1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
32 #include <selinux/context.h>
33 #include <selinux/label.h>
34 #include <selinux/selinux.h>
37 #include "alloc-util.h"
40 #include "path-util.h"
41 #include "selinux-util.h"
42 #include "time-util.h"
/* Scope-exit cleanup wrappers: freeconp() / context_freep() call freecon() /
 * context_free() through a pointer, so locals declared with the _cleanup_
 * attributes below are released automatically on every return path. */
46 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
47 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
49 #define _cleanup_security_context_free_ _cleanup_(freeconp)
50 #define _cleanup_context_free_ _cleanup_(context_freep)
/* Tri-state cache for mac_selinux_use(): -1 = not probed yet, otherwise the
 * result of is_selinux_enabled() > 0. */
52 static int cached_use = -1;
/* File-context database handle: opened by mac_selinux_init(), closed by
 * mac_selinux_finish(), consulted by every selabel_lookup_raw() in this file.
 * NULL means "not initialized"; mac_selinux_fix() documents itself as a
 * no-op in that state. */
53 static struct selabel_handle *label_hnd = NULL;
/* Log a labelling failure as an error only when the kernel is enforcing
 * (security_getenforce() == 1); in permissive mode it is demoted to debug.
 * NOTE(review): the level expression runs security_getenforce(), which does
 * file I/O, before the "%m" in the message is formatted -- confirm it leaves
 * errno untouched, otherwise the logged error may not be the one that failed. */
55 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
/* Report whether SELinux is enabled on this system. The answer is probed via
 * is_selinux_enabled() and stored as 0/1 in cached_use; the "already cached"
 * guard and the return statement are not part of this excerpt. */
58 bool mac_selinux_use(void) {
61 cached_use = is_selinux_enabled() > 0;
69 #if 0 /// UNNEEDED by elogind
/* Presumably resets cached_use so the next mac_selinux_use() re-probes the
 * kernel; the body is not visible here. Compiled out in elogind (#if 0 above). */
70 void mac_selinux_retest(void) {
/* Open the SELinux file-context database into label_hnd, optionally
 * restricted to entries under `prefix` (SELABEL_OPT_SUBSET).
 *
 * Returns 0 when SELinux is not in use or after a successful open. If
 * selabel_open() fails the error is logged through log_enforcing() and
 * -errno is returned only when the kernel is enforcing; in permissive mode
 * the failure is swallowed and 0 is returned, so the labelling helpers below
 * then run without a database (fail-open by design). The timestamp and
 * mallinfo() bookkeeping only feeds the debug message at the end. */
77 int mac_selinux_init(const char *prefix) {
81 usec_t before_timestamp, after_timestamp;
/* mallinfo() is the legacy heap-statistics API (superseded by mallinfo2() in
 * newer glibc); its int counters are diagnostic only here. */
82 struct mallinfo before_mallinfo, after_mallinfo;
84 if (!mac_selinux_use())
90 before_mallinfo = mallinfo();
91 before_timestamp = now(CLOCK_MONOTONIC);
/* With a prefix, load only the file_contexts entries under that subtree ... */
94 struct selinux_opt options[] = {
95 { .type = SELABEL_OPT_SUBSET, .value = prefix },
98 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
/* ... otherwise load the full database (the prefix test is not shown here). */
100 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* NOTE(review): errno is read after security_getenforce() has run (inside
 * log_enforcing() and again on the next line); save it right after
 * selabel_open() if that call can disturb it. */
103 log_enforcing("Failed to initialize SELinux context: %m");
104 r = security_getenforce() == 1 ? -errno : 0;
106 char timespan[FORMAT_TIMESPAN_MAX];
109 after_timestamp = now(CLOCK_MONOTONIC);
110 after_mallinfo = mallinfo();
/* Heap growth attributed to the database, clamped at 0 when the "after"
 * figure is not larger than the "before" one. */
112 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
114 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
115 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
123 #if 0 /// UNNEEDED by elogind
/* Release the file-context database opened by mac_selinux_init(). Compiled
 * out in elogind (#if 0 above); any NULL guard or reset of label_hnd around
 * selabel_close() is not visible here. */
124 void mac_selinux_finish(void) {
130 selabel_close(label_hnd);
/* Relabel `path` according to the loaded policy (restorecon-style).
 *
 * Uses lstat() + lsetfilecon(), so a symlink at `path` is labelled itself
 * rather than followed. Silent exits: no policy entry for the path
 * (selabel_lookup_raw() -> ENOENT), a filesystem without label support
 * (lsetfilecon() -> EOPNOTSUPP), and ENOENT/EROFS when the caller opted in
 * via ignore_enoent/ignore_erofs. Any other failure is logged through
 * log_enforcing() and propagated only when the kernel is enforcing;
 * permissive mode is treated as success. The return statements, the
 * label_hnd guard and the lstat() error check sit between the visible lines. */
136 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
144 /* if mac_selinux_init() wasn't called before we are a NOOP */
148 r = lstat(path, &st);
150 _cleanup_security_context_free_ security_context_t fcon = NULL;
/* st.st_mode selects the file-type-specific policy entry for this path. */
152 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
154 /* If there's no label to set, then exit without warning */
155 if (r < 0 && errno == ENOENT)
159 r = lsetfilecon(path, fcon);
161 /* If the FS doesn't support labels, then exit without warning */
162 if (r < 0 && errno == EOPNOTSUPP)
168 /* Ignore ENOENT in some cases */
169 if (ignore_enoent && errno == ENOENT)
172 if (ignore_erofs && errno == EROFS)
/* NOTE(review): if the enforcing branch below returns -errno, that read
 * happens after log_enforcing()/security_getenforce(); save errno right after
 * lsetfilecon() if those calls can clobber it. */
175 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
176 if (security_getenforce() == 1)
184 #if 0 /// UNNEDED by elogind
/* Set a caller-supplied `label` on `path` with setfilecon(). Compiled out in
 * elogind (#if 0 above). Failure is logged through log_enforcing() and is an
 * error only when the kernel is enforcing. Note the `> 0` test here versus
 * `== 1` in mac_selinux_init()/mac_selinux_fix(): equivalent for the -1/0/1
 * results security_getenforce() documents, but inconsistent in style. */
185 int mac_selinux_apply(const char *path, const char *label) {
188 if (!mac_selinux_use())
/* The cast only drops const; security_context_t is a char * typedef. */
194 if (setfilecon(path, (security_context_t) label) < 0) {
195 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
196 if (security_getenforce() > 0)
/* Compute the context a process would receive if this process executed `exe`:
 * security_compute_create() over (our context, exe's file context, class
 * "process"). On success *label is a libselinux-allocated string that the
 * caller hands to mac_selinux_free(). Does nothing when SELinux is not in use.
 * The _raw variants return policy (untranslated) contexts, which is what
 * security_compute_create() expects. The r < 0 checks after getcon_raw() and
 * getfilecon_raw() are not part of this excerpt. */
203 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
207 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
208 security_class_t sclass;
213 if (!mac_selinux_use())
216 r = getcon_raw(&mycon);
220 r = getfilecon_raw(exe, &fcon);
224 sclass = string_to_security_class("process");
/* label is a char **; security_context_t is char *, so the cast is layout-safe. */
225 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Fetch this process's own (untranslated) context into *label via
 * getcon_raw(); the caller releases it with mac_selinux_free(). Does nothing
 * when SELinux is not in use. The error mapping after getcon_raw() is not
 * visible here. */
233 int mac_selinux_get_our_label(char **label) {
239 if (!mac_selinux_use())
242 r = getcon_raw(label);
/* Compute the context for a child spawned on behalf of the peer connected on
 * `socket_fd`. The source context is our own with its MLS range replaced by
 * the peer's, so the child runs at the requester's sensitivity level rather
 * than ours; the target is the file context of `exe` (used when no explicit
 * exec_label is given, per the comment below -- that branch is not visible).
 * *label is libselinux-allocated; free it with mac_selinux_free(). The r < 0
 * checks and the unwinding between the visible lines are not shown.
 *
 * NOTE(review): mycon is first filled by getcon_raw() and later reassigned
 * from strdup(); the freecon(mycon) that must precede the reassignment is not
 * visible here -- confirm it exists, otherwise the first context leaks. */
250 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
254 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
255 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
256 security_class_t sclass;
/* Points into pcon's storage (libselinux contract); never freed separately. */
257 const char *range = NULL;
259 assert(socket_fd >= 0);
263 if (!mac_selinux_use())
266 r = getcon_raw(&mycon);
/* The peer's context as the kernel reports it for this connected socket. */
270 r = getpeercon(socket_fd, &peercon);
275 /* If there is no context set for next exec let's use context
276 of target executable */
277 r = getfilecon_raw(exe, &fcon);
/* Parse both flat strings so individual fields can be edited. */
282 bcon = context_new(mycon);
286 pcon = context_new(peercon);
/* Transplant the peer's MLS range (sensitivity:categories) into our context. */
290 range = context_range_get(pcon);
294 r = context_range_set(bcon, range);
/* Serialize the edited context back into a flat string for the SID lookup. */
299 mycon = strdup(context_str(bcon));
303 sclass = string_to_security_class("process");
304 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Release a label obtained from the mac_selinux_get_*() helpers; they are
 * libselinux allocations, hence freecon(). Presumably returns NULL so callers
 * can write `label = mac_selinux_free(label)`; the return statements and any
 * NULL check on `label` are not visible here.
 * NOTE(review): when mac_selinux_use() reports "disabled" the label is not
 * freed at all -- fine only if no label can have been handed out in that
 * state; confirm mac_selinux_retest() cannot flip the answer in between. */
312 char* mac_selinux_free(char *label) {
318 if (!mac_selinux_use())
322 freecon((security_context_t) label);
/* Arrange for the file about to be created at `path` (type bits in `mode`)
 * to carry the policy-mandated context: look the label up in the
 * file-context database and install it with setfscreatecon(). The database
 * is keyed on absolute paths, so a relative `path` is anchored at the cwd
 * first. Undo with mac_selinux_create_file_clear().
 *
 * A path without a policy entry is left alone (proceed, per the comment
 * below). A lookup or setfscreatecon() failure is logged via log_enforcing()
 * and is an error only when the kernel is enforcing. The mac_selinux_use() /
 * label_hnd guards and the -errno returns sit between the visible lines. */
329 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
332 _cleanup_security_context_free_ security_context_t filecon = NULL;
340 if (path_is_absolute(path))
341 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
343 _cleanup_free_ char *newpath = NULL;
/* Relative path: resolve against the cwd so the lookup sees a full path. */
345 r = path_make_absolute_cwd(path, &newpath);
349 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
353 /* No context specified by the policy? Proceed without setting it. */
357 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
/* setfscreatecon() is per-thread state in libselinux: only this thread's
 * subsequent file creations pick up filecon. */
359 if (setfscreatecon(filecon) >= 0)
360 return 0; /* Success! */
362 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
365 if (security_getenforce() > 0)
/* Counterpart of mac_selinux_create_file_prepare(): drop the pending
 * fs-create context so later file creations get their default label again.
 * The setfscreatecon(NULL) result is ignored; if it failed, the previously
 * installed context would stay in effect with no way to report it from a
 * void function. */
372 void mac_selinux_create_file_clear(void) {
377 if (!mac_selinux_use())
380 setfscreatecon(NULL);
384 #if 0 /// UNNEEDED by elogind
/* Make sockets created afterwards carry the caller-supplied `label` via
 * setsockcreatecon(). Compiled out in elogind (#if 0 above). Failure is
 * logged through log_enforcing() and is an error only when the kernel is
 * enforcing; the return statements are not visible here. */
385 int mac_selinux_create_socket_prepare(const char *label) {
388 if (!mac_selinux_use())
/* The cast only drops const; security_context_t is a char * typedef. */
393 if (setsockcreatecon((security_context_t) label) < 0) {
394 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
396 if (security_getenforce() == 1)
/* Reset the socket-create context installed by
 * mac_selinux_create_socket_prepare(). The setsockcreatecon(NULL) result is
 * ignored, as in mac_selinux_create_file_clear(). */
404 void mac_selinux_create_socket_clear(void) {
409 if (!mac_selinux_use())
412 setsockcreatecon(NULL);
416 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
418 /* Binds a socket and label its file system object according to the SELinux policy */
421 _cleanup_security_context_free_ security_context_t fcon = NULL;
422 const struct sockaddr_un *un;
423 bool context_changed = false;
429 assert(addrlen >= sizeof(sa_family_t));
434 /* Filter out non-local sockets */
435 if (addr->sa_family != AF_UNIX)
438 /* Filter out anonymous sockets */
439 if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
442 /* Filter out abstract namespace sockets */
443 un = (const struct sockaddr_un*) addr;
444 if (un->sun_path[0] == 0)
447 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
449 if (path_is_absolute(path))
450 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
452 _cleanup_free_ char *newpath = NULL;
454 r = path_make_absolute_cwd(path, &newpath);
458 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
462 /* No context specified by the policy? Proceed without setting it */
466 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
467 if (security_getenforce() > 0)
471 if (setfscreatecon(fcon) < 0) {
472 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
473 if (security_getenforce() > 0)
476 context_changed = true;
479 r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
482 setfscreatecon(NULL);
488 if (bind(fd, addr, addrlen) < 0)