2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
6 * Copyright (C) 2012 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
24 * Brian McGillion <brian.mcgillion@intel.com>
25 * Passion Zhao <passion.zhao@intel.com>
26 * Rafal Krypa <r.krypa@samsung.com>
29 #include "sys/smack.h"
35 #include <sys/socket.h>
37 #include <sys/types.h>
42 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
47 #define CAT_MAX_COUNT 240
48 #define CAT_MAX_VALUE 63
49 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
50 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
51 #define CIPSO_NUM_LEN_STR "%-4d"
53 #define KERNEL_LONG_FORMAT "%s %s %s"
54 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
55 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
56 #define READ_BUF_SIZE LOAD_LEN + 1
57 #define SELF_LABEL_FILE "/proc/self/attr/current"
59 extern char *smack_mnt;
62 char subject[SMACK_LABEL_LEN + 1];
63 char object[SMACK_LABEL_LEN + 1];
65 char access_set[ACC_LEN + 1];
66 char access_add[ACC_LEN + 1];
67 char access_del[ACC_LEN + 1];
68 struct smack_rule *next;
71 struct smack_accesses {
72 struct smack_rule *first;
73 struct smack_rule *last;
76 struct cipso_mapping {
77 char label[SMACK_LABEL_LEN + 1];
78 int cats[CAT_MAX_VALUE];
81 struct cipso_mapping *next;
85 struct cipso_mapping *first;
86 struct cipso_mapping *last;
89 static int accesses_apply(struct smack_accesses *handle, int clear);
90 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1]);
92 int smack_accesses_new(struct smack_accesses **accesses)
94 struct smack_accesses *result;
96 result = calloc(sizeof(struct smack_accesses), 1);
104 void smack_accesses_free(struct smack_accesses *handle)
109 struct smack_rule *rule = handle->first;
110 struct smack_rule *next_rule = NULL;
112 while (rule != NULL) {
113 next_rule = rule->next;
121 int smack_accesses_save(struct smack_accesses *handle, int fd)
123 struct smack_rule *rule = handle->first;
132 file = fdopen(newfd, "w");
139 if (rule->is_modify) {
140 ret = fprintf(file, "%s %s %s %s\n",
141 rule->subject, rule->object,
142 rule->access_add, rule->access_del);
144 ret = fprintf(file, "%s %s %s\n",
145 rule->subject, rule->object,
161 int smack_accesses_apply(struct smack_accesses *handle)
163 return accesses_apply(handle, 0);
166 int smack_accesses_clear(struct smack_accesses *handle)
168 return accesses_apply(handle, 1);
171 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
172 const char *object, const char *access_type)
174 struct smack_rule *rule = NULL;
176 rule = calloc(sizeof(struct smack_rule), 1);
180 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
181 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
182 parse_access_type(access_type, rule->access_set);
184 if (handle->first == NULL) {
185 handle->first = handle->last = rule;
187 handle->last->next = rule;
194 int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
195 const char *object, const char *access_add, const char *access_del)
197 struct smack_rule *rule = NULL;
199 rule = calloc(sizeof(struct smack_rule), 1);
203 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
204 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
205 parse_access_type(access_add, rule->access_add);
206 parse_access_type(access_del, rule->access_del);
209 if (handle->first == NULL) {
210 handle->first = handle->last = rule;
212 handle->last->next = rule;
219 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
222 char buf[READ_BUF_SIZE];
224 const char *subject, *object, *access, *access2;
232 file = fdopen(newfd, "r");
238 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
239 if (strcmp(buf, "\n") == 0)
241 subject = strtok_r(buf, " \t\n", &ptr);
242 object = strtok_r(NULL, " \t\n", &ptr);
243 access = strtok_r(NULL, " \t\n", &ptr);
244 access2 = strtok_r(NULL, " \t\n", &ptr);
246 if (subject == NULL || object == NULL || access == NULL ||
247 strtok_r(NULL, " \t\n", &ptr) != NULL) {
254 ret = smack_accesses_add(accesses, subject, object, access);
256 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
273 int smack_have_access(const char *subject, const char *object,
274 const char *access_type)
276 char buf[LOAD_LEN + 1];
277 char access_type_k[ACC_LEN + 1];
288 snprintf(path, sizeof path, "%s/access2", smack_mnt);
289 fd = open(path, O_RDWR);
294 snprintf(path, sizeof path, "%s/access", smack_mnt);
295 fd = open(path, O_RDWR);
301 parse_access_type(access_type, access_type_k);
304 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
305 subject, object, access_type_k);
307 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
308 subject, object, access_type_k);
315 ret = write(fd, buf, strlen(buf));
321 ret = read(fd, buf, 1);
326 return buf[0] == '1';
328 void smack_cipso_free(struct smack_cipso *cipso)
333 struct cipso_mapping *mapping = cipso->first;
334 struct cipso_mapping *next_mapping = NULL;
336 while (mapping != NULL) {
337 next_mapping = mapping->next;
339 mapping = next_mapping;
343 struct smack_cipso *smack_cipso_new(int fd)
345 struct smack_cipso *cipso = NULL;
346 struct cipso_mapping *mapping = NULL;
349 char *label, *level, *cat, *ptr;
358 file = fdopen(newfd, "r");
364 cipso = calloc(sizeof(struct smack_cipso ), 1);
370 while (fgets(buf, BUF_SIZE, file) != NULL) {
371 mapping = calloc(sizeof(struct cipso_mapping), 1);
375 label = strtok_r(buf, " \t\n", &ptr);
376 level = strtok_r(NULL, " \t\n", &ptr);
377 cat = strtok_r(NULL, " \t\n", &ptr);
378 if (label == NULL || cat == NULL || level == NULL ||
379 strlen(label) > SMACK_LABEL_LEN) {
384 strcpy(mapping->label, label);
387 val = strtol(level, NULL, 10);
391 if (val < 0 || val > LEVEL_MAX) {
396 mapping->level = val;
398 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
400 val = strtol(cat, NULL, 10);
404 if (val < 0 || val > CAT_MAX_VALUE) {
409 mapping->cats[i] = val;
411 cat = strtok_r(NULL, " \t\n", &ptr);
416 if (cipso->first == NULL) {
417 cipso->first = cipso->last = mapping;
419 cipso->last->next = mapping;
420 cipso->last = mapping;
431 smack_cipso_free(cipso);
436 const char *smack_smackfs_path(void)
441 int smack_cipso_apply(struct smack_cipso *cipso)
443 struct cipso_mapping *m = NULL;
444 char buf[CIPSO_MAX_SIZE];
455 snprintf(path, sizeof path, "%s/cipso2", smack_mnt);
456 fd = open(path, O_WRONLY);
460 memset(buf,0,CIPSO_MAX_SIZE);
461 for (m = cipso->first; m != NULL; m = m->next) {
462 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
463 offset += strlen(buf) + 1;
465 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
468 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
471 for (i = 0; i < m->ncats; i++){
472 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
476 if (write(fd, buf, offset) < 0) {
486 int smack_new_label_from_self(char **label)
492 result = calloc(SMACK_LABEL_LEN + 1, 1);
496 fd = open(SELF_LABEL_FILE, O_RDONLY);
502 ret = read(fd, result, SMACK_LABEL_LEN);
513 int smack_new_label_from_socket(int fd, char **label)
517 socklen_t length = 1;
520 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
521 if (ret < 0 && errno != ERANGE)
524 result = calloc(length + 1, 1);
528 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
538 int smack_set_label_for_self(const char *label)
544 len = strnlen(label, SMACK_LABEL_LEN + 1);
545 if (len > SMACK_LABEL_LEN)
548 fd = open(SELF_LABEL_FILE, O_WRONLY);
552 ret = write(fd, label, len);
555 return (ret < 0) ? -1 : 0;
558 int smack_revoke_subject(const char *subject)
565 len = strnlen(subject, SMACK_LABEL_LEN + 1);
566 if (len > SMACK_LABEL_LEN)
569 snprintf(path, sizeof path, "%s/revoke-subject", smack_mnt);
570 fd = open(path, O_WRONLY);
574 ret = write(fd, subject, len);
577 return (ret < 0) ? -1 : 0;
580 static int accesses_apply(struct smack_accesses *handle, int clear)
582 char buf[LOAD_LEN + 1];
583 struct smack_rule *rule;
596 snprintf(path, sizeof path, "%s/load2", smack_mnt);
597 load_fd = open(path, O_WRONLY);
602 snprintf(path, sizeof path, "%s/load", smack_mnt);
603 load_fd = open(path, O_WRONLY);
604 /* Try to continue if the file doesn't exist, we might not need it. */
605 if (load_fd < 0 && errno != ENOENT)
610 snprintf(path, sizeof path, "%s/change-rule", smack_mnt);
611 change_fd = open(path, O_WRONLY);
612 /* Try to continue if the file doesn't exist, we might not need it. */
613 if (change_fd < 0 && errno != ENOENT) {
618 for (rule = handle->first; rule != NULL; rule = rule->next) {
620 strcpy(rule->access_set, "-----");
624 if (rule->is_modify) {
626 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
627 rule->subject, rule->object,
628 rule->access_add, rule->access_del);
632 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
633 rule->subject, rule->object,
636 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
637 rule->subject, rule->object,
641 if (ret < 0 || fd < 0) {
646 ret = write(fd, buf, strlen(buf));
662 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1])
666 for (i = 0; i < ACC_LEN; ++i)
670 for (i = 0; in[i] != '\0'; i++)
projects / framework / security / smack.git / blob