2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
6 * Copyright (C) 2012 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
24 * Brian McGillion <brian.mcgillion@intel.com>
25 * Passion Zhao <passion.zhao@intel.com>
26 * Rafal Krypa <r.krypa@samsung.com>
29 #include "sys/smack.h"
35 #include <sys/socket.h>
37 #include <sys/types.h>
42 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + ACC_LEN)
47 #define CAT_MAX_COUNT 240
48 #define CAT_MAX_VALUE 63
49 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
50 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
51 #define CIPSO_NUM_LEN_STR "%-4d"
59 #define KERNEL_LONG_FORMAT "%s %s %s"
60 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
61 #define READ_BUF_SIZE LOAD_LEN + 1
62 #define SELF_LABEL_FILE "/proc/self/attr/current"
64 extern char *smack_mnt;
67 char subject[SMACK_LABEL_LEN + 1];
68 char object[SMACK_LABEL_LEN + 1];
70 struct smack_rule *next;
73 struct smack_accesses {
74 struct smack_rule *first;
75 struct smack_rule *last;
78 struct cipso_mapping {
79 char label[SMACK_LABEL_LEN + 1];
80 int cats[CAT_MAX_VALUE];
83 struct cipso_mapping *next;
87 struct cipso_mapping *first;
88 struct cipso_mapping *last;
91 static int accesses_apply(struct smack_accesses *handle, int clear);
92 static inline int access_type_to_int(const char *access_type);
93 static inline void int_to_access_type_c(unsigned ac, char *str);
94 static inline void int_to_access_type_k(unsigned ac, char *str);
96 int smack_accesses_new(struct smack_accesses **accesses)
98 struct smack_accesses *result;
100 result = calloc(sizeof(struct smack_accesses), 1);
108 void smack_accesses_free(struct smack_accesses *handle)
113 struct smack_rule *rule = handle->first;
114 struct smack_rule *next_rule = NULL;
116 while (rule != NULL) {
117 next_rule = rule->next;
125 int smack_accesses_save(struct smack_accesses *handle, int fd)
127 struct smack_rule *rule = handle->first;
128 char access_type[ACC_LEN + 1];
137 file = fdopen(newfd, "w");
144 int_to_access_type_c(rule->access_code, access_type);
146 ret = fprintf(file, "%s %s %s\n",
147 rule->subject, rule->object, access_type);
160 int smack_accesses_apply(struct smack_accesses *handle)
162 return accesses_apply(handle, 0);
165 int smack_accesses_clear(struct smack_accesses *handle)
167 return accesses_apply(handle, 1);
170 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
171 const char *object, const char *access_type)
173 struct smack_rule *rule = NULL;
175 rule = calloc(sizeof(struct smack_rule), 1);
179 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
180 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
181 rule->access_code = access_type_to_int(access_type);
183 if (handle->first == NULL) {
184 handle->first = handle->last = rule;
186 handle->last->next = rule;
193 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
196 char buf[READ_BUF_SIZE];
198 const char *subject, *object, *access;
205 file = fdopen(newfd, "r");
211 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
212 if (strcmp(buf, "\n") == 0)
214 subject = strtok_r(buf, " \t\n", &ptr);
215 object = strtok_r(NULL, " \t\n", &ptr);
216 access = strtok_r(NULL, " \t\n", &ptr);
218 if (subject == NULL || object == NULL || access == NULL ||
219 strtok_r(NULL, " \t\n", &ptr) != NULL) {
225 if (smack_accesses_add(accesses, subject, object, access)) {
240 int smack_have_access(const char *subject, const char *object,
241 const char *access_type)
243 char buf[LOAD_LEN + 1];
244 char access_type_k[ACC_LEN + 1];
245 unsigned access_code;
256 snprintf(path, sizeof path, "%s/access2", smack_mnt);
257 fd = open(path, O_RDWR);
262 snprintf(path, sizeof path, "%s/access", smack_mnt);
263 fd = open(path, O_RDWR);
269 access_code = access_type_to_int(access_type);
270 int_to_access_type_k(access_code, access_type_k);
273 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
274 subject, object, access_type_k);
276 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
277 subject, object, access_type_k);
284 ret = write(fd, buf, strlen(buf));
290 ret = read(fd, buf, 1);
295 return buf[0] == '1';
297 void smack_cipso_free(struct smack_cipso *cipso)
302 struct cipso_mapping *mapping = cipso->first;
303 struct cipso_mapping *next_mapping = NULL;
305 while (mapping != NULL) {
306 next_mapping = mapping->next;
308 mapping = next_mapping;
312 struct smack_cipso *smack_cipso_new(int fd)
314 struct smack_cipso *cipso = NULL;
315 struct cipso_mapping *mapping = NULL;
318 char *label, *level, *cat, *ptr;
327 file = fdopen(newfd, "r");
333 cipso = calloc(sizeof(struct smack_cipso ), 1);
339 while (fgets(buf, BUF_SIZE, file) != NULL) {
340 mapping = calloc(sizeof(struct cipso_mapping), 1);
344 label = strtok_r(buf, " \t\n", &ptr);
345 level = strtok_r(NULL, " \t\n", &ptr);
346 cat = strtok_r(NULL, " \t\n", &ptr);
347 if (label == NULL || cat == NULL || level == NULL ||
348 strlen(label) > SMACK_LABEL_LEN) {
353 strcpy(mapping->label, label);
356 val = strtol(level, NULL, 10);
360 if (val < 0 || val > LEVEL_MAX) {
365 mapping->level = val;
367 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
369 val = strtol(cat, NULL, 10);
373 if (val < 0 || val > CAT_MAX_VALUE) {
378 mapping->cats[i] = val;
380 cat = strtok_r(NULL, " \t\n", &ptr);
385 if (cipso->first == NULL) {
386 cipso->first = cipso->last = mapping;
388 cipso->last->next = mapping;
389 cipso->last = mapping;
400 smack_cipso_free(cipso);
405 const char *smack_smackfs_path(void)
410 int smack_cipso_apply(struct smack_cipso *cipso)
412 struct cipso_mapping *m = NULL;
413 char buf[CIPSO_MAX_SIZE];
424 snprintf(path, sizeof path, "%s/cipso2", smack_mnt);
425 fd = open(path, O_WRONLY);
429 memset(buf,0,CIPSO_MAX_SIZE);
430 for (m = cipso->first; m != NULL; m = m->next) {
431 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
432 offset += strlen(buf) + 1;
434 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
437 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
440 for (i = 0; i < m->ncats; i++){
441 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
445 if (write(fd, buf, offset) < 0) {
455 int smack_new_label_from_self(char **label)
461 result = calloc(SMACK_LABEL_LEN + 1, 1);
465 fd = open(SELF_LABEL_FILE, O_RDONLY);
471 ret = read(fd, result, SMACK_LABEL_LEN);
482 int smack_new_label_from_socket(int fd, char **label)
486 socklen_t length = 1;
489 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
490 if (ret < 0 && errno != ERANGE)
493 result = calloc(length + 1, 1);
497 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
507 int smack_set_label_for_self(const char *label)
513 len = strnlen(label, SMACK_LABEL_LEN + 1);
514 if (len > SMACK_LABEL_LEN)
517 fd = open(SELF_LABEL_FILE, O_WRONLY);
521 ret = write(fd, label, len);
524 return (ret < 0) ? -1 : 0;
527 int smack_revoke_subject(const char *subject)
534 len = strnlen(subject, SMACK_LABEL_LEN + 1);
535 if (len > SMACK_LABEL_LEN)
538 snprintf(path, sizeof path, "%s/revoke-subject", smack_mnt);
539 fd = open(path, O_WRONLY);
543 ret = write(fd, subject, len);
546 return (ret < 0) ? -1 : 0;
549 static int accesses_apply(struct smack_accesses *handle, int clear)
551 char buf[LOAD_LEN + 1];
552 char access_type[ACC_LEN + 1];
553 struct smack_rule *rule;
564 snprintf(path, sizeof path, "%s/load2", smack_mnt);
565 fd = open(path, O_WRONLY);
570 snprintf(path, sizeof path, "%s/load", smack_mnt);
571 fd = open(path, O_WRONLY);
578 strcpy(access_type, "-----");
580 for (rule = handle->first; rule != NULL; rule = rule->next) {
582 int_to_access_type_k(rule->access_code, access_type);
585 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
586 rule->subject, rule->object,
589 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
590 rule->subject, rule->object,
597 ret = write(fd, buf, strlen(buf));
608 static inline int access_type_to_int(const char *access_type)
614 for (i = 0; access_type[i] != '\0'; i++)
615 switch (access_type[i]) {
643 static inline void int_to_access_type_c(unsigned access, char *str)
647 if ((access & ACC_R) != 0)
649 if ((access & ACC_W) != 0)
651 if ((access & ACC_X) != 0)
653 if ((access & ACC_A) != 0)
655 if ((access & ACC_T) != 0)
660 static inline void int_to_access_type_k(unsigned access, char *str)
662 str[0] = ((access & ACC_R) != 0) ? 'r' : '-';
663 str[1] = ((access & ACC_W) != 0) ? 'w' : '-';
664 str[2] = ((access & ACC_X) != 0) ? 'x' : '-';
665 str[3] = ((access & ACC_A) != 0) ? 'a' : '-';
666 str[4] = ((access & ACC_T) != 0) ? 't' : '-';