2 .\" This file is part of libsmack
3 .\" Copyright (C) 2012 Intel Corporation
4 .\" Copyright (C) 2012 Samsung Electronics Co.
6 .\" This library is free software; you can redistribute it and/or
7 .\" modify it under the terms of the GNU Lesser General Public License
8 .\" version 2.1 as published by the Free Software Foundation.
10 .\" This library is distributed in the hope that it will be useful, but
11 .\" WITHOUT ANY WARRANTY; without even the implied warranty of
12 .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 .\" Lesser General Public License for more details.
15 .\" You should have received a copy of the GNU Lesser General Public
16 .\" License along with this library; if not, write to the Free Software
17 .\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
21 .\" Brian McGillion <brian.mcgillion@intel.com>
22 .\" Rafal Krypa <r.krypa@samsung.com>
24 .TH "SMACK_ACCESSES_ADD" "3" "14/06/2012" "Libsmack 1\&.0"
26 smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_apply, smack_accesses_clear, smack_accesses_add, smack_accesses_add_modify, smack_accesses_add_from_file, smack_revoke_subject \- Manipulate Smack rules
28 .B #include <sys/smack.h>
30 .BI "int smack_accesses_new(struct smack_accesses **" accesses ");"
32 .BI "void smack_accesses_free(struct smack_accesses *" handle ");"
35 .BI "int smack_accesses_add(struct smack_accesses *" handle ", const char *" subject ", const char *" object ", const char *" access_type ");"
37 .BI "int smack_accesses_add_modify(struct smack_accesses *" handle ", const char *" subject ", const char *" object ", const char *" access_add ", const char *" access_del ");"
39 .BI "int smack_accesses_add_from_file(struct smack_accesses *" accesses ", int " fd ");"
41 .BI "int smack_accesses_save(struct smack_accesses *" handle ", int " fd ");"
44 .BI "int smack_accesses_apply(struct smack_accesses *" handle ");"
46 .BI "int smack_accesses_clear(struct smack_accesses *" handle ");"
49 .BI "int smack_revoke_subject(const char *" subject ");"
53 These functions provide a means to create properly formatted Smack rules that can be stored in a file or loaded directly into the kernel. To load rules into the kernel or remove them from it, the calling process must have the CAP_MAC_ADMIN capability. Most users will generally store the rules to a file that can be read by
55 If the rules should be loaded on system reboot then the file should be stored in /etc/smack/accesses.d/<name>.rules.
57 .BR smack_accesses_new ()
58 creates a new empty smack_accesses instance pointed to by
61 .BR smack_accesses_free ()
62 destroys a previously created instance of smack_accesses pointed to by
65 .BR smack_accesses_add ()
66 creates a rule allowing a
70 with the type of access defined in
72 and store the result in
74 If a rule for the specified labels already exists it will be overwritten.
76 .BR smack_accesses_add_modify ()
77 creates a modification rule for the specified
81 labels allowing the access specified in
83 and disallowing the access defined by
85 The result is stored in
87 If a rule for the specified labels already exists it will be modified, otherwise a new rule will be created with the permissions specified in access_add added and those specified in access_del removed.
89 .BR smack_accesses_add_from_file ()
90 reads a set of rules from a file and stores them in
92 The file must consist of a series of lines, one per rule, each in the format "%s %s %s"
93 .B "(subject object access_type)"
95 .BR smack_accesses_save ()
96 saves the smack_accesses instance pointed to by
98 to the file specified by the file-descriptor
101 .BR smack_accesses_apply ()
102 applies the rules pointed to by
104 directly to the kernel. The calling process must have the CAP_MAC_ADMIN capability.
105 .BR smack_accesses_clear ()
106 removes the rules pointed to by
108 directly from the kernel. The calling process must have the CAP_MAC_ADMIN capability.
110 .BR smack_revoke_subject ()
111 sets the access to '-' (no access allowed) for all access rules with the given
113 label directly in the kernel. The calling process must have the CAP_MAC_ADMIN capability.
116 .IR smack_accesses_free ,
117 return 0 on success and a negative value on failure (in which case
119 is set appropriately).
122 #include <sys/smack.h>
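/*
 * Example: read Smack rules from an open file descriptor and either load
 * them into the kernel or remove them from it.
 *
 * fd    - open descriptor of a rules file, one "subject object access_type"
 *         rule per line.
 * clear - zero to apply the rules, non-zero to clear them.
 *
 * Returns 0 on success and a negative value on failure. Applying and
 * clearing rules both require the CAP_MAC_ADMIN capability.
 *
 * NOTE(review): the rules read here become kernel access-control policy,
 * so fd should refer to a file that only trusted administrators can write.
 */
int apply_rules_file(int fd, int clear)
{
    struct smack_accesses *rules = NULL;
    int ret;

    if (smack_accesses_new(&rules)) {
        return -1;
    }

    if (smack_accesses_add_from_file(rules, fd)) {
        /* The handle is already allocated here, so release it before bailing out. */
        smack_accesses_free(rules);
        return -1;
    }

    if (clear) {
        ret = smack_accesses_clear(rules);
    } else {
        ret = smack_accesses_apply(rules);
    }

    /* The handle is no longer needed once the kernel call has returned. */
    smack_accesses_free(rules);
    return ret;
}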
148 .BR smack_have_access (3)