10f66f451Sopenharmony_ci/* lsm.h - header file for lib directory 20f66f451Sopenharmony_ci * 30f66f451Sopenharmony_ci * Copyright 2015 Rob Landley <rob@landley.net> 40f66f451Sopenharmony_ci */ 50f66f451Sopenharmony_ci 60f66f451Sopenharmony_ci#if CFG_TOYBOX_SELINUX 70f66f451Sopenharmony_ci#include <selinux/selinux.h> 80f66f451Sopenharmony_ci#else 90f66f451Sopenharmony_ci#define is_selinux_enabled() 0 100f66f451Sopenharmony_ci#define setfscreatecon(...) (-1) 110f66f451Sopenharmony_ci#define getcon(...) (-1) 120f66f451Sopenharmony_ci#define getfilecon(...) (-1) 130f66f451Sopenharmony_ci#define lgetfilecon(...) (-1) 140f66f451Sopenharmony_ci#define fgetfilecon(...) (-1) 150f66f451Sopenharmony_ci#define setfilecon(...) (-1) 160f66f451Sopenharmony_ci#define lsetfilecon(...) (-1) 170f66f451Sopenharmony_ci#define fsetfilecon(...) (-1) 180f66f451Sopenharmony_ci#endif 190f66f451Sopenharmony_ci 200f66f451Sopenharmony_ci#if CFG_TOYBOX_SMACK 210f66f451Sopenharmony_ci#include <sys/smack.h> 220f66f451Sopenharmony_ci#include <linux/xattr.h> 230f66f451Sopenharmony_ci#else 240f66f451Sopenharmony_ci#ifndef XATTR_NAME_SMACK 250f66f451Sopenharmony_ci#define XATTR_NAME_SMACK 0 260f66f451Sopenharmony_ci#endif 270f66f451Sopenharmony_ci#define smack_smackfs_path(...) (-1) 280f66f451Sopenharmony_ci#define smack_new_label_from_self(...) (-1) 290f66f451Sopenharmony_ci#define smack_new_label_from_path(...) (-1) 300f66f451Sopenharmony_ci#define smack_new_label_from_file(...) (-1) 310f66f451Sopenharmony_ci#define smack_set_label_for_self(...) (-1) 320f66f451Sopenharmony_ci#define smack_set_label_for_path(...) (-1) 330f66f451Sopenharmony_ci#define smack_set_label_for_file(...) (-1) 340f66f451Sopenharmony_ci#endif 350f66f451Sopenharmony_ci 360f66f451Sopenharmony_ci// This turns into "return 0" when no LSM and lets code optimize out. 
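// Smack: enabled when smackfs is mounted (smack_smackfs_path() non-NULL).
// SELinux: is_selinux_enabled() returns 1/0/-1; -1 (error) is treated as
// "not enabled" here, the same as the no-LSM fallback macro.
static inline int lsm_enabled(void)
{
  if (CFG_TOYBOX_SMACK) return !!smack_smackfs_path();
  else return is_selinux_enabled() == 1;
}

// Name of the compiled-in LSM, or the generic "LSM" when there is none.
// Returns a string literal: do not free() it.
static inline char *lsm_name(void)
{
  if (CFG_TOYBOX_SMACK) return "Smack";
  if (CFG_TOYBOX_SELINUX) return "SELinux";

  return "LSM";
}

// Fetch this process's lsm context.
// Returns a heap string the caller must free(); "?" when the context could
// not be read (or no LSM is compiled in, where the fallback macros fail).
static inline char *lsm_context(void)
{
  int ok = 0;
  char *result = 0;

  if (CFG_TOYBOX_SMACK) ok = smack_new_label_from_self(&result) > 0;
  else ok = getcon(&result) == 0;

  // getcon() can report success and still hand back a NULL context for an
  // unlabeled process, so check the pointer too: callers print the result
  // and rely on always getting a string back.
  return (ok && result) ? result : strdup("?");
}

// Set default label to apply to newly created stuff (NULL to clear it).
// Returns 0 on success, -1 on error (always -1 with no LSM compiled in).
static inline int lsm_set_create(char *context)
{
  if (CFG_TOYBOX_SMACK) return smack_set_label_for_self(context);
  else return setfscreatecon(context);
}

// Label a file, following symlinks. Returns 0 on success, -1 on error.
static inline int lsm_set_context(char *filename, char *context)
{
  if (CFG_TOYBOX_SMACK)
    return smack_set_label_for_path(filename, XATTR_NAME_SMACK, 1, context);
  else return setfilecon(filename, context);
}

// Label a file, don't follow symlinks (labels the link itself).
// Returns 0 on success, -1 on error.
static inline int lsm_lset_context(char *filename, char *context)
{
  if (CFG_TOYBOX_SMACK)
    return smack_set_label_for_path(filename, XATTR_NAME_SMACK, 0, context);
  else return lsetfilecon(filename, context);
}

// Label a file by filehandle. Returns 0 on success, -1 on error.
static inline int lsm_fset_context(int file, char *context)
{
  if (CFG_TOYBOX_SMACK)
    return smack_set_label_for_file(file, XATTR_NAME_SMACK, context);
  else return fsetfilecon(file, context);
}

// The lsm_*get_context() functions below return -1 in case of error or else
// the length of the context, storing a heap string in *context (caller frees).
// context can be NULL to get the length only.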
// Read a file's label by path, following symlinks.
// -1 on error, otherwise the context length; *context receives the label.
static inline int lsm_get_context(char *filename, char **context)
{
  return CFG_TOYBOX_SMACK
    ? smack_new_label_from_path(filename, XATTR_NAME_SMACK, 1, context)
    : getfilecon(filename, context);
}

// Read a file's label by path without following symlinks (the link's own
// label). -1 on error, otherwise the context length.
static inline int lsm_lget_context(char *filename, char **context)
{
  return CFG_TOYBOX_SMACK
    ? smack_new_label_from_path(filename, XATTR_NAME_SMACK, 0, context)
    : lgetfilecon(filename, context);
}

// Read a file's label by open filehandle. -1 on error, otherwise the
// context length.
static inline int lsm_fget_context(int file, char **context)
{
  return CFG_TOYBOX_SMACK
    ? smack_new_label_from_file(file, XATTR_NAME_SMACK, context)
    : fgetfilecon(file, context);
}