1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/context.h>
28 #include <selinux/label.h>
29 #include <selinux/selinux.h>
32 #include "alloc-util.h"
33 #include "path-util.h"
34 #include "selinux-util.h"
38 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
39 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
41 #define _cleanup_security_context_free_ _cleanup_(freeconp)
42 #define _cleanup_context_free_ _cleanup_(context_freep)
44 static int cached_use = -1;
45 static struct selabel_handle *label_hnd = NULL;
47 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
50 bool mac_selinux_use(void) {
53 cached_use = is_selinux_enabled() > 0;
61 #if 0 /// UNNEEDED by elogind
62 void mac_selinux_retest(void) {
69 int mac_selinux_init(const char *prefix) {
73 usec_t before_timestamp, after_timestamp;
74 struct mallinfo before_mallinfo, after_mallinfo;
76 if (!mac_selinux_use())
82 before_mallinfo = mallinfo();
83 before_timestamp = now(CLOCK_MONOTONIC);
86 struct selinux_opt options[] = {
87 { .type = SELABEL_OPT_SUBSET, .value = prefix },
90 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
92 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
95 log_enforcing("Failed to initialize SELinux context: %m");
96 r = security_getenforce() == 1 ? -errno : 0;
98 char timespan[FORMAT_TIMESPAN_MAX];
101 after_timestamp = now(CLOCK_MONOTONIC);
102 after_mallinfo = mallinfo();
104 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
106 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
107 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
115 #if 0 /// UNNEEDED by elogind
116 void mac_selinux_finish(void) {
122 selabel_close(label_hnd);
128 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
136 /* if mac_selinux_init() wasn't called before we are a NOOP */
140 r = lstat(path, &st);
142 _cleanup_security_context_free_ security_context_t fcon = NULL;
144 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
146 /* If there's no label to set, then exit without warning */
147 if (r < 0 && errno == ENOENT)
151 r = lsetfilecon(path, fcon);
153 /* If the FS doesn't support labels, then exit without warning */
154 if (r < 0 && errno == EOPNOTSUPP)
160 /* Ignore ENOENT in some cases */
161 if (ignore_enoent && errno == ENOENT)
164 if (ignore_erofs && errno == EROFS)
167 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
168 if (security_getenforce() == 1)
176 #if 0 /// UNNEEDED by elogind
177 int mac_selinux_apply(const char *path, const char *label) {
180 if (!mac_selinux_use())
186 if (setfilecon(path, (security_context_t) label) < 0) {
187 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
188 if (security_getenforce() > 0)
195 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
199 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
200 security_class_t sclass;
205 if (!mac_selinux_use())
208 r = getcon_raw(&mycon);
212 r = getfilecon_raw(exe, &fcon);
216 sclass = string_to_security_class("process");
217 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
225 int mac_selinux_get_our_label(char **label) {
231 if (!mac_selinux_use())
234 r = getcon_raw(label);
242 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
246 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
247 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
248 security_class_t sclass;
249 const char *range = NULL;
251 assert(socket_fd >= 0);
255 if (!mac_selinux_use())
258 r = getcon_raw(&mycon);
262 r = getpeercon(socket_fd, &peercon);
267 /* If there is no context set for next exec let's use context
268 of target executable */
269 r = getfilecon_raw(exe, &fcon);
274 bcon = context_new(mycon);
278 pcon = context_new(peercon);
282 range = context_range_get(pcon);
286 r = context_range_set(bcon, range);
291 mycon = strdup(context_str(bcon));
295 sclass = string_to_security_class("process");
296 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
304 char* mac_selinux_free(char *label) {
310 if (!mac_selinux_use())
314 freecon((security_context_t) label);
321 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
324 _cleanup_security_context_free_ security_context_t filecon = NULL;
332 if (path_is_absolute(path))
333 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
335 _cleanup_free_ char *newpath = NULL;
337 r = path_make_absolute_cwd(path, &newpath);
341 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
345 /* No context specified by the policy? Proceed without setting it. */
349 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
351 if (setfscreatecon(filecon) >= 0)
352 return 0; /* Success! */
354 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
357 if (security_getenforce() > 0)
364 void mac_selinux_create_file_clear(void) {
369 if (!mac_selinux_use())
372 setfscreatecon(NULL);
376 #if 0 /// UNNEEDED by elogind
377 int mac_selinux_create_socket_prepare(const char *label) {
380 if (!mac_selinux_use())
385 if (setsockcreatecon((security_context_t) label) < 0) {
386 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
388 if (security_getenforce() == 1)
396 void mac_selinux_create_socket_clear(void) {
401 if (!mac_selinux_use())
404 setsockcreatecon(NULL);
408 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
410 /* Binds a socket and labels its file system object according to the SELinux policy */
413 _cleanup_security_context_free_ security_context_t fcon = NULL;
414 const struct sockaddr_un *un;
415 bool context_changed = false;
421 assert(addrlen >= sizeof(sa_family_t));
426 /* Filter out non-local sockets */
427 if (addr->sa_family != AF_UNIX)
430 /* Filter out anonymous sockets */
431 if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
434 /* Filter out abstract namespace sockets */
435 un = (const struct sockaddr_un*) addr;
436 if (un->sun_path[0] == 0)
439 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
441 if (path_is_absolute(path))
442 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
444 _cleanup_free_ char *newpath = NULL;
446 r = path_make_absolute_cwd(path, &newpath);
450 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
454 /* No context specified by the policy? Proceed without setting it */
458 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
459 if (security_getenforce() > 0)
463 if (setfscreatecon(fcon) < 0) {
464 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
465 if (security_getenforce() > 0)
468 context_changed = true;
471 r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
474 setfscreatecon(NULL);
480 if (bind(fd, addr, addrlen) < 0)