2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
6 * Copyright (C) 2012 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
24 * Brian McGillion <brian.mcgillion@intel.com>
25 * Rafal Krypa <r.krypa@samsung.com>
28 #include "sys/smack.h"
34 #include <sys/socket.h>
36 #include <sys/types.h>
37 #include <sys/xattr.h>
41 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
43 #define KERNEL_FORMAT "%s %s %s"
44 #define KERNEL_FORMAT_MODIFY "%s %s %s %s"
45 #define READ_BUF_SIZE LOAD_LEN + 10
46 #define SMACKFS_MNT "/smack"
47 #define SELF_LABEL_FILE "/proc/self/attr/current"
49 typedef int (*getxattr_func)(void*, const char*, void*, size_t);
50 typedef int (*setxattr_func)(const void*, const char*, const void*, size_t, int);
51 typedef int (*removexattr_func)(void*, const char*);
54 char subject[SMACK_LABEL_LEN + 1];
55 char object[SMACK_LABEL_LEN + 1];
57 char access_set[ACC_LEN + 1];
58 char access_add[ACC_LEN + 1];
59 char access_del[ACC_LEN + 1];
60 struct smack_rule *next;
63 struct smack_accesses {
64 struct smack_rule *first;
65 struct smack_rule *last;
68 static int accesses_apply(struct smack_accesses *handle, int clear);
69 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1]);
70 static inline char* get_xattr_name(enum smack_label_type type);
72 int smack_accesses_new(struct smack_accesses **accesses)
74 struct smack_accesses *result;
76 result = calloc(sizeof(struct smack_accesses), 1);
84 void smack_accesses_free(struct smack_accesses *handle)
89 struct smack_rule *rule = handle->first;
90 struct smack_rule *next_rule = NULL;
92 while (rule != NULL) {
93 next_rule = rule->next;
101 int smack_accesses_save(struct smack_accesses *handle, int fd)
103 struct smack_rule *rule = handle->first;
112 file = fdopen(newfd, "w");
119 if (rule->is_modify) {
120 ret = fprintf(file, "%s %s %s %s\n",
121 rule->subject, rule->object,
122 rule->access_add, rule->access_del);
124 ret = fprintf(file, "%s %s %s\n",
125 rule->subject, rule->object,
141 int smack_accesses_apply(struct smack_accesses *handle)
143 return accesses_apply(handle, 0);
146 int smack_accesses_clear(struct smack_accesses *handle)
148 return accesses_apply(handle, 1);
151 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
152 const char *object, const char *access_type)
154 struct smack_rule *rule = NULL;
156 rule = calloc(sizeof(struct smack_rule), 1);
160 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
161 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
162 parse_access_type(access_type, rule->access_set);
164 if (handle->first == NULL) {
165 handle->first = handle->last = rule;
167 handle->last->next = rule;
174 int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
175 const char *object, const char *access_add, const char *access_del)
177 struct smack_rule *rule = NULL;
179 rule = calloc(sizeof(struct smack_rule), 1);
183 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
184 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
185 parse_access_type(access_add, rule->access_add);
186 parse_access_type(access_del, rule->access_del);
189 if (handle->first == NULL) {
190 handle->first = handle->last = rule;
192 handle->last->next = rule;
199 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
202 char buf[READ_BUF_SIZE];
204 const char *subject, *object, *access, *access2;
212 file = fdopen(newfd, "r");
218 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
219 if (strcmp(buf, "\n") == 0)
221 subject = strtok_r(buf, " \t\n", &ptr);
222 object = strtok_r(NULL, " \t\n", &ptr);
223 access = strtok_r(NULL, " \t\n", &ptr);
224 access2 = strtok_r(NULL, " \t\n", &ptr);
226 if (subject == NULL || object == NULL || access == NULL ||
227 strtok_r(NULL, " \t\n", &ptr) != NULL) {
234 ret = smack_accesses_add(accesses, subject, object, access);
236 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
253 int smack_have_access(const char *subject, const char *object,
254 const char *access_type)
256 char buf[LOAD_LEN + 1];
257 char access_type_k[ACC_LEN + 1];
261 parse_access_type(access_type, access_type_k);
263 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT, subject, object,
268 fd = open(SMACKFS_MNT "/access2", O_RDWR);
272 ret = write(fd, buf, LOAD_LEN);
278 ret = read(fd, buf, 1);
283 return buf[0] == '1';
286 int smack_new_label_from_self(char **label)
292 result = calloc(SMACK_LABEL_LEN + 1, 1);
296 fd = open(SELF_LABEL_FILE, O_RDONLY);
302 ret = read(fd, result, SMACK_LABEL_LEN);
313 int smack_new_label_from_socket(int fd, char **label)
317 socklen_t length = 1;
320 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
321 if (ret < 0 && errno != ERANGE)
324 result = calloc(length + 1, 1);
328 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
338 int smack_set_label_for_self(const char *label)
344 len = strnlen(label, SMACK_LABEL_LEN + 1);
345 if (len > SMACK_LABEL_LEN)
348 fd = open(SELF_LABEL_FILE, O_WRONLY);
352 ret = write(fd, label, len);
355 return (ret < 0) ? -1 : 0;
358 int smack_revoke_subject(const char *subject)
363 fd = open(SMACKFS_MNT "/revoke-subject", O_RDWR);
367 ret = write(fd, subject, strnlen(subject, SMACK_LABEL_LEN));
370 return (ret < 0) ? -1 : 0;
373 static int internal_getlabel(void* file, char** label,
374 enum smack_label_type type,
375 getxattr_func getfunc)
377 char* xattr_name = get_xattr_name(type);
378 char value[SMACK_LABEL_LEN + 1];
381 ret = getfunc(file, xattr_name, value, SMACK_LABEL_LEN + 1);
383 if (errno == ENODATA) {
391 *label = calloc(ret + 1, 1);
394 strncpy(*label, value, ret);
398 static int internal_setlabel(void* file, const char* label,
399 enum smack_label_type type,
400 setxattr_func setfunc, removexattr_func removefunc)
402 char* xattr_name = get_xattr_name(type);
405 /* Check validity of labels for LABEL_TRANSMUTE */
406 if (type == SMACK_LABEL_TRANSMUTE && label != NULL) {
407 if (!strcmp(label, "0"))
409 else if (!strcmp(label, "1"))
415 if (label == NULL || label[0] == '\0') {
416 ret = removefunc(file, xattr_name);
417 if (ret == -1 && errno == ENODATA)
421 int len = strnlen(label, SMACK_LABEL_LEN + 1);
422 if (len > SMACK_LABEL_LEN)
424 return setfunc(file, xattr_name, label, len, 0);
428 int smack_getlabel(const char *path, char** label,
429 enum smack_label_type type)
431 return internal_getlabel((void*) path, label, type,
432 (getxattr_func) getxattr);
435 int smack_lgetlabel(const char *path, char** label,
436 enum smack_label_type type)
438 return internal_getlabel((void*) path, label, type,
439 (getxattr_func) lgetxattr);
442 int smack_fgetlabel(int fd, char** label,
443 enum smack_label_type type)
445 return internal_getlabel((void*) fd, label, type,
446 (getxattr_func) fgetxattr);
449 int smack_setlabel(const char *path, const char* label,
450 enum smack_label_type type)
452 return internal_setlabel((void*) path, label, type,
453 (setxattr_func) setxattr, (removexattr_func) removexattr);
456 int smack_lsetlabel(const char *path, const char* label,
457 enum smack_label_type type)
459 return internal_setlabel((void*) path, label, type,
460 (setxattr_func) lsetxattr, (removexattr_func) lremovexattr);
463 int smack_fsetlabel(int fd, const char* label,
464 enum smack_label_type type)
466 return internal_setlabel((void*) fd, label, type,
467 (setxattr_func) fsetxattr, (removexattr_func) fremovexattr);
470 static int accesses_apply(struct smack_accesses *handle, int clear)
472 char buf[LOAD_LEN + 1];
473 struct smack_rule *rule;
480 load_fd = open(SMACKFS_MNT "/load2", O_WRONLY);
481 change_fd = open(SMACKFS_MNT "/change-rule", O_WRONLY);
483 for (rule = handle->first; rule != NULL; rule = rule->next) {
486 size = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT, rule->subject, rule->object, "-----");
489 if (rule->is_modify) {
491 size = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT_MODIFY,
492 rule->subject, rule->object, rule->access_add, rule->access_del);
495 size = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT,
496 rule->subject, rule->object, rule->access_set);
500 if (size == -1 || size > LOAD_LEN || fd == -1) {
505 ret = write(fd, buf, size);
521 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1])
525 for (i = 0; i < ACC_LEN; ++i)
529 for (i = 0; in[i] != '\0'; i++)
556 static inline char* get_xattr_name(enum smack_label_type type)
559 case SMACK_LABEL_ACCESS:
560 return "security.SMACK64";
561 case SMACK_LABEL_EXEC:
562 return "security.SMACK64EXEC";
563 case SMACK_LABEL_MMAP:
564 return "security.SMACK64MMAP";
565 case SMACK_LABEL_TRANSMUTE:
566 return "security.SMACK64TRANSMUTE";
567 case SMACK_LABEL_IPIN:
568 return "security.SMACK64IPIN";
569 case SMACK_LABEL_IPOUT:
570 return "security.SMACK64IPOUT";
572 /* Should not reach this point */