2 * Copyright (c) 2014 Samsung Electronics Co., Ltd All Rights Reserved
4 * Contact: Rafal Krypa <r.krypa@samsung.com>
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License
19 * @file smack-labels.cpp
20 * @author Jan Cybulski <j.cybulski@samsung.com>
21 * @author Rafal Krypa <r.krypa@samsung.com>
23 * @brief Implementation of functions managing smack labels
28 #include <sys/smack.h>
29 #include <sys/xattr.h>
30 #include <linux/xattr.h>
36 #include <dpl/log/log.h>
38 #include "security-manager.h"
39 #include "smack-labels.h"
41 namespace SecurityManager {
43 /* Const defined below is used to label links to executables */
44 const char *const LABEL_FOR_PUBLIC_APP_PATH = "User";
46 enum class FileDecision {
52 typedef std::function<FileDecision(const FTSENT*)> LabelDecisionFn;
54 static FileDecision labelAll(const FTSENT *ftsent __attribute__((unused)))
56 return FileDecision::LABEL;
59 static FileDecision labelDirs(const FTSENT *ftsent)
61 // label only directories
62 if (S_ISDIR(ftsent->fts_statp->st_mode))
63 return FileDecision::LABEL;
64 return FileDecision::SKIP;
67 static FileDecision labelExecs(const FTSENT *ftsent)
69 // LogDebug("Mode = " << ftsent->fts_statp->st_mode); // this could be helpfull in debugging
70 // label only regular executable files
71 if (S_ISREG(ftsent->fts_statp->st_mode) && (ftsent->fts_statp->st_mode & S_IXUSR))
72 return FileDecision::LABEL;
73 return FileDecision::SKIP;
76 static bool dirSetSmack(const std::string &path, const std::string &label,
77 const char *xattr_name, LabelDecisionFn fn)
79 char *const path_argv[] = {const_cast<char *>(path.c_str()), NULL};
83 std::unique_ptr<FTS, std::function<void(FTS*)> > fts(
84 fts_open(path_argv, FTS_PHYSICAL | FTS_NOCHDIR, NULL),
87 if (fts.get() == NULL) {
88 LogError("fts_open failed.");
92 while ((ftsent = fts_read(fts.get())) != NULL) {
93 /* Check for error (FTS_ERR) or failed stat(2) (FTS_NS) */
94 if (ftsent->fts_info == FTS_ERR || ftsent->fts_info == FTS_NS) {
95 LogError("FTS_ERR error or failed stat(2) (FTS_NS)");
99 /* avoid to tag directories two times */
100 if (ftsent->fts_info == FTS_D)
104 if (ret == FileDecision::ERROR) {
105 LogError("fn(ftsent) failed.");
109 if (ret == FileDecision::LABEL) {
110 if (lsetxattr(ftsent->fts_path, xattr_name, label.c_str(), label.length(), 0) != 0) {
111 LogError("lsetxattr failed.");
118 /* If last call to fts_read() set errno, we need to return error. */
119 if ((errno != 0) && (ftsent == NULL)) {
120 LogError("Last errno from fts_read: " << strerror(errno));
127 static bool labelDir(const std::string &path, const std::string &label,
128 bool set_transmutable, bool set_executables)
132 // setting access label on everything in given directory and below
133 ret = dirSetSmack(path, label, XATTR_NAME_SMACK, labelAll);
135 LogError("dirSetSmack failed (access label)");
139 if (set_transmutable) {
140 // setting transmute on dirs
141 ret = dirSetSmack(path, "TRUE", XATTR_NAME_SMACKTRANSMUTE, labelDirs);
143 LogError("dirSetSmack failed (transmute)");
148 if (set_executables) {
149 ret = dirSetSmack(path, label, XATTR_NAME_SMACKEXEC, &labelExecs);
152 LogError("dirSetSmack failed (execs).");
160 bool setupPath(const std::string &pkgId, const std::string &path,
161 app_install_path_type pathType)
164 bool label_executables, label_transmute;
167 case SECURITY_MANAGER_PATH_PRIVATE:
168 if (!generatePkgLabel(pkgId, label))
170 label_executables = true;
171 label_transmute = false;
173 case SECURITY_MANAGER_PATH_PUBLIC:
174 label.assign(LABEL_FOR_PUBLIC_APP_PATH);
175 label_executables = false;
176 label_transmute = true;
178 case SECURITY_MANAGER_PATH_PUBLIC_RO:
180 label_executables = false;
181 label_transmute = false;
184 LogError("Path type not known.");
187 return labelDir(path, label, label_transmute, label_executables);
190 bool generateAppLabel(const std::string &appId, std::string &label)
197 bool generatePkgLabel(const std::string &pkgId, std::string &label)
204 } // namespace SecurityManager