2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
6 * Copyright (C) 2012 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 #include "sys/smack.h"
29 #include <sys/socket.h>
31 #include <sys/types.h>
33 #include <sys/xattr.h>
36 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
41 #define CAT_MAX_COUNT 240
42 #define CAT_MAX_VALUE 63
43 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
44 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
45 #define CIPSO_NUM_LEN_STR "%-4d"
47 #define KERNEL_LONG_FORMAT "%s %s %s"
48 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
49 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
50 #define READ_BUF_SIZE LOAD_LEN + 1
51 #define SELF_LABEL_FILE "/proc/self/attr/current"
53 extern char *smack_mnt;
54 extern int smack_mnt_dirfd;
57 char subject[SMACK_LABEL_LEN + 1];
58 char object[SMACK_LABEL_LEN + 1];
60 char access_set[ACC_LEN + 1];
61 char access_add[ACC_LEN + 1];
62 char access_del[ACC_LEN + 1];
63 struct smack_rule *next;
66 struct smack_accesses {
67 struct smack_rule *first;
68 struct smack_rule *last;
71 struct cipso_mapping {
72 char label[SMACK_LABEL_LEN + 1];
73 int cats[CAT_MAX_VALUE];
76 struct cipso_mapping *next;
80 struct cipso_mapping *first;
81 struct cipso_mapping *last;
84 static int accesses_apply(struct smack_accesses *handle, int clear);
85 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1]);
87 int smack_accesses_new(struct smack_accesses **accesses)
89 struct smack_accesses *result;
91 result = calloc(sizeof(struct smack_accesses), 1);
99 void smack_accesses_free(struct smack_accesses *handle)
104 struct smack_rule *rule = handle->first;
105 struct smack_rule *next_rule = NULL;
107 while (rule != NULL) {
108 next_rule = rule->next;
116 int smack_accesses_save(struct smack_accesses *handle, int fd)
118 struct smack_rule *rule = handle->first;
127 file = fdopen(newfd, "w");
134 if (rule->is_modify) {
135 ret = fprintf(file, "%s %s %s %s\n",
136 rule->subject, rule->object,
137 rule->access_add, rule->access_del);
139 ret = fprintf(file, "%s %s %s\n",
140 rule->subject, rule->object,
156 int smack_accesses_apply(struct smack_accesses *handle)
158 return accesses_apply(handle, 0);
161 int smack_accesses_clear(struct smack_accesses *handle)
163 return accesses_apply(handle, 1);
166 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
167 const char *object, const char *access_type)
169 struct smack_rule *rule = NULL;
171 if (strnlen(subject, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN ||
172 strnlen(object, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN) {
177 rule = calloc(sizeof(struct smack_rule), 1);
181 strcpy(rule->subject, subject);
182 strcpy(rule->object, object);
183 parse_access_type(access_type, rule->access_set);
185 if (handle->first == NULL) {
186 handle->first = handle->last = rule;
188 handle->last->next = rule;
195 int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
196 const char *object, const char *access_add, const char *access_del)
198 struct smack_rule *rule = NULL;
200 if (strnlen(subject, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN ||
201 strnlen(object, SMACK_LABEL_LEN + 1) > SMACK_LABEL_LEN) {
206 rule = calloc(sizeof(struct smack_rule), 1);
210 strcpy(rule->subject, subject);
211 strcpy(rule->object, object);
212 parse_access_type(access_add, rule->access_add);
213 parse_access_type(access_del, rule->access_del);
216 if (handle->first == NULL) {
217 handle->first = handle->last = rule;
219 handle->last->next = rule;
226 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
229 char buf[READ_BUF_SIZE];
231 const char *subject, *object, *access, *access2;
239 file = fdopen(newfd, "r");
245 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
246 if (strcmp(buf, "\n") == 0)
248 subject = strtok_r(buf, " \t\n", &ptr);
249 object = strtok_r(NULL, " \t\n", &ptr);
250 access = strtok_r(NULL, " \t\n", &ptr);
251 access2 = strtok_r(NULL, " \t\n", &ptr);
253 if (subject == NULL || object == NULL || access == NULL ||
254 strtok_r(NULL, " \t\n", &ptr) != NULL) {
261 ret = smack_accesses_add(accesses, subject, object, access);
263 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
280 int smack_have_access(const char *subject, const char *object,
281 const char *access_type)
283 char buf[LOAD_LEN + 1];
284 char access_type_k[ACC_LEN + 1];
289 if (smack_mnt_dirfd < 0) {
294 fd = openat(smack_mnt_dirfd, "access2", O_RDWR);
299 fd = openat(smack_mnt_dirfd, "access", O_RDWR);
305 parse_access_type(access_type, access_type_k);
308 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
309 subject, object, access_type_k);
311 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
312 subject, object, access_type_k);
319 ret = write(fd, buf, strlen(buf));
325 ret = read(fd, buf, 1);
330 return buf[0] == '1';
333 int smack_cipso_new(struct smack_cipso **cipso)
335 struct smack_cipso *result;
337 result = calloc(sizeof(struct smack_cipso), 1);
345 void smack_cipso_free(struct smack_cipso *cipso)
350 struct cipso_mapping *mapping = cipso->first;
351 struct cipso_mapping *next_mapping = NULL;
353 while (mapping != NULL) {
354 next_mapping = mapping->next;
356 mapping = next_mapping;
360 int smack_cipso_apply(struct smack_cipso *cipso)
362 struct cipso_mapping *m = NULL;
363 char buf[CIPSO_MAX_SIZE];
368 if (smack_mnt_dirfd < 0) {
373 fd = openat(smack_mnt_dirfd, "cipso2", O_WRONLY);
377 memset(buf,0,CIPSO_MAX_SIZE);
378 for (m = cipso->first; m != NULL; m = m->next) {
379 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
380 offset += strlen(buf) + 1;
382 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
385 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
388 for (i = 0; i < m->ncats; i++){
389 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
393 if (write(fd, buf, offset) < 0) {
403 int smack_cipso_add_from_file(struct smack_cipso *cipso, int fd)
405 struct cipso_mapping *mapping = NULL;
408 char *label, *level, *cat, *ptr;
417 file = fdopen(newfd, "r");
423 while (fgets(buf, BUF_SIZE, file) != NULL) {
424 mapping = calloc(sizeof(struct cipso_mapping), 1);
428 label = strtok_r(buf, " \t\n", &ptr);
429 level = strtok_r(NULL, " \t\n", &ptr);
430 cat = strtok_r(NULL, " \t\n", &ptr);
431 if (label == NULL || cat == NULL || level == NULL ||
432 strlen(label) > SMACK_LABEL_LEN) {
437 strcpy(mapping->label, label);
440 val = strtol(level, NULL, 10);
444 if (val < 0 || val > LEVEL_MAX) {
449 mapping->level = val;
451 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
453 val = strtol(cat, NULL, 10);
457 if (val < 0 || val > CAT_MAX_VALUE) {
462 mapping->cats[i] = val;
464 cat = strtok_r(NULL, " \t\n", &ptr);
469 if (cipso->first == NULL) {
470 cipso->first = cipso->last = mapping;
472 cipso->last->next = mapping;
473 cipso->last = mapping;
488 const char *smack_smackfs_path(void)
493 ssize_t smack_new_label_from_self(char **label)
499 result = calloc(SMACK_LABEL_LEN + 1, 1);
503 fd = open(SELF_LABEL_FILE, O_RDONLY);
509 ret = read(fd, result, SMACK_LABEL_LEN);
520 ssize_t smack_new_label_from_socket(int fd, char **label)
524 socklen_t length = 1;
527 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
528 if (ret < 0 && errno != ERANGE)
531 result = calloc(length + 1, 1);
535 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
545 ssize_t smack_new_label_from_path(const char *path, const char *xattr,
546 int follow, char **label)
552 getxattr(path, xattr, NULL, 0) :
553 lgetxattr(path, xattr, NULL, 0);
554 if (ret < 0 && errno != ERANGE)
557 result = calloc(ret + 1, 1);
562 getxattr(path, xattr, result, ret) :
563 lgetxattr(path, xattr, result, ret);
573 int smack_set_label_for_self(const char *label)
579 len = strnlen(label, SMACK_LABEL_LEN + 1);
580 if (len > SMACK_LABEL_LEN)
583 fd = open(SELF_LABEL_FILE, O_WRONLY);
587 ret = write(fd, label, len);
590 return (ret < 0) ? -1 : 0;
593 int smack_revoke_subject(const char *subject)
599 if (smack_mnt_dirfd < 0) {
604 len = strnlen(subject, SMACK_LABEL_LEN + 1);
605 if (len > SMACK_LABEL_LEN)
608 fd = openat(smack_mnt_dirfd, "revoke-subject", O_WRONLY);
612 ret = write(fd, subject, len);
615 return (ret < 0) ? -1 : 0;
618 static int accesses_apply(struct smack_accesses *handle, int clear)
620 char buf[LOAD_LEN + 1];
621 struct smack_rule *rule;
628 if (smack_mnt_dirfd < 0) {
633 load_fd = openat(smack_mnt_dirfd, "load2", O_WRONLY);
638 load_fd = openat(smack_mnt_dirfd, "load", O_WRONLY);
639 /* Try to continue if the file doesn't exist, we might not need it. */
640 if (load_fd < 0 && errno != ENOENT)
645 change_fd = openat(smack_mnt_dirfd, "change-rule", O_WRONLY);
646 /* Try to continue if the file doesn't exist, we might not need it. */
647 if (change_fd < 0 && errno != ENOENT) {
652 for (rule = handle->first; rule != NULL; rule = rule->next) {
654 strcpy(rule->access_set, "-----");
658 if (rule->is_modify) {
660 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
661 rule->subject, rule->object,
662 rule->access_add, rule->access_del);
666 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
667 rule->subject, rule->object,
670 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
671 rule->subject, rule->object,
675 if (ret < 0 || fd < 0) {
680 ret = write(fd, buf, strlen(buf));
696 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1])
700 for (i = 0; i < ACC_LEN; ++i)
704 for (i = 0; in[i] != '\0'; i++)