1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
33 #include "path-util.h"
34 #include "selinux-util.h"
/* Cleanup wrappers: freeconp()/context_freep() release a libselinux
 * security_context_t / context_t when a _cleanup_-attributed local
 * goes out of scope. */
37 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
38 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
40 #define _cleanup_security_context_free_ _cleanup_(freeconp)
41 #define _cleanup_context_free_ _cleanup_(context_freep)
/* -1 = not probed yet; mac_selinux_use() stores (is_selinux_enabled() > 0) here. */
43 static int cached_use = -1;
/* File-context labeling database opened by mac_selinux_init() and closed
 * by mac_selinux_finish(); mac_selinux_fix() documents itself as a no-op
 * while this is still NULL. */
44 static struct selabel_handle *label_hnd = NULL;
/* Log at LOG_ERR only when the kernel is enforcing, otherwise at LOG_DEBUG.
 * NOTE(review): security_getenforce() is evaluated before the message is
 * formatted, so a "%m" in the message sees errno as left by that call —
 * confirm it preserves errno, or have callers capture errno first. */
46 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
/* Returns whether SELinux is enabled on this system, caching the probe
 * result in cached_use. (Listing elided: the early return on a cached
 * value and the final return are not shown here.) */
49 bool mac_selinux_use(void) {
52 cached_use = is_selinux_enabled() > 0;
60 /// UNNEEDED by elogind
62 void mac_selinux_retest(void) {
/* Opens the SELinux file-context database into label_hnd, optionally
 * restricted to entries under 'prefix' (SELABEL_OPT_SUBSET).
 * Returns 0 when SELinux is not in use or when the kernel is permissive;
 * on an enforcing kernel a failed selabel_open() yields -errno.
 * Load time and heap growth are reported at debug level only.
 * (Listing elided: several lines of this function are not shown.) */
69 int mac_selinux_init(const char *prefix) {
73 usec_t before_timestamp, after_timestamp;
74 struct mallinfo before_mallinfo, after_mallinfo;
/* Nothing to load when SELinux is disabled. */
76 if (!mac_selinux_use())
82 before_mallinfo = mallinfo();
83 before_timestamp = now(CLOCK_MONOTONIC);
/* With a prefix, only the matching subset of the file contexts is loaded. */
86 struct selinux_opt options[] = {
87 { .type = SELABEL_OPT_SUBSET, .value = prefix },
90 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
/* No prefix: load the full database. */
92 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* NOTE(review): security_getenforce() runs inside log_enforcing() and again
 * on the next line before errno is read — confirm it cannot clobber errno,
 * or save errno right after selabel_open(). In permissive mode the failure
 * is reported as success (r = 0), so the caller presumably continues
 * without a labeling database. */
95 log_enforcing("Failed to initialize SELinux context: %m");
96 r = security_getenforce() == 1 ? -errno : 0;
98 char timespan[FORMAT_TIMESPAN_MAX];
101 after_timestamp = now(CLOCK_MONOTONIC);
102 after_mallinfo = mallinfo();
/* Heap growth attributable to the database; clamped to 0 if usage shrank. */
104 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
106 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
107 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
115 /// UNNEEDED by elogind
/* Releases the file-context database opened by mac_selinux_init().
 * NOTE(review): label_hnd should be reset to NULL after the close so that
 * later mac_selinux_fix()/lookup calls see "not initialized" rather than a
 * dangling handle — confirm the elided lines do this. */
117 void mac_selinux_finish(void) {
123 selabel_close(label_hnd);
/* Relabels 'path' (lstat()/lsetfilecon(): a final symlink is not followed)
 * to the context the loaded policy prescribes for it. No-op until
 * mac_selinux_init() has run. ignore_enoent / ignore_erofs turn those
 * lsetfilecon() errors into success. A missing policy entry (ENOENT from
 * the lookup) and a file system without label support (EOPNOTSUPP) are
 * accepted silently. Other failures are logged and become an error only
 * on an enforcing kernel.
 * NOTE(review): the stat, the lookup and the relabel all address the object
 * by pathname, so it can be swapped between lstat() and lsetfilecon()
 * (path-based TOCTOU). An O_PATH fd plus fsetfilecon() would close that
 * window; until then, confirm callers only pass paths they control.
 * (Listing elided: return statements and some checks are not shown.) */
129 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
137 /* if mac_selinux_init() wasn't called before we are a NOOP */
/* st.st_mode is handed to the lookup so the entry matching the file type is used. */
141 r = lstat(path, &st);
143 _cleanup_security_context_free_ security_context_t fcon = NULL;
145 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
147 /* If there's no label to set, then exit without warning */
148 if (r < 0 && errno == ENOENT)
152 r = lsetfilecon(path, fcon);
154 /* If the FS doesn't support labels, then exit without warning */
155 if (r < 0 && errno == EOPNOTSUPP)
161 /* Ignore ENOENT in some cases */
162 if (ignore_enoent && errno == ENOENT)
165 if (ignore_erofs && errno == EROFS)
/* Anything else: log, and (presumably) fail only when enforcing. */
168 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
169 if (security_getenforce() == 1)
177 /// UNNEDED by elogind
/* Sets the explicit context 'label' on 'path'. No-op when SELinux is off.
 * Uses setfilecon() rather than the lsetfilecon() of mac_selinux_fix()
 * (presumably following a final symlink — verify against libselinux).
 * Failure is logged and is an error only on an enforcing kernel.
 * (Listing elided: return statements are not shown.) */
179 int mac_selinux_apply(const char *path, const char *label) {
185 if (!mac_selinux_use())
188 if (setfilecon(path, (security_context_t) label) < 0) {
189 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
190 if (security_getenforce() == 1)
/* Computes the process context that executing 'exe' would create, from
 * mycon (obtained on elided lines — presumably our own context) and the
 * file context of 'exe'. On success *label is a freecon()-owned string;
 * release it with mac_selinux_free(). No-op when SELinux is off.
 * (Listing elided: mycon acquisition, error checks and returns.) */
197 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
201 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
202 security_class_t sclass;
207 if (!mac_selinux_use())
/* File context of the executable being transitioned to. */
214 r = getfilecon(exe, &fcon);
/* The "process" class selects the process-transition rules of the policy. */
218 sclass = string_to_security_class("process");
219 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Returns the caller's own SELinux context in *label (release with
 * mac_selinux_free()). Only the SELinux-disabled guard is visible here;
 * the rest of the body is elided from this listing. */
227 int mac_selinux_get_our_label(char **label) {
233 if (!mac_selinux_use())
/* Computes the context for a child executed on behalf of the peer of
 * socket_fd: our own context with its MLS range replaced by the peer's
 * (taken from getpeercon()), combined with the file context of 'exe'
 * when no exec_label was supplied. *label is produced by
 * security_compute_create(); release it with mac_selinux_free().
 * No-op when SELinux is off.
 * NOTE(review): the range is trusted from the socket peer, so socket_fd
 * must be the connection the request actually arrived on.
 * (Listing elided: error checks, returns and the exec_label branch.) */
244 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
248 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
249 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
250 security_class_t sclass;
251 const char *range = NULL;
253 assert(socket_fd >= 0);
257 if (!mac_selinux_use())
/* Context of the process on the other end of socket_fd. */
264 r = getpeercon(socket_fd, &peercon);
269 /* If there is no context set for next exec let's use context
270 of target executable */
271 r = getfilecon(exe, &fcon);
/* Parse our context (mycon, set on elided lines) into a mutable form. */
276 bcon = context_new(mycon);
280 pcon = context_new(peercon);
/* Carry the peer's MLS range over onto our own context. */
284 range = context_range_get(pcon);
288 r = context_range_set(bcon, range);
/* NOTE(review): the earlier mycon allocation must be released before this
 * reassignment (expected on the elided line just above) or it leaks, and
 * a NULL from strdup() must be checked — verify both. */
293 mycon = strdup(context_str(bcon));
297 sclass = string_to_security_class("process");
298 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Releases a label handed out by the mac_selinux_get_*_label() helpers.
 * Guarded by mac_selinux_use() so nothing is passed to freecon() while
 * SELinux is off. (Listing elided: the early return is not shown.) */
306 void mac_selinux_free(char *label) {
309 if (!mac_selinux_use())
312 freecon((security_context_t) label);
/* Sets the fs-create context for the file about to be created at 'path'
 * with 'mode', as prescribed by the loaded policy. Relative paths are made
 * absolute against the cwd before the lookup. Pair with
 * mac_selinux_create_file_clear(). A path without a policy entry (ENOENT)
 * proceeds with no context set.
 * NOTE(review): a failed setfscreatecon() is tolerated only on a
 * permissive kernel; the elided lines should return an error when
 * enforcing — verify. (Listing elided: checks and returns.) */
317 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
321 _cleanup_security_context_free_ security_context_t filecon = NULL;
328 if (path_is_absolute(path))
329 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
/* Relative path: the lookup needs an absolute one. */
331 _cleanup_free_ char *newpath;
333 newpath = path_make_absolute_cwd(path);
337 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
340 /* No context specified by the policy? Proceed without setting it. */
341 if (r < 0 && errno == ENOENT)
347 r = setfscreatecon(filecon);
349 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
/* Permissive kernel: the failure is not an error for the caller. */
354 if (r < 0 && security_getenforce() == 0)
/* Clears the fs-create context set by mac_selinux_create_file_prepare().
 * No-op when SELinux is off. (Listing elided: the early return.) */
361 void mac_selinux_create_file_clear(void) {
366 if (!mac_selinux_use())
369 setfscreatecon(NULL);
373 /// UNNEEDED by elogind
/* Sets the context that sockets created after this call receive.
 * No-op when SELinux is off. Failure is logged and is an error only on an
 * enforcing kernel. Pair with mac_selinux_create_socket_clear().
 * (Listing elided: return statements are not shown.) */
375 int mac_selinux_create_socket_prepare(const char *label) {
378 if (!mac_selinux_use())
383 if (setsockcreatecon((security_context_t) label) < 0) {
384 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
386 if (security_getenforce() == 1)
/* Clears the socket-create context set by mac_selinux_create_socket_prepare().
 * No-op when SELinux is off. (Listing elided: the early return.) */
394 void mac_selinux_create_socket_clear(void) {
399 if (!mac_selinux_use())
402 setsockcreatecon(NULL);
/* Binds fd to addr. For a pathname AF_UNIX socket the file-system node that
 * bind() creates is labeled per the loaded policy by setting the fs-create
 * context around the bind() call and clearing it afterwards. Non-AF_UNIX,
 * unnamed and abstract-namespace sockets are bound as-is.
 * Returns 0 on success, -errno on failure.
 * NOTE(review): only a lookup/setfscreatecon() error other than ENOENT is
 * reported; with no policy entry the node is created with whatever default
 * context applies — presumably intended, but worth knowing.
 * (Listing elided: else-branches, the goto/label structure and some checks
 * are not shown.) */
406 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
408 /* Binds a socket and label its file system object according to the SELinux policy */
411 _cleanup_security_context_free_ security_context_t fcon = NULL;
412 const struct sockaddr_un *un;
418 assert(addrlen >= sizeof(sa_family_t));
423 /* Filter out non-local sockets */
424 if (addr->sa_family != AF_UNIX)
427 /* Filter out anonymous sockets */
428 if (addrlen < sizeof(sa_family_t) + 1)
431 /* Filter out abstract namespace sockets */
432 un = (const struct sockaddr_un*) addr;
433 if (un->sun_path[0] == 0)
/* sun_path need not be NUL-terminated within addrlen: copy at most the bytes
 * actually present. The length is positive thanks to the anonymous-socket
 * check above, assuming sun_path immediately follows sun_family — verify
 * for this platform. */
436 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
438 if (path_is_absolute(path))
439 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
/* Relative path: the lookup needs an absolute one. */
441 _cleanup_free_ char *newpath;
443 newpath = path_make_absolute_cwd(path);
447 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
451 r = setfscreatecon(fcon);
/* ENOENT (no policy entry) is tolerated; any other error aborts the bind
 * only on an enforcing kernel. Note fcon may still be NULL here if the
 * lookup itself failed, so the "%s" below may print a null pointer. */
453 if (r < 0 && errno != ENOENT) {
454 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
456 if (security_getenforce() == 1) {
462 r = bind(fd, addr, addrlen);
/* Always clear the fs-create context, whether or not bind() succeeded. */
467 setfscreatecon(NULL);
/* Presumably the path taken for sockets filtered out above: a plain bind(). */
472 return bind(fd, addr, addrlen) < 0 ? -errno : 0;