1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/context.h>
28 #include <selinux/label.h>
29 #include <selinux/selinux.h>
32 #include "alloc-util.h"
33 #include "path-util.h"
34 #include "selinux-util.h"
/* Scope-exit helpers: DEFINE_TRIVIAL_CLEANUP_FUNC generates freeconp()/context_freep()
 * wrappers around libselinux's freecon()/context_free(), used through _cleanup_() below
 * so every security_context_t / context_t local is released on any return path. */
38 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
39 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
41 #define _cleanup_security_context_free_ _cleanup_(freeconp)
42 #define _cleanup_context_free_ _cleanup_(context_freep)
/* -1 presumably means "not probed yet"; mac_selinux_use() stores is_selinux_enabled() > 0 here. */
44 static int cached_use = -1;
/* File-context database opened by mac_selinux_init() and closed by mac_selinux_finish().
 * While it is NULL the label-applying helpers below are documented as no-ops
 * (see the comment in mac_selinux_fix()). */
45 static struct selabel_handle *label_hnd = NULL;
/* Log at LOG_ERR only when the kernel reports enforcing mode (security_getenforce() == 1);
 * in permissive mode, or if the query fails, label failures are demoted to LOG_DEBUG and
 * are therefore invisible at default log levels. Each use re-queries security_getenforce(),
 * and the callers below query it again to pick their return value, so severity and return
 * code come from two separate reads of the enforcing state. */
47 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
/* Whether SELinux is enabled on this host. The visible statement caches
 * is_selinux_enabled() > 0 in cached_use; the guard that skips the probe once
 * cached_use has been set, and the return statement, are not visible in this listing. */
50 bool mac_selinux_use(void) {
53 cached_use = is_selinux_enabled() > 0;
61 /// UNNEEDED by elogind
/* Forces the next mac_selinux_use() to probe the kernel again; the body is not
 * visible in this listing (presumably it resets cached_use to -1 — confirm). */
63 void mac_selinux_retest(void) {
/* Opens the SELinux file-context database into label_hnd.
 *
 * prefix: when non-NULL, restricts the loaded database to that path subset via
 *         SELABEL_OPT_SUBSET (cheaper to load than the full policy).
 * Returns 0 on success or when SELinux is absent/permissive; a negative errno only
 *         when selabel_open() fails while the kernel is enforcing.
 *
 * Security note: in permissive mode a failed selabel_open() returns 0 and leaves
 * label_hnd NULL, which turns the labelling helpers below into silent no-ops.
 * The listing is elided: the branch structure between the two selabel_open() calls,
 * the declarations of r and l, and the return are not visible here. */
70 int mac_selinux_init(const char *prefix) {
74 usec_t before_timestamp, after_timestamp;
75 struct mallinfo before_mallinfo, after_mallinfo;
77 if (!mac_selinux_use())
/* Snapshot heap usage and a monotonic clock so the debug line below can report
 * how expensive loading the database was. */
83 before_mallinfo = mallinfo();
84 before_timestamp = now(CLOCK_MONOTONIC);
87 struct selinux_opt options[] = {
88 { .type = SELABEL_OPT_SUBSET, .value = prefix },
91 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
/* Unrestricted open (presumably the no-prefix path). */
93 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* NOTE(review): errno is read on the next line after the log call; this relies on the
 * logging path preserving errno — confirm log_full() does so. */
96 log_enforcing("Failed to initialize SELinux context: %m");
97 r = security_getenforce() == 1 ? -errno : 0;
99 char timespan[FORMAT_TIMESPAN_MAX];
102 after_timestamp = now(CLOCK_MONOTONIC);
103 after_mallinfo = mallinfo();
/* Heap growth in bytes, clamped at 0 since uordblks can shrink. */
105 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
107 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
108 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
116 /// UNNEEDED by elogind
/* Releases the file-context database opened by mac_selinux_init(). The NULL guard
 * and the reset of label_hnd are not visible in this listing — confirm label_hnd is
 * cleared so later calls do not reuse a closed handle. */
118 void mac_selinux_finish(void) {
124 selabel_close(label_hnd);
/* Relabels the filesystem object at path according to the loaded policy.
 *
 * path:          object to relabel; looked up with lstat() and labelled with
 *                lsetfilecon(), so a symlink is labelled itself rather than its target.
 * ignore_enoent: treat a vanished object as success.
 * ignore_erofs:  treat a read-only filesystem as success.
 * Returns 0 when nothing needs doing (no policy entry, filesystem without label
 *         support, ignored errors) and, on other failures, an error only while the
 *         kernel is enforcing — the exact return expressions are not visible here.
 *
 * Note the lookup is keyed on st.st_mode from one path-based call and the label is
 * applied by path in a second call; an object replaced in between is labelled according
 * to the old mode. This is inherent to the lsetfilecon() API, not something to fix here. */
130 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
138 /* if mac_selinux_init() wasn't called before we are a NOOP */
142 r = lstat(path, &st);
144 _cleanup_security_context_free_ security_context_t fcon = NULL;
146 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
148 /* If there's no label to set, then exit without warning */
149 if (r < 0 && errno == ENOENT)
153 r = lsetfilecon(path, fcon);
155 /* If the FS doesn't support labels, then exit without warning */
156 if (r < 0 && errno == EOPNOTSUPP)
162 /* Ignore ENOENT in some cases */
163 if (ignore_enoent && errno == ENOENT)
166 if (ignore_erofs && errno == EROFS)
/* Anything else is reported, but only escalated to an error return in enforcing mode. */
169 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
170 if (security_getenforce() == 1)
178 /// UNNEEDED by elogind
/* Applies a caller-chosen label to path, bypassing the policy database.
 *
 * path:  object to label; setfilecon() is used here (unlike lsetfilecon() in
 *        mac_selinux_fix()), so a symlink's target is labelled.
 * label: the raw context string to set; the caller is responsible for its validity.
 * Returns 0 when SELinux is not in use or in permissive mode; an error on failure
 *         only while enforcing (return lines not visible in this listing).
 *
 * NOTE(review): this file mixes `security_getenforce() > 0` (here) with `== 1`
 * (mac_selinux_fix(), log_enforcing). They presumably agree for the 0/1/-1 results
 * the API yields, but unifying them would make the intent clearer. */
180 int mac_selinux_apply(const char *path, const char *label) {
183 if (!mac_selinux_use())
189 if (setfilecon(path, (security_context_t) label) < 0) {
190 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
191 if (security_getenforce() > 0)
/* Computes the process label a child would receive if we executed exe.
 *
 * exe:   path of the target binary; its file context is read with getfilecon_raw().
 * label: out parameter receiving the computed "process"-class context, allocated by
 *        libselinux; release it with mac_selinux_free() (which calls freecon()).
 * Returns 0 when SELinux is not in use; otherwise the result of the last step
 *         (the error-return lines after each call are not visible in this listing). */
198 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
202 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
203 security_class_t sclass;
208 if (!mac_selinux_use())
/* Our own context is the source domain of the transition. */
211 r = getcon_raw(&mycon);
215 r = getfilecon_raw(exe, &fcon);
/* Ask the kernel policy what domain a process created from (mycon, fcon) would get. */
219 sclass = string_to_security_class("process");
220 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Fetches the calling process's own raw context into *label (libselinux-allocated;
 * release with mac_selinux_free()). Returns 0 when SELinux is not in use; the
 * handling of the getcon_raw() result is not visible in this listing. */
228 int mac_selinux_get_our_label(char **label) {
234 if (!mac_selinux_use())
237 r = getcon_raw(label);
/* Computes the label for a child started on behalf of the peer of socket_fd, taking
 * our own context but with the MLS range replaced by the peer's range.
 *
 * socket_fd:  connected socket whose peer context (getpeercon()) supplies the range.
 * exe:        binary to execute; its file context is the target of the transition.
 * exec_label: presumably an explicit exec context that takes precedence over exe's
 *             file context (see the comment before getfilecon_raw()); the branch that
 *             consults it is not visible in this listing.
 * label:      out parameter, libselinux-allocated; release with mac_selinux_free().
 *
 * Security note: the resulting label's sensitivity range is taken from the peer, so
 * a lower-range client cannot obtain a child running at our (higher) range. */
245 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
249 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
250 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
251 security_class_t sclass;
252 const char *range = NULL;
254 assert(socket_fd >= 0);
258 if (!mac_selinux_use())
261 r = getcon_raw(&mycon);
265 r = getpeercon(socket_fd, &peercon);
270 /* If there is no context set for next exec let's use context
271 of target executable */
272 r = getfilecon_raw(exe, &fcon);
/* bcon starts as a copy of our context; pcon is only needed for its range. */
277 bcon = context_new(mycon);
281 pcon = context_new(peercon);
285 range = context_range_get(pcon);
289 r = context_range_set(bcon, range);
/* NOTE(review): mycon is reassigned here; the release of the earlier getcon_raw()
 * result is not visible in this listing — confirm it is freed before the strdup(),
 * and note the scope-exit helper will freecon() this malloc()'d string. */
294 mycon = strdup(context_str(bcon));
298 sclass = string_to_security_class("process");
299 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Releases a label obtained from the mac_selinux_get_*() helpers with freecon().
 * When SELinux is not in use nothing is freed here (the lines between the guard and
 * the freecon() call, and the return, are not visible in this listing). */
307 char* mac_selinux_free(char *label) {
313 if (!mac_selinux_use())
317 freecon((security_context_t) label);
/* Arms the per-thread file-creation context so the next object created at path gets
 * the label the policy prescribes. Pair with mac_selinux_create_file_clear().
 *
 * path: intended location; a relative path is resolved against the current working
 *       directory before the policy lookup, so call this from the directory the
 *       object will actually be created in.
 * mode: file type bits (S_IFREG, S_IFDIR, ...) used for the policy match.
 * Returns 0 when the policy has no entry for path or setfscreatecon() succeeds; on
 *         failure an error only while enforcing (the return expressions and the early
 *         guards before the lookup are not visible in this listing). */
324 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
327 _cleanup_security_context_free_ security_context_t filecon = NULL;
335 if (path_is_absolute(path))
336 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
338 _cleanup_free_ char *newpath = NULL;
340 r = path_make_absolute_cwd(path, &newpath);
344 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
348 /* No context specified by the policy? Proceed without setting it. */
352 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
354 if (setfscreatecon(filecon) >= 0)
355 return 0; /* Success! */
357 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
360 if (security_getenforce() > 0)
/* Disarms the file-creation context set by mac_selinux_create_file_prepare() so later
 * creations fall back to the default labelling. */
367 void mac_selinux_create_file_clear(void) {
372 if (!mac_selinux_use())
375 setfscreatecon(NULL);
379 /// UNNEEDED by elogind
/* Arms the per-thread socket-creation context with a caller-supplied label so the
 * next socket() call is labelled with it. Pair with mac_selinux_create_socket_clear().
 *
 * label: raw context string to apply; validity is up to the caller.
 * Returns 0 when SELinux is not in use or in permissive mode; an error on failure only
 *         while enforcing (return lines not visible in this listing). */
381 int mac_selinux_create_socket_prepare(const char *label) {
384 if (!mac_selinux_use())
389 if (setsockcreatecon((security_context_t) label) < 0) {
390 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
392 if (security_getenforce() == 1)
/* Disarms the socket-creation context set by mac_selinux_create_socket_prepare(). */
400 void mac_selinux_create_socket_clear(void) {
405 if (!mac_selinux_use())
408 setsockcreatecon(NULL);
/* bind() wrapper that labels the filesystem node an AF_UNIX path socket creates.
 *
 * fd, addr, addrlen: as for bind(2).
 * Returns 0 on success, -errno if bind() fails; on policy/label failures an error only
 *         while enforcing. Several early-return and error lines are not visible in
 *         this listing.
 *
 * Only filesystem-backed AF_UNIX sockets are labelled: other families, anonymous
 * sockets and abstract-namespace sockets are handed straight to bind(). */
412 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
414 /* Binds a socket and label its file system object according to the SELinux policy */
417 _cleanup_security_context_free_ security_context_t fcon = NULL;
418 const struct sockaddr_un *un;
419 bool context_changed = false;
/* Guarantees addr->sa_family below is readable. */
425 assert(addrlen >= sizeof(sa_family_t));
430 /* Filter out non-local sockets */
431 if (addr->sa_family != AF_UNIX)
434 /* Filter out anonymous sockets */
435 if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
438 /* Filter out abstract namespace sockets */
439 un = (const struct sockaddr_un*) addr;
440 if (un->sun_path[0] == 0)
/* Copy at most the path bytes the caller claims; sun_path need not be NUL-terminated.
 * NOTE(review): the bound is the caller-supplied addrlen only — nothing visible here
 * clamps it to sizeof(un->sun_path), so an over-long addrlen would read past the
 * sockaddr_un; confirm every caller passes the true address length. strndupa() is
 * alloca()-backed, so the same bound also limits stack use. */
443 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
/* Policy lookup for a socket node at that path; relative paths are resolved against
 * the current working directory first. */
445 if (path_is_absolute(path))
446 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
448 _cleanup_free_ char *newpath = NULL;
450 r = path_make_absolute_cwd(path, &newpath);
454 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
458 /* No context specified by the policy? Proceed without setting it */
462 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
463 if (security_getenforce() > 0)
/* Arm the creation context so the node bind() creates inherits fcon. */
467 if (setfscreatecon(fcon) < 0) {
468 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
469 if (security_getenforce() > 0)
472 context_changed = true;
/* Labelled bind: the creation context is reset right after, whether or not bind()
 * succeeded; r preserves the -errno. */
475 r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
478 setfscreatecon(NULL);
/* Plain bind for the cases that skip labelling (non-filesystem sockets, no policy
 * entry, SELinux not in use); the jumps that reach this line are not visible here. */
484 if (bind(fd, addr, addrlen) < 0)