1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <sys/socket.h>
31 #include "path-util.h"
34 #include "selinux-util.h"
35 #include <selinux/selinux.h>
36 #include <selinux/label.h>
38 static struct selabel_handle *label_hnd = NULL;
42 int label_init(const char *prefix) {
46 usec_t before_timestamp, after_timestamp;
47 struct mallinfo before_mallinfo, after_mallinfo;
55 before_mallinfo = mallinfo();
56 before_timestamp = now(CLOCK_MONOTONIC);
59 struct selinux_opt options[] = {
60 { .type = SELABEL_OPT_SUBSET, .value = prefix },
63 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
65 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
68 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
69 "Failed to initialize SELinux context: %m");
70 r = security_getenforce() == 1 ? -errno : 0;
72 char timespan[FORMAT_TIMESPAN_MAX];
75 after_timestamp = now(CLOCK_MONOTONIC);
76 after_mallinfo = mallinfo();
78 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
80 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
81 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp),
89 int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
94 security_context_t fcon;
96 if (!use_selinux() || !label_hnd)
101 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
103 /* If there's no label to set, then exit without warning */
104 if (r < 0 && errno == ENOENT)
108 r = lsetfilecon(path, fcon);
111 /* If the FS doesn't support labels, then exit without warning */
112 if (r < 0 && errno == ENOTSUP)
118 /* Ignore ENOENT in some cases */
119 if (ignore_enoent && errno == ENOENT)
122 if (ignore_erofs && errno == EROFS)
125 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
126 "Unable to fix label of %s: %m", path);
127 r = security_getenforce() == 1 ? -errno : 0;
134 void label_finish(void) {
137 if (use_selinux() && label_hnd)
138 selabel_close(label_hnd);
142 int label_get_create_label_from_exe(const char *exe, char **label) {
147 security_context_t mycon = NULL, fcon = NULL;
148 security_class_t sclass;
150 if (!use_selinux()) {
159 r = getfilecon(exe, &fcon);
163 sclass = string_to_security_class("process");
164 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
166 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
169 if (r < 0 && security_getenforce() == 1)
179 int label_context_set(const char *path, mode_t mode) {
183 security_context_t filecon = NULL;
185 if (!use_selinux() || !label_hnd)
188 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
189 if (r < 0 && errno != ENOENT)
192 r = setfscreatecon(filecon);
194 log_error("Failed to set SELinux file context on %s: %m", path);
201 if (r < 0 && security_getenforce() == 0)
208 int label_socket_set(const char *label) {
214 if (setsockcreatecon((security_context_t) label) < 0) {
215 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
216 "Failed to set SELinux context (%s) on socket: %m", label);
218 if (security_getenforce() == 1)
226 void label_context_clear(void) {
232 setfscreatecon(NULL);
236 void label_socket_clear(void) {
242 setsockcreatecon(NULL);
246 void label_free(const char *label) {
252 freecon((security_context_t) label);
256 int label_mkdir(const char *path, mode_t mode, bool apply) {
258 /* Creates a directory and labels it according to the SELinux policy */
261 security_context_t fcon = NULL;
263 if (!apply || !use_selinux() || !label_hnd)
266 if (path_is_absolute(path))
267 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
271 newpath = path_make_absolute_cwd(path);
275 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
280 r = setfscreatecon(fcon);
282 if (r < 0 && errno != ENOENT) {
283 log_error("Failed to set security context %s for %s: %m", fcon, path);
285 if (security_getenforce() == 1) {
291 r = mkdir(path, mode);
296 setfscreatecon(NULL);
303 return mkdir(path, mode) < 0 ? -errno : 0;
306 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
308 /* Binds a socket and label its file system object according to the SELinux policy */
312 security_context_t fcon = NULL;
313 const struct sockaddr_un *un;
318 assert(addrlen >= sizeof(sa_family_t));
320 if (!use_selinux() || !label_hnd)
323 /* Filter out non-local sockets */
324 if (addr->sa_family != AF_UNIX)
327 /* Filter out anonymous sockets */
328 if (addrlen < sizeof(sa_family_t) + 1)
331 /* Filter out abstract namespace sockets */
332 un = (const struct sockaddr_un*) addr;
333 if (un->sun_path[0] == 0)
336 path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
340 if (path_is_absolute(path))
341 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
345 newpath = path_make_absolute_cwd(path);
352 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
357 r = setfscreatecon(fcon);
359 if (r < 0 && errno != ENOENT) {
360 log_error("Failed to set security context %s for %s: %m", fcon, path);
362 if (security_getenforce() == 1) {
368 r = bind(fd, addr, addrlen);
373 setfscreatecon(NULL);
381 return bind(fd, addr, addrlen) < 0 ? -errno : 0;