2 * This file is part of libsmack
4 * Copyright (C) 2010, 2011 Nokia Corporation
5 * Copyright (C) 2011, 2012, 2013 Intel Corporation
6 * Copyright (C) 2012, 2013 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
24 #include "sys/smack.h"
31 #include <sys/socket.h>
33 #include <sys/types.h>
35 #include <sys/xattr.h>
37 #define SELF_LABEL_FILE "/proc/self/attr/current"
39 #define SHORT_LABEL_LEN 23
41 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
42 #define KERNEL_LONG_FORMAT "%s %s %s"
43 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5.5s"
44 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
49 #define CAT_MAX_COUNT 240
50 #define CAT_MAX_VALUE 63
51 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
52 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
53 #define CIPSO_NUM_LEN_STR "%-4d"
55 #define ACCESS_TYPE_R 0x01
56 #define ACCESS_TYPE_W 0x02
57 #define ACCESS_TYPE_X 0x04
58 #define ACCESS_TYPE_A 0x08
59 #define ACCESS_TYPE_T 0x10
60 #define ACCESS_TYPE_L 0x20
62 #define DICT_HASH_SIZE 4096
64 extern char *smackfs_mnt;
65 extern int smackfs_mnt_dirfd;
70 struct hsearch_data *htab;
78 struct smack_rule *next;
81 struct smack_accesses {
83 struct smack_rule *first;
84 struct smack_rule *last;
85 struct label_dict *dict;
88 struct cipso_mapping {
89 char label[SMACK_LABEL_LEN + 1];
90 int cats[CAT_MAX_VALUE];
93 struct cipso_mapping *next;
98 struct cipso_mapping *first;
99 struct cipso_mapping *last;
102 static int open_smackfs_file(const char *long_name, const char *short_name,
104 static int accesses_apply(struct smack_accesses *handle, int clear);
105 static int accesses_print(struct smack_accesses *handle, int clear,
106 int load_fd, int change_fd, int use_long, int add_lf);
107 static inline ssize_t get_label(char *dest, const char *src);
108 static inline int str_to_access_code(const char *str);
109 static inline void access_code_to_str(unsigned code, char *str);
110 static int dict_create(struct label_dict **dict);
111 static int dict_free(struct label_dict *dict);
112 static const char *dict_get_label(const struct label_dict *dict, int id);
113 static ssize_t dict_add_label(struct label_dict *dict, int *id, const char *src);
115 int smack_accesses_new(struct smack_accesses **accesses)
117 struct smack_accesses *result;
119 result = calloc(sizeof(struct smack_accesses), 1);
123 if (dict_create(&(result->dict)))
129 void smack_accesses_free(struct smack_accesses *handle)
134 struct smack_rule *rule = handle->first;
135 struct smack_rule *next_rule = NULL;
137 while (rule != NULL) {
138 next_rule = rule->next;
143 dict_free(handle->dict);
147 int smack_accesses_save(struct smack_accesses *handle, int fd)
149 return accesses_print(handle, 0, fd, fd, 1, 1);
152 int smack_accesses_apply(struct smack_accesses *handle)
154 return accesses_apply(handle, 0);
157 int smack_accesses_clear(struct smack_accesses *handle)
159 return accesses_apply(handle, 1);
162 int accesses_add(struct smack_accesses *handle, const char *subject,
163 const char *object, const char *allow_access_type,
164 const char *deny_access_type)
166 struct smack_rule *rule = NULL;
169 rule = calloc(sizeof(struct smack_rule), 1);
173 ret = dict_add_label(handle->dict, &(rule->subject_id), subject);
176 if (ret > SHORT_LABEL_LEN)
177 handle->has_long = 1;
179 ret = dict_add_label(handle->dict, &(rule->object_id), object);
182 if (ret > SHORT_LABEL_LEN)
183 handle->has_long = 1;
185 rule->allow_code = str_to_access_code(allow_access_type);
186 if (rule->allow_code == -1)
189 if (deny_access_type != NULL) {
190 rule->deny_code = str_to_access_code(deny_access_type);
191 if (rule->deny_code == -1)
194 rule->deny_code = -1; /* no modify */
196 if (handle->first == NULL) {
197 handle->first = handle->last = rule;
199 handle->last->next = rule;
209 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
210 const char *object, const char *access_type)
212 return accesses_add(handle, subject, object, access_type, NULL);
215 int smack_accesses_add_modify(struct smack_accesses *handle,
218 const char *allow_access_type,
219 const char *deny_access_type)
221 return accesses_add(handle, subject, object,
222 allow_access_type, deny_access_type);
225 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
228 char buf[LOAD_LEN + 1];
230 const char *subject, *object, *access, *access2;
238 file = fdopen(newfd, "r");
244 while (fgets(buf, LOAD_LEN + 1, file) != NULL) {
245 if (strcmp(buf, "\n") == 0)
247 subject = strtok_r(buf, " \t\n", &ptr);
248 object = strtok_r(NULL, " \t\n", &ptr);
249 access = strtok_r(NULL, " \t\n", &ptr);
250 access2 = strtok_r(NULL, " \t\n", &ptr);
252 if (subject == NULL || object == NULL || access == NULL ||
253 strtok_r(NULL, " \t\n", &ptr) != NULL) {
259 ret = smack_accesses_add(accesses, subject, object, access);
261 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
278 int smack_have_access(const char *subject, const char *object,
279 const char *access_type)
281 char buf[LOAD_LEN + 1];
282 char str[ACC_LEN + 1];
288 if (smackfs_mnt_dirfd < 0)
291 fd = open_smackfs_file("access2", "access", &use_long);
295 if ((code = str_to_access_code(access_type)) < 0)
297 access_code_to_str(code, str);
300 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
301 subject, object, str);
303 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
304 subject, object, str);
311 ret = write(fd, buf, strlen(buf));
317 ret = read(fd, buf, 1);
322 return buf[0] == '1';
325 int smack_cipso_new(struct smack_cipso **cipso)
327 struct smack_cipso *result;
329 result = calloc(sizeof(struct smack_cipso), 1);
337 void smack_cipso_free(struct smack_cipso *cipso)
342 struct cipso_mapping *mapping = cipso->first;
343 struct cipso_mapping *next_mapping = NULL;
345 while (mapping != NULL) {
346 next_mapping = mapping->next;
348 mapping = next_mapping;
354 int smack_cipso_apply(struct smack_cipso *cipso)
356 struct cipso_mapping *m = NULL;
357 char buf[CIPSO_MAX_SIZE];
363 if (smackfs_mnt_dirfd < 0)
366 fd = open_smackfs_file("cipso2", "cipso", &use_long);
370 if (!use_long && cipso->has_long)
373 memset(buf,0,CIPSO_MAX_SIZE);
374 for (m = cipso->first; m != NULL; m = m->next) {
375 snprintf(buf, SMACK_LABEL_LEN + 1, use_long ? "%s" : "%-23s",
377 offset = strlen(buf) + 1;
379 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
382 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
385 for (i = 0; i < m->ncats; i++){
386 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
390 if (write(fd, buf, offset) < 0) {
400 int smack_cipso_add_from_file(struct smack_cipso *cipso, int fd)
402 struct cipso_mapping *mapping = NULL;
405 char *label, *level, *cat, *ptr;
414 file = fdopen(newfd, "r");
420 while (fgets(buf, BUF_SIZE, file) != NULL) {
421 mapping = calloc(sizeof(struct cipso_mapping), 1);
425 label = strtok_r(buf, " \t\n", &ptr);
426 level = strtok_r(NULL, " \t\n", &ptr);
427 cat = strtok_r(NULL, " \t\n", &ptr);
432 val = get_label(mapping->label, label);
435 if (val > SHORT_LABEL_LEN)
439 val = strtol(level, NULL, 10);
443 if (val < 0 || val > LEVEL_MAX)
446 mapping->level = val;
448 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
450 val = strtol(cat, NULL, 10);
454 if (val < 0 || val > CAT_MAX_VALUE)
457 mapping->cats[i] = val;
459 cat = strtok_r(NULL, " \t\n", &ptr);
464 if (cipso->first == NULL) {
465 cipso->first = cipso->last = mapping;
467 cipso->last->next = mapping;
468 cipso->last = mapping;
483 const char *smack_smackfs_path(void)
488 ssize_t smack_new_label_from_self(char **label)
494 result = calloc(SMACK_LABEL_LEN + 1, 1);
498 fd = open(SELF_LABEL_FILE, O_RDONLY);
504 ret = read(fd, result, SMACK_LABEL_LEN);
515 ssize_t smack_new_label_from_socket(int fd, char **label)
519 socklen_t length = 1;
522 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
523 if (ret < 0 && errno != ERANGE)
526 result = calloc(length + 1, 1);
530 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
540 ssize_t smack_new_label_from_path(const char *path, const char *xattr,
541 int follow, char **label)
543 char buf[SMACK_LABEL_LEN + 1];
548 getxattr(path, xattr, buf, SMACK_LABEL_LEN + 1) :
549 lgetxattr(path, xattr, buf, SMACK_LABEL_LEN + 1);
553 result = calloc(ret + 1, 1);
557 ret = get_label(result, buf);
567 int smack_set_label_for_self(const char *label)
573 len = get_label(NULL, label);
577 fd = open(SELF_LABEL_FILE, O_WRONLY);
581 ret = write(fd, label, len);
584 return (ret < 0) ? -1 : 0;
587 int smack_revoke_subject(const char *subject)
593 if (smackfs_mnt_dirfd < 0)
596 len = get_label(NULL, subject);
600 fd = openat(smackfs_mnt_dirfd, "revoke-subject", O_WRONLY);
604 ret = write(fd, subject, len);
607 return (ret < 0) ? -1 : 0;
610 static int open_smackfs_file(const char *long_name, const char *short_name,
615 fd = openat(smackfs_mnt_dirfd, long_name, O_WRONLY);
620 fd = openat(smackfs_mnt_dirfd, short_name, O_WRONLY);
632 static int accesses_apply(struct smack_accesses *handle, int clear)
639 if (smackfs_mnt_dirfd < 0)
642 load_fd = open_smackfs_file("load2", "load", &use_long);
646 change_fd = openat(smackfs_mnt_dirfd, "change-rule", O_WRONLY);
647 /* Try to continue if the file doesn't exist, we might not need it. */
648 if (change_fd < 0 && errno != ENOENT) {
653 ret = accesses_print(handle, clear, load_fd, change_fd, use_long, 0);
663 static int accesses_print(struct smack_accesses *handle, int clear,
664 int load_fd, int change_fd, int use_long, int add_lf)
666 char buf[LOAD_LEN + 1];
667 char allow_str[ACC_LEN + 1];
668 char deny_str[ACC_LEN + 1];
669 struct smack_rule *rule;
675 if (!use_long && handle->has_long)
678 for (rule = handle->first; rule != NULL; rule = rule->next) {
679 /* Fail immediately without doing any further processing
680 if modify rules are not supported. */
681 if (rule->deny_code >= 0 && change_fd < 0)
684 access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
686 if (rule->deny_code != -1 && !clear) {
687 access_code_to_str(rule->deny_code, deny_str);
690 cnt = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
691 dict_get_label(handle->dict, rule->subject_id),
692 dict_get_label(handle->dict, rule->object_id),
698 cnt = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
699 dict_get_label(handle->dict, rule->subject_id),
700 dict_get_label(handle->dict, rule->object_id),
703 cnt = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
704 dict_get_label(handle->dict, rule->subject_id),
705 dict_get_label(handle->dict, rule->object_id),
715 for (i = 0; i < cnt; ) {
716 ret = write(fd, buf + i, cnt - i);
729 static inline ssize_t get_label(char *dest, const char *src)
733 if (!src || src[0] == '\0' || src[0] == '-')
736 for (i = 0; i < (SMACK_LABEL_LEN + 1) && src[i]; i++) {
737 if (src[i] <= ' ' || src[i] > '~')
753 if (dest && i < (SMACK_LABEL_LEN + 1))
756 return i < (SMACK_LABEL_LEN + 1) ? i : -1;
760 static inline int str_to_access_code(const char *str)
763 unsigned int code = 0;
765 for (i = 0; str[i] != '\0'; i++) {
769 code |= ACCESS_TYPE_R;
773 code |= ACCESS_TYPE_W;
777 code |= ACCESS_TYPE_X;
781 code |= ACCESS_TYPE_A;
785 code |= ACCESS_TYPE_T;
789 code |= ACCESS_TYPE_L;
801 static inline void access_code_to_str(unsigned int code, char *str)
803 str[0] = ((code & ACCESS_TYPE_R) != 0) ? 'r' : '-';
804 str[1] = ((code & ACCESS_TYPE_W) != 0) ? 'w' : '-';
805 str[2] = ((code & ACCESS_TYPE_X) != 0) ? 'x' : '-';
806 str[3] = ((code & ACCESS_TYPE_A) != 0) ? 'a' : '-';
807 str[4] = ((code & ACCESS_TYPE_T) != 0) ? 't' : '-';
808 str[5] = ((code & ACCESS_TYPE_L) != 0) ? 'l' : '-';
812 static int dict_create(struct label_dict **dict)
814 *dict = calloc(1, sizeof(struct label_dict));
817 (*dict)->htab = calloc(1, sizeof(struct hsearch_data));
820 (*dict)->labels = calloc(DICT_HASH_SIZE, sizeof(char *));
821 if (!(*dict)->labels)
823 if (hcreate_r(DICT_HASH_SIZE, (*dict)->htab) == 0)
828 free((*dict)->labels);
837 static int dict_free(struct label_dict *dict)
840 for (i = 0; i < (dict->nof_labels); i++)
841 free((dict->labels)[i]);
843 hdestroy_r(dict->htab);
849 static ssize_t dict_add_label(struct label_dict *dict, int *id, const char *label)
854 ret = get_label(NULL, label);
856 if (dict->nof_labels == DICT_HASH_SIZE)
861 e.key = (char *)label;
862 e.data = (void *)(&(dict->labels[dict->nof_labels]));
864 search = hsearch_r(e, ENTER, &ep, dict->htab);
867 if (e.data != ep->data) {/*found an existing entry*/
868 *id = (int)((char **)(ep->data) - dict->labels);
869 } else {/*new entry added*/
870 ep->key = malloc(ret + 1);
874 memcpy(ep->key, label, ret);
875 dict->labels[dict->nof_labels] = ep->key;
876 *id = dict->nof_labels++;
881 static const char *dict_get_label(const struct label_dict *dict, int id)
883 if (id < dict->nof_labels)
884 return dict->labels[id];