+++ /dev/null
-CMAKE_MINIMUM_REQUIRED(VERSION 2.6)
-PROJECT(smack C)
-
-SET(PREFIX ${CMAKE_INSTALL_PREFIX})
-SET(EXEC_PREFIX "\${prefix}")
-SET(LIBDIR "\${prefix}/lib")
-SET(INCLUDEDIR "\${prefix}/include")
-SET(VERSION_MAJOR 1)
-SET(VERSION ${VERSION_MAJOR}.0.0)
-
-SET(smack_dir "./")
-SET(libsmack_dir "./libsmack")
-SET(smackutils_dir "./utils")
-
-SET(EXTRA_CFLAGS "${EXTRA_CFLAGS}")
-SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_CFLAGS}")
-
-###################################################################################################
-## for libsmack.so (library)
-SET(libsmack_LDFLAGS " -version-info 1:0:0 -Wl,--version-script=${libsmack_dir}/libsmack.sym ")
-SET(libsmack_CFLAGS " ${CFLAGS} -fPIC -I${libsmack_dir}/sys ")
-ADD_LIBRARY(smack SHARED ${libsmack_dir}/libsmack.c)
-SET_TARGET_PROPERTIES(smack PROPERTIES COMPILE_FLAGS ${libsmack_LDFLAGS})
-SET_TARGET_PROPERTIES(smack PROPERTIES SOVERSION ${VERSION_MAJOR})
-SET_TARGET_PROPERTIES(smack PROPERTIES VERSION ${VERSION})
-SET_TARGET_PROPERTIES(smack PROPERTIES COMPILE_FLAGS "${libsmack_CFLAGS}")
-###################################################################################################
-
-###################################################################################################
-## for smack-utils (binary)
-SET(smackctl_SOURCES ${smackutils_dir}/smackctl.c ${smackutils_dir}/common.c)
-SET(smackctl_CFLAGS " -I${libsmack_dir} -I${smackutils_dir} -D_GNU_SOURCE ")
-ADD_EXECUTABLE(smackctl ${smackctl_SOURCES})
-TARGET_LINK_LIBRARIES(smackctl smack)
-SET_TARGET_PROPERTIES(smackctl PROPERTIES COMPILE_FLAGS "${smackctl_CFLAGS}")
-
-SET(smackaccess_SOURCES ${smackutils_dir}/smackaccess.c)
-SET(smackaccess_CFLAGS " -I${libsmack_dir} ")
-ADD_EXECUTABLE(smackaccess ${smackaccess_SOURCES})
-TARGET_LINK_LIBRARIES(smackaccess smack)
-SET_TARGET_PROPERTIES(smackaccess PROPERTIES COMPILE_FLAGS "${smackaccess_CFLAGS}")
-
-SET(smackload_SOURCES ${smackutils_dir}/smackload.c ${smackutils_dir}/common.c)
-SET(smackload_CFLAGS " -I${libsmack_dir} -I${smackutils_dir} -D_GNU_SOURCE")
-ADD_EXECUTABLE(smackload ${smackload_SOURCES})
-TARGET_LINK_LIBRARIES(smackload smack)
-SET_TARGET_PROPERTIES(smackload PROPERTIES COMPILE_FLAGS "${smackload_CFLAGS}")
-
-SET(smackcipso_SOURCES ${smackutils_dir}/smackcipso.c ${smackutils_dir}/common.c)
-SET(smackcipso_CFLAGS " -I${libsmack_dir} -I${smackutils_dir} -D_GNU_SOURCE ")
-ADD_EXECUTABLE(smackcipso ${smackcipso_SOURCES})
-TARGET_LINK_LIBRARIES(smackcipso smack)
-SET_TARGET_PROPERTIES(smackcipso PROPERTIES COMPILE_FLAGS "${smackcipso_CFLAGS}")
-
-SET(smackd_SOURCES ${smackutils_dir}/smackd.c ${smackutils_dir}/common.c)
-SET(smackd_CFLAGS " -I${libsmack_dir} -I${smackutils_dir} -D_GNU_SOURCE ")
-ADD_EXECUTABLE(smackd ${smackd_SOURCES})
-TARGET_LINK_LIBRARIES(smackd smack)
-SET_TARGET_PROPERTIES(smackd PROPERTIES COMPILE_FLAGS "${smackd_CFLAGS}")
-
-SET(chsmack_SOURCES ${smackutils_dir}/chsmack.c)
-SET(chsmack_CFLAGS " -I${libsmack_dir} ")
-ADD_EXECUTABLE(chsmack ${chsmack_SOURCES})
-TARGET_LINK_LIBRARIES(chsmack smack)
-SET_TARGET_PROPERTIES(chsmack PROPERTIES COMPILE_FLAGS "${chsmack_CFLAGS}")
-####################################################################################################
-
-CONFIGURE_FILE(libsmack.pc.in libsmack.pc @ONLY)
-
-INSTALL(TARGETS smack DESTINATION lib)
-INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/smackctl DESTINATION bin)
-INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/smackaccess DESTINATION bin)
-INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/smackload DESTINATION /sbin)
-INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/smackcipso DESTINATION /sbin)
-INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/smackd DESTINATION bin)
-INSTALL(PROGRAMS ${CMAKE_BINARY_DIR}/chsmack DESTINATION /bin)
-INSTALL(FILES ${CMAKE_CURRENT_BINARY_DIR}/libsmack.pc DESTINATION lib/pkgconfig)
-INSTALL(FILES ${CMAKE_CURRENT_SOURCE_DIR}/libsmack/sys/smack.h DESTINATION include/sys/)
-INSTALL(PROGRAMS ${CMAKE_CURRENT_SOURCE_DIR}/smack-def DESTINATION /etc/rc.d/init.d)
-INSTALL(PROGRAMS ${CMAKE_CURRENT_SOURCE_DIR}/smack-app DESTINATION /etc/rc.d/init.d)
--- /dev/null
+ACLOCAL_AMFLAGS = -I m4 ${ACLOCAL_FLAGS}
+AM_MAKEFLAGS = --no-print-directory
+
+DISTCHECK_CONFIGURE_FLAGS = \
+ --with-systemdsystemunitdir=$$dc_install_base/$(systemdsystemunitdir)
+
+SUBDIRS = libsmack utils doc init
--- /dev/null
+#!/bin/sh -e
+
+autoreconf --install --symlink
+./configure --prefix="/usr" $@
--- /dev/null
+config.guess
+config.sub
+depcomp
+install-sh
+ltmain.sh
+missing
--- /dev/null
+AC_PREREQ(2.60)
+AC_INIT([libsmack],
+ [1.0],
+ [jarkko.sakkinen@intel.com],
+ [libsmack],
+ [https://github.com/organizations/smack-team/smack])
+AC_CONFIG_SRCDIR([libsmack/libsmack.c])
+AC_CONFIG_AUX_DIR([build-aux])
+AM_INIT_AUTOMAKE([-Wall -Werror dist-bzip2 foreign])
+AC_USE_SYSTEM_EXTENSIONS
+AC_CONFIG_MACRO_DIR([m4])
+AM_SILENT_RULES([yes])
+LT_INIT([disable-static])
+AC_PREFIX_DEFAULT([/usr])
+
+AC_CHECK_PROG([DOXYGEN], [doxygen], [doxygen], [])
+AC_MSG_CHECKING([for doxygen])
+if test ! -z "$DOXYGEN"; then
+ AC_MSG_RESULT([yes])
+else
+ AC_MSG_RESULT([no])
+fi
+AM_CONDITIONAL([ENABLE_DOXYGEN],[test ! -z "$DOXYGEN"], [Build API documentation.])
+AC_SUBST([DOXYGEN], [$DOXYGEN])
+
+# systemd
+AC_ARG_WITH([systemdsystemunitdir],
+ AS_HELP_STRING([--with-systemdsystemunitdir=DIR], [Directory for systemd service files]),
+ [],
+ [with_systemdsystemunitdir=$(pkg-config --silence-errors --variable=systemdsystemunitdir systemd)])
+AC_SUBST([systemdsystemunitdir], [$with_systemdsystemunitdir])
+AM_CONDITIONAL(HAVE_SYSTEMD, [test -n "$with_systemdsystemunitdir"])
+
+AC_CONFIG_FILES([Makefile libsmack/Makefile libsmack/libsmack.pc utils/Makefile doc/Makefile init/Makefile])
+
+AC_OUTPUT
-smack (1.0-rc4slp2+s3) unstable; urgency=low
+smack (1.0slp2+s4) unstable; urgency=low
- * change build method: automake -> cmake
- * Git: slp/pkgs/s/smack
- * Tag: smack_1.0-rc4slp2+s3
+ * Rebuild, no source changes.
- -- Kidong Kim <kd0228.kim@samsung.com> Tue, 13 Mar 2012 14:45:03 +0900
+ -- Rafal Krypa <r.krypa@samsung.com> Thu, 30 Jul 2012 11:43:03 +0200
-smack (1.0-rc4slp2+s2) unstable; urgency=low
+smack (1.0slp2+s3) unstable; urgency=low
- * add booting scripts
- * Git: slp/pkgs/s/smack
- * Tag: smack_1.0-rc4slp2+s2
+ * Rebuilding the package in OBS. No source changes has been made.
+
+ -- Rafal Krypa <r.krypa@samsung.com> Thu, 19 Jul 2012 15:17:03 +0200
+
+smack (1.0slp2+s2) unstable; urgency=low
+
+ * Merge with upstream master branch.
+ * Fix inconsistent init script names.
+ * Install missing manual page links for library functions.
+ * libsmack: add API for revoking all rules for a subject label.
+ * libsmack: add support for modification rules.
+ * libsmack: add function for setting current process label.
+ * Move definition of max label length to a single place and export it in libsmack header file.
+ * debian: fix paths to upstream repositories.
+ * Fix three compilation warnings.
+ * libsmack: add functions for getting and setting labels from files.
+
+ -- Rafal Krypa <r.krypa@samsung.com> Wed, 11 Jul 2012 14:36:56 +0200
- -- Kidong Kim <kd0228.kim@samsung.com> Thu, 08 Mar 2012 11:31:08 +0900
+smack (1.0slp2+s1) unstable; urgency=low
-smack (1.0-rc4slp2+s1) unstable; urgency=low
+ * debian: set myself as Tizen package maintainer.
+ * debian: move configuration directories to /opt/etc, as in Tizen directory structure.
+ * debian: symlink the init script to proper init directories for Tizen.
+ * debian: rename libsmack to libsmack1 according to Debian policy.
- * Initial release
* Git: slp/pkgs/s/smack
- * Tag: smack_1.0-rc4slp2+s1
+ * Tag: smack_1.0slp2+s1
- -- Kidong Kim <kd0228.kim@samsung.com> Tue, 06 Mar 2012 09:44:59 +0900
+ -- Rafal Krypa <r.krypa@samsung.com> Mon, 07 May 2012 19:27:23 +0200
-smack (1.0-rc4) unstable; urgency=low
+smack (1.0) unstable; urgency=low
* Initial package release for debian
- -- Brian McGillion <brian.mcgillion@intel.com> Thu, 23 Feb 2012 14:00:09 +0900
+ -- Brian McGillion <brian.mcgillion@intel.com> Wed, 25 Apr 2012 11:00:09 +0900
Source: smack
-Section: Administration
-Priority: Optional
-Maintainer: Brian McGillion <brian.mcgillion@intel.com>
-Uploaders: Kidong Kim <kd0228.kim@samsung.com>
-Build-Depends: debhelper (>= 7.0.50~), autoconf, libtool, dh-autoreconf
-Standards-Version: 3.9.1
-Vcs-Git: git://github.com/brianmcgillion/smack.git
-Vcs-Browser: https://github.com/brianmcgillion/smack
+Section: admin
+Priority: optional
+X-Original-Maintainer: Brian McGillion <brian.mcgillion@intel.com>
+Maintainer: Rafal Krypa <r.krypa@samsung.com>
+Build-Depends: debhelper (>= 8),
+ pkg-config, autoconf,
+ libtool, dh-autoreconf
+Standards-Version: 3.9.3
+Vcs-Git: git://github.com/smack-team/smack.git
+Vcs-Browser: https://github.com/smack-team/smack
-Package: libsmack
-Architecture: any
+Package: libsmack1
+Section: libs
+Architecture: linux-any
Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: Package to interact with SMACK.
- Library allows applications to work with SMACK.
+Provides: libsmack
+Conflicts: libsmack
+Replaces: libsmack
+Description: Shared libraries for interaction with SMACK
+ Library allows applications to work with the smack kernel interface.
+ .
+ The Simplified Mandatory Access Control Kernel (SMACK) provides a
+ complete Linux kernel based mechanism for protecting processes and
+ data from inappropriate manipulation. Smack uses process, file, and
+ network labels combined with an easy to understand and manipulate
+ way to identify the kind of accesses that should be allowed.
-Package: libsmack-dev
-Section: devel
-Architecture: any
-Depends: ${misc:Depends}, libsmack (= ${binary:Version})
-Description: Developmnent headers and libs libsmack
+Package: libsmack1-dbg
+Section: debug
+Priority: extra
+Architecture: linux-any
+Depends: ${misc:Depends}, libsmack1 (= ${binary:Version})
+Provides: libsmack-dbg
+Replaces: libsmack-dbg
+Conflicts: libsmack-dbg
+Description: Debug symbols for shared libraries in libsmack1
+ Library for SMACK which allows applications to work with the smack
+ kernel interface. This package contains standard debug symbols.
+ .
+ The Simplified Mandatory Access Control Kernel (SMACK) provides a
+ complete Linux kernel based mechanism for protecting processes and
+ data from inappropriate manipulation. Smack uses process, file, and
+ network labels combined with an easy to understand and manipulate
+ way to identify the kind of accesses that should be allowed.
-Package: libsmack-dbg
-Section: devel
-Architecture: any
-Depends: ${misc:Depends}, libsmack (= ${binary:Version})
-Description: Debug symbols for libsmack
+Package: libsmack-dev
+Section: libdevel
+Architecture: linux-any
+Depends: ${misc:Depends}, libsmack1 (= ${binary:Version})
+Description: Development headers of shared libraries in libsmack1
+ Library for SMACK which allows applications to work with the smack
+ kernel interface. This package includes development header files.
+ .
+ The Simplified Mandatory Access Control Kernel (SMACK) provides a
+ complete Linux kernel based mechanism for protecting processes and
+ data from inappropriate manipulation. Smack uses process, file, and
+ network labels combined with an easy to understand and manipulate
+ way to identify the kind of accesses that should be allowed.
Package: smack-utils
Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}, libsmack (= ${binary:Version})
-Description: A selection of tools for developers working with SMACK.
+Depends: ${shlibs:Depends}, ${misc:Depends}, libsmack1 (= ${binary:Version})
+Description: Administration tools for using SMACK
+ A selection of administration tools for using the smack kernel
+ interface. This package includes some tools and the init script
+ for loading and unloading rules and query the policy.
+ .
+ The Simplified Mandatory Access Control Kernel (SMACK) provides a
+ complete Linux kernel based mechanism for protecting processes and
+ data from inappropriate manipulation. Smack uses process, file, and
+ network labels combined with an easy to understand and manipulate
+ way to identify the kind of accesses that should be allowed.
+
+Package: smack-utils-dbg
+Section: debug
+Priority: extra
+Architecture: linux-any
+Depends: ${misc:Depends}, smack-utils (= ${binary:Version})
+Description: Debug symbols for administration tools in smack-utils
+ A selection of administration tools for using the smack kernel
+ interface. This package includes a standard set of debug symbols.
+ .
+ The Simplified Mandatory Access Control Kernel (SMACK) provides a
+ complete Linux kernel based mechanism for protecting processes and
+ data from inappropriate manipulation. Smack uses process, file, and
+ network labels combined with an easy to understand and manipulate
+ way to identify the kind of accesses that should be allowed.
-Format: http://dep.debian.net/deps/dep5
-Upstream-Name: libsmack
-Source: https://meego.gitorious.org/meego-platform-security/libsmack
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: smack
+Upstream-Contact: Brian McGillion <brian.mcgillion@intel.com>
+Source: https://github.com/smack-team/smack
-Files: debian/../*
-Copyright: 2011 Intel Corperation
-License: LGPL-V2
- This package is free software; you can redistribute it and/or modify
- it under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; version 2 of the License.
+Files: *
+Copyright: 2011-2012 Intel Corperation
+License: LGPL-2.1
+ This package is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
+ GNU Lesser General Public License for more details.
.
You should have received a copy of the GNU Lesser General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>
+ along with this package. If not, see <http://www.gnu.org/licenses/>.
.
- On Debian systems, the complete text of the GNU Lesser General
- Public License version 2 can be found in "/usr/share/common-licenses/LGPL-2".
+ On Debian systems, the complete text of the GNU Lesser General Public
+ License can be found in "/usr/share/common-licenses/LGPL-2.1".
usr/include/sys/*.h
+usr/lib/libsmack.so
usr/lib/pkgconfig/*
--- /dev/null
+doc/smack_have_access.3
+doc/smack_accesses_add.3
+doc/smack_accesses_add_from_file.3
+doc/smack_accesses_apply.3
+doc/smack_accesses_clear.3
+doc/smack_accesses_free.3
+doc/smack_accesses_new.3
+doc/smack_accesses_save.3
+doc/smack_new_label_from_self.3
+doc/smack_new_label_from_socket.3
+++ /dev/null
-usr/lib/libsmack.so
-usr/lib/libsmack.so.1
-usr/lib/libsmack.so.1.0.0
--- /dev/null
+usr/lib/libsmack.so.*
--- /dev/null
+#!/bin/sh
+# postinst script for libsmack1
+#
+# see: dh_installdeb(1)
+
+set -e
+
+case "$1" in
+ configure|abort-upgrade|abort-remove|abort-deconfigure)
+ test ! -d /smack && mkdir /smack
+ ;;
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- /dev/null
+#!/bin/sh
+# postrm script for libsmack1
+#
+# see: dh_installdeb(1)
+
+set -e
+
+case "$1" in
+ purge|abort-install|remove|upgrade|failed-upgrade|abort-upgrade|disappear)
+ if [ -d /smack ] ; then
+ if mountpoint -q "/smack" ; then
+ umount /smack
+ fi
+ rm -rf /smack
+ fi
+ ;;
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- /dev/null
+libsmack.so.1 libsmack1 #MINVER#
+ LIBSMACK@LIBSMACK 1.0
+ smack_accesses_add@LIBSMACK 1.0
+ smack_accesses_add_from_file@LIBSMACK 1.0
+ smack_accesses_apply@LIBSMACK 1.0
+ smack_accesses_clear@LIBSMACK 1.0
+ smack_accesses_free@LIBSMACK 1.0
+ smack_accesses_new@LIBSMACK 1.0
+ smack_accesses_save@LIBSMACK 1.0
+ smack_have_access@LIBSMACK 1.0
+ smack_new_label_from_self@LIBSMACK 1.0
+ smack_new_label_from_socket@LIBSMACK 1.0
+ smack_revoke_subject@LIBSMACK 1.0
+ smack_accesses_add_modify@LIBSMACK 1.0
+ smack_set_label_for_self@LIBSMACK 1.0
+ smack_getlabel@LIBSMACK 1.0
+ smack_lgetlabel@LIBSMACK 1.0
+ smack_fgetlabel@LIBSMACK 1.0
+ smack_setlabel@LIBSMACK 1.0
+ smack_lsetlabel@LIBSMACK 1.0
+ smack_fsetlabel@LIBSMACK 1.0
#!/usr/bin/make -f
# -*- makefile -*-
-# Sample debian/rules that uses debhelper.
-# This file was originally written by Joey Hess and Craig Small.
-# As a special exception, when this file is copied by dh-make into a
-# dh-make output file, you may use that output file without restriction.
-# This special exception was added by Craig Small in version 0.37 of dh-make.
# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1
-CFLAGS ?= -Wall -g
-CXXFLAGS ?= -Wall -g
-LDFLAGS ?=
-PREFIX ?= /usr
-DATADIR ?= /opt
+%:
+ dh $@ --with autoreconf
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
- CFLAGS += -O0
- CXXFLAGS += -O0
-else
- CFLAGS += -O2
- CXXFLAGS += -O2
-endif
+override_dh_strip:
+ dh_strip -plibsmack1 --dbg-package=libsmack1-dbg
+ dh_strip -psmack-utils --dbg-package=smack-utils-dbg
-LDFLAGS += -Wl,--rpath=$(PREFIX)/lib -Wl,--as-needed
-
-configure: configure-stamp
-configure-stamp:
- dh_testdir
- # Add here commands to configure the package.
- CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" LDFLAGS="$(LDFLAGS)" cmake . -DCMAKE_INSTALL_PREFIX=$(PREFIX)
-
- touch configure-stamp
-
-build: build-stamp
-
-build-stamp: configure-stamp
- dh_testdir
-
- # Add here commands to compile the package.
- $(MAKE)
- #docbook-to-man debian/wavplayer.sgml > wavplayer.1
-
- for f in `find $(CURDIR)/debian/ -name "*.in"`; do \
- cat $$f > $${f%.in}; \
- sed -i -e "s#@PREFIX@#$(PREFIX)#g" $${f%.in}; \
- sed -i -e "s#@DATADIR@#$(DATADIR)#g" $${f%.in}; \
- done
-
-
- touch $@
-
-clean:
- dh_testdir
- dh_testroot
- rm -f build-stamp configure-stamp
-
- # Add here commands to clean up after the build process.
- -$(MAKE) clean
- rm -rf CMakeCache.txt
- rm -rf CMakeFiles
- rm -rf cmake_install.cmake
- rm -rf Makefile
- rm -rf install_manifest.txt
- rm -rf *.so
- rm -rf *.pc
- rm -rf *.service
-
- for f in `find $(CURDIR)/debian/ -name "*.in"`; do \
- rm -f $${f%.in}; \
- done
-
- dh_clean
-
-install: build
- dh_testdir
- dh_testroot
- dh_clean -k
- dh_installdirs
-
- # Add here commands to install the package into debian/wavplayer.
- $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
-
- mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/
- mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc4.d/
- mkdir -p $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/
- ln -s ../init.d/smack-def $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/S07smack-def
- ln -s ../init.d/smack-app $(CURDIR)/debian/tmp/etc/rc.d/rc3.d/S08smack-app
- ln -s ../init.d/smack-def $(CURDIR)/debian/tmp/etc/rc.d/rc4.d/S07smack-def
- ln -s ../init.d/smack-app $(CURDIR)/debian/tmp/etc/rc.d/rc5.d/S08smack-app
-
-# Build architecture-independent files here.
-binary-indep: build install
-# We have nothing to do by default.
-
-# Build architecture-dependent files here.
-binary-arch: build install
- dh_testdir
- dh_testroot
- dh_installchangelogs
- dh_installdocs
- dh_installexamples
- dh_install --sourcedir=debian/tmp
-# dh_installmenu
-# dh_installdebconf
-# dh_installlogrotate
-# dh_installemacsen
-# dh_installpam
-# dh_installmime
-# dh_python
-# dh_installinit
-# dh_installcron
-# dh_installinfo
- dh_installman
- dh_link
- dh_strip --dbg-package=libsmack-dbg
-# dh_strip
- dh_compress
- dh_fixperms
-# dh_perl
- dh_makeshlibs
- dh_installdeb
- dh_shlibdeps
- dh_gencontrol
- dh_md5sums
- dh_builddeb
-
-binary: binary-indep binary-arch
-.PHONY: build clean binary-indep binary-arch binary install configure
+.PHONY: override_dh_strip
--- /dev/null
+opt/etc/smack/accesses.d
+opt/etc/smack/cipso.d
--- /dev/null
+../init/smack.rc
\ No newline at end of file
-/bin/chsmack
-/usr/bin/smackaccess
-/sbin/smackcipso
-/usr/bin/smackctl
-/sbin/smackload
-/usr/bin/smackd
-/etc/rc.d/init.d/smack-def
-/etc/rc.d/init.d/smack-app
+usr/bin/*
--- /dev/null
+/opt/etc/smack /etc/smack
+/etc/init.d/smack-utils /etc/rc.d/rc3.d/S07smack
+/etc/init.d/smack-utils /etc/rc.d/rc4.d/S07smack
--- /dev/null
+doc/chsmack.8
+doc/smackaccess.1
+doc/smackctl.8
+doc/smackload.8
+doc/smackcipso.8
+doc/smackd.8
+++ /dev/null
-#!/bin/sh
-
-mkdir -p /smack
-mkdir -p /opt/etc/smack
-mkdir -p /opt/etc/smack/accesses.d
-mkdir -p /opt/etc/smack/cipso.d
-
-if [ ! -e /opt/etc/smack/accesses ] ; then
- touch /opt/etc/smack/accesses
-fi
-if [ ! -e /opt/etc/smack/cipso ] ; then
- touch /opt/etc/smack/cipso
-fi
-
-if [ ! -e /etc/smack ] ; then
- ln -s /opt/etc/smack /etc/smack
-fi
-
-ln -s /etc/rc.d/init.d/smack-def /etc/rc.d/rc3.d/S07smack-def
-ln -s /etc/rc.d/init.d/smack-app /etc/rc.d/rc3.d/S08smack-app
-ln -s /etc/rc.d/init.d/smack-def /etc/rc.d/rc4.d/S07smack-def
-ln -s /etc/rc.d/init.d/smack-app /etc/rc.d/rc5.d/S08smack-app
--- /dev/null
+doxygen.stamp
+html/
+libsmack-doxygen*.tar.gz
rm -rf html
endif
+
+man_MANS = smackaccess.1 \
+ smack_accesses_add.3 \
+ smack_accesses_add_from_file.3 \
+ smack_accesses_add_modify.3 \
+ smack_accesses_apply.3 \
+ smack_accesses_clear.3 \
+ smack_accesses_free.3 \
+ smack_accesses_new.3 \
+ smack_accesses_save.3 \
+ smack_have_access.3 \
+ smack_new_label_from_self.3 \
+ smack_new_label_from_socket.3 \
+ smack_set_label_for_self.3 \
+ smack_revoke_subject.3 \
+ smack_fgetlabel.3 \
+ smack_fsetlabel.3 \
+ smack_getlabel.3 \
+ smack_lgetlabel.3 \
+ smack_lsetlabel.3 \
+ smack_setlabel.3 \
+ chsmack.8 \
+ smackcipso.8 \
+ smackctl.8 \
+ smackd.8 \
+ smackload.8
+
+EXTRA_DIST += $(man_MANS)
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\"
+.TH "CHSMACK" "8" "03/05/2012" "smack-utils 1\&.0"
+.SH NAME
+chsmack \- Change the Smack properties of a filesystem object
+.SH SYNOPSIS
+.B chsmack [\-a|\-\-access=] [-e|--exec=|--execute=] [-m|--mmap=]
+.I <context>
+.B [-t|--transmute]
+.SH DESCRIPTION
+.B chsmack
+can be used to query or change the Smack context of a file. Depending on the state and type of the file the different labels, which are stored as xattrs on the file, have a different effect. If the file is a process binary then the
+.I exec
+label will take effect when the process is launched and this label will be assigned as the context of the running process. Whereas the
+.I transmute
+flag only affects directories and ensures that all files created beneath it have their label set to the label of the directory on which the transmute bit is set. This process needs to be launched with CAP_MAC_ADMIN capabilities in order to change any of the contexts.
+.SH OPTIONS
+.TP
+.B \-a\fR, \-\-access=
+Set the access context for this file. This context is used to confine the access modes, which are defined by the set "rwaxt", which refer to read, write, append, execute and transmute. The exec here is not to be confused with the
+.B \-e
+option listed below. This access mode "exec" specifies restrictions on who is allowed to launch this process. A common rule for this might look like
+.B (launcher application rx)
+where the
+.B \-\-access
+label is set to
+.BR "application" .
+This would ensure that the process with context
+.B launcher
+would be able to read and execute the binary from the
+.B application
+context.
+This label is stored in the
+.B security.SMACK64
+extended attribute.
+.TP
+.B \-e\fR, \-\-exec=
+If this file is an application binary, this flag defines the context that it will be launched in. It is accessible from the
+.B security.SMACK64EXEC
+extended attribute.
+.TP
+.B \-m\fR, \-\-mmap=
+A file with the mmap attribute set can only be mapped by processes with access to all of the labels that a process with the mmap label would have access to. the label is set and retrieved from the
+.B security.SMACK64MMAP
+extended attribute.
+.TP
+.I context
+The context to assign to label for the file
+.TP
+.B \-t\fR, \-\-transmute
+When used this will set the transmute flag of a directory to True. This will mean that all files and directories created under it will have the same label as the directory. By default all files created by a process are created with the same context label as the process. Transmute provides a very useful feature for sharing access to resources. The common example would be a Docs directory where all documents created by word processors and text editors can be stored. Each of the text editors can open the files and edit them in a shared fashion, while still ensuring that the config files of the editor remain protected. The label is stored in the
+.B security.SMACK64TRANSMUTE
+extended attribute.
+.SH RETURN VALUE
+The current values for the labels will be printed to stdout on success.
+.SH EXIT STATUS
+A successful call will return 0, where as a non zero value will be returned on error.
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\" Copyright (C) 2012 Samsung Electronics Co.
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Authors:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\" Rafal Krypa <r.krypa@samsung.com>
+.\"
+.TH "SMACK_ACCESSES_ADD" "3" "14/06/2012" "Libsmack 1\&.0"
+.SH NAME
+smack_accesses_new, smack_accesses_free, smack_accesses_save, smack_accesses_apply, smack_accesses_clear, smack_accesses_add, smack_accesses_add_from_file, smack_revoke_subject \- Manipulate Smack rules
+.SH SYNOPSIS
+.B #include <sys/smack.h>
+.sp
+.BI "int smack_accesses_new(struct smack_accesses **" accesses ");"
+.br
+.BI "void smack_accesses_free(struct smack_accesses *" handle ");"
+.br
+
+.BI "int smack_accesses_add(struct smack_accesses *" handle ", const char *" subject ", const char *" object ", const char *" access_type ");"
+.br
+.BI "int smack_accesses_add_modify(struct smack_accesses *" handle ", const char *" subject ", const char *" object ", const char *" access_add ", const char *" access_del ");"
+.br
+.BI "int smack_accesses_add_from_file(struct smack_accesses *" accesses ", int " fd ");"
+.br
+.BI "int smack_accesses_save(struct smack_accesses *" handle ", int " fd ");"
+.br
+
+.BI "int smack_accesses_apply(struct smack_accesses *" handle ");"
+.br
+.BI "int smack_accesses_clear(struct smack_accesses *" handle ");"
+.br
+
+.BI "int smack_revoke_subject(const char *" subject ");"
+.br
+
+.SH DESCRIPTION
+These methods provide a means to create properly formatted smack rules that can be stored to file or loaded directly into the kernel. For loading and unloading rules directly into the kernel the calling process must have the CAP_MAC_ADMIN capability. Most users will generally store the rules to a file that can be read by
+.BR smackload (8).
+If the rules should be loaded on system reboot then the file should be stored in /etc/smack/accesses.d/<name>.rules.
+
+.BR smack_accesses_new ()
+creates a new empty smack_accesses instance pointed to by
+.IR accesses .
+
+.BR smack_accesses_free ()
+destroys a previously created instance of smack_accesses pointed to by
+.IR handle .
+
+.BR smack_accesses_add ()
+create a rule allowing a
+.I subject
+to access an
+.I object
+with the type of access defined in
+.I access_type
+and store the result in
+.IR handle .
+If a rule for the specified labels already exists it will be overwritten.
+
+.BR smack_accesses_add_modify ()
+create a modification rule for the specified
+.I subject
+and
+.I object
+labels allowing the access specified in
+.I access_add
+and disallowing the access defined by
+.IR access_del .
+The result is stored in
+.IR handle .
+If a rule for the specified labels already exists it will be modified, otherwise a new rule will be created with the permissions specified in access_add added and those specified in access_del removed.
+
+.BR smack_accesses_add_from_file ()
+read a set of rules from a file and store them in
+.IR handle .
+The file must be a series of lines, 1 per rule, in the format "%s %s %s"
+.B "(subject object access_type)"
+
+.BR smack_accesses_save ()
+save the smack_accesses instance pointed to by
+.I handle
+to the file specified by the file-descriptor
+.IR fd .
+
+.BR smack_accesses_apply ()
+apply the rules pointed to by
+.I handle
+directly to the kernel. The calling process must have the CAP_MAC_ADMIN capability.
+.BR smack_accesses_clear ()
+remove the rules pointed to by
+.I handle
+directly from the kernel. The calling process must have the CAP_MAC_ADMIN capability.
+
+.BR smack_revoke_subject ()
+Sets the access to '-' (no access allowed) for all access rules with given
+.I subject
+label directly in the kernel. The calling process must have the CAP_MAC_ADMIN capability.
+.SH RETURN VALUE
+All methods, except
+.IR smack_accesses_free ,
+return 0 on success and a negative value on failure (in which case
+.I errno
+is set appropriately).
+.SH EXAMPLES
+.nf
+#include <sys/smack.h>
+
+int apply_rules_file(int fd, int clear)
+{
+ struct smack_accesses *rules = NULL;
+ int ret = 0;
+
+ if (smack_accesses_new(&rules))
+ return \-1;
+
+ if (smack_accesses_add_from_file(rules, fd)) {
+ smack_accesses_free(rules);
+ return \-1;
+ }
+
+ if (!clear)
+ ret = smack_accesses_apply(rules);
+ else
+ ret = smack_accesses_clear(rules);
+
+ smack_accesses_free(rules);
+
+ return ret;
+}
+.fi
+.SH SEE ALSO
+.BR smack_have_access (3)
--- /dev/null
+.so man3/smack_access_add.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_getlabel.3
--- /dev/null
+.so man3/smack_getlabel.3
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Samsung Electronics Co.
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Rafal Krypa <r.krypa@samsung.com>
+.\"
+.TH "SMACK_GETLABEL" "3" "07/05/2012" "Libsmack 1\&.0"
+.SH NAME
+smack_getlabel, smack_lgetlabel, smack_fgetlabel, smack_setlabel, smack_lsetlabel, smack_fsetlabel \- Manipulation of Smack labels for files
+.SH SYNOPSIS
+.B #include <sys/smack.h>
+.sp
+.BI "int smack_getlabel(const char *" path ", char **" label ", enum smack_label_type " type ");"
+.br
+.BI "int smack_lgetlabel(const char *" path ", char **" label ", enum smack_label_type " type ");"
+.br
+.BI "int smack_fgetlabel(int " fd ", char **" label ", enum smack_label_type " type ");"
+.br
+
+.BI "int smack_setlabel(const char *" path ", const char *" label ", enum smack_label_type " type ");"
+.br
+.BI "int smack_lsetlabel(const char *" path ", const char *" label ", enum smack_label_type " type ");"
+.br
+.BI "int smack_fsetlabel(int " fd ", const char *" label ", enum smack_label_type " type ");"
+.sp
+.SH DESCRIPTION
+Smack uses extended attributes (xattrs) to store labels on filesystem objects. The attributes are stored in the extended attribute security name space. A process must have CAP_MAC_ADMIN to change any of these attributes.
+These functions provide an interface for Smack label manipulation on files and file descriptors.
+.SS "Label types"
+There are several types of labels and not all of them are valid for every object. All valid types are defined in enum smack_label_type:
+.IP \[bu] 2
+.BR SMACK_LABEL_ACCESS :
+Label used as the object label for Smack access checks when a labeled file is accessed.
+.IP \[bu]
+.BR SMACK_LABEL_EXEC :
+Label used as the subject label for processes executed from a labeled file by means of
+.BR exec (3)
+functions family.
+.IP \[bu]
+.BR SMACK_LABEL_MMAP :
+Label used as the object label for Smack access checks when a labeled file is mmap-ed (see
+.BR mmap (2)).
+.IP \[bu]
+.BR SMACK_LABEL_TRANSMUTE :
+Special purpose label for directories. In contrast with all other label types, this one is of boolean type. If set to true on a directory, all files and directories created in that directory will inherit the directory's
+.BR SMACK_LABEL_ACCESS
+label. Created subdirectories will also have
+.BR SMACK_LABEL_ACCESS
+set to true. The described behavior works only if a subject creating those files and directories has "t" (transmute) permission on the directory's
+.BR SMACK_LABEL_ACCESS
+label.
+.IP \[bu]
+.BR SMACK_LABEL_IPIN :
+Valid only for socket file descriptors. Used as the object label for packets incoming from the socket.
+.IP \[bu]
+.BR SMACK_LABEL_IPOUT :
+Valid only for socket file descriptors. Used as the Smack label transmitted with outgoing packets.
+.SS "Get functions"
+All of these functions allocate memory for the label contents and assign the pointer to
+.IR label .
+The caller is responsible for freeing the memory.
+.PP
+.BR smack_getlabel ()
+retrieves the label of specified
+.I type
+from the given
+.I path
+in the filesystem.
+.PP
+.BR smack_lgetlabel ()
+is identical to
+.BR smack_getlabel (),
+except in the case of a symbolic link, where the link itself is interrogated, not the file that it refers to.
+.PP
+.BR smack_fgetlabel ()
+is identical to
+.BR smack_getlabel (),
+only the open file pointed to by
+.I fd
+(as returned by
+.BR open(2))
+is interrogated in place of
+.IR path .
+.SS "Set functions"
+These functions work with files and file descriptors in the same way as the get functions described above.
+They set the label to the value passed in
+.I value
+argument. Valid values are:
+.IP \[bu] 2
+NULL or empty string - will cause removal of the label, if any was present on a file.
+.IP \[bu]
+"1" or "0" for the
+.BR SMACK_LABEL_TRANSMUTE
+label type on a directory will turn transmute on or off.
+.IP \[bu]
+Any string not longer than
+.BR SMACK_LABEL_LEN
+for other label types.
+.SH RETURN VALUE
+On success, zero is returned. On failure, \-1 is returned and
+.I errno
+is set appropriately.
+.SH SEE ALSO
+.BR smack_have_access (3),
+.BR attr (5),
+.BR open (2).
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\" Copyright (C) 2012 Samsung Electronics Co.
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\" Rafal Krypa <r.krypa@samsung.com>
+.\"
+.TH "SMACK_HAVE_ACCESS" "3" "06/20/2012" "Libsmack 1\&.0"
+.SH NAME
+smack_have_access, smack_new_label_from_self, smack_new_label_from_socket \- Userspace interaction with Smack
+.SH SYNOPSIS
+.B #include <sys/smack.h>
+.sp
+.BI "int smack_have_access(const char *" subject ", const char *" object ", const char *" access ");"
+.br
+.BI "int smack_new_label_from_self(char **" label ");"
+.br
+.BI "int smack_set_label_for_self(char **" label ");"
+.br
+.BI "int smack_new_label_from_socket(int " fd ", char **" label ");"
+.sp
+.SH DESCRIPTION
+Smack is a Mandatory Access Control (MAC) based security mechanism for the Linux kernel. It works on the basis of context, which is stored as a label in the extended attributes (xattr) of a file. When a process is started the kernel ensures that this context is assigned to the running process. By default a process can only interact with processes and filesystem objects that have the same context as itself and is denied access to all other contexts. Rules can be created to grant access to other contexts, these are generally created on package installation and can only be modified by a process that has the CAP_MAC_ADMIN capability.
+.PP
+As with most actor based models the entity that initiates the interaction is called the
+.I subject
+and the item that is being accessed is called the
+.IR "object" .
+The type of interaction that is being performed is known as the
+.I access
+and is based on the standard filesystem access types "R","W","X" etc. The functions presented here provide a way for a process to determine the Smack context of the the system in which it is running and that of a process that is connected to it over a socket connection.
+.PP
+The function
+.BR smack_have_access ()
+takes a
+.I subject
+context, and the context of the item that it is interacting with, the
+.IR "object" ,
+along with the type of
+.I access
+that is requested. The kernel is queried about the access rules and informs the the caller it that access request is allowed. This method is generally used to allow more fine grained access control to be enforced in userspace processes.
+.PP
+.BR smack_new_label_from_self ()
+determines the context of the current process and creates a new storage for this which it assigns to
+.I label
+to this upon return. It is the responsibility of the caller to free
+.I label
+when it is no longer required.
+.PP
+.BR smack_set_label_for_self ()
+sets the context of the current process to
+.IR label .
+The calling process must have the CAP_MAC_ADMIN capability.
+.PP
+.BR smack_new_label_from_socket ()
+takes the file descriptor,
+.IR "fd" ,
+of the socket and determines it's context and creates a new storage for this which it assigns to
+.I label
+on return. It is the callers responsibility to free
+.I label
+when it is no longer required.
+.SH RETURN VALUE
+.BR smack_new_label_from_self ()
+and
+.BR smack_new_label_from_socket ()
+return 0 on success or \-1 on error (in which case,
+.I errno
+is set appropriately).
+
+.BR smack_have_access ()
+returns 1 if allowed, 0 if no access and \-1 on error (in which case,
+.I errno
+is set appropriately).
--- /dev/null
+.so man3/smack_getlabel.3
--- /dev/null
+.so man3/smack_getlabel.3
--- /dev/null
+.so man3/smack_have_access.3
--- /dev/null
+.so man3/smack_have_access.3
--- /dev/null
+.so man3/smack_accesses_add.3
--- /dev/null
+.so man3/smack_have_access.3
--- /dev/null
+.so man3/smack_getlabel.3
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\"
+.TH "SMACKACCESS" "1" "03/05/2012" "smack-utils 1\&.0"
+.SH NAME
+smackaccess \- Determine if a rule is permitted by the current Smack policy
+.SH SYNOPSIS
+.B smackaccess <subject> <object> <access_type>
+.SH DESCRIPTION
+.B smackaccess
+allows for the caller to test if a process has access to another object and the type of access that is granted.
+.SH OPTIONS
+.IP subject
+The context of the process that will be doing the access request
+.IP object
+The context of the filesystem object or process that is going to be accessed
+.IP access_type
+The type of access that will be requested e.g. "rwaxt", which respectively refer to read, write, append, execute and transmute.
+.SH RETURN VALUE
+On success the result of the test will be printed, 1 indicates that the rule is permitted by the policy and 0 indicates that such an action would fail.
+.SH EXIT STATUS
+On success
+.B smackaccess
+returns 0 and 1 on failure.
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\"
+.TH "SMACKCIPSO" "8" "07/05/2012" "smack-utils 1\&.0"
+.SH NAME
+smackcipso \- Load Smack cipso rules into the kernel
+.SH SYNOPSIS
+.B smackcipso
+.I <path>
+
+.SH DESCRIPTION
+.B smackcipso
+is a tool that can be used to load cipso rules into the kernel. The general use of
+.B smackcipso
+is to read a set of rules from a file, but it also supports the convenience of loading rules from the command line. This process needs to be started with CAP_MAC_ADMIN capability otherwise it will not have sufficient permission to make the changes. Launching
+.B smackcipso
+without a path name will allow you to enter rules on the command line, these take the format "%s%4d%4d[%4d]...\\n"
+.B (subject lvl cnt c1 c2 ...)
+with ^D terminating the session and writing the rules to the kernel.
+.IP path
+The path to the file from which to read the rules
+.SH EXIT STATUS
+On success
+.B smackload
+returns 0 and 1 on failure.
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\"
+.TH "SMACKCTL" "8" "03/05/2012" "smack-utils 1\&.0"
+.SH NAME
+smackctl \- Load and unload the system Smack rules files
+.SH SYNOPSIS
+.B smackctl ['apply'] ['clear'] ['status']
+
+.SH DESCRIPTION
+.B smackctl
+is a program to load and unload the Smack context configurations. It is generally called by an init process on startup and shutdown of the system when it is needed to change the Smack rules in the kernel. The Smack system configuration files are all store in see FILES below.
+.SH OPTIONS
+.IP apply
+Apply all the rules found in the configuration directory's
+.IP clear
+Remove all system rules from the kernel
+.IP status
+Show the status of the Smack system, specifically if /smack is mounted
+.SH EXIT STATUS
+On success
+.B smackctl
+returns 0 and 1 on failure.
+.SH FILES
+/smack
+.br
+/etc/smack/acceses.d
+.br
+/etc/smack/cipso.d
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\"
+.TH "SMACKD" "8" "07/05/2012" "smack-utils 1\&.0"
+.SH NAME
+smackd \- Experimental daemon to manage the Smack policy
+.SH DESCRIPTION
+.BR smackd ,
+it is currently not recommended to use this process.
+.SH SEE ALSO
+.BR smackctl (8)
--- /dev/null
+'\" t
+.\" This file is part of libsmack
+.\" Copyright (C) 2012 Intel Corporation
+.\"
+.\" This library is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU Lesser General Public License
+.\" version 2.1 as published by the Free Software Foundation.
+.\"
+.\" This library is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" Lesser General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Lesser General Public
+.\" License along with this library; if not, write to the Free Software
+.\" Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+.\" 02110-1301 USA
+.\"
+.\" Author:
+.\" Brian McGillion <brian.mcgillion@intel.com>
+.\"
+.TH "SMACKLOAD" "8" "03/05/2012" "smack-utils 1\&.0"
+.SH NAME
+smackload \- Load and unload Smack rules from the kernel
+.SH SYNOPSIS
+.B smackload [\-c]
+.I <path>
+
+.SH DESCRIPTION
+.B smackload
+is a tool that can be used to load Smack rules into the kernel or to remove rules that have already been loaded. The general use of
+.B smackload
+is to read a set of rules from a file, but it also supports the convenience of loading rules from the command line. This process needs to be started with CAP_MAC_ADMIN capability otherwise it will not have sufficient permission to make the changes. Launching
+.B smackload
+without a path name will allow you to enter rules on the command line, these take the format "%s %s %s\\n"
+.B (subject object access_type)
+with ^D terminating the session and writing the rules to the kernel. The
+.B access_type
+refers to the access modes that are from the set "rwaxt", which refer to read, write, append, execute and transmute access respectively
+.SH OPTIONS
+.IP \-c
+Clear the specified rules from the kernel
+.IP path
+The path to the file from which to read the rules
+
+.SH EXIT STATUS
+On success
+.B smackload
+returns 0 and 1 on failure.
-initdir = /lib/systemd/system
-init_DATA = smack.mount smack.service
+if HAVE_SYSTEMD
+systemdsystemunit_DATA = \
+ smack.mount \
+ smack.service
+endif
[Unit]
Description=Smack filesystem mounting
-Before=local-fs.target
+WantedBy=local-fs.target
[Mount]
What=smackfs
--- /dev/null
+#!/bin/sh
+#
+# Copyright (c) 2012 Intel Corporation
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 2.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+# 02110-1301 USA
+#
+# Authors:
+# Brian McGillion <brian.mcgillion@intel.com>
+#
+# Description: Initialize Smack policy
+#
+### BEGIN INIT INFO
+# Provides: smack-utils
+# Required-Start: $remote_fs $local_fs
+# Required-Stop: $remote_fs $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Utility to set up SMACK policy
+# Description: SMACK is a simplified mandatory access control \
+# framework using an the LSM interface of the kernel. \
+# The access control rules are loaded using smackfs \
+# pseudo-filesystem.
+### END INIT INFO
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+PROG=smack-utils
+DESC="Simplified MAC Kernel (SMACK)"
+SMACKCTL=/usr/bin/smackctl
+
+# Check kernel whether smack is supported
+[ `grep -c smack /proc/filesystems` -eq 1 ] || exit 0
+
+#
+# Mount smackfs in /smack
+#
+mount_smack() {
+ if [ ! -d /smack ] ; then
+ test -e /smack && rm -f /smack
+ mkdir /smack
+ fi
+ if ! grep -E -qs smackfs /etc/mtab; then
+ mount -t smackfs smackfs /smack > /dev/null 2>&1
+ fi
+}
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC ..."
+ mount_smack
+ /usr/bin/smackctl apply
+ echo " done."
+ ;;
+ status)
+ if [ ! -e /smack/load2 ] ; then
+ exit -1
+ fi
+ ;;
+ reload|force-reload|restart|try-restart)
+ echo -n "Reloading $DESC ..."
+ /usr/bin/smackctl clear
+ /usr/bin/smackctl apply
+ echo " done."
+ ;;
+ stop)
+ echo -n "Stopping $DESC ..."
+ /usr/bin/smackctl clear
+ echo " done."
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|reload|force-reload|restart|try-restart|status}"
+ exit 3
+ ;;
+esac
+
+exit 0
[Unit]
Description=Smack
+DefaultDependencies=no
+After=smack.mount
+Requires=smack.mount
After=basic.target
[Service]
+++ /dev/null
-prefix=@PREFIX@
-exec_prefix=@EXEC_PREFIX@
-libdir=@LIBDIR@
-includedir=@INCLUDEDIR@
-
-Name: smack
-Description: Smack LSM module userspace library
-Requires:
-Version: @VERSION@
-Libs: -L${libdir} -lsmack
-Cflags: -I${includedir}
--- /dev/null
+.deps/
+.libs/
+libsmack.la
+libsmack.lo
--- /dev/null
+ACLOCAL_AMFLAGS = -I m4
+AM_MAKEFLAGS = --no-print-directory
+
+AM_CFLAGS = -Wall -Wextra
+
+EXTRA_DIST = libsmack.sym
+
+lib_LTLIBRARIES = libsmack.la
+
+libsmack_la_LDFLAGS = \
+ -version-info 1:0:0 \
+ -Wl,--version-script=$(top_srcdir)/libsmack/libsmack.sym
+libsmack_la_SOURCES = libsmack.c
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = libsmack.pc
+
+library_includedir=$(includedir)/sys
+library_include_HEADERS=sys/smack.h
+
*
* Copyright (C) 2010 Nokia Corporation
* Copyright (C) 2011 Intel Corporation
+ * Copyright (C) 2012 Samsung Electronics Co.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* Authors:
* Jarkko Sakkinen <jarkko.sakkinen@intel.com>
* Brian McGillion <brian.mcgillion@intel.com>
+ * Rafal Krypa <r.krypa@samsung.com>
*/
#include "sys/smack.h"
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <sys/xattr.h>
#include <unistd.h>
-#define LABEL_LEN 23
-#define LOAD_LEN (2 * (LABEL_LEN + 1) + ACC_LEN)
#define ACC_LEN 5
+#define LOAD_LEN (2 * (SMACK_LABEL_LEN + 1) + 2 * ACC_LEN + 1)
-#define ACC_R 0x01
-#define ACC_W 0x02
-#define ACC_X 0x04
-#define ACC_A 0x08
-#define ACC_T 0x10
-
-#define KERNEL_FORMAT "%-23s %-23s %5s"
-#define READ_BUF_SIZE 512
+#define KERNEL_FORMAT "%s %s %s"
+#define KERNEL_FORMAT_MODIFY "%s %s %s %s"
+#define READ_BUF_SIZE LOAD_LEN + 10
#define SMACKFS_MNT "/smack"
#define SELF_LABEL_FILE "/proc/self/attr/current"
+typedef int (*getxattr_func)(void*, const char*, void*, size_t);
+typedef int (*setxattr_func)(const void*, const char*, const void*, size_t, int);
+typedef int (*removexattr_func)(void*, const char*);
+
struct smack_rule {
- char subject[LABEL_LEN + 1];
- char object[LABEL_LEN + 1];
- int access_code;
+ char subject[SMACK_LABEL_LEN + 1];
+ char object[SMACK_LABEL_LEN + 1];
+ int is_modify;
+ char access_set[ACC_LEN + 1];
+ char access_add[ACC_LEN + 1];
+ char access_del[ACC_LEN + 1];
struct smack_rule *next;
};
};
static int accesses_apply(struct smack_accesses *handle, int clear);
-static inline int access_type_to_int(const char *access_type);
-static inline void int_to_access_type_c(unsigned ac, char *str);
-static inline void int_to_access_type_k(unsigned ac, char *str);
+static inline void parse_access_type(const char *in, char out[ACC_LEN + 1]);
+static inline char* get_xattr_name(enum smack_label_type type);
int smack_accesses_new(struct smack_accesses **accesses)
{
int smack_accesses_save(struct smack_accesses *handle, int fd)
{
struct smack_rule *rule = handle->first;
- char access_type[ACC_LEN + 1];
FILE *file;
int ret;
int newfd;
}
while (rule) {
- int_to_access_type_c(rule->access_code, access_type);
+ if (rule->is_modify) {
+ ret = fprintf(file, "%s %s %s %s\n",
+ rule->subject, rule->object,
+ rule->access_add, rule->access_del);
+ } else {
+ ret = fprintf(file, "%s %s %s\n",
+ rule->subject, rule->object,
+ rule->access_set);
+ }
- ret = fprintf(file, "%s %s %s\n",
- rule->subject, rule->object, access_type);
if (ret < 0) {
fclose(file);
return -1;
if (rule == NULL)
return -1;
- strncpy(rule->subject, subject, LABEL_LEN + 1);
- strncpy(rule->object, object, LABEL_LEN + 1);
- rule->access_code = access_type_to_int(access_type);
+ strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
+ strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
+ parse_access_type(access_type, rule->access_set);
+
+ if (handle->first == NULL) {
+ handle->first = handle->last = rule;
+ } else {
+ handle->last->next = rule;
+ handle->last = rule;
+ }
+
+ return 0;
+}
+
+int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
+ const char *object, const char *access_add, const char *access_del)
+{
+ struct smack_rule *rule = NULL;
+
+ rule = calloc(sizeof(struct smack_rule), 1);
+ if (rule == NULL)
+ return -1;
+
+ strncpy(rule->subject, subject, SMACK_LABEL_LEN + 1);
+ strncpy(rule->object, object, SMACK_LABEL_LEN + 1);
+ parse_access_type(access_add, rule->access_add);
+ parse_access_type(access_del, rule->access_del);
+ rule->is_modify = 1;
if (handle->first == NULL) {
handle->first = handle->last = rule;
FILE *file = NULL;
char buf[READ_BUF_SIZE];
char *ptr;
- const char *subject, *object, *access;
+ const char *subject, *object, *access, *access2;
int newfd;
+ int ret;
newfd = dup(fd);
if (newfd == -1)
}
while (fgets(buf, READ_BUF_SIZE, file) != NULL) {
+ if (strcmp(buf, "\n") == 0)
+ continue;
subject = strtok_r(buf, " \t\n", &ptr);
object = strtok_r(NULL, " \t\n", &ptr);
access = strtok_r(NULL, " \t\n", &ptr);
+ access2 = strtok_r(NULL, " \t\n", &ptr);
if (subject == NULL || object == NULL || access == NULL ||
strtok_r(NULL, " \t\n", &ptr) != NULL) {
return -1;
}
- if (smack_accesses_add(accesses, subject, object, access)) {
+ if (access2 == NULL)
+ ret = smack_accesses_add(accesses, subject, object, access);
+ else
+ ret = smack_accesses_add_modify(accesses, subject, object, access, access2);
+
+ if (ret) {
fclose(file);
return -1;
}
{
char buf[LOAD_LEN + 1];
char access_type_k[ACC_LEN + 1];
- unsigned access_code;
int ret;
int fd;
- access_code = access_type_to_int(access_type);
- int_to_access_type_k(access_code, access_type_k);
+ parse_access_type(access_type, access_type_k);
ret = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT, subject, object,
access_type_k);
if (ret < 0)
return -1;
- fd = open(SMACKFS_MNT "/access", O_RDWR);
+ fd = open(SMACKFS_MNT "/access2", O_RDWR);
if (fd < 0)
return -1;
int fd;
int ret;
- result = calloc(LABEL_LEN + 1, 1);
+ result = calloc(SMACK_LABEL_LEN + 1, 1);
if (result == NULL)
return -1;
return -1;
}
- ret = read(fd, result, LABEL_LEN);
+ ret = read(fd, result, SMACK_LABEL_LEN);
close(fd);
if (ret < 0) {
free(result);
return 0;
}
+int smack_set_label_for_self(const char *label)
+{
+ int len;
+ int fd;
+ int ret;
+
+ len = strnlen(label, SMACK_LABEL_LEN + 1);
+ if (len > SMACK_LABEL_LEN)
+ return -1;
+
+ fd = open(SELF_LABEL_FILE, O_WRONLY);
+ if (fd < 0)
+ return -1;
+
+ ret = write(fd, label, len);
+ close(fd);
+
+ return (ret < 0) ? -1 : 0;
+}
+
+int smack_revoke_subject(const char *subject)
+{
+ int ret;
+ int fd;
+
+ fd = open(SMACKFS_MNT "/revoke-subject", O_RDWR);
+ if (fd < 0)
+ return -1;
+
+ ret = write(fd, subject, strnlen(subject, SMACK_LABEL_LEN));
+ close(fd);
+
+ return (ret < 0) ? -1 : 0;
+}
+
+static int internal_getlabel(void* file, char** label,
+ enum smack_label_type type,
+ getxattr_func getfunc)
+{
+ char* xattr_name = get_xattr_name(type);
+ char value[SMACK_LABEL_LEN + 1];
+ int ret;
+
+ ret = getfunc(file, xattr_name, value, SMACK_LABEL_LEN + 1);
+ if (ret == -1) {
+ if (errno == ENODATA) {
+ *label = NULL;
+ return 0;
+ }
+ return -1;
+ }
+
+ value[ret] = '\0';
+ *label = calloc(ret + 1, 1);
+ if (*label == NULL)
+ return -1;
+ strncpy(*label, value, ret);
+ return 0;
+}
+
+static int internal_setlabel(void* file, const char* label,
+ enum smack_label_type type,
+ setxattr_func setfunc, removexattr_func removefunc)
+{
+ char* xattr_name = get_xattr_name(type);
+
+ /* Check validity of labels for LABEL_TRANSMUTE */
+ if (type == SMACK_LABEL_TRANSMUTE && label != NULL) {
+ if (!strcmp(label, "0"))
+ label = NULL;
+ else if (!strcmp(label, "1"))
+ label = "TRUE";
+ else
+ return -1;
+ }
+
+ if (label == NULL || label[0] == '\0') {
+ return removefunc(file, label);
+ } else {
+ int len = strnlen(label, SMACK_LABEL_LEN + 1);
+ if (len > SMACK_LABEL_LEN)
+ return -1;
+ return setfunc(file, xattr_name, label, len, 0);
+ }
+}
+
+int smack_getlabel(const char *path, char** label,
+ enum smack_label_type type)
+{
+ return internal_getlabel((void*) path, label, type,
+ (getxattr_func) getxattr);
+}
+
+int smack_lgetlabel(const char *path, char** label,
+ enum smack_label_type type)
+{
+ return internal_getlabel((void*) path, label, type,
+ (getxattr_func) lgetxattr);
+}
+
+int smack_fgetlabel(int fd, char** label,
+ enum smack_label_type type)
+{
+ return internal_getlabel((void*) fd, label, type,
+ (getxattr_func) fgetxattr);
+}
+
+int smack_setlabel(const char *path, const char* label,
+ enum smack_label_type type)
+{
+ return internal_setlabel((void*) path, label, type,
+ (setxattr_func) setxattr, (removexattr_func) removexattr);
+}
+
+int smack_lsetlabel(const char *path, const char* label,
+ enum smack_label_type type)
+{
+ return internal_setlabel((void*) path, label, type,
+ (setxattr_func) lsetxattr, (removexattr_func) lremovexattr);
+}
+
+int smack_fsetlabel(int fd, const char* label,
+ enum smack_label_type type)
+{
+ return internal_setlabel((void*) fd, label, type,
+ (setxattr_func) fsetxattr, (removexattr_func) fremovexattr);
+}
+
static int accesses_apply(struct smack_accesses *handle, int clear)
{
char buf[LOAD_LEN + 1];
- char access_type[ACC_LEN + 1];
struct smack_rule *rule;
int ret;
int fd;
+ int load_fd;
+ int change_fd;
+ int size;
- fd = open(SMACKFS_MNT "/load", O_WRONLY);
- if (fd < 0)
+ load_fd = open(SMACKFS_MNT "/load2", O_WRONLY);
+ if (load_fd < 0)
return -1;
- if (clear)
- strcpy(access_type, "-----");
+ change_fd = open(SMACKFS_MNT "/change-rule", O_WRONLY);
+ if (change_fd < 0) {
+ close(load_fd);
+ return -1;
+ }
for (rule = handle->first; rule != NULL; rule = rule->next) {
- if (!clear)
- int_to_access_type_k(rule->access_code, access_type);
+ fd = load_fd;
+ if (clear) {
+ size = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT, rule->subject, rule->object, "-----");
+ } else {
+
+ if (rule->is_modify) {
+ fd = change_fd;
+ size = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT_MODIFY,
+ rule->subject, rule->object, rule->access_add, rule->access_del);
+
+ } else {
+ size = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT,
+ rule->subject, rule->object, rule->access_set);
+ }
+ }
- ret = snprintf(buf, LOAD_LEN + 1, KERNEL_FORMAT, rule->subject, rule->object, access_type);
- if (ret < 0) {
- close(fd);
+ if (size == -1 || size > LOAD_LEN) {
+ close(load_fd);
+ close(change_fd);
return -1;
}
- ret = write(fd, buf, LOAD_LEN);
+ ret = write(fd, buf, size);
if (ret < 0) {
- close(fd);
+ close(load_fd);
+ close(change_fd);
return -1;
}
}
- close(fd);
+ close(load_fd);
+ close(change_fd);
return 0;
}
-static inline int access_type_to_int(const char *access_type)
+static inline void parse_access_type(const char *in, char out[ACC_LEN + 1])
{
int i;
- unsigned access;
- access = 0;
- for (i = 0; i < ACC_LEN && access_type[i] != '\0'; i++)
- switch (access_type[i]) {
+ for (i = 0; i < ACC_LEN; ++i)
+ out[i] = '-';
+ out[ACC_LEN] = '\0';
+
+ for (i = 0; i < ACC_LEN && in[i] != '\0'; i++)
+ switch (in[i]) {
case 'r':
case 'R':
- access |= ACC_R;
+ out[0] = 'r';
break;
case 'w':
case 'W':
- access |= ACC_W;
+ out[1] = 'w';
break;
case 'x':
case 'X':
- access |= ACC_X;
+ out[2] = 'x';
break;
case 'a':
case 'A':
- access |= ACC_A;
+ out[3] = 'a';
break;
case 't':
case 'T':
- access |= ACC_T;
+ out[4] = 't';
break;
default:
break;
}
-
- return access;
}
-static inline void int_to_access_type_c(unsigned access, char *str)
+static inline char* get_xattr_name(enum smack_label_type type)
{
- int i;
- i = 0;
- if ((access & ACC_R) != 0)
- str[i++] = 'r';
- if ((access & ACC_W) != 0)
- str[i++] = 'w';
- if ((access & ACC_X) != 0)
- str[i++] = 'x';
- if ((access & ACC_A) != 0)
- str[i++] = 'a';
- if ((access & ACC_T) != 0)
- str[i++] = 't';
- str[i] = '\0';
-}
+ switch (type) {
+ case SMACK_LABEL_ACCESS:
+ return "security.SMACK64";
+ case SMACK_LABEL_EXEC:
+ return "security.SMACK64EXEC";
+ case SMACK_LABEL_MMAP:
+ return "security.SMACK64MMAP";
+ case SMACK_LABEL_TRANSMUTE:
+ return "security.SMACK64TRANSMUTE";
+ case SMACK_LABEL_IPIN:
+ return "security.SMACK64IPIN";
+ case SMACK_LABEL_IPOUT:
+ return "security.SMACK64IPOUT";
+ default:
+ /* Should not reach this point */
+ return NULL;
+ }
-static inline void int_to_access_type_k(unsigned access, char *str)
-{
- str[0] = ((access & ACC_R) != 0) ? 'r' : '-';
- str[1] = ((access & ACC_W) != 0) ? 'w' : '-';
- str[2] = ((access & ACC_X) != 0) ? 'x' : '-';
- str[3] = ((access & ACC_A) != 0) ? 'a' : '-';
- str[4] = ((access & ACC_T) != 0) ? 't' : '-';
- str[5] = '\0';
}
-
--- /dev/null
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: @PACKAGE_NAME@
+Description: Smack LSM module userspace library
+Requires:
+Version: @PACKAGE_VERSION@
+Libs: -L${libdir} -lsmack
+Cflags: -I${includedir}
-LIBSMACK_1.0 {
+LIBSMACK {
global:
smack_accesses_new;
smack_accesses_free;
smack_accesses_apply;
smack_accesses_clear;
smack_accesses_add;
+ smack_accesses_add_modify;
smack_accesses_add_from_file;
smack_have_access;
smack_new_label_from_self;
smack_new_label_from_socket;
+ smack_set_label_for_self;
+ smack_revoke_subject;
+ smack_getlabel;
+ smack_lgetlabel;
+ smack_fgetlabel;
+ smack_setlabel;
+ smack_lsetlabel;
+ smack_fsetlabel;
local:
*;
};
*
* Copyright (C) 2010 Nokia Corporation
* Copyright (C) 2011 Intel Corporation
+ * Copyright (C) 2012 Samsung Electronics Co.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
*
* Authors:
* Jarkko Sakkinen <jarkko.sakkinen@intel.com>
+ * Rafal Krypa <r.krypa@samsung.com>
*/
/*!
#include <sys/types.h>
/*!
+ * Maximum length of a smack label, excluding terminating null character.
+ */
+#define SMACK_LABEL_LEN 255
+
+enum smack_label_type {
+ SMACK_LABEL_ACCESS,
+ SMACK_LABEL_EXEC,
+ SMACK_LABEL_MMAP,
+ SMACK_LABEL_TRANSMUTE,
+ SMACK_LABEL_IPIN,
+ SMACK_LABEL_IPOUT,
+};
+
+/*!
* Handle to a in-memory representation of set of Smack rules.
*/
struct smack_accesses;
const char *object, const char *access_type);
/*!
+ * Add a modification rule to a rule set.
+ * The modification rule will change access permissions for a given subject and
+ * object.
+ * If such rule already existend (in the kernel or earlier in the rule set),
+ * it will be modified. Otherwise a new rule will be created, with permissions
+ * from access_add minus permissions from access_del.
+ *
+ * @param handle handle to a rule set
+ * @param subject subject of the rule
+ * @param object object of the rule
+ * @param access_add access type
+ * @param access_del access type
+ * @return Returns 0 on success.
+ */
+int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject,
+ const char *object, const char *access_add, const char *access_del);
+
+/*!
* Add rules from file.
*
* @param accesses instance
*/
int smack_new_label_from_socket(int fd, char **label);
+/*!
+ * Set the label associated with the callers process.
+ * Caller must be run by privileged user to succeed.
+ *
+ * @param label to set
+ * @return 0 on success and negative value on failure.
+ */
+int smack_set_label_for_self(const char *label);
+
+/*!
+ * Revoke all rules for a subject label.
+ *
+ * @param subject subject to revoke
+ * @return 0 on success and negative value on failure.
+ */
+int smack_revoke_subject(const char *subject);
+
+/*!
+ * Get SMACK label from file.
+ * On successful call label will be stored on allocated memory.
+ * Caller should take care of freeing that memory later.
+ *
+ * @param path file system path
+ * @param label returned label
+ * @param type label type to get
+ * @return 0 on success and negative value on failure.
+ */
+int smack_getlabel(const char *path, char** label,
+ enum smack_label_type type);
+
+/*!
+ * Get SMACK label from file. If path points to a symbolic link, the
+ * function will return label of the link instead of file it refers to.
+ * On successful call label will be stored on allocated memory.
+ * Caller should take care of freeing that memory later.
+ *
+ * @param path file system path
+ * @param label returned label
+ * @param type label type to get
+ * @return 0 on success and negative value on failure.
+ */
+int smack_lgetlabel(const char *path, char** label,
+ enum smack_label_type type);
+
+/*!
+ * Get SMACK label from file descriptor.
+ * On successful call label will be stored on allocated memory.
+ * Caller should take care of freeing that memory later.
+ *
+ * @param fd file descriptor
+ * @param label returned label
+ * @param type label type to get
+ * @return 0 on success and negative value on failure.
+ */
+int smack_fgetlabel(int fd, char** label,
+ enum smack_label_type type);
+
+/*!
+ * Set SMACK label for file.
+ * On successful call label will be stored on allocated memory.
+ *
+ * @param path file system path
+ * @param label SMACK label to set
+ * if equal to NULL or "", label will be removed
+ * for type SMACK_LABEL_TRANSMUTE valid values are NULL, "", "0" or "1"
+ * @param type label type to get
+ * @return 0 on success and negative value on failure.
+ */
+int smack_setlabel(const char *path, const char* label,
+ enum smack_label_type type);
+
+/*!
+ * Set SMACK label for file. If path points to a symbolic link, the
+ * function will set label of the link instead of file it refers to.
+ *
+ * @param path file system path
+ * @param label SMACK label to set
+ * if equal to NULL or "", label will be removed
+ * for type SMACK_LABEL_TRANSMUTE valid values are NULL, "", "0" or "1"
+ * @param type label type to get
+ * @return 0 on success and negative value on failure.
+ */
+int smack_lsetlabel(const char *path, const char* label,
+ enum smack_label_type type);
+
+/*!
+ * Get SMACK label from file descriptor.
+ *
+ * @param fd file descriptor
+ * @param label SMACK label to set
+ * if equal to NULL or "", label will be removed
+ * for type SMACK_LABEL_TRANSMUTE valid values are NULL, "", "0" or "1"
+ * @param type label type to get
+ * @return 0 on success and negative value on failure.
+ */
+int smack_fsetlabel(int fd, const char* label,
+ enum smack_label_type type);
+
#ifdef __cplusplus
}
#endif
--- /dev/null
+libtool.m4
+ltoptions.m4
+ltsugar.m4
+ltversion.m4
+lt~obsolete.m4
-Name: smack
-Summary: SMACK library and utility executables
-Version: 1.0
-Release: rc4slp2+s2
-Group: System/Libraries
-License: LGPL2.1
-Source: smack-%{version}.tar.gz
-Requires(post): /sbin/ldconfig
-Requires(postun): /sbin/ldconfig
-
-BuildRequires: cmake
-
+Name: smack
+Version: 1.0slp2+s4
+Release: 1
+Summary: Package to interact with Smack
+Group: System/Kernel
+License: LGPLv2
+URL: https://github.com/organizations/smack-team/smack
+Source0: smack-%{version}.tar.gz
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: automake autoconf libtool
%description
-SMACK library and utility executables
-
+Library allows applications to work with Smack
%package devel
-Summary: SMACK library header
+Summary: Developmnent headers and libs for libsmack
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
+%description devel
+Standard header files for use when developing Smack enabled applications
+
%package utils
-Summary: SMACK utility executables
-Group: System/Executables
+Summary: Selection of tools for developers working with Smack
+Group: System/Kernel
Requires: %{name} = %{version}-%{release}
-%description devel
-SMACK library (developement files)
-
%description utils
-SMACK utility executables
+Tools provided to load and unload rules from the kernel and query the policy
%prep
%setup -q
-
+autoreconf --install --symlink
%build
-cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix}
-
-
-make %{?jobs:-j%jobs}
+%configure
+make %{?_smp_mflags}
%install
rm -rf %{buildroot}
-%make_install
-
-%post utils
-mkdir -p /smack
-mkdir -p /opt/etc/smack
-mkdir -p /opt/etc/smack/accesses.d
-mkdir -p /opt/etc/smack/cipso.d
-
-if [ ! -e /opt/etc/smack/accesses ] ; then
- touch /opt/etc/smack/accesses
-fi
-if [ ! -e /opt/etc/smack/cipso ] ; then
- touch /opt/etc/smack/cipso
-fi
-
-if [ ! -e /etc/smack ] ; then
- ln -s /opt/etc/smack /etc/smack
-fi
-
-mkdir -p /etc/rc.d/rc3.d
-mkdir -p /etc/rc.d/rc4.d
-mkdir -p /etc/rc.d/rc5.d
-ln -s /etc/rc.d/init.d/smack-def /etc/rc.d/rc3.d/S07smack-def
-ln -s /etc/rc.d/init.d/smack-def /etc/rc.d/rc4.d/S07smack-def
-ln -s /etc/rc.d/init.d/smack-app /etc/rc.d/rc3.d/S08smack-app
-ln -s /etc/rc.d/init.d/smack-app /etc/rc.d/rc5.d/S08smack-app
+make install DESTDIR=%{buildroot}
+install -d %{buildroot}/smack
+install -d %{buildroot}/etc
+install -D -d %{buildroot}/opt/etc/smack/access.d
+install -D -d %{buildroot}/opt/etc/smack/cipso.d
+install -D -d %{buildroot}/opt/etc/rc.d/rc3.d/
+install -D -d %{buildroot}/opt/etc/rc.d/rc4.d/
+install -D init/smack.rc %{buildroot}/etc/init.d/smack-utils
+ln -sf /opt/etc/smack %{buildroot}/etc/
+ln -sf /etc/init.d/smack-utils %{buildroot}/opt/etc/rc.d/rc3.d/S07smack
+ln -sf /etc/init.d/smack-utils %{buildroot}/opt/etc/rc.d/rc4.d/S07smack
+rm -rf %{buildroot}/%{_docdir}
+
+%clean
+rm -rf %{buildroot}
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
-
%files
-%defattr(-,root,root,-)
-/usr/lib/libsmack.so.1
-/usr/lib/libsmack.so.1.0.0
+%defattr(644,root,root,755)
+%{_libdir}/libsmack.so.*
%files devel
-%defattr(-,root,root,-)
-/usr/lib/libsmack.so
-/usr/include/sys/smack.h
-/usr/lib/pkgconfig/libsmack.pc
+%defattr(644,root,root,755)
+%{_includedir}/*
+%{_libdir}/libsmack.so
+%{_libdir}/libsmack.la
+%{_libdir}/pkgconfig/*
+%{_mandir}/man3/*
%files utils
-%defattr(-,root,root.-)
-/bin/chsmack
-/usr/bin/smackaccess
-/sbin/smackcipso
-/usr/bin/smackctl
-/sbin/smackload
-/usr/bin/smackd
-/etc/rc.d/init.d/smack-def
-/etc/rc.d/init.d/smack-app
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_bindir}/*
+%attr(755,root,root) /etc/init.d/smack-utils
+/etc/smack
+/opt/etc/*
+/smack/
+%{_mandir}/man1/*
+%{_mandir}/man8/*
+
+%changelog
+* Thu Jul 30 2012 Rafal Krypa <r.krypa@samsung.com> - 1.0slp2+s4
+- Rebuild, no source changes.
+
+* Thu Jul 19 2012 Rafal Krypa <r.krypa@samsung.com> - 1.0slp2+s3
+- Rebuild, change versioning schema.
+
+* Wed Jul 11 2012 Rafal Krypa <r.krypa@samsung.com> - 1.0-slp2+s2
+- Release with my source patches after review with the upstream maintainer.
+
+* Wed May 9 2012 Rafal Krypa <r.krypa@samsung.com> - 1.0-slp2+s1
+- Initial spec file
+++ /dev/null
-#! /bin/bash
-#
-# Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
-# Copyright (C) 2011 Nokia Corporation.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 2.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public
-# License along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-# 02110-1301 USA
-#
-# Authors:
-# Casey Schaufler <casey@schaufler-ca.com>
-#
-# chkconfig: 2345 08 08
-# description: Initialize Smack configuration
-### BEGIN INIT INFO
-# Provides: smack
-# Required-Start: $local_fs
-# Required-Stop:
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Set up Smack configuration
-# Description: Smack is an implementation of Mandatory Access Control. \
-# The access control rules are loaded using the smackfs \
-# pseudo-filesystem.
-### END INIT INFO
-
-#
-# Load any Smack access rules
-#
-load_rules() {
- for files in $( find /etc/smack/accesses.d/ )
- do
- /sbin/smackload $files
- done
-}
-
-#
-# Unload any Smack access rules
-#
-
-unload_rules() {
- /sbin/smackload -c < /smack/load
-}
-
-#
-# Load any Smack CIPSO mappings
-#
-load_cipso() {
- for files in $( find /etc/smack/cipso.d/ )
- do
- /sbin/smackcipso $files
- done
-}
-
-case "$1" in
- start)
- load_rules
- load_cipso
- ;;
- status)
- if [ ! -e /smack/load ] ; then
- exit 4
- fi
- ;;
- reload|force-reload|restart|try-restart)
- unload_rules
- load_rules
- load_cipso
- ;;
- stop)
- unload_rules
- ;;
- *)
- ;;
-esac
-
-exit 0
+++ /dev/null
-#! /bin/bash
-#
-# Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
-# Copyright (C) 2011 Nokia Corporation.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, version 2.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public
-# License along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-# 02110-1301 USA
-#
-# Authors:
-# Casey Schaufler <casey@schaufler-ca.com>
-#
-# chkconfig: 2345 08 08
-# description: Initialize Smack configuration
-### BEGIN INIT INFO
-# Provides: smack
-# Required-Start: $local_fs
-# Required-Stop:
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Set up Smack configuration
-# Description: Smack is an implementation of Mandatory Access Control. \
-# The access control rules are loaded using the smackfs \
-# pseudo-filesystem.
-### END INIT INFO
-
-#
-# Make sure that /smack is mounted
-# Ensure that the mount point is a directory
-#
-mount_smack() {
- if [ ! -e /smack ] ; then
- /bin/mkdir /smack
- fi
-
- if [ ! -d /smack ] ; then
- if [ -e /smack ] ; then
- /bin/rm -f /smack
- fi
- /bin/mkdir /smack
- fi
-
- /bin/mount smackfs -t smackfs /smack >& /dev/null
-}
-
-#
-# Load any Smack access rules
-#
-load_rules() {
- if [ -f /etc/smack/accesses ] ; then
- /sbin/smackload < /etc/smack/accesses
- fi
-}
-
-#
-# Unload any Smack access rules
-#
-unload_rules() {
- /sbin/smackload -c < /smack/load
-}
-
-#
-# Load any Smack CIPSO mappings
-#
-load_cipso() {
- if [ -f /etc/smack/cipso ] ; then
- /sbin/smackcipso < /etc/smack/cipso
- fi
-}
-
-case "$1" in
- start)
- mount_smack
- load_rules
- load_cipso
- ;;
- status)
- if [ ! -e /smack/load ] ; then
- exit 4
- fi
- ;;
- reload|force-reload|restart|try-restart)
- unload_rules
- load_rules
- load_cipso
- ;;
- stop)
- unload_rules
- ;;
- *)
- ;;
-esac
-
-exit 0
--- /dev/null
+.deps/
+.libs/
+smackaccess
+smackctl
+smackself
+smackcipso
+smackd
+smackload
+chsmack
+*.o
--- /dev/null
+instdir = ${bindir}
+bin_PROGRAMS = smackctl smackaccess smackload smackcipso smackd chsmack
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/libsmack
+
+smackctl_SOURCES = smackctl.c common.c
+smackctl_LDADD = ../libsmack/libsmack.la
+
+smackaccess_SOURCES = smackaccess.c
+smackaccess_LDADD = ../libsmack/libsmack.la
+
+smackload_SOURCES = smackload.c common.c
+smackload_LDADD = ../libsmack/libsmack.la
+
+smackcipso_SOURCES = smackcipso.c common.c
+smackcipso_LDADD = ../libsmack/libsmack.la
+
+smackd_SOURCES = smackd.c common.c
+smackd_LDADD = ../libsmack/libsmack.la
+
+chsmack_SOURCES = chsmack.c
+chsmack_LDADD = ../libsmack/libsmack.la
+
+EXTRA_DIST = common.h
* chsmack - Set smack attributes on files
*
* Copyright (C) 2011 Nokia Corporation.
+ * Copyright (C) 2012 Samsung Electronics Co.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
*
* Author:
* Casey Schaufler <casey@schaufler-ca.com>
+ * Rafal Krypa <r.krypa@samsung.com>
*/
#include <sys/types.h>
#include <sys/stat.h>
-#include <sys/xattr.h>
+#include <sys/smack.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#define LSIZE 23
static inline int leads(char *in, char *lead)
{
int rc;
int argi;
int transmute = 0;
- char buffer[LSIZE + 1];
+ char *buffer;
char *access = NULL;
char *mm = NULL;
char *execute = NULL;
fprintf(stderr, "No files specified.\n");
exit(1);
}
- if (access != NULL && strlen(access) > LSIZE) {
+ if (access != NULL && strlen(access) > SMACK_LABEL_LEN) {
fprintf(stderr, "Access label \"%s\" exceeds %d characters.\n",
- access, LSIZE);
+ access, SMACK_LABEL_LEN);
exit(1);
}
- if (mm != NULL && strlen(mm) > LSIZE) {
+ if (mm != NULL && strlen(mm) > SMACK_LABEL_LEN) {
fprintf(stderr, "mmap label \"%s\" exceeds %d characters.\n",
- mm, LSIZE);
+ mm, SMACK_LABEL_LEN);
exit(1);
}
- if (execute != NULL && strlen(execute) > LSIZE) {
+ if (execute != NULL && strlen(execute) > SMACK_LABEL_LEN) {
fprintf(stderr, "execute label \"%s\" exceeds %d characters.\n",
- execute, LSIZE);
+ execute, SMACK_LABEL_LEN);
exit(1);
}
for (; argi < argc; argi++) {
if (access == NULL && mm == NULL &&
execute == NULL && !transmute) {
printf("%s", argv[argi]);
- rc = lgetxattr(argv[argi], "security.SMACK64",
- buffer, LSIZE + 1);
- if (rc > 0) {
- buffer[rc] = '\0';
+ rc = smack_lgetlabel(argv[argi], &buffer, SMACK_LABEL_ACCESS);
+ if (rc == 0 && buffer != NULL) {
printf(" access=\"%s\"", buffer);
+ free(buffer);
}
- rc = lgetxattr(argv[argi], "security.SMACK64EXEC",
- buffer, LSIZE + 1);
- if (rc > 0) {
- buffer[rc] = '\0';
+ rc = smack_lgetlabel(argv[argi], &buffer, SMACK_LABEL_EXEC);
+ if (rc == 0 && buffer != NULL) {
printf(" execute=\"%s\"", buffer);
+ free(buffer);
}
- rc = lgetxattr(argv[argi], "security.SMACK64MMAP",
- buffer, LSIZE + 1);
- if (rc > 0) {
- buffer[rc] = '\0';
+ rc = smack_lgetlabel(argv[argi], &buffer, SMACK_LABEL_MMAP);
+ if (rc == 0 && buffer != NULL) {
printf(" mmap=\"%s\"", buffer);
+ free(buffer);
}
- rc = lgetxattr(argv[argi], "security.SMACK64TRANSMUTE",
- buffer, LSIZE + 1);
- if (rc > 0) {
- buffer[rc] = '\0';
+ rc = smack_lgetlabel(argv[argi], &buffer, SMACK_LABEL_TRANSMUTE);
+ if (rc == 0 && buffer != NULL) {
printf(" transmute=\"%s\"", buffer);
+ free(buffer);
}
printf("\n");
continue;
}
if (access != NULL) {
- rc = lsetxattr(argv[argi], "security.SMACK64",
- access, strlen(access) + 1, 0);
+ rc = smack_lsetlabel(argv[argi], access, SMACK_LABEL_ACCESS);
if (rc < 0)
perror(argv[argi]);
}
if (execute != NULL) {
- rc = lsetxattr(argv[argi], "security.SMACK64EXEC",
- execute, strlen(execute) + 1, 0);
+ rc = smack_lsetlabel(argv[argi], execute, SMACK_LABEL_EXEC);
if (rc < 0)
perror(argv[argi]);
}
if (mm != NULL) {
- rc = lsetxattr(argv[argi], "security.SMACK64MMAP",
- mm, strlen(mm) + 1, 0);
+ rc = smack_lsetlabel(argv[argi], mm, SMACK_LABEL_MMAP);
if (rc < 0)
perror(argv[argi]);
}
if (transmute) {
- rc = lsetxattr(argv[argi], "security.SMACK64TRANSMUTE",
- "TRUE", 4, 0);
+ rc = smack_lsetlabel(argv[argi], "1", SMACK_LABEL_TRANSMUTE);
if (rc < 0)
perror(argv[argi]);
}
#define LEVEL_MAX 255
#define NUM_LEN 4
-#define CIPSO_POS(i) (LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
+#define CIPSO_POS(i) (SMACK_LABEL_LEN + 1 + NUM_LEN + NUM_LEN + i * NUM_LEN)
#define CIPSO_MAX_SIZE CIPSO_POS(CAT_MAX_COUNT)
+#define CIPSO_NUM_LEN_STR "%-4d"
#define BUF_SIZE 512
struct cipso_mapping {
- char label[LABEL_LEN + 1];
+ char label[SMACK_LABEL_LEN + 1];
int cats[CAT_MAX_VALUE];
int ncats;
int level;
};
static int apply_rules_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf);
-static int apply_cipso_file(const char *path);
static int apply_cipso_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf);
-static struct cipso *cipso_new(const char *path);
+static struct cipso *cipso_new(int fd);
static void cipso_free(struct cipso *cipso);
static int cipso_apply(struct cipso *cipso);
if (is_smackfs_mounted() != 1)
return -1;
- fd = open(SMACKFS_MNT "/load", O_RDONLY);
+ fd = open(SMACKFS_MNT "/load2", O_RDONLY);
if (fd < 0)
return -1;
int apply_cipso(const char *path)
{
struct stat sbuf;
+ int fd;
int ret;
errno = 0;
return -1;
if (S_ISDIR(sbuf.st_mode))
- ret = nftw(path, apply_cipso_cb, 1, FTW_PHYS|FTW_ACTIONRETVAL);
- else
- ret = apply_cipso_file(path);
+ return nftw(path, apply_cipso_cb, 1, FTW_PHYS|FTW_ACTIONRETVAL);
- if (ret)
+ fd = open(path, O_RDONLY);
+ if (fd < 0)
return -1;
- return 0;
+ ret = apply_cipso_file(fd);
+ close(fd);
+ return ret;
}
int apply_rules_file(int fd, int clear)
return ret;
}
-static int apply_cipso_file(const char *path)
+int apply_cipso_file(int fd)
{
struct cipso *cipso = NULL;
int ret;
- cipso = cipso_new(path);
+ cipso = cipso_new(fd);
if (cipso == NULL)
return -1;
static int apply_cipso_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
{
+ int fd;
+ int ret;
+
if (typeflag == FTW_D)
return ftwbuf->level ? FTW_SKIP_SUBTREE : FTW_CONTINUE;
else if (typeflag != FTW_F)
return FTW_STOP;
- return apply_cipso_file(fpath) ? FTW_STOP : FTW_CONTINUE;
+
+ fd = open(fpath, O_RDONLY);
+ if (fd < 0)
+ return -1;
+
+ ret = apply_rules_file(fd, 0) ? FTW_STOP : FTW_CONTINUE;
+ close(fd);
+ return ret;
}
-static struct cipso *cipso_new(const char *path)
+static struct cipso *cipso_new(int fd)
{
struct cipso *cipso = NULL;
struct cipso_mapping *mapping = NULL;
char *label, *level, *cat, *ptr;
long int val;
int i;
+ int newfd;
- file = fopen(path, "r");
- if (file == NULL)
+ newfd = dup(fd);
+ if (newfd == -1)
return NULL;
+ file = fdopen(newfd, "r");
+ if (file == NULL) {
+ close(newfd);
+ return NULL;
+ }
+
cipso = calloc(sizeof(struct cipso), 1);
if (cipso == NULL) {
fclose(file);
level = strtok_r(NULL, " \t\n", &ptr);
cat = strtok_r(NULL, " \t\n", &ptr);
if (label == NULL || cat == NULL || level == NULL ||
- strlen(label) > LABEL_LEN) {
+ strlen(label) > SMACK_LABEL_LEN) {
errno = EINVAL;
goto err_out;
}
int fd;
int i;
- fd = open(SMACKFS_MNT "/cipso", O_WRONLY);
+ fd = open(SMACKFS_MNT "/cipso2", O_WRONLY);
if (fd < 0)
return -1;
for (m = cipso->first; m != NULL; m = m->next) {
- sprintf(buf, "%-23s ", m->label);
- sprintf(&buf[LABEL_LEN + 1], "%-4d", m->level);
- sprintf(&buf[LABEL_LEN + 1 + NUM_LEN], "%-4d", m->ncats);
+ sprintf(buf, "%s ", m->label);
+ sprintf(&buf[SMACK_LABEL_LEN + 1], CIPSO_NUM_LEN_STR, m->level);
+ sprintf(&buf[SMACK_LABEL_LEN + 1 + NUM_LEN], CIPSO_NUM_LEN_STR, m->ncats);
for (i = 0; i < m->ncats; i++)
- sprintf(&buf[CIPSO_POS(i)], "%-4d", m->cats[i]);
+ sprintf(&buf[CIPSO_POS(i)], CIPSO_NUM_LEN_STR, m->cats[i]);
if (write(fd, buf, strlen(buf)) < 0) {
close(fd);
#ifndef COMMON_H
#define COMMON_H
-#define LABEL_LEN 23
#define SMACKFS_MNT "/smack"
#define ACCESSES_D_PATH "/etc/smack/accesses.d"
#define CIPSO_D_PATH "/etc/smack/cipso.d"
int apply_rules(const char *path, int clear);
int apply_cipso(const char *path);
int apply_rules_file(int fd, int clear);
+int apply_cipso_file(int fd);
#endif // COMMON_H
#include "common.h"
#include <stdlib.h>
#include <stdio.h>
+#include <unistd.h>
int main(int argc, char **argv)
{
- if (argc != 2) {
- fprintf(stderr, "Usage: %s <path>\n", argv[0]);
+ if (is_smackfs_mounted() != 1) {
+ fprintf(stderr, "SmackFS is not mounted.\n");
exit(1);
}
- if (apply_cipso(argv[1])) {
- perror("Failure to apply cipso : ");
+ if (argc > 2) {
+ fprintf(stderr, "Usage: %s <path>\n", argv[0]);
exit(1);
}
+ if (argc == 1) {
+ if (apply_cipso_file(STDIN_FILENO)) {
+ perror("apply_cipso_file");
+ exit(1);
+ }
+ } else {
+ if (apply_cipso(argv[1])) {
+ perror("apply_cipso");
+ exit(1);
+ }
+ }
+
exit(0);
}
return -1;
if (apply_rules(ACCESSES_D_PATH, 0))
- perror("apply_rules Path");
+ perror("apply_rules");
if (apply_cipso(CIPSO_D_PATH))
- perror("apply_cipso Path");
+ perror("apply_cipso");
return 0;
}
int main(int argc, char **argv)
{
- int a;
-
if (argc < 2) {
fprintf(stderr, "Usage: %s <action>\n", argv[0]);
return 1;
#include <string.h>
#include <sys/inotify.h>
#include <sys/select.h>
+#include <sys/stat.h>
#define PID_FILE "/var/run/smackd.pid"
#define BUF_SIZE (4 * (sizeof(struct inotify_event) + NAME_MAX + 1))
return select(inotifyFd + 1, &readSet, NULL, NULL, NULL);
}
-void main(int argc, char **argv)
+int main(int argc, char **argv)
{
struct sigaction sa;
int inotify_fd;
projects / framework / security / smack.git / commitdiff