2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * version 2.1 as published by the Free Software Foundation.
11 * This library is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
22 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
23 * Brian McGillion <brian.mcgillion@intel.com>
24 * Passion Zhao <passion.zhao@intel.com>
27 #include "sys/smack.h"
33 #include <sys/socket.h>
35 #include <sys/types.h>
40 #define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + ACC_LEN)
45 #define CAT_MAX_COUNT 240
46 #define CAT_MAX_VALUE 63
47 #define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
48 #define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
49 #define CIPSO_NUM_LEN_STR "%-4d"
57 #define KERNEL_LONG_FORMAT "%s %s %s"
58 #define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
59 #define READ_BUF_SIZE LOAD_LEN + 1
60 #define SELF_LABEL_FILE "/proc/self/attr/current"
62 extern char *smack_mnt;
65 char subject[SMACK_LABEL_LEN + 1];
66 char object[SMACK_LABEL_LEN + 1];
68 struct smack_rule *next;
71 struct smack_accesses {
72 struct smack_rule *first;
73 struct smack_rule *last;
76 struct cipso_mapping {
77 char label[SMACK_LABEL_LEN + 1];
78 int cats[CAT_MAX_VALUE];
81 struct cipso_mapping *next;
85 struct cipso_mapping *first;
86 struct cipso_mapping *last;
89 static int accesses_apply(struct smack_accesses *handle, int clear);
90 static inline int access_type_to_int(const char *access_type);
91 static inline void int_to_access_type_c(unsigned ac, char *str);
92 static inline void int_to_access_type_k(unsigned ac, char *str);
94 int smack_accesses_new(struct smack_accesses **accesses)
96 struct smack_accesses *result;
98 result = calloc(sizeof(struct smack_accesses), 1);
106 void smack_accesses_free(struct smack_accesses *handle)
111 struct smack_rule *rule = handle->first;
112 struct smack_rule *next_rule = NULL;
114 while (rule != NULL) {
115 next_rule = rule->next;
123 int smack_accesses_save(struct smack_accesses *handle, int fd)
125 struct smack_rule *rule = handle->first;
126 char access_type[ACC_LEN + 1];
135 file = fdopen(newfd, "w");
142 int_to_access_type_c(rule->access_code, access_type);
144 ret = fprintf(file, "%s %s %s\n",
145 rule->subject, rule->object, access_type);
158 int smack_accesses_apply(struct smack_accesses *handle)
160 return accesses_apply(handle, 0);
163 int smack_accesses_clear(struct smack_accesses *handle)
165 return accesses_apply(handle, 1);
168 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
169 const char *object, const char *access_type)
171 struct smack_rule *rule = NULL;
173 rule = calloc(sizeof(struct smack_rule), 1);
177 strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
178 strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
179 rule->access_code = access_type_to_int(access_type);
181 if (handle->first == NULL) {
182 handle->first = handle->last = rule;
184 handle->last->next = rule;
191 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
194 char buf[READ_BUF_SIZE];
196 const char *subject, *object, *access;
203 file = fdopen(newfd, "r");
209 while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
210 if (strcmp(buf, "\n") == 0)
212 subject = strtok_r(buf, " \t\n", &ptr);
213 object = strtok_r(NULL, " \t\n", &ptr);
214 access = strtok_r(NULL, " \t\n", &ptr);
216 if (subject == NULL || object == NULL || access == NULL ||
217 strtok_r(NULL, " \t\n", &ptr) != NULL) {
223 if (smack_accesses_add(accesses, subject, object, access)) {
238 int smack_have_access(const char *subject, const char *object,
239 const char *access_type)
241 char buf[LOAD_LEN + 1];
242 char access_type_k[ACC_LEN + 1];
243 unsigned access_code;
254 snprintf(path, sizeof path, "%s/access2", smack_mnt);
255 fd = open(path, O_RDWR);
260 snprintf(path, sizeof path, "%s/access", smack_mnt);
261 fd = open(path, O_RDWR);
267 access_code = access_type_to_int(access_type);
268 int_to_access_type_k(access_code, access_type_k);
271 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
272 subject, object, access_type_k);
274 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
275 subject, object, access_type_k);
282 ret = write(fd, buf, strlen(buf));
288 ret = read(fd, buf, 1);
293 return buf[0] == '1';
295 void smack_cipso_free(struct smack_cipso *cipso)
300 struct cipso_mapping *mapping = cipso->first;
301 struct cipso_mapping *next_mapping = NULL;
303 while (mapping != NULL) {
304 next_mapping = mapping->next;
306 mapping = next_mapping;
310 struct smack_cipso *smack_cipso_new(int fd)
312 struct smack_cipso *cipso = NULL;
313 struct cipso_mapping *mapping = NULL;
316 char *label, *level, *cat, *ptr;
325 file = fdopen(newfd, "r");
331 cipso = calloc(sizeof(struct smack_cipso ), 1);
337 while (fgets(buf, BUF_SIZE, file) != NULL) {
338 mapping = calloc(sizeof(struct cipso_mapping), 1);
342 label = strtok_r(buf, " \t\n", &ptr);
343 level = strtok_r(NULL, " \t\n", &ptr);
344 cat = strtok_r(NULL, " \t\n", &ptr);
345 if (label == NULL || cat == NULL || level == NULL ||
346 strlen(label) > SMACK_LABEL_LEN) {
351 strcpy(mapping->label, label);
354 val = strtol(level, NULL, 10);
358 if (val < 0 || val > LEVEL_MAX) {
363 mapping->level = val;
365 for (i = 0; i < CAT_MAX_COUNT && cat != NULL; i++) {
367 val = strtol(cat, NULL, 10);
371 if (val < 0 || val > CAT_MAX_VALUE) {
376 mapping->cats[i] = val;
378 cat = strtok_r(NULL, " \t\n", &ptr);
383 if (cipso->first == NULL) {
384 cipso->first = cipso->last = mapping;
386 cipso->last->next = mapping;
387 cipso->last = mapping;
398 smack_cipso_free(cipso);
403 const char *smack_smackfs_path(void)
408 int smack_cipso_apply(struct smack_cipso *cipso)
410 struct cipso_mapping *m = NULL;
411 char buf[CIPSO_MAX_SIZE];
421 snprintf(path, sizeof path, "%s/cipso2", smack_mnt);
422 fd = open(path, O_WRONLY);
426 for (m = cipso->first; m != NULL; m = m->next) {
427 sprintf(buf, "%s ", m->label);
428 sprintf(&buf[SMACK_LABEL_LEN + 1], CIPSO_NUM_LEN_STR, m->level);
429 sprintf(&buf[SMACK_LABEL_LEN + 1 + NUM_LEN], CIPSO_NUM_LEN_STR, m->ncats);
431 for (i = 0; i < m->ncats; i++)
432 sprintf(&buf[CIPSO_POS(i)], CIPSO_NUM_LEN_STR, m->cats[i]);
434 if (write(fd, buf, strlen(buf)) < 0) {
444 int smack_new_label_from_self(char **label)
450 result = calloc(SMACK_LABEL_LEN + 1, 1);
454 fd = open(SELF_LABEL_FILE, O_RDONLY);
460 ret = read(fd, result, SMACK_LABEL_LEN);
471 int smack_new_label_from_socket(int fd, char **label)
475 socklen_t length = 1;
478 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, &dummy, &length);
479 if (ret < 0 && errno != ERANGE)
482 result = calloc(length + 1, 1);
486 ret = getsockopt(fd, SOL_SOCKET, SO_PEERSEC, result, &length);
496 static int accesses_apply(struct smack_accesses *handle, int clear)
498 char buf[LOAD_LEN + 1];
499 char access_type[ACC_LEN + 1];
500 struct smack_rule *rule;
511 snprintf(path, sizeof path, "%s/load2", smack_mnt);
512 fd = open(path, O_WRONLY);
517 snprintf(path, sizeof path, "%s/load", smack_mnt);
518 fd = open(path, O_WRONLY);
525 strcpy(access_type, "-----");
527 for (rule = handle->first; rule != NULL; rule = rule->next) {
529 int_to_access_type_k(rule->access_code, access_type);
532 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
533 rule->subject, rule->object,
536 ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
537 rule->subject, rule->object,
544 ret = write(fd, buf, strlen(buf));
555 static inline int access_type_to_int(const char *access_type)
561 for (i = 0; i < ACC_LEN && access_type[i] != '\0'; i++)
562 switch (access_type[i]) {
590 static inline void int_to_access_type_c(unsigned access, char *str)
594 if ((access & ACC_R) != 0)
596 if ((access & ACC_W) != 0)
598 if ((access & ACC_X) != 0)
600 if ((access & ACC_A) != 0)
602 if ((access & ACC_T) != 0)
607 static inline void int_to_access_type_k(unsigned access, char *str)
609 str[0] = ((access & ACC_R) != 0) ? 'r' : '-';
610 str[1] = ((access & ACC_W) != 0) ? 'w' : '-';
611 str[2] = ((access & ACC_X) != 0) ? 'x' : '-';
612 str[3] = ((access & ACC_A) != 0) ? 'a' : '-';
613 str[4] = ((access & ACC_T) != 0) ? 't' : '-';