2 * This file is part of libsmack
4 * Copyright (C) 2010, 2011 Nokia Corporation
5 * Copyright (C) 2011, 2012, 2013 Intel Corporation
6 * Copyright (C) 2012, 2013 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 #include "sys/smack.h"
29 #include <sys/socket.h>
31 #include <sys/types.h>
34 #include <sys/xattr.h>
37 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
42 #define CAT_MAX_COUNT 240
43 #define CAT_MAX_VALUE 63
44 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
45 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
46 #define CIPSO_NUM_LEN_STR "%-4d"
48 #define KERNEL_LONG_FORMAT "%s %s %s"
49 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
50 #define KERNEL_MODIFY_FORMAT "%s %s %s %s"
51 #define READ_BUF_SIZE LOAD_LEN + 1
52 #define SELF_LABEL_FILE "/proc/self/attr/current"
53 #define ACC_CLEAR "-----"
55 extern char *smackfs_mnt;
58 char subject[SMACK_LABEL_LEN + 1];
59 char object[SMACK_LABEL_LEN + 1];
61 char access_type[ACC_LEN + 1];
62 char allow_access_type[ACC_LEN + 1];
63 char deny_access_type[ACC_LEN + 1];
64 struct smack_rule *next;
67 struct smack_accesses {
68 struct smack_rule *first;
69 struct smack_rule *last;
72 struct cipso_mapping {
73 char label[SMACK_LABEL_LEN + 1];
74 int cats[CAT_MAX_VALUE];
77 struct cipso_mapping *next;
81 struct cipso_mapping *first;
82 struct cipso_mapping *last;
85 static int accesses_apply(struct smack_accesses *handle, int clear);
86 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1]);
87 static ssize_t smack_label_length(const char *label) __attribute__((unused));
88 static inline ssize_t get_label(char *dest, const char *src);
90 int smack_accesses_new(struct smack_accesses **accesses)
92 struct smack_accesses *result;
94 result = calloc(sizeof(struct smack_accesses), 1);
102 void smack_accesses_free(struct smack_accesses *handle)
107 struct smack_rule *rule = handle->first;
108 struct smack_rule *next_rule = NULL;
110 while (rule != NULL) {
111 next_rule = rule->next;
119 int smack_accesses_save(struct smack_accesses *handle, int fd)
121 struct smack_rule *rule = handle->first;
130 file = fdopen(newfd, "w");
137 if (rule->is_modify) {
138 ret = fprintf(file, "%s %s %s %s\n",
139 rule->subject, rule->object,
140 rule->allow_access_type,
141 rule->deny_access_type);
143 ret = fprintf(file, "%s %s %s\n",
144 rule->subject, rule->object,
160 int smack_accesses_apply(struct smack_accesses *handle)
162 return accesses_apply(handle, 0);
165 int smack_accesses_clear(struct smack_accesses *handle)
167 return accesses_apply(handle, 1);
170 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
171 const char *object, const char *access_type)
173 struct smack_rule *rule = NULL;
175 if (smack_label_length(subject) < 0 ||
176 smack_label_length(object) < 0)
179 rule = calloc(sizeof(struct smack_rule), 1);
183 strncpy(rule->subject, subject, SMACK_LABEL_LEN);
184 strncpy(rule->object, object, SMACK_LABEL_LEN);
185 parse_access_type(access_type, rule->access_type);
187 if (handle->first == NULL) {
188 handle->first = handle->last = rule;
190 handle->last->next = rule;
197 int smack_accesses_add_modify(struct smack_accesses *handle,
200 const char *allow_access_type,
201 const char *deny_access_type)
203 struct smack_rule *rule = NULL;
205 if (smack_label_length(subject) < 0 ||
206 smack_label_length(object) < 0)
209 rule = calloc(sizeof(struct smack_rule), 1);
213 strncpy(rule->subject, subject, SMACK_LABEL_LEN);
214 strncpy(rule->object, object, SMACK_LABEL_LEN);
215 parse_access_type(allow_access_type, rule->allow_access_type);
216 parse_access_type(deny_access_type, rule->deny_access_type);
219 if (handle->first == NULL) {
220 handle->first = handle->last = rule;
222 handle->last->next = rule;
229 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
232 char buf[READ_BUF_SIZE];
234 const char *subject, *object, *access, *access2;
242 file = fdopen(newfd, "r");
248 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
249 if (strcmp(buf, "\n") == 0)
251 subject = strtok_r(buf, " \t\n", &ptr);
252 object = strtok_r(NULL, " \t\n", &ptr);
253 access = strtok_r(NULL, " \t\n", &ptr);
254 access2 = strtok_r(NULL, " \t\n", &ptr);
256 if (subject == NULL || object == NULL || access == NULL ||
257 strtok_r(NULL, " \t\n", &ptr) != NULL) {
263 ret = smack_accesses_add(accesses, subject, object, access);
265 ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
282 int smack_have_access(const char *subject, const char *object,
283 const char *access_type)
285 char buf[LOAD_LEN + 1];
286 char access_type_k[ACC_LEN + 1];
295 snprintf(path, sizeof path, "%s/access2", smackfs_mnt);
296 fd = open(path, O_RDWR);
301 snprintf(path, sizeof path, "%s/access", smackfs_mnt);
302 fd = open(path, O_RDWR);
308 parse_access_type(access_type, access_type_k);
311 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
312 subject, object, access_type_k);
314 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
315 subject, object, access_type_k);
322 ret = write(fd, buf, strlen(buf));
328 ret = read(fd, buf, 1);
333 return buf[0] == '1';
336 int smack_cipso_new(struct smack_cipso **cipso)
338 struct smack_cipso *result;
340 result = calloc(sizeof(struct smack_cipso), 1);
348 void smack_cipso_free(struct smack_cipso *cipso)
353 struct cipso_mapping *mapping = cipso->first;
354 struct cipso_mapping *next_mapping = NULL;
356 while (mapping != NULL) {
357 next_mapping = mapping->next;
359 mapping = next_mapping;
363 int smack_cipso_apply(struct smack_cipso *cipso)
365 struct cipso_mapping *m = NULL;
366 char buf[CIPSO_MAX_SIZE];
375 snprintf(path, sizeof path, "%s/cipso2", smackfs_mnt);
376 fd = open(path, O_WRONLY);
380 memset(buf,0,CIPSO_MAX_SIZE);
381 for (m = cipso->first; m != NULL; m = m->next) {
382 snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
383 offset += strlen(buf) + 1;
385 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
388 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->ncats);
391 for (i = 0; i < m->ncats; i++){
392 sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->cats[i]);
396 if (write(fd, buf, offset) < 0) {
406 int smack_cipso_add_from_file(struct smack_cipso *cipso, int fd)
408 struct cipso_mapping *mapping = NULL;
411 char *label, *level, *cat, *ptr;
420 file = fdopen(newfd, "r");
426 while (fgets(buf, BUF_SIZE, file) != NULL) {
427 mapping = calloc(sizeof(struct cipso_mapping), 1);
431 label = strtok_r(buf, " \t\n", &ptr);
432 level = strtok_r(NULL, " \t\n", &ptr);
433 cat = strtok_r(NULL, " \t\n", &ptr);
434 if (smack_label_length(label) < 0 || level == NULL)
437 strncpy(mapping->label, label, SMACK_LABEL_LEN);
440 val = strtol(level, NULL, 10);
444 if (val < 0 || val > LEVEL_MAX)
447 mapping->level = val;
449 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
451 val = strtol(cat, NULL, 10);
455 if (val < 0 || val > CAT_MAX_VALUE)
458 mapping->cats[i] = val;
460 cat = strtok_r(NULL, " \t\n", &ptr);
465 if (cipso->first == NULL) {
466 cipso->first = cipso->last = mapping;
468 cipso->last->next = mapping;
469 cipso->last = mapping;
484 const char *smack_smackfs_path(void)
489 ssize_t smack_new_label_from_self(char **label)
495 result = calloc(SMACK_LABEL_LEN + 1, 1);
499 fd = open(SELF_LABEL_FILE, O_RDONLY);
505 ret = read(fd, result, SMACK_LABEL_LEN);
516 ssize_t smack_new_label_from_socket(int fd, char **label)
520 socklen_t length = 1;
523 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
524 if (ret < 0 && errno != ERANGE)
527 result = calloc(length + 1, 1);
531 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
541 ssize_t smack_new_label_from_path(const char *path, const char *xattr,
542 int follow, char **label)
548 getxattr(path, xattr, NULL, 0) :
549 lgetxattr(path, xattr, NULL, 0);
550 if (ret < 0 && errno != ERANGE)
553 result = calloc(ret + 1, 1);
558 getxattr(path, xattr, result, ret) :
559 lgetxattr(path, xattr, result, ret);
569 int smack_set_label_for_self(const char *label)
575 len = smack_label_length(label);
579 fd = open(SELF_LABEL_FILE, O_WRONLY);
583 ret = write(fd, label, len);
586 return (ret < 0) ? -1 : 0;
589 int smack_revoke_subject(const char *subject)
596 len = smack_label_length(subject);
600 snprintf(path, sizeof path, "%s/revoke-subject", smackfs_mnt);
601 fd = open(path, O_WRONLY);
605 ret = write(fd, subject, len);
608 return (ret < 0) ? -1 : 0;
611 ssize_t smack_label_length(const char *label)
613 return get_label(NULL, label);
616 static int accesses_apply(struct smack_accesses *handle, int clear)
618 char buf[LOAD_LEN + 1];
619 struct smack_rule *rule;
630 snprintf(path, sizeof path, "%s/load2", smackfs_mnt);
631 load_fd = open(path, O_WRONLY);
636 snprintf(path, sizeof path, "%s/load", smackfs_mnt);
637 load_fd = open(path, O_WRONLY);
638 /* Try to continue if the file doesn't exist, we might not need it. */
639 if (load_fd < 0 && errno != ENOENT)
644 snprintf(path, sizeof path, "%s/change-rule", smackfs_mnt);
645 change_fd = open(path, O_WRONLY);
646 /* Try to continue if the file doesn't exist, we might not need it. */
647 if (change_fd < 0 && errno != ENOENT) {
652 for (rule = handle->first; rule != NULL; rule = rule->next) {
653 if (rule->is_modify && !clear) {
655 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
656 rule->subject, rule->object,
657 rule->allow_access_type,
658 rule->deny_access_type);
662 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
663 rule->subject, rule->object,
664 clear ? ACC_CLEAR : rule->access_type);
666 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
667 rule->subject, rule->object,
668 clear ? ACC_CLEAR : rule->access_type);
671 if (ret < 0 || fd < 0) {
676 ret = write(fd, buf, strlen(buf));
692 static inline void parse_access_type(const char *in, char out[ACC_LEN + 1])
696 for (i = 0; i < ACC_LEN; ++i)
700 for (i = 0; in[i] != '\0'; i++)
727 static inline ssize_t get_label(char *dest, const char *src)
731 if (!src || src[0] == '\0' || src[0] == '-')
734 for (i = 0; i < (SMACK_LABEL_LEN + 1) && src[i]; i++) {
750 if (i < (SMACK_LABEL_LEN + 1))
753 return i < (SMACK_LABEL_LEN + 1) ? i : -1;
projects / framework / security / smack.git / blob