id: with -Z, show SMACK security context

Adds an optional dependency on libsmack.

* m4/jm-macros.m4: Look for the smack library/header.
* src/id.c (main): Output the smack context if available.
* src/local.mk: Link with libsmack if available.
* NEWS: Mention the new feature.

NEWS

@@ -20,6 +20,8 @@ GNU coreutils NEWS                                    -*- outline -*-
 
 ** New features
 
+  id -Z reports the SMACK security context where available.
+
   join accepts a new option: --zero-terminated (-z). As with the sort,uniq
   option of the same name, this makes join consume and produce NUL-terminated
   lines rather than newline-terminated lines.

m4/jm-macros.m4

@@ -141,6 +141,26 @@ AC_DEFUN([coreutils_MACROS],
   fi
   AC_SUBST([LIB_CAP])
 
+  # Check whether libsmack is available
+  LIB_SMACK=
+  AC_ARG_ENABLE([libsmack],
+    AC_HELP_STRING([--disable-libsmack], [disable libsmack support]))
+  if test "X$enable_libsmack" != "Xno"; then
+    AC_CHECK_LIB([smack], [smack_smackfs_path],
+      [AC_CHECK_HEADER([sys/smack.h],
+        [LIB_SMACK=-lsmack
+         AC_DEFINE([HAVE_SMACK], [1], [libsmack usability])]
+      )])
+    if test "X$LIB_SMACK" = "X"; then
+      if test "X$enable_libsmack" = "Xyes"; then
+        AC_MSG_ERROR([libsmack library was not found or not usable])
+      fi
+    fi
+  else
+    AC_MSG_WARN([libsmack support disabled by user])
+  fi
+  AC_SUBST([LIB_SMACK])
+
   # See if linking 'seq' requires -lm.
   # It does on nearly every system.  The single exception (so far) is
   # BeOS which has all the math functions in the normal runtime library

src/id.c

@@ -24,6 +24,9 @@
 #include <grp.h>
 #include <getopt.h>
 #include <selinux/selinux.h>
+#ifdef HAVE_SMACK
+# include <sys/smack.h>
+#endif
 
 #include "system.h"
 #include "error.h"
@@ -107,6 +110,9 @@ main (int argc, char **argv)
 {
   int optc;
   int selinux_enabled = (is_selinux_enabled () > 0);
+#ifdef HAVE_SMACK
+  int smack_enabled = (smack_smackfs_path () != NULL);
+#endif
 
   /* If true, output the list of all group IDs. -G */
   bool just_group_list = false;
@@ -134,10 +140,17 @@ main (int argc, char **argv)
           break;
 
         case 'Z':
-          /* politely decline if we're not on a selinux-enabled kernel. */
+          /* politely decline if we're not on a SELinux/SMACK-enabled kernel. */
+#ifdef HAVE_SMACK
+          if (!selinux_enabled && !smack_enabled)
+            error (EXIT_FAILURE, 0,
+                   _("--context (-Z) works only on "
+                     "an SELinux/SMACK-enabled kernel"));
+#else
           if (!selinux_enabled)
             error (EXIT_FAILURE, 0,
                    _("--context (-Z) works only on an SELinux-enabled kernel"));
+#endif
           just_context = 1;
           break;
 
@@ -189,14 +202,17 @@ main (int argc, char **argv)
      and we're not in POSIXLY_CORRECT mode, get our context.  Otherwise,
      leave the context variable alone - it has been initialized to an
      invalid value that will be not displayed in print_full_info().  */
-  if (selinux_enabled
-      && n_ids == 0
+  if (n_ids == 0
       && (just_context
           || (default_format && ! getenv ("POSIXLY_CORRECT"))))
     {
       /* Report failure only if --context (-Z) was explicitly requested.  */
-      if (getcon (&context) && just_context)
+      if (selinux_enabled && getcon (&context) && just_context)
         error (EXIT_FAILURE, 0, _("can't get process context"));
+#ifdef HAVE_SMACK
+      else if (smack_enabled && smack_new_label_from_self ((char **) &context))
+        error (EXIT_FAILURE, 0, _("can't get process context"));
+#endif
     }
 
   if (n_ids == 1)

src/local.mk

@@ -228,6 +228,7 @@ copy_ldadd += $(LIB_SELINUX)
 src_chcon_LDADD += $(LIB_SELINUX)
 src_ginstall_LDADD += $(LIB_SELINUX)
 src_id_LDADD += $(LIB_SELINUX)
+src_id_LDADD += $(LIB_SMACK)
 src_ls_LDADD += $(LIB_SELINUX)
 src_mkdir_LDADD += $(LIB_SELINUX)
 src_mkfifo_LDADD += $(LIB_SELINUX)