_BUS_VTABLE_PROPERTY_CONST),
         SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Mount, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
         BUS_EXEC_COMMAND_VTABLE("ExecMount", offsetof(Mount, exec_command[MOUNT_EXEC_MOUNT]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),
         BUS_EXEC_COMMAND_VTABLE("ExecUnmount", offsetof(Mount, exec_command[MOUNT_EXEC_UNMOUNT]), SD_BUS_VTABLE_PROPERTY_EMITS_INVALIDATION),

src/core/load-fragment-gperf.gperf.m4

@@ -319,6 +319,7 @@ Mount.Type,                      config_parse_string,                0,
 Mount.TimeoutSec,                config_parse_sec,                   0,                             offsetof(Mount, timeout_usec)
 Mount.DirectoryMode,             config_parse_mode,                  0,                             offsetof(Mount, directory_mode)
 Mount.SloppyOptions,             config_parse_bool,                  0,                             offsetof(Mount, sloppy_options)
+Mount.SmackFileSystemRoot,       config_parse_string,                0,                             offsetof(Mount, smack_fs_root)
 EXEC_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl
 CGROUP_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl
 KILL_CONTEXT_CONFIG_ITEMS(Mount)m4_dnl

src/core/mount.c

@@ -39,6 +39,7 @@
 #include "exit-status.h"
 #include "fstab-util.h"
 #include "formats-util.h"
+#include "smack-util.h"
 
 #define RETRY_UMOUNT_MAX 32
 
@@ -202,6 +203,7 @@ static void mount_done(Unit *u) {
         assert(m);
 
         m->where = mfree(m->where);
+        m->smack_fs_root = mfree(m->smack_fs_root);
 
         mount_parameters_done(&m->parameters_proc_self_mountinfo);
         mount_parameters_done(&m->parameters_fragment);
@@ -666,7 +668,8 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) {
                 "%sOptions: %s\n"
                 "%sFrom /proc/self/mountinfo: %s\n"
                 "%sFrom fragment: %s\n"
-                "%sDirectoryMode: %04o\n",
+                "%sDirectoryMode: %04o\n"
+                "%sSmackFileSystemRoot: %s\n",
                 prefix, mount_state_to_string(m->state),
                 prefix, mount_result_to_string(m->result),
                 prefix, m->where,
@@ -675,7 +678,8 @@ static void mount_dump(Unit *u, FILE *f, const char *prefix) {
                 prefix, p ? strna(p->options) : "n/a",
                 prefix, yes_no(m->from_proc_self_mountinfo),
                 prefix, yes_no(m->from_fragment),
-                prefix, m->directory_mode);
+                prefix, m->directory_mode,
+                prefix, strna(m->smack_fs_root));
 
         if (m->control_pid > 0)
                 fprintf(f,
@@ -852,6 +856,31 @@ fail:
         mount_enter_mounted(m, MOUNT_FAILURE_RESOURCES);
 }
 
+static int mount_get_opts(Mount *m, char **_opts) {
+        int r;
+        char *o = NULL, *opts = NULL;
+
+        r = fstab_filter_options(m->parameters_fragment.options,
+                                 "nofail\0" "noauto\0" "auto\0", NULL, NULL, &o);
+        if (r < 0)
+                return r;
+
+        if (mac_smack_use() && m->smack_fs_root) {
+                if (!isempty(o)) {
+                        opts = strjoin(o, ",", "smackfsroot=", m->smack_fs_root, NULL);
+                        free(o);
+                } else
+                        opts = strjoin("smackfsroot=", m->smack_fs_root, NULL);
+
+                if (!opts)
+                        return -ENOMEM;
+        } else
+                opts = o;
+
+        *_opts = opts;
+        return 0;
+}
+
 static void mount_enter_mounting(Mount *m) {
         int r;
         MountParameters *p;
@@ -877,8 +906,7 @@ static void mount_enter_mounting(Mount *m) {
         if (m->from_fragment) {
                 _cleanup_free_ char *opts = NULL;
 
-                r = fstab_filter_options(m->parameters_fragment.options,
-                                         "nofail\0" "noauto\0" "auto\0", NULL, NULL, &opts);
+                r = mount_get_opts(m, &opts);
                 if (r < 0)
                         goto fail;
 

src/core/mount.h

@@ -71,6 +71,7 @@ struct Mount {
         bool reset_cpu_usage:1;
 
         bool sloppy_options;
+        char *smack_fs_root;
 
         MountResult result;
         MountResult reload_result;