1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
33 #include "path-util.h"
34 #include "selinux-util.h"
/* Cleanup helpers for the two libselinux allocation types used in this
 * file. DEFINE_TRIVIAL_CLEANUP_FUNC (defined elsewhere in systemd) wraps
 * freecon()/context_free() into freeconp()/context_freep(), which take a
 * pointer-to-pointer as _cleanup_() requires, so security_context_t
 * strings and context_t handles are released on every exit path. */
37 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
38 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
40 #define _cleanup_security_context_free_ _cleanup_(freeconp)
41 #define _cleanup_context_free_ _cleanup_(context_freep)
/* Tri-state cache of is_selinux_enabled(): -1 = not probed yet, 0/1 once
 * mac_selinux_use() has asked the kernel. Presumably reset to -1 by
 * mac_selinux_retest() (its body is not part of this excerpt). */
43 static int cached_use = -1;
/* File-context labelling database, opened by mac_selinux_init() and
 * released by mac_selinux_finish(). NULL means "not initialised"; the
 * labelling helpers below treat that as a no-op rather than an error. */
44 static struct selabel_handle *label_hnd = NULL;
/* Returns whether SELinux is enabled on this system. The kernel is asked
 * via is_selinux_enabled() and the answer cached in cached_use; every
 * other helper in this file uses this as its gate and degrades to plain
 * libc behaviour when it is false. NOTE(review): the excerpt omits the
 * "cached_use < 0" guard and the return statement. */
47 bool mac_selinux_use(void) {
/* Collapsing with "> 0" maps a negative (error) result from
 * is_selinux_enabled() onto "not enabled", i.e. an error probing the
 * kernel makes the whole file fail open. */
50 cached_use = is_selinux_enabled() > 0;
/* Presumably invalidates the cached is_selinux_enabled() answer so that the
 * next mac_selinux_use() probes the kernel again (e.g. after a policy was
 * loaded later in boot). NOTE(review): the body is not part of this
 * excerpt; confirm it only resets cached_use to -1. */
58 void mac_selinux_retest(void) {
/* Opens the SELinux file-context labelling database into label_hnd.
 *
 * prefix: optional path prefix; when given, SELABEL_OPT_SUBSET presumably
 *         restricts the loaded database to entries under it (see
 *         selabel_open(3)), which is cheaper than loading everything.
 * Returns 0 when SELinux is not in use, when the database loaded, or when
 * loading failed in permissive mode; returns -errno only when loading
 * failed and the system is enforcing. I.e. this fails closed only under
 * enforcing mode. */
64 int mac_selinux_init(const char *prefix) {
/* Timestamps and heap statistics are purely for the debug message below. */
68 usec_t before_timestamp, after_timestamp;
69 struct mallinfo before_mallinfo, after_mallinfo;
71 if (!mac_selinux_use())
77 before_mallinfo = mallinfo();
78 before_timestamp = now(CLOCK_MONOTONIC);
81 struct selinux_opt options[] = {
82 { .type = SELABEL_OPT_SUBSET, .value = prefix },
/* With a prefix: load only the matching subset of file_contexts. */
85 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
/* Without a prefix: load the full database. */
87 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* Failure to load the policy database is only an error when enforcing;
 * in permissive mode it is logged at debug level and the caller sees
 * success with label_hnd left NULL (the labelling helpers then no-op). */
90 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
91 "Failed to initialize SELinux context: %m");
/* NOTE(review): errno is read after log_full(); this relies on the
 * logging functions preserving errno (systemd's do) — keep it that way. */
92 r = security_getenforce() == 1 ? -errno : 0;
94 char timespan[FORMAT_TIMESPAN_MAX];
97 after_timestamp = now(CLOCK_MONOTONIC);
98 after_mallinfo = mallinfo();
/* uordblks is a plain int; the explicit comparison avoids reporting a
 * negative size if the allocator released memory in between. */
100 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
102 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
103 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
/* Relabels an existing file system object according to the loaded policy.
 *
 * path:          object to relabel. Looked up and labelled with lstat()/
 *                lsetfilecon(), i.e. a symlink is labelled itself, not
 *                followed.
 * ignore_enoent: treat a missing object as success.
 * ignore_erofs:  treat a read-only file system as success.
 * Returns 0 on success, when there is no rule for the path, when the file
 * system does not support labels, or on any error in permissive mode;
 * returns -errno only when enforcing.
 *
 * NOTE(review): this is path based, so the object is resolved twice
 * (lstat, lsetfilecon). Only pass paths whose parent directories are not
 * writable by untrusted users, otherwise the object could be swapped
 * between the two calls. */
111 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
119 /* if mac_selinux_init() wasn't called before we are a NOOP */
123 r = lstat(path, &st);
125 _cleanup_security_context_free_ security_context_t fcon = NULL;
/* st_mode is passed so that rules restricted to a file type (-d, -s, ...)
 * match correctly. */
127 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
129 /* If there's no label to set, then exit without warning */
130 if (r < 0 && errno == ENOENT)
134 r = lsetfilecon(path, fcon);
136 /* If the FS doesn't support labels, then exit without warning */
137 if (r < 0 && errno == ENOTSUP)
/* Shared error path. errno here may come from lstat() as well as from
 * lsetfilecon() (the intervening jumps are not in this excerpt), so
 * ignore_enoent also covers a path that does not exist at all. */
143 /* Ignore ENOENT in some cases */
144 if (ignore_enoent && errno == ENOENT)
147 if (ignore_erofs && errno == EROFS)
/* Severity and return value both follow the enforcing mode: permissive
 * systems log at debug level and report success. */
150 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path);
151 r = security_getenforce() == 1 ? -errno : 0;
/* Releases the labelling database opened by mac_selinux_init().
 * NOTE(review): mac_selinux_context_set() and friends treat a NULL
 * label_hnd as "not initialised", so this must also reset label_hnd to
 * NULL after closing it; the reset is not part of this excerpt — confirm
 * in the full source, otherwise a later call would use a closed handle. */
158 void mac_selinux_finish(void) {
164 selabel_close(label_hnd);
/* Computes the SELinux context a socket created on behalf of `exe`
 * should carry: the "process" transition of our own context on the
 * executable's file context.
 *
 * exe:   path of the executable; its label is read with getfilecon(),
 *        which follows symlinks.
 * label: out parameter; on success receives a libselinux allocation the
 *        caller releases with mac_selinux_free().
 * Returns 0 on success and in permissive mode even on failure; -errno
 * only when enforcing. NOTE(review): the excerpt omits how mycon is
 * obtained (presumably getcon()) and the early return when SELinux is
 * not in use. */
168 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
173 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
174 security_class_t sclass;
176 if (!mac_selinux_use()) {
185 r = getfilecon(exe, &fcon);
/* Ask the policy which context a process with our context (mycon) would
 * get when executing something labelled fcon; that is what the socket is
 * labelled with. security_context_t is char *, so the cast only adjusts
 * the pointer type of the out parameter. */
189 sclass = string_to_security_class("process");
190 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
192 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
/* Only enforcing systems propagate the failure. */
195 if (r < 0 && security_getenforce() == 1)
/* Presumably returns the calling process's own SELinux context in *label
 * (to be released with mac_selinux_free()). NOTE(review): the body is not
 * part of this excerpt. */
202 int mac_selinux_get_our_label(char **label) {
/* Computes the context for a child that will serve a connection: our own
 * context with its MLS range replaced by the range of the peer on
 * socket_fd, then transitioned over the executable's context.
 *
 * socket_fd: connected AF_UNIX socket; the peer context is the one the
 *            kernel reports via getpeercon(), not anything the peer sent.
 * exe:       executable the child will run; used only if no exec
 *            context was set with setexeccon() beforehand.
 * label:     out parameter, released by the caller via mac_selinux_free().
 * Returns 0 on success or in permissive mode; -errno only when enforcing.
 * NOTE(review): how mycon is obtained and how `ret` is handed over to
 * *label (the _cleanup_ on ret must be defeated, e.g. by NULLing it) are
 * not part of this excerpt. */
218 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
223 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
224 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
225 security_class_t sclass;
227 const char *range = NULL;
229 assert(socket_fd >= 0);
/* Peer context as attested by the kernel (SO_PEERSEC). */
239 r = getpeercon(socket_fd, &peercon);
/* Prefer an explicitly configured exec context over the file's label. */
245 r = getexeccon(&fcon);
252 /* If there is no context set for next exec let's use context
253 of target executable */
254 r = getfilecon(exe, &fcon);
/* Parse both contexts so the MLS range field can be manipulated. */
261 bcon = context_new(mycon);
267 pcon = context_new(peercon);
/* Copy the peer's sensitivity range onto our own context; everything
 * else (user, role, type) stays ours. */
273 range = context_range_get(pcon);
279 r = context_range_set(bcon, range);
/* NOTE(review): mycon is reassigned here. The original getcon()
 * allocation must be released before this line (a freecon(mycon) that is
 * not in this excerpt), otherwise it leaks; freecon() on the strdup()'d
 * replacement is fine since it is equivalent to free(). */
286 mycon = strdup(context_str(bcon));
/* Compute the child's process context from the range-adjusted context
 * and the executable's context. */
292 sclass = string_to_security_class("process");
293 r = security_compute_create(mycon, fcon, sclass, &ret);
/* Only enforcing systems propagate the failure. */
304 if (r < 0 && security_getenforce() == 1)
/* Sets the per-thread file creation context so that the next object
 * created at `path` with type `mode` receives the label the policy
 * assigns to it. Pair with mac_selinux_context_clear() after the create.
 *
 * path: absolute path the object will be created at (lookups are keyed
 *       on absolute paths).
 * mode: file type bits (S_IFDIR, S_IFSOCK, ...) for type-specific rules.
 * Returns 0 when SELinux is not in use or not initialised, on success,
 * and on failure in permissive mode; a negative error only when
 * enforcing. */
310 int mac_selinux_context_set(const char *path, mode_t mode) {
314 _cleanup_security_context_free_ security_context_t filecon = NULL;
316 if (!mac_selinux_use() || !label_hnd)
/* ENOENT means "no rule for this path": filecon stays NULL and the
 * setfscreatecon(NULL) below resets the creation context to the policy
 * default instead of failing. Any other lookup error is fatal. */
319 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
320 if (r < 0 && errno != ENOENT)
323 r = setfscreatecon(filecon);
325 log_error("Failed to set SELinux file context on %s: %m", path);
/* Permissive mode swallows the failure and reports success. */
330 if (r < 0 && security_getenforce() == 0)
/* Sets the per-thread socket creation context, so that sockets created
 * afterwards carry `label` (e.g. one computed by
 * mac_selinux_get_create_label_from_exe()). Pair with
 * mac_selinux_socket_clear(). Returns 0 when SELinux is not in use, on
 * success, and on failure in permissive mode; an error only when
 * enforcing. The cast only drops const for the libselinux prototype. */
337 int mac_selinux_socket_set(const char *label) {
340 if (!mac_selinux_use())
343 if (setsockcreatecon((security_context_t) label) < 0) {
344 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
345 "Failed to set SELinux context (%s) on socket: %m", label);
/* Only enforcing systems treat the failure as an error. */
347 if (security_getenforce() == 1)
/* Resets the per-thread file creation context to the policy default.
 * Must be called after the object set up by mac_selinux_context_set()
 * has been created, otherwise the label sticks to every later create on
 * this thread. The return value of setfscreatecon() is ignored here. */
355 void mac_selinux_context_clear(void) {
360 if (!mac_selinux_use())
363 setfscreatecon(NULL);
/* Resets the per-thread socket creation context to the policy default,
 * undoing mac_selinux_socket_set(). Leaving it set would label every
 * later socket created on this thread. The return value of
 * setsockcreatecon() is ignored here. */
367 void mac_selinux_socket_clear(void) {
372 if (!mac_selinux_use())
375 setsockcreatecon(NULL);
/* Releases a label returned by the mac_selinux_get_*() helpers.
 * NOTE(review): the free is skipped when mac_selinux_use() is false. That
 * is consistent with the getters, which never allocate in that case, but
 * if cached_use can flip from enabled to disabled between a get and this
 * free (see mac_selinux_retest()) the label would leak — confirm. */
379 void mac_selinux_free(const char *label) {
382 if (!mac_selinux_use())
385 freecon((security_context_t) label);
/* mkdir() wrapper that labels the new directory according to the policy:
 * look up the label for the (absolutised) path, install it as the file
 * creation context, create the directory, then reset the creation
 * context.
 *
 * path: directory to create; relative paths are made absolute only for
 *       the policy lookup, mkdir() itself is called with `path` as given.
 * mode: passed straight to mkdir(), still subject to the umask.
 * Returns 0 on success, -errno on failure; labelling failures are fatal
 * only when enforcing, in permissive mode the directory is still
 * created. NOTE(review): the early return when SELinux is not in use or
 * label_hnd is NULL is not part of this excerpt. */
389 int mac_selinux_mkdir(const char *path, mode_t mode) {
393 /* Creates a directory and labels it according to the SELinux policy */
394 _cleanup_security_context_free_ security_context_t fcon = NULL;
/* file_contexts rules are matched against absolute paths, so a relative
 * path is resolved against the cwd for the lookup only. */
399 if (path_is_absolute(path))
400 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
402 _cleanup_free_ char *newpath;
404 newpath = path_make_absolute_cwd(path);
408 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
/* NOTE(review): the lines between the lookup and this call are not in
 * this excerpt. This call must be gated on the lookup having succeeded
 * (r == 0); otherwise a lookup error other than ENOENT would be masked,
 * since setfscreatecon(NULL) succeeds and resets r. Confirm. */
412 r = setfscreatecon(fcon);
/* ENOENT (no rule for this path) is not an error; the default creation
 * context applies. Other failures abort only when enforcing. */
414 if (r < 0 && errno != ENOENT) {
415 log_error("Failed to set security context %s for %s: %m", fcon, path);
417 if (security_getenforce() == 1) {
423 r = mkdir(path, mode);
/* Always reset the creation context, on success and on failure.
 * NOTE(review): mkdir()'s errno must be captured into r before this call,
 * since setfscreatecon() may clobber errno; the capture is not in this
 * excerpt. */
428 setfscreatecon(NULL);
/* bind() wrapper that labels the socket file created for a path-based
 * AF_UNIX socket according to the policy. Non-AF_UNIX, unnamed and
 * abstract-namespace sockets create no file system object and are bound
 * as-is.
 *
 * fd, addr, addrlen: as for bind(2). addrlen is trusted: it bounds the
 *                    copy of sun_path below.
 * Returns 0 on success, -errno on failure; labelling failures are fatal
 * only when enforcing. */
434 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
436 /* Binds a socket and label its file system object according to the SELinux policy */
439 _cleanup_security_context_free_ security_context_t fcon = NULL;
440 const struct sockaddr_un *un;
/* Caller contract: at least the family field must be present. */
446 assert(addrlen >= sizeof(sa_family_t));
448 if (!mac_selinux_use() || !label_hnd)
451 /* Filter out non-local sockets */
452 if (addr->sa_family != AF_UNIX)
/* No path bytes at all: nothing on the file system to label. */
455 /* Filter out anonymous sockets */
456 if (addrlen < sizeof(sa_family_t) + 1)
/* A leading NUL selects the abstract namespace, which has no inode. */
459 /* Filter out abstract namespace sockets */
460 un = (const struct sockaddr_un*) addr;
461 if (un->sun_path[0] == 0)
/* sun_path need not be NUL-terminated, so the copy is bounded by the
 * bytes actually covered by addrlen rather than by strlen(). strndupa()
 * allocates on the stack; the size is bounded by addrlen, which the
 * caller controls. */
464 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
/* file_contexts rules match absolute paths; resolve a relative path
 * against the cwd for the lookup only, bind() gets the original addr. */
466 if (path_is_absolute(path))
467 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
469 _cleanup_free_ char *newpath;
471 newpath = path_make_absolute_cwd(path);
475 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
/* NOTE(review): as in mac_selinux_mkdir(), the omitted lines must gate
 * this on a successful lookup (r == 0), or a lookup error other than
 * ENOENT is masked by setfscreatecon(NULL) succeeding. Confirm. */
479 r = setfscreatecon(fcon);
/* ENOENT (no rule) falls through to the default creation context; other
 * failures abort only when enforcing. */
481 if (r < 0 && errno != ENOENT) {
482 log_error("Failed to set security context %s for %s: %m", fcon, path);
484 if (security_getenforce() == 1) {
490 r = bind(fd, addr, addrlen);
/* Always reset the creation context. NOTE(review): bind()'s errno must
 * be captured into r before this call, since setfscreatecon() may
 * clobber errno; the capture is not in this excerpt. */
495 setfscreatecon(NULL);
/* Fallback for the filtered-out cases above: a plain bind(). */
500 return bind(fd, addr, addrlen) < 0 ? -errno : 0;
503 int mac_selinux_apply(const char *path, const char *label) {
507 if (!mac_selinux_use())
510 r = setfilecon(path, (char *)label);