xref: /freebsd/usr.sbin/setfmac/setfmac.c (revision 05427f4639bcf2703329a9be9d25ec09bb782742)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2002, 2004 Networks Associates Technology, Inc.
5  * All rights reserved.
6  *
7  * This software was developed for the FreeBSD Project by NAI Labs, the
8  * Security Research Division of Network Associates, Inc. under
9  * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA
10  * CHATS research program.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <sys/types.h>
35 #include <sys/mac.h>
36 #include <sys/queue.h>
37 #include <sys/stat.h>
38 
39 #include <ctype.h>
40 #include <err.h>
41 #include <errno.h>
42 #include <fts.h>
43 #include <libgen.h>
44 #include <regex.h>
45 #include <stdio.h>
46 #include <stdlib.h>
47 #include <string.h>
48 #include <unistd.h>
49 
50 struct label_spec {
51 	struct label_spec_entry {
52 		regex_t regex;	/* compiled regular expression to match */
53 		char *regexstr;	/* uncompiled regular expression */
54 		mode_t mode;	/* mode to possibly match */
55 		const char *modestr;	/* print-worthy ",-?" mode string */
56 		char *mactext;	/* MAC label to apply */
57 		int flags;	/* miscellaneous flags */
58 #define		F_DONTLABEL	0x01
59 #define		F_ALWAYSMATCH	0x02
60 	} *entries,		/* entries[0..nentries] */
61 	  *match;		/* cached decision for MAC label to apply */
62 	size_t nentries;	/* size of entries list */
63 	STAILQ_ENTRY(label_spec) link;
64 };
65 
66 struct label_specs {
67 	STAILQ_HEAD(label_specs_head, label_spec) head;
68 };
69 
70 void usage(int) __dead2;
71 struct label_specs *new_specs(void);
72 void add_specs(struct label_specs *, const char *, int);
73 void add_setfmac_specs(struct label_specs *, char *);
74 void add_spec_line(const char *, int, struct label_spec_entry *, char *);
75 int apply_specs(struct label_specs *, FTSENT *, int, int);
76 int specs_empty(struct label_specs *);
77 
78 static int qflag;
79 
80 int
81 main(int argc, char **argv)
82 {
83 	FTSENT *ftsent;
84 	FTS *fts;
85 	struct label_specs *specs;
86 	int eflag = 0, xflag = 0, vflag = 0, Rflag = 0, hflag;
87 	int ch, is_setfmac;
88 	char *bn;
89 
90 	bn = basename(argv[0]);
91 	if (bn == NULL)
92 		err(1, "basename");
93 	is_setfmac = strcmp(bn, "setfmac") == 0;
94 	hflag = is_setfmac ? FTS_LOGICAL : FTS_PHYSICAL;
95 	specs = new_specs();
96 	while ((ch = getopt(argc, argv, is_setfmac ? "Rhq" : "ef:qs:vx")) !=
97 	    -1) {
98 		switch (ch) {
99 		case 'R':
100 			Rflag = 1;
101 			break;
102 		case 'e':
103 			eflag = 1;
104 			break;
105 		case 'f':
106 			add_specs(specs, optarg, 0);
107 			break;
108 		case 'h':
109 			hflag = FTS_PHYSICAL;
110 			break;
111 		case 'q':
112 			qflag = 1;
113 			break;
114 		case 's':
115 			add_specs(specs, optarg, 1);
116 			break;
117 		case 'v':
118 			vflag++;
119 			break;
120 		case 'x':
121 			xflag = FTS_XDEV;
122 			break;
123 		default:
124 			usage(is_setfmac);
125 		}
126 	}
127 	argc -= optind;
128 	argv += optind;
129 
130 	if (is_setfmac) {
131 		if (argc <= 1)
132 			usage(is_setfmac);
133 		add_setfmac_specs(specs, *argv);
134 		argc--;
135 		argv++;
136 	} else {
137 		if (argc == 0 || specs_empty(specs))
138 			usage(is_setfmac);
139 	}
140 	fts = fts_open(argv, hflag | xflag, NULL);
141 	if (fts == NULL)
142 		err(1, "cannot traverse filesystem%s", argc ? "s" : "");
143 	while (errno = 0, (ftsent = fts_read(fts)) != NULL) {
144 		switch (ftsent->fts_info) {
145 		case FTS_DP:		/* skip post-order */
146 			break;
147 		case FTS_D:		/* do pre-order */
148 		case FTS_DC:		/* do cyclic? */
149 			/* don't ever recurse directories as setfmac(8) */
150 			if (is_setfmac && !Rflag)
151 				fts_set(fts, ftsent, FTS_SKIP);
152 		case FTS_DEFAULT:	/* do default */
153 		case FTS_F:		/* do regular */
154 		case FTS_SL:		/* do symlink */
155 		case FTS_SLNONE:	/* do symlink */
156 		case FTS_W:		/* do whiteout */
157 			if (apply_specs(specs, ftsent, hflag, vflag)) {
158 				if (eflag) {
159 					errx(1, "labeling not supported in %s",
160 					    ftsent->fts_path);
161 				}
162 				if (!qflag)
163 					warnx("labeling not supported in %s",
164 					    ftsent->fts_path);
165 				fts_set(fts, ftsent, FTS_SKIP);
166 			}
167 			break;
168 		case FTS_DNR:		/* die on all errors */
169 		case FTS_ERR:
170 		case FTS_NS:
171 			err(1, "traversing %s", ftsent->fts_path);
172 		default:
173 			errx(1, "CANNOT HAPPEN (%d) traversing %s",
174 			    ftsent->fts_info, ftsent->fts_path);
175 		}
176 	}
177 	if (errno != 0)
178 		err(1, "fts_read");
179 	fts_close(fts);
180 	exit(0);
181 }
182 
183 void
184 usage(int is_setfmac)
185 {
186 
187 	if (is_setfmac)
188 		fprintf(stderr, "usage: setfmac [-Rhq] label file ...\n");
189 	else
190 		fprintf(stderr, "usage: setfsmac [-ehqvx] [-f specfile [...]] [-s specfile [...]] file ...\n");
191 	exit(1);
192 }
193 
194 static int
195 chomp_line(char **line, size_t *linesize)
196 {
197 	char *s;
198 	int freeme = 0;
199 
200 	for (s = *line; (unsigned)(s - *line) < *linesize; s++) {
201 		if (!isspace(*s))
202 			break;
203 	}
204 	if (*s == '#') {
205 		**line = '\0';
206 		*linesize = 0;
207 		return (freeme);
208 	}
209 	memmove(*line, s, *linesize - (s - *line));
210 	*linesize -= s - *line;
211 	for (s = &(*line)[*linesize - 1]; s >= *line; s--) {
212 		if (!isspace(*s))
213 			break;
214 	}
215 	if (s != &(*line)[*linesize - 1]) {
216 		*linesize = s - *line + 1;
217 	} else {
218 		s = malloc(*linesize + 1);
219 		if (s == NULL)
220 			err(1, "malloc");
221 		strncpy(s, *line, *linesize);
222 		*line = s;
223 		freeme = 1;
224 	}
225 	(*line)[*linesize] = '\0';
226 	return (freeme);
227 }
228 
229 void
230 add_specs(struct label_specs *specs, const char *file, int is_sebsd)
231 {
232 	struct label_spec *spec;
233 	FILE *fp;
234 	char *line;
235 	size_t nlines = 0, linesize;
236 	int freeline;
237 
238 	spec = malloc(sizeof(*spec));
239 	if (spec == NULL)
240 		err(1, "malloc");
241 	fp = fopen(file, "r");
242 	if (fp == NULL)
243 		err(1, "opening %s", file);
244 	while ((line = fgetln(fp, &linesize)) != NULL) {
245 		freeline = chomp_line(&line, &linesize);
246 		if (linesize > 0) /* only allocate space for non-comments */
247 			nlines++;
248 		if (freeline)
249 			free(line);
250 	}
251 	if (ferror(fp))
252 		err(1, "fgetln on %s", file);
253 	rewind(fp);
254 	spec->entries = calloc(nlines, sizeof(*spec->entries));
255 	if (spec->entries == NULL)
256 		err(1, "malloc");
257 	spec->nentries = nlines;
258 	while (nlines > 0) {
259 		line = fgetln(fp, &linesize);
260 		if (line == NULL) {
261 			if (feof(fp))
262 				errx(1, "%s ended prematurely", file);
263 			else
264 				err(1, "failure reading %s", file);
265 		}
266 		freeline = chomp_line(&line, &linesize);
267 		if (linesize == 0) {
268 			if (freeline)
269 				free(line);
270 			continue;
271 		}
272 		add_spec_line(file, is_sebsd, &spec->entries[--nlines], line);
273 		if (freeline)
274 			free(line);
275 	}
276 	fclose(fp);
277 	if (!qflag)
278 		warnx("%s: read %lu specifications", file,
279 		    (long)spec->nentries);
280 	STAILQ_INSERT_TAIL(&specs->head, spec, link);
281 }
282 
283 void
284 add_setfmac_specs(struct label_specs *specs, char *label)
285 {
286 	struct label_spec *spec;
287 
288 	spec = malloc(sizeof(*spec));
289 	if (spec == NULL)
290 		err(1, "malloc");
291 	spec->nentries = 1;
292 	spec->entries = calloc(spec->nentries, sizeof(*spec->entries));
293 	if (spec->entries == NULL)
294 		err(1, "malloc");
295 	/* The _only_ thing specified here is the mactext! */
296 	spec->entries->mactext = label;
297 	spec->entries->flags |= F_ALWAYSMATCH;
298 	STAILQ_INSERT_TAIL(&specs->head, spec, link);
299 }
300 
301 void
302 add_spec_line(const char *file, int is_sebsd, struct label_spec_entry *entry,
303     char *line)
304 {
305 	char *regexstr, *modestr, *macstr, *regerrorstr;
306 	size_t size;
307 	int error;
308 
309 	regexstr = strtok(line, " \t");
310 	if (regexstr == NULL)
311 		errx(1, "%s: need regular expression", file);
312 	modestr = strtok(NULL, " \t");
313 	if (modestr == NULL)
314 		errx(1, "%s: need a label", file);
315 	macstr = strtok(NULL, " \t");
316 	if (macstr == NULL) {	/* the mode is just optional */
317 		macstr = modestr;
318 		modestr = NULL;
319 	}
320 	if (strtok(NULL, " \t") != NULL)
321 		errx(1, "%s: extraneous fields at end of line", file);
322 	/* assume we need to anchor this regex */
323 	if (asprintf(&regexstr, "^%s$", regexstr) == -1)
324 		err(1, "%s: processing regular expression", file);
325 	entry->regexstr = regexstr;
326 	error = regcomp(&entry->regex, regexstr, REG_EXTENDED | REG_NOSUB);
327 	if (error) {
328 		size = regerror(error, &entry->regex, NULL, 0);
329 		regerrorstr = malloc(size);
330 		if (regerrorstr == NULL)
331 			err(1, "malloc");
332 		(void)regerror(error, &entry->regex, regerrorstr, size);
333 		errx(1, "%s: %s: %s", file, entry->regexstr, regerrorstr);
334 	}
335 	if (!is_sebsd) {
336 		entry->mactext = strdup(macstr);
337 		if (entry->mactext == NULL)
338 			err(1, "strdup");
339 	} else {
340 		if (asprintf(&entry->mactext, "sebsd/%s", macstr) == -1)
341 			err(1, "asprintf");
342 		if (strcmp(macstr, "<<none>>") == 0)
343 			entry->flags |= F_DONTLABEL;
344 	}
345 	if (modestr != NULL) {
346 		if (strlen(modestr) != 2 || modestr[0] != '-')
347 			errx(1, "%s: invalid mode string: %s", file, modestr);
348 		switch (modestr[1]) {
349 		case 'b':
350 			entry->mode = S_IFBLK;
351 			entry->modestr = ",-b";
352 			break;
353 		case 'c':
354 			entry->mode = S_IFCHR;
355 			entry->modestr = ",-c";
356 			break;
357 		case 'd':
358 			entry->mode = S_IFDIR;
359 			entry->modestr = ",-d";
360 			break;
361 		case 'p':
362 			entry->mode = S_IFIFO;
363 			entry->modestr = ",-p";
364 			break;
365 		case 'l':
366 			entry->mode = S_IFLNK;
367 			entry->modestr = ",-l";
368 			break;
369 		case 's':
370 			entry->mode = S_IFSOCK;
371 			entry->modestr = ",-s";
372 			break;
373 		case '-':
374 			entry->mode = S_IFREG;
375 			entry->modestr = ",--";
376 			break;
377 		default:
378 			errx(1, "%s: invalid mode string: %s", file, modestr);
379 		}
380 	} else {
381 		entry->modestr = "";
382 	}
383 }
384 
385 int
386 specs_empty(struct label_specs *specs)
387 {
388 
389 	return (STAILQ_EMPTY(&specs->head));
390 }
391 
392 int
393 apply_specs(struct label_specs *specs, FTSENT *ftsent, int hflag, int vflag)
394 {
395 	regmatch_t pmatch;
396 	struct label_spec *ls;
397 	struct label_spec_entry *ent;
398 	char *regerrorstr, *macstr;
399 	size_t size;
400 	mac_t mac;
401 	int error, matchedby;
402 
403 	/*
404 	 * Work through file context sources in order of specification
405 	 * on the command line, and through their entries in reverse
406 	 * order to find the "last" (hopefully "best") match.
407 	 */
408 	matchedby = 0;
409 	STAILQ_FOREACH(ls, &specs->head, link) {
410 		for (ls->match = NULL, ent = ls->entries;
411 		    ent < &ls->entries[ls->nentries]; ent++) {
412 			if (ent->flags & F_ALWAYSMATCH)
413 				goto matched;
414 			if (ent->mode != 0 &&
415 			    (ftsent->fts_statp->st_mode & S_IFMT) != ent->mode)
416 				continue;
417 			pmatch.rm_so = 0;
418 			pmatch.rm_eo = ftsent->fts_pathlen;
419 			error = regexec(&ent->regex, ftsent->fts_path, 1,
420 			    &pmatch, REG_STARTEND);
421 			switch (error) {
422 			case REG_NOMATCH:
423 				continue;
424 			case 0:
425 				break;
426 			default:
427 				size = regerror(error, &ent->regex, NULL, 0);
428 				regerrorstr = malloc(size);
429 				if (regerrorstr == NULL)
430 					err(1, "malloc");
431 				(void)regerror(error, &ent->regex, regerrorstr,
432 				    size);
433 				errx(1, "%s: %s", ent->regexstr, regerrorstr);
434 			}
435 		matched:
436 			ls->match = ent;
437 			if (vflag) {
438 				if (matchedby == 0) {
439 					printf("%s matched by ",
440 					    ftsent->fts_path);
441 					matchedby = 1;
442 				}
443 				printf("%s(%s%s,%s)", matchedby == 2 ? "," : "",
444 				    ent->regexstr, ent->modestr, ent->mactext);
445 				if (matchedby == 1)
446 					matchedby = 2;
447 			}
448 			break;
449 		}
450 	}
451 	if (vflag && matchedby)
452 		printf("\n");
453 	size = 0;
454 	STAILQ_FOREACH(ls, &specs->head, link) {
455 		/* cached match decision */
456 		if (ls->match && (ls->match->flags & F_DONTLABEL) == 0)
457 			 /* add length of "x\0"/"y," */
458 			size += strlen(ls->match->mactext) + 1;
459 	}
460 	if (size == 0)
461 		return (0);
462 	macstr = malloc(size);
463 	if (macstr == NULL)
464 		err(1, "malloc");
465 	*macstr = '\0';
466 	STAILQ_FOREACH(ls, &specs->head, link) {
467 		/* cached match decision */
468 		if (ls->match && (ls->match->flags & F_DONTLABEL) == 0) {
469 			if (*macstr != '\0')
470 				strcat(macstr, ",");
471 			strcat(macstr, ls->match->mactext);
472 		}
473 	}
474 	if (mac_from_text(&mac, macstr))
475 		err(1, "mac_from_text(%s)", macstr);
476 	if ((hflag == FTS_PHYSICAL ? mac_set_link(ftsent->fts_accpath, mac) :
477 	    mac_set_file(ftsent->fts_accpath, mac)) != 0) {
478 		if (errno == EOPNOTSUPP) {
479 			mac_free(mac);
480 			free(macstr);
481 			return (1);
482 		}
483 		err(1, "mac_set_link(%s, %s)", ftsent->fts_path, macstr);
484 	}
485 	mac_free(mac);
486 	free(macstr);
487 	return (0);
488 }
489 
490 struct label_specs *
491 new_specs(void)
492 {
493 	struct label_specs *specs;
494 
495 	specs = malloc(sizeof(*specs));
496 	if (specs == NULL)
497 		err(1, "malloc");
498 	STAILQ_INIT(&specs->head);
499 	return (specs);
500 }
501