Rafał Krypa [Mon, 17 Oct 2016 14:21:05 +0000 (16:21 +0200)]
Merge pull request #124 from grzelewski/master
Unify smack function behaviour and fix description in headers.
Bartlomiej Grzelewski [Tue, 14 Jun 2016 10:08:32 +0000 (12:08 +0200)]
Unify implementation of smack functions
The new implementation does not count NULL char to string length.
Bartlomiej Grzelewski [Thu, 16 Jun 2016 10:07:31 +0000 (12:07 +0200)]
Fix descriptions in header file
Description of this function has been changed:
* smack_set_label_for_path
* smack_set_label_for_file
Both functions return 0 on success and negative
value on error.
Rafal Krypa [Fri, 13 May 2016 09:32:09 +0000 (11:32 +0200)]
debian: adapt to version 1.2.x
Fix debian changelog and library symbols information.
Change-Id: I3803edabb995dc0579a40751857253c63e88574f
Rafał Krypa [Fri, 13 May 2016 09:10:41 +0000 (11:10 +0200)]
Merge pull request #122 from jpeach/check-file-dtype
Support filesystems that don't fill in d_type.
Rafał Krypa [Fri, 13 May 2016 09:05:57 +0000 (11:05 +0200)]
Merge pull request #121 from jobol/master
this closes #103 issue
José Bollo [Mon, 4 Apr 2016 10:26:53 +0000 (12:26 +0200)]
chsmack: integrates remarks from review
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Mon, 4 Apr 2016 10:02:41 +0000 (12:02 +0200)]
chsmack: linux formating of code
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 16:41:21 +0000 (17:41 +0100)]
chsmack: add recursive option
The option if set will enter the directories
and apply the settings of properties or just
list properties of files.
The symbolic links will not be followed except
if present in the command line.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 15:53:38 +0000 (16:53 +0100)]
chsmack: make option -d obsolete
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 15:43:23 +0000 (16:43 +0100)]
chsmack: use functions for processing
This commit prepares implementation of
recursive processing.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 15:29:56 +0000 (16:29 +0100)]
chsmack: use function to check arguments
The function 'set_state' greatly improves the
readability of the code.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 15:01:50 +0000 (16:01 +0100)]
chsmack: use global variables and cosmetics
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 14:39:46 +0000 (15:39 +0100)]
chsmack: add more option for dropping properties
4 new options allow to drop Smack properties
either in the same time that others are set
or specifically.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 14:08:52 +0000 (15:08 +0100)]
chsmack: adds 'drop' option
This option allows to drop any property that
is not explicitely set. This option is intended
to prevent to call chsmack times.
By eample, the following sequence:
chsmack -d file
chsmask -a User::Item file
becomes
chsmack -D -a User::Item file
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 11:49:25 +0000 (12:49 +0100)]
chsmack: merge modification loops
The two separate loops, one for deleting,
one for setting are now merged in only
one loop.
It prepares implementation of future
options.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 11:23:55 +0000 (12:23 +0100)]
chsmack: better naming
The name 'option_flag' wasn't very good.
The new name 'modify' is more explicit.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 11:14:04 +0000 (12:14 +0100)]
chsmack: implement the state logic
The state for attribute now reflects the expected
action: positive for adding attribute, negative for
removing it.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 10:54:25 +0000 (11:54 +0100)]
chsmack: less error printing
Is it really an error to remove an attribute
that doesn't exists? I don't think so because
the final result is the expected result.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 10:36:29 +0000 (11:36 +0100)]
chsmack: minor refactor of structures
This is an intermediate commits that prepare
the evolution of how settings and removings
are handled.
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
José Bollo [Thu, 7 Jan 2016 10:03:42 +0000 (11:03 +0100)]
chsmack: removing of 'option_map'
The array 'option_map' is mostly needed for
printing errors.
Thus why to loose very little time
for setting it if it will not be needed?
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
James Peach [Tue, 15 Mar 2016 16:15:55 +0000 (09:15 -0700)]
Support filesystems that don't fill in d_type.
If the filesystem doesn't fill in the d_type dirent field, stat the name
to figure out the inode type. This can happen on older XFS filesystems
created with old mkfs options.
Signed-off-by: James Peach <jpeach@apache.org>
Rafał Krypa [Thu, 31 Dec 2015 15:53:42 +0000 (16:53 +0100)]
Merge pull request #120 from v14dz/master
Ends the smackcipso usage with a newline
Rafal Krypa [Tue, 17 Nov 2015 19:18:22 +0000 (20:18 +0100)]
libsmack: add function for configuring relabel-self interface
Implement smack_set_relabel_self() libsmack function for updating list
of labels to which the current process will be allowed to switch.
The caller must hold CAP_MAC_ADMIN capability, but if it drops
capabilities later, it will be permitted to change its label only to one
of labels permitted.
Bump the library version to 1.2.0 and put the new function there.
Change-Id: I9bb252baa9e8238781c66fa60111997c79047439
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
vladz [Tue, 28 Jul 2015 18:38:17 +0000 (20:38 +0200)]
Ends the smackcipso usage with a newline
Rafał Krypa [Thu, 21 May 2015 16:31:05 +0000 (18:31 +0200)]
Merge pull request #119 from doughdemon/master
libsmack/common.c: Include <limits.h> for PATH_MAX
Felix Janda [Wed, 20 May 2015 19:25:22 +0000 (21:25 +0200)]
libsmack/common.c: Include <limits.h> for PATH_MAX
Signed-off-by: Felix Janda <felix.janda@posteo.de>
Rafał Krypa [Mon, 13 Apr 2015 14:24:26 +0000 (16:24 +0200)]
Merge pull request #118 from JanCybulski/master
chsmack: print error message if obtaining access label fails
Jan Cybulski [Thu, 2 Apr 2015 13:35:59 +0000 (15:35 +0200)]
chsmack: print error message if obtaining access label fails
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Mon, 16 Feb 2015 16:06:45 +0000 (17:06 +0100)]
build: Ignore and clean up generated file doc/doxygen_sqlite3.db
Rafal Krypa [Mon, 16 Feb 2015 15:53:52 +0000 (16:53 +0100)]
Update maintainer and copyright information
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafał Krypa [Mon, 16 Feb 2015 15:45:57 +0000 (16:45 +0100)]
Merge pull request #114 from jobol/goto-1.1
Going to a delivery of version 1.1
Rafał Krypa [Sun, 28 Dec 2014 10:56:42 +0000 (10:56 +0000)]
Merge pull request #117 from JanCybulski/master
smackcipso: usage update
Rafał Krypa [Sun, 28 Dec 2014 10:56:06 +0000 (10:56 +0000)]
Merge pull request #116 from rafal-krypa/issue116
libsmack: fix parsing of CIPSO settings
Rafal Krypa [Fri, 26 Dec 2014 12:53:43 +0000 (12:53 +0000)]
libsmack: use bit array to reduce the size of struct cipso_mapping
To decrease size of struct cipso_mapping, categories are now stored in a
bit array. This reduces the size of the whole struct.
On a i386 machine it will occupy 292 bytes instead of 1004.
Change-Id: I5e9119ee822131cd0adcb479359a0693f094aee6
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 26 Dec 2014 12:33:54 +0000 (12:33 +0000)]
libsmack: fix parsing of CIPSO settings
Adjust CIPSO parsing to expected kernel format:
- maximum number of categories is 184
- each category value must be between 1 and 184
Change-Id: Ic5e4ccd2104ed3284a873087339bf792536b2125
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Mon, 22 Dec 2014 10:07:58 +0000 (11:07 +0100)]
smackcipso: usage update
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
José Bollo [Tue, 15 Apr 2014 07:12:45 +0000 (09:12 +0200)]
smackctl: Adding reliable usage
Adding help text providing usage information for smackctl utility.
Minor improvement of the manual page for smackctl.
Change-Id: I31f8fd4a4c866284255e4865bf7bb9512e3c793f
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Thu, 9 Oct 2014 07:04:41 +0000 (09:04 +0200)]
libsmack: New functions handling file's attributes
The new functions are:
- smack_new_label_from_file
- smack_set_label_for_file
- smack_remove_label_for_file
This functions allow to operate on opened
files using their linux file descritor for
reading, writing or destroying the named
file attribute given.
Change-Id: I454e96ca2eeb21e08a40c39c830e5b903875580b
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Thu, 5 Jun 2014 16:24:46 +0000 (19:24 +0300)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Thu, 5 Jun 2014 16:24:17 +0000 (19:24 +0300)]
Merge remote-tracking branch 'penszo/v1.0.x' into v1.0.x
Jarkko Sakkinen [Thu, 5 Jun 2014 16:22:23 +0000 (19:22 +0300)]
Revert "libsmack: Terminate attribute string"
This reverts commit
cbdd52af82bce9d2ab79e43e0757c4d077d08907.
Zbigniew Jasinski [Thu, 29 May 2014 09:57:12 +0000 (11:57 +0200)]
libsmack: fix memory leak
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Casey Schaufler [Fri, 2 May 2014 23:34:24 +0000 (16:34 -0700)]
libsmack: Terminate attribute string
The smack_new_label_from_path function reads an xattr
that may not be null byte terminated. This occurs in the
SMACK64TRANSMUTE case. Technically, the transmute attribute
isn't a label, so this function shouldn't be used to fetch
the value, but we'll let that go. This is just good string
hygiene in any case.
This is an issue because chsmack prints transmute="TRUE0"
without this fix.
Signed-off-by: Casey Schaufler <casey.schaufler@intel.com>
Jarkko Sakkinen [Thu, 24 Apr 2014 05:08:37 +0000 (08:08 +0300)]
Merge branch 'v1.0.x'
Conflicts:
utils/smackctl.c
Jarkko Sakkinen [Thu, 24 Apr 2014 04:22:29 +0000 (07:22 +0300)]
Merge remote-tracking branch 'rafal-krypa/issue108' into v1.0.x
Jarkko Sakkinen [Mon, 14 Apr 2014 22:37:21 +0000 (01:37 +0300)]
utils: add options for version and usage information
Added option -v/--version for displaying version information
and -h/--help for displaying usage information.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Rafal Krypa [Tue, 15 Apr 2014 15:24:19 +0000 (17:24 +0200)]
libsmack: fix smack_new_label_from_path() (regression in
e6890752)
Function smack_new_label_from_path failed to null-terminate xattr value
before passing it to get_label.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Mon, 14 Apr 2014 22:24:00 +0000 (01:24 +0300)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Mon, 14 Apr 2014 22:09:00 +0000 (01:09 +0300)]
utils/smackaccess: added missing include libgen.h
libgen.h must be included for basename()
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 14 Apr 2014 21:22:21 +0000 (00:22 +0300)]
Merge branch 'v1.0.x'
Jarkko Sakkinen [Mon, 14 Apr 2014 21:20:23 +0000 (00:20 +0300)]
utils/chsmack: added missing include libgen.h
libgen.h must be included for basename()
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
jsakkine [Sun, 30 Mar 2014 16:17:32 +0000 (19:17 +0300)]
Merge pull request #105 from jobol/issue105
libsmack: `verify_smackfs_mnt` wrongly expects smackfs to be writable
José Bollo [Thu, 27 Mar 2014 14:47:02 +0000 (15:47 +0100)]
libsmack: Removes checking smackfs isn't read only
Assuming that smack is available only if the filesystem
smackfs is mounted without being set to read-only have
negative side effects on tools like 'id', 'ls', 'ps'.
In effect, these tools are using libsmack to detect
availability of Smack and to tune their output to
print contexts.
This fixes smack-team/smack#105
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Tue, 18 Mar 2014 06:49:28 +0000 (08:49 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Mon, 17 Mar 2014 16:09:31 +0000 (17:09 +0100)]
libsmack: fix smack_have_access() (regression in
d7319c71)
Commit
d7319c71 introduced an internal function for opening smackfs files,
when there is a long and short label version. The new function always
opens the file write only, but smack_have access() requires O_RDWR.
The internal function is now extended to take argument with file access
mode.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Mar 2014 17:40:44 +0000 (18:40 +0100)]
libsmack: add function for policy loading at system startup
New function smack_load_policy() is intended to be used by systemd for
policy loading at system startup. It reuses existing code from
utils/common.c, now moved to libsmack/common.c.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 20 Feb 2014 14:04:57 +0000 (15:04 +0100)]
libsmack: add functions for setting and removing labels on files
Jóse Bollo implemented two functions as part of this various
improvements for the chsmack command-line utility:
- smack_set_label_for_path() (see f1dfd85)
- smack_remove_label_for_path() (see 5da1a22)
Since they are generally useful, they should be part of the
API in libsmack 1.1.
This patch migrates these functions to libsmack and exports
the symbols. Also, the chsmack is modified to use the new API
instead of the internal functions.
[jsakkine: rewrote the patch description]
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 20 Feb 2014 11:35:38 +0000 (13:35 +0200)]
Merge branch 'v1.0.x'
Conflicts:
configure.ac
libsmack/Makefile.am
libsmack/libsmack.c
Jarkko Sakkinen [Thu, 20 Feb 2014 11:31:28 +0000 (13:31 +0200)]
Changed library version to 1.0.4
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 20 Feb 2014 11:27:18 +0000 (13:27 +0200)]
Merge remote-tracking branch 'rafal-krypa/issue51' into v1.0.x
Jarkko Sakkinen [Thu, 20 Feb 2014 11:27:06 +0000 (13:27 +0200)]
Merge remote-tracking branch 'jobol/issue94' into v1.0.x
Rafal Krypa [Tue, 18 Feb 2014 11:16:50 +0000 (12:16 +0100)]
libsmack: avoid sprintf() when printing rules in long format
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Fri, 14 Feb 2014 14:22:53 +0000 (15:22 +0100)]
libsmack: enable multi-line support for writing to load2 and change-rule
Since Linux 3.12 Smack can handle multiple rules in single write when
loading policy. Libsmack will detect this support and group rules into
blocks of PAGE_SIZE-1 bytes at most. This results in much smaller number
of syscalls and faster loading of large policy.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Tue, 18 Feb 2014 08:34:05 +0000 (10:34 +0200)]
Merge remote-tracking branch 'jobol/addgen' into v1.0.x
José Bollo [Fri, 14 Feb 2014 10:34:26 +0000 (11:34 +0100)]
tests: Improved version of generator
This version use a generating algorithm to ensure
the generator constraints. It has two new options:
- s=N to shuffle or sort the result
- p=N to set the percentage of modification rules
The Makefile now make optimisation and have warning detection.
The make_policies script now use the shuffle option.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jan Cybulski [Thu, 13 Feb 2014 09:41:26 +0000 (10:41 +0100)]
tests: Produce sorted policy with unique rule only
There is no need for tests of sorted policies with non unique rules.
If someone prepares sorted policy, redundancy of rules should also
be removed during sorting.
José Bollo [Thu, 13 Feb 2014 08:31:06 +0000 (09:31 +0100)]
tests: Improved formating of code
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Thu, 13 Feb 2014 08:18:01 +0000 (09:18 +0100)]
tests: Adding a usage function.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 17:31:20 +0000 (18:31 +0100)]
tests: Adding some comments
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 17:01:48 +0000 (18:01 +0100)]
tests: Correcting exit codes
The valid exit code are form 0 to 255. Then using -1 means that the
effective exit code will be 0377==255. It isn't accurate. The exit code
of 1 is merely very often used for failure status.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 15:16:24 +0000 (16:16 +0100)]
tests: Renaming 'r' to 'alea'
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
José Bollo [Wed, 12 Feb 2014 11:42:20 +0000 (12:42 +0100)]
tests: Changing filenames
Changing two filenames:
- tests/gen.c becomes tests/generator.c
- tests/makefile becomes tests/Makefile
That is obviously better to have the main file of the program
`generator` named `generator.c`.
The default naming of makefiles is Makefile with a capital
letter. Conforming to that rule is better.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jan Cybulski [Fri, 7 Feb 2014 13:58:52 +0000 (14:58 +0100)]
tests: Change program generating test data
-Change program to produce more parametrized output:
*Introduce parameters to set number of unique rules (u) and merges in policy (m).
*Introduce parametr for maximum number of reocurrances of a label in merged policy (L).
*Add possibility of getting list of labels from stdin in addition to generating random ones.
-Some minor style adjustments to libsmack coding style.
Also:
-Add makefile for policies generation
-Add script generating different type of policies
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Fri, 14 Feb 2014 10:41:07 +0000 (11:41 +0100)]
don't allocate memory in accesses_print
Rafal Krypa [Fri, 14 Feb 2014 09:44:26 +0000 (10:44 +0100)]
change type of label_id back to int
Rafal Krypa [Thu, 13 Feb 2014 16:32:29 +0000 (17:32 +0100)]
libsmack: merge rules with the same subject and object before applying them
All rules with the same subject and object will be merged into a single one
before applying rules to kernel or writing them to a file. The result will
consist of smaller number of rules, but they will have the same semantics.
This enhances performance greatly when there are a lot of rules to merge.
The merging code has negligible overhead when there are no merges to
perform.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:22:19 +0000 (14:22 +0100)]
libsmack: change semantics of rule allow_code and deny_code
Fields in struct smack_rule are used to store either set or modify rule.
Set rules used to be distinguished by having deny_code = -1.
It is more convenient to have it differently: allow_code describing bits
that are to be set, deny_code describing bits that are to be cleared.
With that semantics access_code = ~deny_code for set rules. This enables
easy replacement of change rules that can be simplified to a set rule.
Thanks José Bollo for original idea about simplifying modify rules.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:33:20 +0000 (14:33 +0100)]
libsmack: reorganize rule lists for struct smack_accesses
Until now rule list was implemented as single linked list of all rules
added into struct smack_accesses. This patch breaks this list into several
lists, with one list of rules per subject label.
Each element in array of labels describe single label and all rules when it's a
subject are added into this label's list.
This data structure is close to internal kernel data structures for Smack
rules. This allows for slightly better performance because rules are
grouped by subject.
More importantly though, this patch prepares ground for rule merging.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:16:40 +0000 (14:16 +0100)]
libsmack: shrink few rule and label struct fields
Use smaller struct fields to optimize memory usage and speed.
On a 32-bit machine this saves 4 bytes per rule and 4 bytes per label.
Limit label length to 8 bits. It's max value is already limited to 255.
Limit label id to 16 bits. While policy with more than 2^16 labels is
theoretically possible, it would be handled very badly by kernel.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jan Cybulski [Tue, 28 Jan 2014 12:50:02 +0000 (13:50 +0100)]
libsmack: add possibility of resizing table of labels
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Jan Cybulski [Tue, 28 Jan 2014 11:32:32 +0000 (12:32 +0100)]
libsmack: implement internal hash table of labels
Use hash table implemented internally for dictionary of labels.
Thanks to that some operations are more efficient:
-it is possible to use better hashing function than in hsearch:
DJB2 algorithm is used, which is much better, than hashing function
used in hsearch. Hashing function in hsearch causes, that on 32bit
machines, all labels that have common first eight bytes,
share same bucket and this cause many conflicts in combination of labels
naming convention with domain-based prefixes. This leads to significant
performance degradation in real system. This was not detected on tests
so far, because labels for test policies were generated randomly.
-it is possible to calculate hash during label validation.
-it would not cause drastic complexity growth to have number of labels
near to number of allocated buckets as it happens in hsearch.
-it would be possible to add number of labels exceeding number of
allocated buckets.
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 13:07:00 +0000 (14:07 +0100)]
libsmack: refactoring of label dictionary code
Commit cd2ce11 introduced label dictionary, with hash table of labels
hidden behind an abstraction layer. This patch drops this layer and merges
the hash table with smack_accesses.
It will enable better handling of data, like storing and accessing
per-label data outside of dict_* functions.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Thu, 13 Feb 2014 16:13:43 +0000 (17:13 +0100)]
libsmack: make local function accesses_add() static
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
José Bollo [Wed, 5 Feb 2014 13:27:53 +0000 (14:27 +0100)]
Adding a program generating test data.
The program that generate this gen.c produces
a set of rules to be loaded to load/load2
file system interace of smacke. Or to be used
as input file for smackload.
The count of differents labels (option l=N) and of
different access rights (option r=N) can be specified.
The count of rules produced to the ouput can also
be specified (option o=N). By default, l=5, r=100 and o=500.
The generated labels are made of 4 to 7 random letters.
The standard C function 'rand' is used without seeding it;
what means that same options produces same results.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Mon, 3 Feb 2014 07:56:53 +0000 (09:56 +0200)]
Removed redundant AUTHORS files.
Git log is the AUTHORS file.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
José Bollo [Thu, 23 Jan 2014 10:04:50 +0000 (11:04 +0100)]
Fix bug in cipso written rules
The label (either short or long) was followed by a null character.
It is now followed by a space.
Note that the format for cipso2 smackfs is "%s?%4d%4d..."
where ? stands for any invalid label character.
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
Jarkko Sakkinen [Tue, 28 Jan 2014 07:39:03 +0000 (09:39 +0200)]
libsmack: lazy initialization for SmackFS mount point
Mount SmackFS only when it is first needed. This enables init
daemons to directly use libsmack.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Tue, 28 Jan 2014 06:30:39 +0000 (08:30 +0200)]
libsmack: close smackfs_mnt_dirfd in the library destructor
Close smackfs_mnt_dirfd in the library destructor. Although kernel
would wipe it anyway it is a good practice to clean up all the
reserved resources.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Thu, 23 Jan 2014 12:54:39 +0000 (14:54 +0200)]
Merge remote-tracking branch 'jsakkine/issue83' into v1.0.x
Conflicts:
libsmack/libsmack.c
Jarkko Sakkinen [Mon, 13 Jan 2014 08:13:30 +0000 (10:13 +0200)]
libsmack: fallback to 'cipso' when 'cipso2' is not available
This patch implements fallback to 'cipso' when 'cipso2' is not
available. This is a regression from 79f8e26.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 13 Jan 2014 07:57:05 +0000 (09:57 +0200)]
libsmack: add a common function for opening long and short label file
Added internal function 'open_smackfs_file()' to open long label
file and as a fallback short label file. This can be used for
load, access and cipso files.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 13 Jan 2014 07:45:42 +0000 (09:45 +0200)]
libsmack: fix: fail if neither 'load' and 'load2' cannot be opened
accesses_apply() continued even if neither 'load' and 'load2' could
not be opened. For 'change-rule' file such semantics do make sense
for backwards compatibility but there's something seriously wrong
if neither 'load' and 'load2' cannot be opened. That's why the only
right thing to do is to stop immediately.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Mon, 13 Jan 2014 07:39:48 +0000 (09:39 +0200)]
libsmack: fix: 'accesses_print' declaration was in wrong place
Moved 'accesses_print' declaration to a proper location.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 10 Jan 2014 18:05:49 +0000 (20:05 +0200)]
utils: fix error message in smackaccess
perror() reports success when validation fails. This patch makes
the error message explicit. Invalid input is the most probable case.
Also, error message is prefixed with the basename of the utility.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 10 Jan 2014 18:05:13 +0000 (20:05 +0200)]
libsmack: fixed label validation in smack_have_access()
This patch adds subject and object validation to smack_have_access().
It also validates that labels are at most 23 characters when only
short labels are available.
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Jarkko Sakkinen [Fri, 10 Jan 2014 17:33:59 +0000 (19:33 +0200)]
Merge branch 'v1.0.x'
Rafal Krypa [Tue, 7 Jan 2014 15:25:32 +0000 (16:25 +0100)]
libsmack: use 16 bits for smack access codes instead of sizeof(int) * 2
There are 6 access bits to be stored in the access field. Special value -1
is used to distinguish set rules from change rules. Shrinking the filed to
8 bits still leaves space for one more future access bit.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Rafal Krypa [Tue, 7 Jan 2014 15:21:32 +0000 (16:21 +0100)]
libsmack: change logic for detecting long labels in smack_accesses
Instead of storing label length in each smack_rule, have one integer in
smack_accesses to remember if long labels are used.
This saves few bytes per rule.
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Jarkko Sakkinen [Tue, 7 Jan 2014 07:10:54 +0000 (09:10 +0200)]
Merge remote-tracking branch 'rafal-krypa/issue73' into v1.0.x