2 * This file is part of libsmack
4 * Copyright (C) 2010, 2011 Nokia Corporation
5 * Copyright (C) 2011, 2012, 2013 Intel Corporation
6 * Copyright (C) 2012, 2013 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 #include "sys/smack.h"
29 #include <sys/socket.h>
31 #include <sys/types.h>
34 #include <sys/xattr.h>
36 #define SHORT_LABEL_LEN 23
38 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
43 #define CAT_MAX_COUNT 240
44 #define CAT_MAX_VALUE 63
45 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
46 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
47 #define CIPSO_NUM_LEN_STR "%-4d"
49 #define KERNEL_LONG_FORMAT "%s %s %s"
50 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5.5s"
51 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
52 #define READ_BUF_SIZE LOAD_LEN + 1
53 #define SELF_LABEL_FILE "/proc/self/attr/current"
54 #define ACC_CLEAR "-----"
56 #define ACCESS_TYPE_R 0x01
57 #define ACCESS_TYPE_W 0x02
58 #define ACCESS_TYPE_X 0x04
59 #define ACCESS_TYPE_A 0x08
60 #define ACCESS_TYPE_T 0x10
61 #define ACCESS_TYPE_L 0x20
63 extern char *smackfs_mnt;
66 char subject[SMACK_LABEL_LEN + 1];
67 char object[SMACK_LABEL_LEN + 1];
72 struct smack_rule *next;
75 struct smack_accesses {
76 struct smack_rule *first;
77 struct smack_rule *last;
80 struct cipso_mapping {
81 char label[SMACK_LABEL_LEN + 1];
82 int cats[CAT_MAX_VALUE];
85 struct cipso_mapping *next;
89 struct cipso_mapping *first;
90 struct cipso_mapping *last;
93 static int accesses_apply(struct smack_accesses *handle, int clear);
94 static ssize_t smack_label_length(const char *label) __attribute__((unused));
95 static inline ssize_t get_label(char *dest, const char *src);
96 static inline int str_to_access_code(const char *str);
97 static inline void access_code_to_str(unsigned code, char *str);
99 int smack_accesses_new(struct smack_accesses **accesses)
101 struct smack_accesses *result;
103 result = calloc(sizeof(struct smack_accesses), 1);
111 void smack_accesses_free(struct smack_accesses *handle)
116 struct smack_rule *rule = handle->first;
117 struct smack_rule *next_rule = NULL;
119 while (rule != NULL) {
120 next_rule = rule->next;
128 int smack_accesses_save(struct smack_accesses *handle, int fd)
130 struct smack_rule *rule = handle->first;
131 char allow_str[ACC_LEN + 1];
132 char deny_str[ACC_LEN + 1];
141 file = fdopen(newfd, "w");
148 access_code_to_str(rule->allow_code, allow_str);
150 if (rule->deny_code != -1) /* modify? */ {
151 access_code_to_str(rule->deny_code, deny_str);
153 ret = fprintf(file, "%s %s %s %s\n",
154 rule->subject, rule->object,
155 allow_str, deny_str);
157 ret = fprintf(file, "%s %s %s\n",
158 rule->subject, rule->object,
174 int smack_accesses_apply(struct smack_accesses *handle)
176 return accesses_apply(handle, 0);
179 int smack_accesses_clear(struct smack_accesses *handle)
181 return accesses_apply(handle, 1);
184 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
185 const char *object, const char *access_type)
187 struct smack_rule *rule = NULL;
189 rule = calloc(sizeof(struct smack_rule), 1);
193 rule->subject_len = get_label(rule->subject, subject);
194 rule->object_len = get_label(rule->object, object);
195 if (rule->subject_len < 0 || rule->object_len < 0) {
200 rule->allow_code = str_to_access_code(access_type);
201 rule->deny_code = -1; /* no modify */
202 if (rule->allow_code == -1) {
207 if (handle->first == NULL) {
208 handle->first = handle->last = rule;
210 handle->last->next = rule;
217 int smack_accesses_add_modify(struct smack_accesses *handle,
220 const char *allow_access_type,
221 const char *deny_access_type)
223 struct smack_rule *rule = NULL;
225 rule = calloc(sizeof(struct smack_rule), 1);
229 rule->subject_len = get_label(rule->subject, subject);
230 rule->object_len = get_label(rule->object, object);
231 if (rule->subject_len < 0 || rule->object_len < 0) {
236 rule->allow_code = str_to_access_code(allow_access_type);
237 rule->deny_code = str_to_access_code(deny_access_type);
238 if (rule->allow_code == -1 || rule->deny_code == -1) {
243 if (handle->first == NULL) {
244 handle->first = handle->last = rule;
246 handle->last->next = rule;
253 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
256 char buf[READ_BUF_SIZE];
258 const char *subject, *object, *access, *access2;
266 file = fdopen(newfd, "r");
272 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
273 if (strcmp(buf, "\n") == 0)
275 subject = strtok_r(buf, " \t\n", &ptr);
276 object = strtok_r(NULL, " \t\n", &ptr);
277 access = strtok_r(NULL, " \t\n", &ptr);
278 access2 = strtok_r(NULL, " \t\n", &ptr);
280 if (subject == NULL || object == NULL || access == NULL ||
281 strtok_r(NULL, " \t\n", &ptr) != NULL) {
287 ret = smack_accesses_add(accesses, subject, object, access);
289 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
306 int smack_have_access(const char *subject, const char *object,
307 const char *access_type)
309 char buf[LOAD_LEN + 1];
310 char str[ACC_LEN + 1];
320 snprintf(path, sizeof path, "%s/access2", smackfs_mnt);
321 fd = open(path, O_RDWR);
326 snprintf(path, sizeof path, "%s/access", smackfs_mnt);
327 fd = open(path, O_RDWR);
333 if ((code = str_to_access_code(access_type)) < 0)
335 access_code_to_str(code, str);
338 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
339 subject, object, str);
341 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
342 subject, object, str);
349 ret = write(fd, buf, strlen(buf));
355 ret = read(fd, buf, 1);
360 return buf[0] == '1';
363 int smack_cipso_new(struct smack_cipso **cipso)
365 struct smack_cipso *result;
367 result = calloc(sizeof(struct smack_cipso), 1);
375 void smack_cipso_free(struct smack_cipso *cipso)
380 struct cipso_mapping *mapping = cipso->first;
381 struct cipso_mapping *next_mapping = NULL;
383 while (mapping != NULL) {
384 next_mapping = mapping->next;
386 mapping = next_mapping;
392 int smack_cipso_apply(struct smack_cipso *cipso)
394 struct cipso_mapping *m = NULL;
395 char buf[CIPSO_MAX_SIZE];
404 snprintf(path, sizeof path, "%s/cipso2", smackfs_mnt);
405 fd = open(path, O_WRONLY);
409 memset(buf,0,CIPSO_MAX_SIZE);
410 for (m = cipso->first; m != NULL; m = m->next) {
411 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
412 offset = strlen(buf) + 1;
414 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
417 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
420 for (i = 0; i < m->ncats; i++){
421 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
425 if (write(fd, buf, offset) < 0) {
435 int smack_cipso_add_from_file(struct smack_cipso *cipso, int fd)
437 struct cipso_mapping *mapping = NULL;
440 char *label, *level, *cat, *ptr;
449 file = fdopen(newfd, "r");
455 while (fgets(buf, BUF_SIZE, file) != NULL) {
456 mapping = calloc(sizeof(struct cipso_mapping), 1);
460 label = strtok_r(buf, " \t\n", &ptr);
461 level = strtok_r(NULL, " \t\n", &ptr);
462 cat = strtok_r(NULL, " \t\n", &ptr);
464 if (level == NULL || get_label(mapping->label, label) < 0)
468 val = strtol(level, NULL, 10);
472 if (val < 0 || val > LEVEL_MAX)
475 mapping->level = val;
477 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
479 val = strtol(cat, NULL, 10);
483 if (val < 0 || val > CAT_MAX_VALUE)
486 mapping->cats[i] = val;
488 cat = strtok_r(NULL, " \t\n", &ptr);
493 if (cipso->first == NULL) {
494 cipso->first = cipso->last = mapping;
496 cipso->last->next = mapping;
497 cipso->last = mapping;
512 const char *smack_smackfs_path(void)
517 ssize_t smack_new_label_from_self(char **label)
523 result = calloc(SMACK_LABEL_LEN + 1, 1);
527 fd = open(SELF_LABEL_FILE, O_RDONLY);
533 ret = read(fd, result, SMACK_LABEL_LEN);
544 ssize_t smack_new_label_from_socket(int fd, char **label)
548 socklen_t length = 1;
551 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
552 if (ret < 0 && errno != ERANGE)
555 result = calloc(length + 1, 1);
559 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
569 ssize_t smack_new_label_from_path(const char *path, const char *xattr,
570 int follow, char **label)
576 getxattr(path, xattr, NULL, 0) :
577 lgetxattr(path, xattr, NULL, 0);
578 if (ret < 0 && errno != ERANGE)
581 result = calloc(ret + 1, 1);
586 getxattr(path, xattr, result, ret) :
587 lgetxattr(path, xattr, result, ret);
597 int smack_set_label_for_self(const char *label)
603 len = get_label(NULL, label);
607 fd = open(SELF_LABEL_FILE, O_WRONLY);
611 ret = write(fd, label, len);
614 return (ret < 0) ? -1 : 0;
617 int smack_revoke_subject(const char *subject)
624 len = get_label(NULL, subject);
628 snprintf(path, sizeof path, "%s/revoke-subject", smackfs_mnt);
629 fd = open(path, O_WRONLY);
633 ret = write(fd, subject, len);
636 return (ret < 0) ? -1 : 0;
639 ssize_t smack_label_length(const char *label)
641 return get_label(NULL, label);
644 static int accesses_apply(struct smack_accesses *handle, int clear)
646 char buf[LOAD_LEN + 1];
647 char allow_str[ACC_LEN + 1];
648 char deny_str[ACC_LEN + 1];
649 struct smack_rule *rule;
660 snprintf(path, sizeof path, "%s/load2", smackfs_mnt);
661 load_fd = open(path, O_WRONLY);
666 snprintf(path, sizeof path, "%s/load", smackfs_mnt);
667 load_fd = open(path, O_WRONLY);
668 /* Try to continue if the file doesn't exist, we might not need it. */
669 if (load_fd < 0 && errno != ENOENT)
674 snprintf(path, sizeof path, "%s/change-rule", smackfs_mnt);
675 change_fd = open(path, O_WRONLY);
676 /* Try to continue if the file doesn't exist, we might not need it. */
677 if (change_fd < 0 && errno != ENOENT) {
682 for (rule = handle->first; rule != NULL; rule = rule->next) {
683 /* Fail immediately without doing any further processing
684 if modify rules are not supported. */
685 if (rule->deny_code >= 0 && change_fd < 0) {
690 access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
692 if (rule->deny_code != -1 && !clear) {
693 access_code_to_str(rule->deny_code, deny_str);
696 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
697 rule->subject, rule->object,
703 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
704 rule->subject, rule->object,
707 if (rule->subject_len > SHORT_LABEL_LEN ||
708 rule->object_len > SHORT_LABEL_LEN) {
713 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
714 rule->subject, rule->object,
724 ret = write(fd, buf, ret);
740 static inline ssize_t get_label(char *dest, const char *src)
744 if (!src || src[0] == '\0' || src[0] == '-')
747 for (i = 0; i < (SMACK_LABEL_LEN + 1) && src[i]; i++) {
763 if (dest && i < (SMACK_LABEL_LEN + 1))
766 return i < (SMACK_LABEL_LEN + 1) ? i : -1;
770 static inline int str_to_access_code(const char *str)
773 unsigned int code = 0;
775 for (i = 0; str[i] != '\0'; i++) {
779 code |= ACCESS_TYPE_R;
783 code |= ACCESS_TYPE_W;
787 code |= ACCESS_TYPE_X;
791 code |= ACCESS_TYPE_A;
795 code |= ACCESS_TYPE_T;
799 code |= ACCESS_TYPE_L;
811 static inline void access_code_to_str(unsigned int code, char *str)
813 str[0] = ((code & ACCESS_TYPE_R) != 0) ? 'r' : '-';
814 str[1] = ((code & ACCESS_TYPE_W) != 0) ? 'w' : '-';
815 str[2] = ((code & ACCESS_TYPE_X) != 0) ? 'x' : '-';
816 str[3] = ((code & ACCESS_TYPE_A) != 0) ? 'a' : '-';
817 str[4] = ((code & ACCESS_TYPE_T) != 0) ? 't' : '-';
818 str[5] = ((code & ACCESS_TYPE_L) != 0) ? 'l' : '-';