From 21c03f7275074cb071e089aa13b8ba3cca65b3f9 Mon Sep 17 00:00:00 2001 From: Rafal Krypa Date: Thu, 29 Nov 2012 12:16:27 +0100 Subject: [PATCH] libsmack: add API for revoking all rules for a subject label. --- debian/libsmack1.symbols | 1 + doc/Makefile.am | 1 + doc/smack_accesses_add.3 | 14 ++++++++++++-- doc/smack_revoke_subject.3 | 1 + libsmack/libsmack.c | 19 +++++++++++++++++++ libsmack/libsmack.sym | 1 + libsmack/sys/smack.h | 7 +++++++ 7 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 doc/smack_revoke_subject.3 diff --git a/debian/libsmack1.symbols b/debian/libsmack1.symbols index ae7ca18..f506ae0 100644 --- a/debian/libsmack1.symbols +++ b/debian/libsmack1.symbols @@ -10,3 +10,4 @@ libsmack.so.1 libsmack1 #MINVER# smack_have_access@LIBSMACK 1.0 smack_new_label_from_self@LIBSMACK 1.0 smack_new_label_from_socket@LIBSMACK 1.0 + smack_revoke_subject@LIBSMACK 1.0 diff --git a/doc/Makefile.am b/doc/Makefile.am index 7128afa..bcf212b 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -31,6 +31,7 @@ man_MANS = smackaccess.1 \ smack_have_access.3 \ smack_new_label_from_self.3 \ smack_new_label_from_socket.3 \ + smack_revoke_subject.3 \ chsmack.8 \ smackcipso.8 \ smackctl.8 \ diff --git a/doc/smack_accesses_add.3 b/doc/smack_accesses_add.3 index 7e17062..9bd41e9 100644 --- a/doc/smack_accesses_add.3 +++ b/doc/smack_accesses_add.3 @@ -1,6 +1,7 @@ '\" t .\" This file is part of libsmack .\" Copyright (C) 2012 Intel Corporation +.\" Copyright (C) 2012 Samsung Electronics Co. .\" .\" This library is free software; you can redistribute it and/or .\" modify it under the terms of the GNU Lesser General Public License @@ -18,10 +19,11 @@ .\" .\" Author: .\" Brian McGillion +.\" Rafal Krypa .\" -.TH "SMACK_ACCESSES_ADD" "3" "08/05/2012" "Libsmack 1\&.0" +.TH "SMACK_ACCESSES_ADD" "3" "14/06/2012" "Libsmack 1\&.0" .SH NAME -smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_apply, smack_accesses_clear, smack_accesses_add, smack_accesses_add_from_file \- Manipulate Smack rules +smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_apply, smack_accesses_clear, smack_accesses_add, smack_accesses_add_from_file, smack_revoke_subject \- Manipulate Smack rules .SH SYNOPSIS .B #include .sp @@ -42,6 +44,9 @@ smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_app .BI "int smack_accesses_clear(struct smack_accesses *" handle ");" .br +.BI "int smack_revoke_subject(const char *" subject ");" +.br + .SH DESCRIPTION These methods provide a means to create properly formatted smack rules that can be stored to file or loaded directly into the kernel. For loading and unloading rules directly into the kernel the calling process must have the CAP_MAC_ADMIN capability. Most users will generally store the rules to a file that can be read by .BR smackload (8). @@ -85,6 +90,11 @@ directly to the kernel. The calling process must have the CAP_MAC_ADMIN capabil remove the rules pointed to by .I handle directly from the kernel. The calling process must have the CAP_MAC_ADMIN capability. + +.BR smack_revoke_subject () +Sets the access to '-' (no access allowed) for all access rules with given +.I subject +label directly in the kernel. The calling process must have the CAP_MAC_ADMIN capability. .SH RETURN VALUE All methods, except .IR smack_accesses_free , diff --git a/doc/smack_revoke_subject.3 b/doc/smack_revoke_subject.3 new file mode 100644 index 0000000..7b93ba0 --- /dev/null +++ b/doc/smack_revoke_subject.3 @@ -0,0 +1 @@ +.so man3/smack_accesses_add.3 diff --git a/libsmack/libsmack.c b/libsmack/libsmack.c index 9d51391..4604e6d 100644 --- a/libsmack/libsmack.c +++ b/libsmack/libsmack.c @@ -3,6 +3,7 @@ * * Copyright (C) 2010 Nokia Corporation * Copyright (C) 2011 Intel Corporation + * Copyright (C) 2012 Samsung Electronics Co. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public License @@ -22,6 +23,7 @@ * Jarkko Sakkinen * Brian McGillion * Passion Zhao + * Rafal Krypa */ #include "sys/smack.h" @@ -493,6 +495,23 @@ int smack_new_label_from_socket(int fd, char **label) return 0; } +int smack_revoke_subject(const char *subject) +{ + int ret; + int fd; + char path[PATH_MAX]; + + snprintf(path, sizeof path, "%s/revoke-subject", smack_mnt); + fd = open(path, O_WRONLY); + if (fd < 0) + return -1; + + ret = write(fd, subject, strnlen(subject, SMACK_LABEL_LEN)); + close(fd); + + return (ret < 0) ? -1 : 0; +} + static int accesses_apply(struct smack_accesses *handle, int clear) { char buf[LOAD_LEN + 1]; diff --git a/libsmack/libsmack.sym b/libsmack/libsmack.sym index f1b3cc1..ecf14b2 100644 --- a/libsmack/libsmack.sym +++ b/libsmack/libsmack.sym @@ -14,6 +14,7 @@ global: smack_smackfs_path; smack_new_label_from_self; smack_new_label_from_socket; + smack_revoke_subject; local: *; }; diff --git a/libsmack/sys/smack.h b/libsmack/sys/smack.h index 66b8f29..de4aef2 100644 --- a/libsmack/sys/smack.h +++ b/libsmack/sys/smack.h @@ -155,6 +155,13 @@ int smack_new_label_from_self(char **label); */ int smack_new_label_from_socket(int fd, char **label); +/*! + * Revoke all rules for a subject label. + * + * @param subject subject to revoke + * @return 0 on success and negative value on failure. + */ +int smack_revoke_subject(const char *subject); #ifdef __cplusplus } -- 2.7.4