2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
6 * Copyright (C) 2012 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
24 * Brian McGillion <brian.mcgillion@intel.com>
25 * Passion Zhao <passion.zhao@intel.com>
26 * Rafal Krypa <r.krypa@samsung.com>
29 #include "sys/smack.h"
35 #include <sys/socket.h>
37 #include <sys/types.h>
38 #include <sys/xattr.h>
43 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
48 #define CAT_MAX_COUNT 240
49 #define CAT_MAX_VALUE 63
50 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
51 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
52 #define CIPSO_NUM_LEN_STR "%-4d"
54 #define KERNEL_LONG_FORMAT "%s %s %s"
55 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
56 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
57 #define READ_BUF_SIZE LOAD_LEN + 1
58 #define SELF_LABEL_FILE "/proc/self/attr/current"
60 extern char *smack_mnt;
62 typedef int (*getxattr_func)(void*, const char*, void*, size_t);
63 typedef int (*setxattr_func)(const void*, const char*, const void*, size_t, int);
64 typedef int (*removexattr_func)(void*, const char*);
67 char subject[SMACK_LABEL_LEN + 1];
68 char object[SMACK_LABEL_LEN + 1];
70 char access_set[ACC_LEN + 1];
71 char access_add[ACC_LEN + 1];
72 char access_del[ACC_LEN + 1];
73 struct smack_rule *next;
76 struct smack_accesses {
77 struct smack_rule *first;
78 struct smack_rule *last;
81 struct cipso_mapping {
82 char label[SMACK_LABEL_LEN + 1];
83 int cats[CAT_MAX_VALUE];
86 struct cipso_mapping *next;
90 struct cipso_mapping *first;
91 struct cipso_mapping *last;
94 static int accesses_apply(struct smack_accesses *handle, int clear);
95 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1]);
96 static inline char* get_xattr_name(enum smack_label_type type);
98 int smack_accesses_new(struct smack_accesses **accesses)
100 struct smack_accesses *result;
102 result = calloc(sizeof(struct smack_accesses), 1);
110 void smack_accesses_free(struct smack_accesses *handle)
115 struct smack_rule *rule = handle->first;
116 struct smack_rule *next_rule = NULL;
118 while (rule != NULL) {
119 next_rule = rule->next;
127 int smack_accesses_save(struct smack_accesses *handle, int fd)
129 struct smack_rule *rule = handle->first;
138 file = fdopen(newfd, "w");
145 if (rule->is_modify) {
146 ret = fprintf(file, "%s %s %s %s\n",
147 rule->subject, rule->object,
148 rule->access_add, rule->access_del);
150 ret = fprintf(file, "%s %s %s\n",
151 rule->subject, rule->object,
167 int smack_accesses_apply(struct smack_accesses *handle)
169 return accesses_apply(handle, 0);
172 int smack_accesses_clear(struct smack_accesses *handle)
174 return accesses_apply(handle, 1);
177 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
178 const char *object, const char *access_type)
180 struct smack_rule *rule = NULL;
182 rule = calloc(sizeof(struct smack_rule), 1);
186 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
187 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
188 parse_access_type(access_type, rule->access_set);
190 if (handle->first == NULL) {
191 handle->first = handle->last = rule;
193 handle->last->next = rule;
200 int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
201 const char *object, const char *access_add, const char *access_del)
203 struct smack_rule *rule = NULL;
205 rule = calloc(sizeof(struct smack_rule), 1);
209 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
210 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
211 parse_access_type(access_add, rule->access_add);
212 parse_access_type(access_del, rule->access_del);
215 if (handle->first == NULL) {
216 handle->first = handle->last = rule;
218 handle->last->next = rule;
225 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
228 char buf[READ_BUF_SIZE];
230 const char *subject, *object, *access, *access2;
238 file = fdopen(newfd, "r");
244 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
245 if (strcmp(buf, "\n") == 0)
247 subject = strtok_r(buf, " \t\n", &ptr);
248 object = strtok_r(NULL, " \t\n", &ptr);
249 access = strtok_r(NULL, " \t\n", &ptr);
250 access2 = strtok_r(NULL, " \t\n", &ptr);
252 if (subject == NULL || object == NULL || access == NULL ||
253 strtok_r(NULL, " \t\n", &ptr) != NULL) {
260 ret = smack_accesses_add(accesses, subject, object, access);
262 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
279 int smack_have_access(const char *subject, const char *object,
280 const char *access_type)
282 char buf[LOAD_LEN + 1];
283 char access_type_k[ACC_LEN + 1];
294 snprintf(path, sizeof path, "%s/access2", smack_mnt);
295 fd = open(path, O_RDWR);
300 snprintf(path, sizeof path, "%s/access", smack_mnt);
301 fd = open(path, O_RDWR);
307 parse_access_type(access_type, access_type_k);
310 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
311 subject, object, access_type_k);
313 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
314 subject, object, access_type_k);
321 ret = write(fd, buf, strlen(buf));
327 ret = read(fd, buf, 1);
332 return buf[0] == '1';
334 void smack_cipso_free(struct smack_cipso *cipso)
339 struct cipso_mapping *mapping = cipso->first;
340 struct cipso_mapping *next_mapping = NULL;
342 while (mapping != NULL) {
343 next_mapping = mapping->next;
345 mapping = next_mapping;
349 struct smack_cipso *smack_cipso_new(int fd)
351 struct smack_cipso *cipso = NULL;
352 struct cipso_mapping *mapping = NULL;
355 char *label, *level, *cat, *ptr;
364 file = fdopen(newfd, "r");
370 cipso = calloc(sizeof(struct smack_cipso ), 1);
376 while (fgets(buf, BUF_SIZE, file) != NULL) {
377 mapping = calloc(sizeof(struct cipso_mapping), 1);
381 label = strtok_r(buf, " \t\n", &ptr);
382 level = strtok_r(NULL, " \t\n", &ptr);
383 cat = strtok_r(NULL, " \t\n", &ptr);
384 if (label == NULL || cat == NULL || level == NULL ||
385 strlen(label) > SMACK_LABEL_LEN) {
390 strcpy(mapping->label, label);
393 val = strtol(level, NULL, 10);
397 if (val < 0 || val > LEVEL_MAX) {
402 mapping->level = val;
404 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
406 val = strtol(cat, NULL, 10);
410 if (val < 0 || val > CAT_MAX_VALUE) {
415 mapping->cats[i] = val;
417 cat = strtok_r(NULL, " \t\n", &ptr);
422 if (cipso->first == NULL) {
423 cipso->first = cipso->last = mapping;
425 cipso->last->next = mapping;
426 cipso->last = mapping;
437 smack_cipso_free(cipso);
442 const char *smack_smackfs_path(void)
447 int smack_cipso_apply(struct smack_cipso *cipso)
449 struct cipso_mapping *m = NULL;
450 char buf[CIPSO_MAX_SIZE];
461 snprintf(path, sizeof path, "%s/cipso2", smack_mnt);
462 fd = open(path, O_WRONLY);
466 memset(buf,0,CIPSO_MAX_SIZE);
467 for (m = cipso->first; m != NULL; m = m->next) {
468 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
469 offset += strlen(buf) + 1;
471 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
474 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
477 for (i = 0; i < m->ncats; i++){
478 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
482 if (write(fd, buf, offset) < 0) {
492 int smack_new_label_from_self(char **label)
498 result = calloc(SMACK_LABEL_LEN + 1, 1);
502 fd = open(SELF_LABEL_FILE, O_RDONLY);
508 ret = read(fd, result, SMACK_LABEL_LEN);
519 int smack_new_label_from_socket(int fd, char **label)
523 socklen_t length = 1;
526 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
527 if (ret < 0 && errno != ERANGE)
530 result = calloc(length + 1, 1);
534 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
544 int smack_set_label_for_self(const char *label)
550 len = strnlen(label, SMACK_LABEL_LEN + 1);
551 if (len > SMACK_LABEL_LEN)
554 fd = open(SELF_LABEL_FILE, O_WRONLY);
558 ret = write(fd, label, len);
561 return (ret < 0) ? -1 : 0;
564 int smack_revoke_subject(const char *subject)
571 len = strnlen(subject, SMACK_LABEL_LEN + 1);
572 if (len > SMACK_LABEL_LEN)
575 snprintf(path, sizeof path, "%s/revoke-subject", smack_mnt);
576 fd = open(path, O_WRONLY);
580 ret = write(fd, subject, len);
583 return (ret < 0) ? -1 : 0;
586 static int internal_getlabel(void* file, char** label,
587 enum smack_label_type type,
588 getxattr_func getfunc)
590 char* xattr_name = get_xattr_name(type);
591 char value[SMACK_LABEL_LEN + 1];
594 ret = getfunc(file, xattr_name, value, SMACK_LABEL_LEN + 1);
596 if (errno == ENODATA) {
604 *label = calloc(ret + 1, 1);
607 strncpy(*label, value, ret);
611 static int internal_setlabel(void* file, const char* label,
612 enum smack_label_type type,
613 setxattr_func setfunc, removexattr_func removefunc)
615 char* xattr_name = get_xattr_name(type);
618 /* Check validity of labels for LABEL_TRANSMUTE */
619 if (type == SMACK_LABEL_TRANSMUTE && label != NULL) {
620 if (!strcmp(label, "0"))
622 else if (!strcmp(label, "1"))
628 if (label == NULL || label[0] == '\0') {
629 ret = removefunc(file, xattr_name);
630 if (ret == -1 && errno == ENODATA)
634 int len = strnlen(label, SMACK_LABEL_LEN + 1);
635 if (len > SMACK_LABEL_LEN)
637 return setfunc(file, xattr_name, label, len, 0);
641 int smack_getlabel(const char *path, char** label,
642 enum smack_label_type type)
644 return internal_getlabel((void*) path, label, type,
645 (getxattr_func) getxattr);
648 int smack_lgetlabel(const char *path, char** label,
649 enum smack_label_type type)
651 return internal_getlabel((void*) path, label, type,
652 (getxattr_func) lgetxattr);
655 int smack_fgetlabel(int fd, char** label,
656 enum smack_label_type type)
658 return internal_getlabel((void*) fd, label, type,
659 (getxattr_func) fgetxattr);
662 int smack_setlabel(const char *path, const char* label,
663 enum smack_label_type type)
665 return internal_setlabel((void*) path, label, type,
666 (setxattr_func) setxattr, (removexattr_func) removexattr);
669 int smack_lsetlabel(const char *path, const char* label,
670 enum smack_label_type type)
672 return internal_setlabel((void*) path, label, type,
673 (setxattr_func) lsetxattr, (removexattr_func) lremovexattr);
676 int smack_fsetlabel(int fd, const char* label,
677 enum smack_label_type type)
679 return internal_setlabel((void*) fd, label, type,
680 (setxattr_func) fsetxattr, (removexattr_func) fremovexattr);
683 static int accesses_apply(struct smack_accesses *handle, int clear)
685 char buf[LOAD_LEN + 1];
686 struct smack_rule *rule;
699 snprintf(path, sizeof path, "%s/load2", smack_mnt);
700 load_fd = open(path, O_WRONLY);
705 snprintf(path, sizeof path, "%s/load", smack_mnt);
706 load_fd = open(path, O_WRONLY);
707 /* Try to continue if the file doesn't exist, we might not need it. */
708 if (load_fd < 0 && errno != ENOENT)
713 snprintf(path, sizeof path, "%s/change-rule", smack_mnt);
714 change_fd = open(path, O_WRONLY);
715 /* Try to continue if the file doesn't exist, we might not need it. */
716 if (change_fd < 0 && errno != ENOENT) {
721 for (rule = handle->first; rule != NULL; rule = rule->next) {
723 strcpy(rule->access_set, "-----");
727 if (rule->is_modify) {
729 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
730 rule->subject, rule->object,
731 rule->access_add, rule->access_del);
735 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
736 rule->subject, rule->object,
739 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
740 rule->subject, rule->object,
744 if (ret < 0 || fd < 0) {
749 ret = write(fd, buf, strlen(buf));
765 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1])
769 for (i = 0; i < ACC_LEN; ++i)
773 for (i = 0; in[i] != '\0'; i++)
800 static inline char* get_xattr_name(enum smack_label_type type)
803 case SMACK_LABEL_ACCESS:
804 return "security.SMACK64";
805 case SMACK_LABEL_EXEC:
806 return "security.SMACK64EXEC";
807 case SMACK_LABEL_MMAP:
808 return "security.SMACK64MMAP";
809 case SMACK_LABEL_TRANSMUTE:
810 return "security.SMACK64TRANSMUTE";
811 case SMACK_LABEL_IPIN:
812 return "security.SMACK64IPIN";
813 case SMACK_LABEL_IPOUT:
814 return "security.SMACK64IPOUT";
816 /* Should not reach this point */