* 02110-1301 USA
*/
+#define __GNU_SOURCE
+#include <search.h>
#include "sys/smack.h"
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sys/xattr.h>
+#define SELF_LABEL_FILE "/proc/self/attr/current"
+
#define SHORT_LABEL_LEN 23
-#define ACC_LEN 5
+#define ACC_LEN 6
#define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
+#define KERNEL_LONG_FORMAT "%s %s %s"
+#define KERNEL_SHORT_FORMAT "%-23s %-23s %5.5s"
+#define KERNEL_MODIFY_FORMAT "%s %s %s %s"
#define LEVEL_MAX 255
#define NUM_LEN 4
#define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
#define CIPSO_NUM_LEN_STR "%-4d"
-#define KERNEL_LONG_FORMAT "%s %s %s"
-#define KERNEL_SHORT_FORMAT "%-23s %-23s %5s"
-#define KERNEL_MODIFY_FORMAT "%s %s %s %s"
-#define READ_BUF_SIZE LOAD_LEN + 1
-#define SELF_LABEL_FILE "/proc/self/attr/current"
-#define ACC_CLEAR "-----"
-
#define ACCESS_TYPE_R 0x01
#define ACCESS_TYPE_W 0x02
#define ACCESS_TYPE_X 0x04
#define ACCESS_TYPE_A 0x08
#define ACCESS_TYPE_T 0x10
+#define ACCESS_TYPE_L 0x20
+
+#define DICT_HASH_SIZE 4096
extern char *smackfs_mnt;
+struct label_dict {
+ char **labels;
+ int nof_labels;
+ struct hsearch_data *htab;
+};
+
struct smack_rule {
- char subject[SMACK_LABEL_LEN + 1];
- char object[SMACK_LABEL_LEN + 1];
+ int subject_id;
+ int object_id;
int subject_len;
int object_len;
int allow_code;
struct smack_accesses {
struct smack_rule *first;
struct smack_rule *last;
+ struct label_dict *dict;
};
struct cipso_mapping {
};
static int accesses_apply(struct smack_accesses *handle, int clear);
-static ssize_t smack_label_length(const char *label) __attribute__((unused));
static inline ssize_t get_label(char *dest, const char *src);
static inline int str_to_access_code(const char *str);
static inline void access_code_to_str(unsigned code, char *str);
+static int dict_create(struct label_dict **dict);
+static int dict_free(struct label_dict *dict);
+static const char *dict_get_label(const struct label_dict *dict, int id);
+static ssize_t dict_add_label(struct label_dict *dict, int *id, const char *src);
int smack_accesses_new(struct smack_accesses **accesses)
{
if (result == NULL)
return -1;
+ if (dict_create(&(result->dict)))
+ return -1;
*accesses = result;
return 0;
}
rule = next_rule;
}
+ dict_free(handle->dict);
free(handle);
}
access_code_to_str(rule->deny_code, deny_str);
ret = fprintf(file, "%s %s %s %s\n",
- rule->subject, rule->object,
+ dict_get_label(handle->dict, rule->subject_id),
+ dict_get_label(handle->dict, rule->object_id),
allow_str, deny_str);
} else {
ret = fprintf(file, "%s %s %s\n",
- rule->subject, rule->object,
+ dict_get_label(handle->dict, rule->subject_id),
+ dict_get_label(handle->dict, rule->object_id),
allow_str);
}
if (rule == NULL)
return -1;
- rule->subject_len = get_label(rule->subject, subject);
- rule->object_len = get_label(rule->object, object);
+ rule->subject_len = dict_add_label(handle->dict, &(rule->subject_id), subject);
+ rule->object_len = dict_add_label(handle->dict, &(rule->object_id), object);
if (rule->subject_len < 0 || rule->object_len < 0) {
free(rule);
return -1;
if (rule == NULL)
return -1;
- rule->subject_len = get_label(rule->subject, subject);
- rule->object_len = get_label(rule->object, object);
+ rule->subject_len = dict_add_label(handle->dict, &(rule->subject_id), subject);
+ rule->object_len = dict_add_label(handle->dict, &(rule->object_id), object);
if (rule->subject_len < 0 || rule->object_len < 0) {
free(rule);
return -1;
int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd)
{
FILE *file = NULL;
- char buf[READ_BUF_SIZE];
+ char buf[LOAD_LEN + 1];
char *ptr;
const char *subject, *object, *access, *access2;
int newfd;
return -1;
}
- while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
+ while (fgets(buf, LOAD_LEN + 1, file) != NULL) {
if (strcmp(buf, "\n") == 0)
continue;
subject = strtok_r(buf, " \t\n", &ptr);
int fd;
int i;
char path[PATH_MAX];
- int offset=0;
+ int offset;
if (!smackfs_mnt)
return -1;
memset(buf,0,CIPSO_MAX_SIZE);
for (m = cipso->first; m != NULL; m = m->next) {
snprintf(buf, SMACK_LABEL_LEN + 1, "%s", m->label);
- offset += strlen(buf) + 1;
+ offset = strlen(buf) + 1;
sprintf(&buf[offset], CIPSO_NUM_LEN_STR, m->level);
offset += NUM_LEN;
}
*label = result;
- return 0;
+ return ret;
}
int smack_set_label_for_self(const char *label)
return (ret < 0) ? -1 : 0;
}
-ssize_t smack_label_length(const char *label)
-{
- return get_label(NULL, label);
-}
-
static int accesses_apply(struct smack_accesses *handle, int clear)
{
char buf[LOAD_LEN + 1];
access_code_to_str(clear ? 0 : rule->allow_code, allow_str);
if (rule->deny_code != -1 && !clear) {
- access_code_to_str(clear ? 0 : rule->deny_code, deny_str);
+ access_code_to_str(rule->deny_code, deny_str);
fd = change_fd;
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_MODIFY_FORMAT,
- rule->subject, rule->object,
+ dict_get_label(handle->dict, rule->subject_id),
+ dict_get_label(handle->dict, rule->object_id),
allow_str,
deny_str);
} else {
fd = load_fd;
if (load2)
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_LONG_FORMAT,
- rule->subject, rule->object,
+ dict_get_label(handle->dict, rule->subject_id),
+ dict_get_label(handle->dict, rule->object_id),
allow_str);
else {
if (rule->subject_len > SHORT_LABEL_LEN ||
}
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_SHORT_FORMAT,
- rule->subject, rule->object,
+ dict_get_label(handle->dict, rule->subject_id),
+ dict_get_label(handle->dict, rule->object_id),
allow_str);
}
}
goto err_out;
}
- ret = write(fd, buf, strlen(buf));
+ ret = write(fd, buf, ret);
if (ret < 0) {
ret = -1;
goto err_out;
return -1;
for (i = 0; i < (SMACK_LABEL_LEN + 1) && src[i]; i++) {
+ if (src[i] <= ' ' || src[i] > '~')
+ return -1;
switch (src[i]) {
- case ' ':
case '/':
case '"':
case '\\':
dest[i] = src[i];
}
- if (i < (SMACK_LABEL_LEN + 1))
+ if (dest && i < (SMACK_LABEL_LEN + 1))
dest[i] = '\0';
return i < (SMACK_LABEL_LEN + 1) ? i : -1;
int i;
unsigned int code = 0;
- for (i = 0; i < ACC_LEN && str[i] != '\0'; i++) {
+ for (i = 0; str[i] != '\0'; i++) {
switch (str[i]) {
case 'r':
case 'R':
case 'T':
code |= ACCESS_TYPE_T;
break;
+ case 'l':
+ case 'L':
+ code |= ACCESS_TYPE_L;
+ break;
case '-':
break;
default:
str[2] = ((code & ACCESS_TYPE_X) != 0) ? 'x' : '-';
str[3] = ((code & ACCESS_TYPE_A) != 0) ? 'a' : '-';
str[4] = ((code & ACCESS_TYPE_T) != 0) ? 't' : '-';
- str[5] = '\0';
+ str[5] = ((code & ACCESS_TYPE_L) != 0) ? 'l' : '-';
+ str[6] = '\0';
+}
+
+static int dict_create(struct label_dict **dict)
+{
+ *dict = calloc(1, sizeof(struct label_dict));
+ if (!*dict)
+ goto err;
+ (*dict)->htab = calloc(1, sizeof(struct hsearch_data));
+ if (!(*dict)->htab)
+ goto free_dict;
+ (*dict)->labels = calloc(DICT_HASH_SIZE, sizeof(char *));
+ if (!(*dict)->labels)
+ goto free_htab;
+ if (hcreate_r(DICT_HASH_SIZE, (*dict)->htab) == 0)
+ goto free_labels;
+ return 0;
+
+free_labels:
+ free((*dict)->labels);
+free_htab:
+ free((*dict)->htab);
+free_dict:
+ free(*dict);
+err:
+ return -1;
+}
+
+static int dict_free(struct label_dict *dict)
+{
+ int i;
+ for (i = 0; i < (dict->nof_labels); i++)
+ free((dict->labels)[i]);
+ free(dict->labels);
+ hdestroy_r(dict->htab);
+ free(dict->htab);
+ free(dict);
+ return 0;
+}
+
+static ssize_t dict_add_label(struct label_dict *dict, int *id, const char *label)
+{
+ ENTRY e, *ep;
+ int ret, search;
+
+ ret = get_label(NULL, label);
+
+ if (dict->nof_labels == DICT_HASH_SIZE)
+ return -2;
+ if (ret == -1)
+ return -1;
+
+ e.key = (char *)label;
+ e.data = (void *)(&(dict->labels[dict->nof_labels]));
+
+ search = hsearch_r(e, ENTER, &ep, dict->htab);
+ if (search == 0)
+ return -2;
+ if (e.data != ep->data) {/*found an existing entry*/
+ *id = (int)((char **)(ep->data) - dict->labels);
+ } else {/*new entry added*/
+ ep->key = malloc(ret + 1);
+ if (!ep->key)
+ return -3;
+ ep->key[ret] = '\0';
+ memcpy(ep->key, label, ret);
+ dict->labels[dict->nof_labels] = ep->key;
+ *id = dict->nof_labels++;
+ }
+ return ret;
+}
+
+static const char *dict_get_label(const struct label_dict *dict, int id)
+{
+ if (id < dict->nof_labels)
+ return dict->labels[id];
+ else
+ return NULL;
}