2 * This file is part of libsmack
4 * Copyright (C) 2010 Nokia Corporation
5 * Copyright (C) 2011 Intel Corporation
6 * Copyright (C) 2012 Samsung Electronics Co.
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1 as published by the Free Software Foundation.
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
23 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
24 * Rafal Krypa <r.krypa@samsung.com>
28 * Smack user space library
34 #include <sys/types.h>
37 * Maximum length of a Smack label, excluding the terminating null character.
39 #define SMACK_LABEL_LEN 255
41 enum smack_label_type {
45 SMACK_LABEL_TRANSMUTE,
51 * Handle to a in-memory representation of set of Smack rules.
53 struct smack_accesses;
65 * Creates a new empty smack_accesses instance.
67 * @param accesses created instance
68 * @return 0 on success and negative value on failure.
70 int smack_accesses_new(struct smack_accesses **accesses);
73 * Destroy a struct smack_accesses *instance.
75 * @param handle handle to a struct smack_accesses *instance
77 void smack_accesses_free(struct smack_accesses *handle);
80 * Write access rules to a given file.
82 * @param handle handle to a rule set
83 * @param fd file descriptor
84 * @return 0 on success and negative value on failure.
86 int smack_accesses_save(struct smack_accesses *handle, int fd);
89 * Write rules to kernel.
91 * @param handle handle to a rule set
92 * @return 0 on success and negative value on failure.
94 int smack_accesses_apply(struct smack_accesses *handle);
97 * Clear rules from kernel.
99 * @param handle handle to a rule set
100 * @return 0 on success and negative value on failure.
102 int smack_accesses_clear(struct smack_accesses *handle);
105 * Add new rule to a rule set.
107 * @param handle handle to a rule set
108 * @param subject subject of the rule
109 * @param object object of the rule
110 * @param access_type access type
111 * @return Returns 0 on success.
113 int smack_accesses_add(struct smack_accesses *handle, const char *subject,
114 const char *object, const char *access_type);
117 * Add a modification rule to a rule set.
118 * The modification rule will change access permissions for a given subject and
120 * If such a rule already existed (in the kernel or earlier in the rule set),
121 * it will be modified. Otherwise a new rule will be created, with permissions
122 * from access_add minus permissions from access_del.
124 * @param handle handle to a rule set
125 * @param subject subject of the rule
126 * @param object object of the rule
127 * @param access_add access type
128 * @param access_del access type
129 * @return Returns 0 on success.
131 int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
132 const char *object, const char *access_add, const char *access_del);
135 * Add rules from file.
137 * @param accesses instance
138 * @param fd file descriptor
139 * @return 0 on success and negative value on failure.
141 int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd);
144 * Check for Smack access.
146 * @param subject subject of the rule
147 * @param object object of the rule
148 * @param access_type access type
149 * @return 1 if access, 0 if no access and -1 on error.
151 int smack_have_access(const char *subject, const char *object,
152 const char *access_type);
154 struct smack_cipso *smack_cipso_new(int fd);
156 void smack_cipso_free(struct smack_cipso *cipso);
158 int smack_cipso_apply(struct smack_cipso *cipso);
161 * Get the smackfs directory.
163 const char *smack_smackfs_path(void);
166 * Get the label that is associated with the caller's process.
167 * Caller is responsible for freeing the returned label.
169 * @param label returned label
170 * @return 0 on success and negative value on failure.
172 int smack_new_label_from_self(char **label);
175 * Get the label that is associated with a peer on the other end of an
176 * Unix socket (SO_PEERSEC). Caller is responsible for freeing the
179 * @param fd socket file descriptor
180 * @param label returned label
181 * @return 0 on success and negative value on failure.
183 int smack_new_label_from_socket(int fd, char **label);
186 * Set the label associated with the caller's process.
187 * The caller must run as a privileged user for this to succeed.
189 * @param label to set
190 * @return 0 on success and negative value on failure.
192 int smack_set_label_for_self(const char *label);
195 * Revoke all rules for a subject label.
197 * @param subject subject to revoke
198 * @return 0 on success and negative value on failure.
200 int smack_revoke_subject(const char *subject);
203 * Get SMACK label from file.
204 * On successful call the label will be stored in allocated memory.
205 * Caller should take care of freeing that memory later.
207 * @param path file system path
208 * @param label returned label
209 * @param type label type to get
210 * @return 0 on success and negative value on failure.
212 int smack_getlabel(const char *path, char** label,
213 enum smack_label_type type);
216 * Get SMACK label from file. If path points to a symbolic link, the
217 * function will return the label of the link instead of the file it refers to.
218 * On successful call the label will be stored in allocated memory.
219 * Caller should take care of freeing that memory later.
221 * @param path file system path
222 * @param label returned label
223 * @param type label type to get
224 * @return 0 on success and negative value on failure.
226 int smack_lgetlabel(const char *path, char** label,
227 enum smack_label_type type);
230 * Get SMACK label from file descriptor.
231 * On successful call the label will be stored in allocated memory.
232 * Caller should take care of freeing that memory later.
234 * @param fd file descriptor
235 * @param label returned label
236 * @param type label type to get
237 * @return 0 on success and negative value on failure.
239 int smack_fgetlabel(int fd, char** label,
240 enum smack_label_type type);
243 * Set SMACK label for file.
244 * On successful call label will be stored on allocated memory.
246 * @param path file system path
247 * @param label SMACK label to set
248 * if equal to NULL or "", label will be removed
249 * for type SMACK_LABEL_TRANSMUTE valid values are NULL, "", "0" or "1"
250 * @param type label type to set
251 * @return 0 on success and negative value on failure.
253 int smack_setlabel(const char *path, const char* label,
254 enum smack_label_type type);
257 * Set SMACK label for file. If path points to a symbolic link, the
258 * function will set the label of the link instead of the file it refers to.
260 * @param path file system path
261 * @param label SMACK label to set
262 * if equal to NULL or "", label will be removed
263 * for type SMACK_LABEL_TRANSMUTE valid values are NULL, "", "0" or "1"
264 * @param type label type to set
265 * @return 0 on success and negative value on failure.
267 int smack_lsetlabel(const char *path, const char* label,
268 enum smack_label_type type);
271 * Set SMACK label for file descriptor.
273 * @param fd file descriptor
274 * @param label SMACK label to set
275 * if equal to NULL or "", label will be removed
276 * for type SMACK_LABEL_TRANSMUTE valid values are NULL, "", "0" or "1"
277 * @param type label type to set
278 * @return 0 on success and negative value on failure.
280 int smack_fsetlabel(int fd, const char* label,
281 enum smack_label_type type);
284 * Validate a SMACK label and calculate its length.
286 * @param label label to verify
287 * @return Returns length of the label on success and negative on failure.
289 ssize_t smack_label_length(const char *label);
292 * Get the SMACK label that is contained in an extended attribute.
293 * Caller is responsible for freeing the returned label.
295 * @param path path of the file
296 * @param xattr the extended attribute containing the SMACK label
297 * @param follow whether or not to follow symbolic link
298 * @param label output variable for the returned label
299 * @return Returns length of the label on success and negative value
302 ssize_t smack_new_label_from_path(const char *path,
308 * Set the SMACK label in an extended attribute.
310 * @param path path of the file
311 * @param xattr the extended attribute containing the SMACK label
312 * @param follow whether or not to follow symbolic link
313 * @param label the SMACK label to set
314 * @return Returns length of the label on success and negative value
317 int smack_set_label_for_path(const char *path,
323 * Remove the SMACK label in an extended attribute.
325 * @param path path of the file
326 * @param xattr the extended attribute containing the SMACK label
327 * @param follow whether or not to follow symbolic link
328 * @return Returns 0 on success and negative on failure.
330 int smack_remove_label_for_path(const char *path,
338 #endif // _SYS_SMACK_H