2 * This file is part of libsmack
4 * Copyright (C) 2010, 2011 Nokia Corporation
5 * Copyright (C) 2011, 2012, 2013 Intel Corporation
6 * Copyright (C) 2012, 2013 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
25 #include "sys/smack.h"
31 #include <sys/socket.h>
33 #include <sys/types.h>
36 #include <sys/xattr.h>
38 #define SELF_LABEL_FILE "/proc/self/attr/current"
40 #define SHORT_LABEL_LEN 23
42 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
43 #define KERNEL_LONG_FORMAT "%s %s %s"
44 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5.5s"
45 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
50 #define CAT_MAX_COUNT 240
51 #define CAT_MAX_VALUE 63
52 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
53 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
54 #define CIPSO_NUM_LEN_STR "%-4d"
56 #define ACCESS_TYPE_R 0x01
57 #define ACCESS_TYPE_W 0x02
58 #define ACCESS_TYPE_X 0x04
59 #define ACCESS_TYPE_A 0x08
60 #define ACCESS_TYPE_T 0x10
61 #define ACCESS_TYPE_L 0x20
63 #define DICT_HASH_SIZE 4096
65 extern char *smackfs_mnt;
70 struct hsearch_data *htab;
80 struct smack_rule *next;
83 struct smack_accesses {
84 struct smack_rule *first;
85 struct smack_rule *last;
86 struct label_dict *dict;
89 struct cipso_mapping {
90 char label[SMACK_LABEL_LEN + 1];
91 int cats[CAT_MAX_VALUE];
94 struct cipso_mapping *next;
98 struct cipso_mapping *first;
99 struct cipso_mapping *last;
102 static int accesses_apply(struct smack_accesses *handle, int clear);
103 static inline ssize_t get_label(char *dest, const char *src);
104 static inline int str_to_access_code(const char *str);
105 static inline void access_code_to_str(unsigned code, char *str);
106 static int dict_create(struct label_dict **dict);
107 static int dict_free(struct label_dict *dict);
108 static const char *dict_get_label(const struct label_dict *dict, int id);
109 static ssize_t dict_add_label(struct label_dict *dict, int *id, const char *src);
111 int smack_accesses_new(struct smack_accesses **accesses)
113 struct smack_accesses *result;
115 result = calloc(sizeof(struct smack_accesses), 1);
119 if (dict_create(&(result->dict)))
125 void smack_accesses_free(struct smack_accesses *handle)
130 struct smack_rule *rule = handle->first;
131 struct smack_rule *next_rule = NULL;
133 while (rule != NULL) {
134 next_rule = rule->next;
139 dict_free(handle->dict);
143 int smack_accesses_save(struct smack_accesses *handle, int fd)
145 struct smack_rule *rule = handle->first;
146 char allow_str[ACC_LEN + 1];
147 char deny_str[ACC_LEN + 1];
156 file = fdopen(newfd, "w");
163 access_code_to_str(rule->allow_code, allow_str);
165 if (rule->deny_code != -1) /* modify? */ {
166 access_code_to_str(rule->deny_code, deny_str);
168 ret = fprintf(file, "%s %s %s %s\n",
169 dict_get_label(handle->dict, rule->subject_id),
170 dict_get_label(handle->dict, rule->object_id),
171 allow_str, deny_str);
173 ret = fprintf(file, "%s %s %s\n",
174 dict_get_label(handle->dict, rule->subject_id),
175 dict_get_label(handle->dict, rule->object_id),
191 int smack_accesses_apply(struct smack_accesses *handle)
193 return accesses_apply(handle, 0);
196 int smack_accesses_clear(struct smack_accesses *handle)
198 return accesses_apply(handle, 1);
201 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
202 const char *object, const char *access_type)
204 struct smack_rule *rule = NULL;
206 rule = calloc(sizeof(struct smack_rule), 1);
210 rule->subject_len = dict_add_label(handle->dict, &(rule->subject_id), subject);
211 rule->object_len = dict_add_label(handle->dict, &(rule->object_id), object);
212 if (rule->subject_len < 0 || rule->object_len < 0) {
217 rule->allow_code = str_to_access_code(access_type);
218 rule->deny_code = -1; /* no modify */
219 if (rule->allow_code == -1) {
224 if (handle->first == NULL) {
225 handle->first = handle->last = rule;
227 handle->last->next = rule;
234 int smack_accesses_add_modify(struct smack_accesses *handle,
237 const char *allow_access_type,
238 const char *deny_access_type)
240 struct smack_rule *rule = NULL;
242 rule = calloc(sizeof(struct smack_rule), 1);
246 rule->subject_len = dict_add_label(handle->dict, &(rule->subject_id), subject);
247 rule->object_len = dict_add_label(handle->dict, &(rule->object_id), object);
248 if (rule->subject_len < 0 || rule->object_len < 0) {
253 rule->allow_code = str_to_access_code(allow_access_type);
254 rule->deny_code = str_to_access_code(deny_access_type);
255 if (rule->allow_code == -1 || rule->deny_code == -1) {
260 if (handle->first == NULL) {
261 handle->first = handle->last = rule;
263 handle->last->next = rule;
270 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
273 char buf[LOAD_LEN + 1];
275 const char *subject, *object, *access, *access2;
283 file = fdopen(newfd, "r");
289 while (fgets(buf, LOAD_LEN + 1, file) != NULL) {
290 if (strcmp(buf, "\n") == 0)
292 subject = strtok_r(buf, " \t\n", &ptr);
293 object = strtok_r(NULL, " \t\n", &ptr);
294 access = strtok_r(NULL, " \t\n", &ptr);
295 access2 = strtok_r(NULL, " \t\n", &ptr);
297 if (subject == NULL || object == NULL || access == NULL ||
298 strtok_r(NULL, " \t\n", &ptr) != NULL) {
304 ret = smack_accesses_add(accesses, subject, object, access);
306 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
323 int smack_have_access(const char *subject, const char *object,
324 const char *access_type)
326 char buf[LOAD_LEN + 1];
327 char str[ACC_LEN + 1];
337 snprintf(path, sizeof path, "%s/access2", smackfs_mnt);
338 fd = open(path, O_RDWR);
343 snprintf(path, sizeof path, "%s/access", smackfs_mnt);
344 fd = open(path, O_RDWR);
350 if ((code = str_to_access_code(access_type)) < 0)
352 access_code_to_str(code, str);
355 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
356 subject, object, str);
358 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
359 subject, object, str);
366 ret = write(fd, buf, strlen(buf));
372 ret = read(fd, buf, 1);
377 return buf[0] == '1';
380 int smack_cipso_new(struct smack_cipso **cipso)
382 struct smack_cipso *result;
384 result = calloc(sizeof(struct smack_cipso), 1);
392 void smack_cipso_free(struct smack_cipso *cipso)
397 struct cipso_mapping *mapping = cipso->first;
398 struct cipso_mapping *next_mapping = NULL;
400 while (mapping != NULL) {
401 next_mapping = mapping->next;
403 mapping = next_mapping;
409 int smack_cipso_apply(struct smack_cipso *cipso)
411 struct cipso_mapping *m = NULL;
412 char buf[CIPSO_MAX_SIZE];
421 snprintf(path, sizeof path, "%s/cipso2", smackfs_mnt);
422 fd = open(path, O_WRONLY);
426 memset(buf,0,CIPSO_MAX_SIZE);
427 for (m = cipso->first; m != NULL; m = m->next) {
428 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
429 offset = strlen(buf) + 1;
431 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
434 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
437 for (i = 0; i < m->ncats; i++){
438 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
442 if (write(fd, buf, offset) < 0) {
452 int smack_cipso_add_from_file(struct smack_cipso *cipso, int fd)
454 struct cipso_mapping *mapping = NULL;
457 char *label, *level, *cat, *ptr;
466 file = fdopen(newfd, "r");
472 while (fgets(buf, BUF_SIZE, file) != NULL) {
473 mapping = calloc(sizeof(struct cipso_mapping), 1);
477 label = strtok_r(buf, " \t\n", &ptr);
478 level = strtok_r(NULL, " \t\n", &ptr);
479 cat = strtok_r(NULL, " \t\n", &ptr);
481 if (level == NULL || get_label(mapping->label, label) < 0)
485 val = strtol(level, NULL, 10);
489 if (val < 0 || val > LEVEL_MAX)
492 mapping->level = val;
494 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
496 val = strtol(cat, NULL, 10);
500 if (val < 0 || val > CAT_MAX_VALUE)
503 mapping->cats[i] = val;
505 cat = strtok_r(NULL, " \t\n", &ptr);
510 if (cipso->first == NULL) {
511 cipso->first = cipso->last = mapping;
513 cipso->last->next = mapping;
514 cipso->last = mapping;
529 const char *smack_smackfs_path(void)
534 ssize_t smack_new_label_from_self(char **label)
540 result = calloc(SMACK_LABEL_LEN + 1, 1);
544 fd = open(SELF_LABEL_FILE, O_RDONLY);
550 ret = read(fd, result, SMACK_LABEL_LEN);
561 ssize_t smack_new_label_from_socket(int fd, char **label)
565 socklen_t length = 1;
568 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
569 if (ret < 0 && errno != ERANGE)
572 result = calloc(length + 1, 1);
576 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
586 ssize_t smack_new_label_from_path(const char *path, const char *xattr,
587 int follow, char **label)
593 getxattr(path, xattr, NULL, 0) :
594 lgetxattr(path, xattr, NULL, 0);
595 if (ret < 0 && errno != ERANGE)
598 result = calloc(ret + 1, 1);
603 getxattr(path, xattr, result, ret) :
604 lgetxattr(path, xattr, result, ret);
614 int smack_set_label_for_self(const char *label)
620 len = get_label(NULL, label);
624 fd = open(SELF_LABEL_FILE, O_WRONLY);
628 ret = write(fd, label, len);
631 return (ret < 0) ? -1 : 0;
634 int smack_revoke_subject(const char *subject)
641 len = get_label(NULL, subject);
645 snprintf(path, sizeof path, "%s/revoke-subject", smackfs_mnt);
646 fd = open(path, O_WRONLY);
650 ret = write(fd, subject, len);
653 return (ret < 0) ? -1 : 0;
656 static int accesses_apply(struct smack_accesses *handle, int clear)
658 char buf[LOAD_LEN + 1];
659 char allow_str[ACC_LEN + 1];
660 char deny_str[ACC_LEN + 1];
661 struct smack_rule *rule;
672 snprintf(path, sizeof path, "%s/load2", smackfs_mnt);
673 load_fd = open(path, O_WRONLY);
678 snprintf(path, sizeof path, "%s/load", smackfs_mnt);
679 load_fd = open(path, O_WRONLY);
680 /* Try to continue if the file doesn't exist, we might not need it. */
681 if (load_fd < 0 && errno != ENOENT)
686 snprintf(path, sizeof path, "%s/change-rule", smackfs_mnt);
687 change_fd = open(path, O_WRONLY);
688 /* Try to continue if the file doesn't exist, we might not need it. */
689 if (change_fd < 0 && errno != ENOENT) {
694 for (rule = handle->first; rule != NULL; rule = rule->next) {
695 /* Fail immediately without doing any further processing
696 if modify rules are not supported. */
697 if (rule->deny_code >= 0 && change_fd < 0) {
702 access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
704 if (rule->deny_code != -1 && !clear) {
705 access_code_to_str(rule->deny_code, deny_str);
708 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
709 dict_get_label(handle->dict, rule->subject_id),
710 dict_get_label(handle->dict, rule->object_id),
716 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
717 dict_get_label(handle->dict, rule->subject_id),
718 dict_get_label(handle->dict, rule->object_id),
721 if (rule->subject_len > SHORT_LABEL_LEN ||
722 rule->object_len > SHORT_LABEL_LEN) {
727 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
728 dict_get_label(handle->dict, rule->subject_id),
729 dict_get_label(handle->dict, rule->object_id),
739 ret = write(fd, buf, ret);
755 static inline ssize_t get_label(char *dest, const char *src)
759 if (!src || src[0] == '\0' || src[0] == '-')
762 for (i = 0; i < (SMACK_LABEL_LEN + 1) && src[i]; i++) {
763 if (src[i] <= ' ' || src[i] > '~')
779 if (dest && i < (SMACK_LABEL_LEN + 1))
782 return i < (SMACK_LABEL_LEN + 1) ? i : -1;
786 static inline int str_to_access_code(const char *str)
789 unsigned int code = 0;
791 for (i = 0; str[i] != '\0'; i++) {
795 code |= ACCESS_TYPE_R;
799 code |= ACCESS_TYPE_W;
803 code |= ACCESS_TYPE_X;
807 code |= ACCESS_TYPE_A;
811 code |= ACCESS_TYPE_T;
815 code |= ACCESS_TYPE_L;
827 static inline void access_code_to_str(unsigned int code, char *str)
829 str[0] = ((code & ACCESS_TYPE_R) != 0) ? 'r' : '-';
830 str[1] = ((code & ACCESS_TYPE_W) != 0) ? 'w' : '-';
831 str[2] = ((code & ACCESS_TYPE_X) != 0) ? 'x' : '-';
832 str[3] = ((code & ACCESS_TYPE_A) != 0) ? 'a' : '-';
833 str[4] = ((code & ACCESS_TYPE_T) != 0) ? 't' : '-';
834 str[5] = ((code & ACCESS_TYPE_L) != 0) ? 'l' : '-';
838 static int dict_create(struct label_dict **dict)
840 *dict = calloc(1, sizeof(struct label_dict));
843 (*dict)->htab = calloc(1, sizeof(struct hsearch_data));
846 (*dict)->labels = calloc(DICT_HASH_SIZE, sizeof(char *));
847 if (!(*dict)->labels)
849 if (hcreate_r(DICT_HASH_SIZE, (*dict)->htab) == 0)
854 free((*dict)->labels);
863 static int dict_free(struct label_dict *dict)
866 for (i = 0; i < (dict->nof_labels); i++)
867 free((dict->labels)[i]);
869 hdestroy_r(dict->htab);
875 static ssize_t dict_add_label(struct label_dict *dict, int *id, const char *label)
880 ret = get_label(NULL, label);
882 if (dict->nof_labels == DICT_HASH_SIZE)
887 e.key = (char *)label;
888 e.data = (void *)(&(dict->labels[dict->nof_labels]));
890 search = hsearch_r(e, ENTER, &ep, dict->htab);
893 if (e.data != ep->data) {/*found an existing entry*/
894 *id = (int)((char **)(ep->data) - dict->labels);
895 } else {/*new entry added*/
896 ep->key = malloc(ret + 1);
900 memcpy(ep->key, label, ret);
901 dict->labels[dict->nof_labels] = ep->key;
902 *id = dict->nof_labels++;
907 static const char *dict_get_label(const struct label_dict *dict, int id)
909 if (id < dict->nof_labels)
910 return dict->labels[id];