2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
30 #include <selinux/context.h>
31 #include <selinux/label.h>
32 #include <selinux/selinux.h>
35 #include "alloc-util.h"
38 #include "path-util.h"
39 #include "selinux-util.h"
40 #include "time-util.h"
44 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
45 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
47 #define _cleanup_freecon_ _cleanup_(freeconp)
48 #define _cleanup_context_free_ _cleanup_(context_freep)
50 static int cached_use = -1;
51 static struct selabel_handle *label_hnd = NULL;
53 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
56 bool mac_selinux_have(void) {
59 cached_use = is_selinux_enabled() > 0;
67 bool mac_selinux_use(void) {
68 if (!mac_selinux_have())
71 /* Never try to configure SELinux features if we aren't
77 #if 0 /// UNNEEDED by elogind
78 void mac_selinux_retest(void) {
85 int mac_selinux_init(void) {
89 usec_t before_timestamp, after_timestamp;
90 struct mallinfo before_mallinfo, after_mallinfo;
95 if (!mac_selinux_use())
98 before_mallinfo = mallinfo();
99 before_timestamp = now(CLOCK_MONOTONIC);
101 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
103 log_enforcing("Failed to initialize SELinux context: %m");
104 r = security_getenforce() == 1 ? -errno : 0;
106 char timespan[FORMAT_TIMESPAN_MAX];
109 after_timestamp = now(CLOCK_MONOTONIC);
110 after_mallinfo = mallinfo();
112 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
114 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
115 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
123 #if 0 /// UNNEEDED by elogind
124 void mac_selinux_finish(void) {
130 selabel_close(label_hnd);
136 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
144 /* if mac_selinux_init() wasn't called before we are a NOOP */
148 r = lstat(path, &st);
150 _cleanup_freecon_ char* fcon = NULL;
152 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
154 /* If there's no label to set, then exit without warning */
155 if (r < 0 && errno == ENOENT)
159 r = lsetfilecon_raw(path, fcon);
161 /* If the FS doesn't support labels, then exit without warning */
162 if (r < 0 && errno == EOPNOTSUPP)
168 /* Ignore ENOENT in some cases */
169 if (ignore_enoent && errno == ENOENT)
172 if (ignore_erofs && errno == EROFS)
175 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
176 if (security_getenforce() == 1)
184 #if 0 /// UNNEDED by elogind
185 int mac_selinux_apply(const char *path, const char *label) {
188 if (!mac_selinux_use())
194 if (setfilecon(path, label) < 0) {
195 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
196 if (security_getenforce() > 0)
203 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
207 _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
208 security_class_t sclass;
213 if (!mac_selinux_have())
216 r = getcon_raw(&mycon);
220 r = getfilecon_raw(exe, &fcon);
224 sclass = string_to_security_class("process");
225 r = security_compute_create_raw(mycon, fcon, sclass, label);
233 int mac_selinux_get_our_label(char **label) {
239 if (!mac_selinux_have())
242 r = getcon_raw(label);
250 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
254 _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
255 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
256 security_class_t sclass;
257 const char *range = NULL;
259 assert(socket_fd >= 0);
263 if (!mac_selinux_have())
266 r = getcon_raw(&mycon);
270 r = getpeercon_raw(socket_fd, &peercon);
275 /* If there is no context set for next exec let's use context
276 of target executable */
277 r = getfilecon_raw(exe, &fcon);
282 bcon = context_new(mycon);
286 pcon = context_new(peercon);
290 range = context_range_get(pcon);
294 r = context_range_set(bcon, range);
299 mycon = strdup(context_str(bcon));
303 sclass = string_to_security_class("process");
304 r = security_compute_create_raw(mycon, fcon, sclass, label);
312 char* mac_selinux_free(char *label) {
318 if (!mac_selinux_have())
329 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
332 _cleanup_freecon_ char *filecon = NULL;
340 if (path_is_absolute(path))
341 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
343 _cleanup_free_ char *newpath = NULL;
345 r = path_make_absolute_cwd(path, &newpath);
349 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
353 /* No context specified by the policy? Proceed without setting it. */
357 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
359 if (setfscreatecon_raw(filecon) >= 0)
360 return 0; /* Success! */
362 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
365 if (security_getenforce() > 0)
372 void mac_selinux_create_file_clear(void) {
377 if (!mac_selinux_use())
380 setfscreatecon_raw(NULL);
384 #if 0 /// UNNEEDED by elogind
385 int mac_selinux_create_socket_prepare(const char *label) {
388 if (!mac_selinux_use())
393 if (setsockcreatecon(label) < 0) {
394 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
396 if (security_getenforce() == 1)
404 void mac_selinux_create_socket_clear(void) {
409 if (!mac_selinux_use())
412 setsockcreatecon_raw(NULL);
416 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
418 /* Binds a socket and label its file system object according to the SELinux policy */
421 _cleanup_freecon_ char *fcon = NULL;
422 const struct sockaddr_un *un;
423 bool context_changed = false;
429 assert(addrlen >= sizeof(sa_family_t));
434 /* Filter out non-local sockets */
435 if (addr->sa_family != AF_UNIX)
438 /* Filter out anonymous sockets */
439 if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
442 /* Filter out abstract namespace sockets */
443 un = (const struct sockaddr_un*) addr;
444 if (un->sun_path[0] == 0)
447 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
449 if (path_is_absolute(path))
450 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
452 _cleanup_free_ char *newpath = NULL;
454 r = path_make_absolute_cwd(path, &newpath);
458 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
462 /* No context specified by the policy? Proceed without setting it */
466 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
467 if (security_getenforce() > 0)
471 if (setfscreatecon_raw(fcon) < 0) {
472 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
473 if (security_getenforce() > 0)
476 context_changed = true;
479 r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
482 setfscreatecon_raw(NULL);
488 if (bind(fd, addr, addrlen) < 0)
~ianmdlvl / elogind.git / blob