Security/Tizen 2.X libsmack

From Tizen Wiki
Jump to: navigation, search

Libsmack

Libsmack provides API to service daemon, library or utility. With libsmack, service daemon can set Smack label of file or get Smack label, check Smack access, and so on. For example, one function of security-server is privilegeByCookieRequest. This function checks cookie and message came from service daemon, whether client process can get service from daemon. (Service daemon asks security-server to check permission based on cookie)

Cookie has subject label, message has object label and access type. Security-server checks subject, object and access type by calling libsmack api; smack_have_access. Function smack_have_access returns 1 if correct rule is in rule set. Otherwise, it returns 0. Below code represents how developer can use libsmack.

 @security-server/src/service/cookie.cpp
 bool CookieService::privilegeByCookieRequest(MessageBuffer &buffer, MessageBuffer &send)
 {
    std::vector<char> cookie key;
    std::string subject;
    std::string object;
    std::string access;
 
    Try {
        Deserialization::Deserialize(buffer, cookieKey);
        Deserialization::Deserialize(buffer, object);
        Deserialization::Deserialize(buffer, access);
     } Catch (MessageBuffer::Exception::Base) {
        LogDebug("Broken protocol. Closing socket.");
        return false;
     }
 
    Cookie searchPattern;
    searchPattern.cookieId = cookieKey;
 
    /* searchResult is cookie instance having subject label */ 
    const Cookie *searchResult = m_cookieJar.SearchCookie(searchPattern, CompareType::COOKIE_ID);
   
    if (searchResult != NULL) {
        if (!smack_check()) {
             Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
        } else {
             subject = searchResult->smackLabel;
             int retval;
 
             /* security-server calls smack_have_access of libsmack, pass three components; subject, object, access type */
             /* If return value of smack_have_access is 1, security-server sends successive value; SECURITY_SERVER_API_SUCCESS,
                  otherwise, security-server sends access denied value; SECURITY_SERVER_API_ERROR_ACCESS_DENIED 
             */
             if ((retval = smack_have_access(subject.c_str(), object.c_str(), access.c_str())) == 1)
                Serialization::Serialize(send, (int)SECURITY_SERVER_API_SUCCESS);
             else {
                Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_ACCESS_DENIED);
                LogSmackAudit("SS_Smack: "
                      << " subject=" << subject
                      << ", object=" << object
                      << ", access=" << access
                      << ", result=" << retval);
              }
          }
      } else {
          Serialization::Serialize(send, (int)SECURITY_SERVER_API_ERROR_NO_SUCH_COOKIE);
      }
 
      return true;
  }

Libsmack is also used for smack-utility like command; chsmack, smackctl, smackload and so on.

Below APIs are provided from libsmack.

Name Description
smack_accesses_new Create new structure of smack accesses
smack_accesses_free Clear structure of smack acccesses after finishing task[rule loading, clear rule]
smack_accesses_save Write access rules to a file
smack_accesses_apply Load smack rule into kernel memory
smack_accesses_clear Clear smack rule loaded in kernel memory
smack_accesses_add Insert a rule
smack_accesses_add_modify change access type
smack_accesses_add_from_file Insert rule file based on file descriptor
accesses_add Internal function of smack_accesses_add
smack_have_access Check whether rule exists about subject+object+access_type
smack_cipso_new Create CIPSO structure
smack_cipso_free Remove CIPSO structure
smack_cipso_apply Write CIPSO contents in /sys/fs/smackfs/cipso2 or /sys/fs/smackfs/cipso
smack_smackfs_path Check smack mount filesystem and get path of it
smack_new_label_from_self Get smack label of current process; /proc/self/attr/current
smack_new_label_from_socket Get smack label of certain socket
smack_set_label_for_self Set label of current process (Same with 'echo [label] > /proc/self/attr/current')
smack_revoke_subject Write label of subject wanted be revoked in /sys/fs/smackfs/revoke-subject, rule associated with the subject is removed
smack_getlabel Get label and name of extended attributes based on path
smack_lgetlabel Get label and name of extended attributes in case that path is symbolic link
smack_fgetlabel Get label and name of extended attributes based on file descriptor
smack_setlabel Remove original label and name of extended attributes and set new one
smack_lsetlabel Remove original label and name of extended attributes and set new one in case that path is symbolic link
smack_fsetlabel Remove original label and name of extended attributes and set new one based on file descriptor
internal_getlabel Internal function of smack_getlabel & smack_lgetlabel & smack_fgetlabel
internal_setlabel Internal function of smack_setlabel & smack_lsetlabel & smack_fsetlabel
accesses_apply Internal function of smack_accesses_apply
get_xattr_name Get name of extended attribute based on label type

API



int smack_accesses_new(struct smack_accesses **accesses);

  • Description : Create new structure of smack accesses
  • Parameter :
accesses structure about access
  • Return : 0 on success / -1 on error


void smack_accesses_free(struct smack_accesses *handle);

  • Description : Clear structure of smack acccesses after finishing task[rule loading, clear rule]
  • Parameter :
handle structure about access


int smack_accesses_save(struct smack_accesses *handle, int fd);

  • Description : Write access rules to a file
  • Parameter :
handle handler of access structure
fd file descriptor
  • Return : 0 on success / -1 on error


int smack_accesses_apply(struct smack_accesses *handle);

  • Description : Load smack rule into kernel memory
  • Parameter :
handle handler of access structure
  • Return : 0 on success / -1 on error


int smack_accesses_clear(struct smack_accesses *handle);

  • Description : Clear smack rule loaded in kernel memory
  • Parameter :
handle handler of access structure
  • Return : 0 on success / -1 on error


static int accesses_add(struct smack_accesses *handle, const char *subject, const char *object, const char *allow_access_type, const char *deny_access_type);

  • Description : Internal function of smack_accesses_add
  • Parameter :
handle handler of access structure
subject subject label
object object label
allow_access_type type of allowed access
deny_access_type type of deny access
  • Return : 0 on success / -1 on error


int smack_accesses_add(struct smack_accesses *handle, const char *subject, const char *object, const char *access_type);

  • Description : Insert a rule
  • Parameter :
handle handler of access structure
subject subject label
object object label
access_type type of access
  • Return : 0 on success / -1 on error


int smack_accesses_add_modify(struct smack_accesses *handle, const char *subject, const char *object, const char *allow_access_type, const char *deny_access_type);

  • Description : Change access type
  • Parameter :
handle handler of access structure
subject subject label
object object label
allow_access_type type of allowed access
deny_access_type type of deny access
  • Return : 0 on success / -1 on error


int smack_accesses_add_from_file(struct smack_accesses *accesses, int fd);

  • Description : Insert rule file based on file descriptor
  • Parameter :
accesses Pointer of access structure
fd file descriptor
  • Return : 0 on success / -1 on error


int smack_have_access(const char *subject, const char *object, const char *access_type);

  • Description : Check whether rule exists about subject-object-access_type
  • Parameter :
subject subject label
object object label
access_type type of access
  • Return : 1 on success / -1 on error


int smack_cipso_new(struct smack_cipso *cipso);

  • Description : Create CIPSO structure
  • Parameter :
cipso structure of cipso object
  • Return : 0 on success / -1 on error


void smack_cipso_free(struct smack_cipso *cipso);

  • Description : Remove CIPSO structure
  • Parameter :
cipso structure of cipso object


int smack_cipso_apply(struct smack_cipso *cipso);

  • Description : Write CIPSO contents in /sys/fs/smackfs/cipso2 or /sys/fs/smackfs/cipso
  • Parameter :
cipso structure of cipso object
fd file descriptor
  • Return : 0 on success / -1 on error


const char smack_smackfs_path(void);

  • Description : Check smack mount filesystem and get path of it
  • Return : path of mounted smack file system


ssize_t smack_new_label_from_self(char **label);

  • Description : Get smack label of current process; /proc/self/attr/current
  • Parameter :
label label of /proc/self/attr/current
  • Return : Length of label


ssize_t smack_new_label_from_socket(int fd, char **label);

  • Description : Get smack label of certain socket
  • Parameter :
fd descriptor of socket
label label of socket
  • Return : Length of label


int smack_set_label_for_self(const char *label);

  • Description : Set label of current process (Same with 'echo [label] > /proc/self/attr/current')
  • Parameter :
label label wanted to be set
  • Return : 0 on success / -1 on error


int smack_revoke_subject(const char *subject);

  • Description : Remove rule associated with the subject by writing label of subject wanted be revoked in /sys/fs/smackfs/revoke-subject
  • Parameter :
subject subject label
  • Return : 0 on success / -1 on error


int smack_getlabel(const char *path, char** label, enum smack_label_type type);

  • Description : Get label and name of extended attributes based on path
  • Parameter :
path Path of file
label Label of file
type Type of smack label(access label, execution label, etc)
  • Return : 0 on success / -1 on error


int smack_lgetlabel(const char *path, char** label, enum smack_label_type type);

  • Description : Get label and name of extended attributes in case path is symbolic link
  • Parameter :
path Path of file
label Label of file
type Type of smack label(access label, execution label, etc)
  • Return : 0 on success / -1 on error


int smack_fgetlabel(int fd, char** label, enum smack_label_type type);

  • Description : Get label and name of extended attributes based on file descriptor
  • Parameter :
fd descriptor of file
label Label of file
type Type of smack label(access label, execution label, etc)
  • Return : 0 on success / -1 on error


int smack_setlabel(const char *path, const char* label, enum smack_label_type type);

  • Description : Set new label by rename extended attributes. If label is not declared, then remove label
  • Parameter :
path Path of file
label Label of file
type Type of smack label(access label, execution label, etc)
  • Return : 0 on success / -1 on error


int smack_lsetlabel(const char *path, const char* label, enum smack_label_type type);

  • Description : Set new label by rename extended attributes. If label is not declared, then remove label. This function is called in case path is symbolic link
  • Parameter :
path Path of file
label Label of file
type Type of smack label(access label, execution label, etc)
  • Return : 0 on success / -1 on error


int smack_fsetlabel(int fd, const char* label, enum smack_label_type type);

  • Description : Set new label or remove existing label(in case that label is null) based on file descriptor
  • Parameter :
fd descriptor of file
label label of file
type type of smack label(access label, execution label, etc)
  • Return : 0 on success / -1 on error


static int internal_getlabel(void* file, char** label, enum smack_label_type type, getxattr_func getfunc);

  • Description : Internal function of smack_getlabel & smack_lgetlabel & smack_fgetlabel
  • Parameter :
file path of file
label label of file
type type of smack label(access label, execution label, etc)
getfunc Function pointer of getting extended attributes
  • Return : 0 on success / -1 on error


static int internal_setlabel(void* file, const char* label, enum smack_label_type type, setxattr_func setfunc, removexattr_func removefunc);

  • Description : Internal function of smack_setlabel & smack_lsetlabel & smack_fsetlabel
  • Parameter :
file path of file
label label of file
type type of smack label(access label, execution label, etc)
setfunc Function pointer of setting new extended attributes
removefunc Function pointer of removing current extended attributes
  • Return : 0 on success / -1 on error


static int accesses_apply(struct smack_accesses *handle, int clear);

  • Description : Internal function of smack_accesses_apply
  • Parameter :
handle structure of access
clear clear rule about allowed all access type
  • Return : 0 on success / -1 on error


static inline char* get_xattr_name(enum smack_label_type type);

  • Description : Get name of extended attribute based on label type
  • Parameter :
type label type( integer type value )
  • Return : extended attribute name(e.g.security.Smack64 or security.Smack64EXEC / NULL in case of default)