1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
33 #include "path-util.h"
34 #include "selinux-util.h"
/* Scope-exit helpers: _cleanup_security_context_free_ releases a
 * security_context_t through freecon(), _cleanup_context_free_ releases a
 * context_t through context_free(). */
37 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
38 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
40 #define _cleanup_security_context_free_ _cleanup_(freeconp)
41 #define _cleanup_context_free_ _cleanup_(context_freep)
/* Memoized answer of is_selinux_enabled(): -1 = not probed yet, otherwise
 * the 0/1 value stored by mac_selinux_use(). */
43 static int cached_use = -1;
/* File-context database handle opened by mac_selinux_init() via
 * selabel_open() and closed by mac_selinux_finish(). mac_selinux_fix()
 * treats a NULL handle as "nothing to do", so a skipped or (in permissive
 * mode) failed init silently disables relabeling rather than failing. */
44 static struct selabel_handle *label_hnd = NULL;
/* Log at LOG_ERR only while the kernel reports enforcing mode
 * (security_getenforce() == 1); in permissive mode, or if the query does
 * not return 1, the very same failure is only visible at LOG_DEBUG.
 * security_getenforce() is re-queried on every expansion. */
46 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
/* Returns whether SELinux is enabled on this system, caching the answer in
 * cached_use. Only the probe itself is visible here; the guard that skips
 * the probe once cached_use != -1 and the return are not shown. */
49 bool mac_selinux_use(void) {
/* Normalize the libselinux tri-state (negative = error) to a plain 0/1. */
52 cached_use = is_selinux_enabled() > 0;
60 void mac_selinux_retest(void) {
/* Opens the SELinux file-context database into label_hnd.
 *
 * @param prefix  if non-NULL, passed as SELABEL_OPT_SUBSET so that only the
 *                file-context entries under that path prefix are loaded;
 *                otherwise the full database is opened.
 * @return 0 on success; on selabel_open() failure -errno only while the
 *         kernel is enforcing, 0 (with label_hnd left NULL) in permissive
 *         mode. Callers must not assume label_hnd != NULL after a 0 return.
 *
 * The mallinfo()/timestamp pairs only feed the debug message at the end.
 * Several lines of the body (the branch selecting between the two
 * selabel_open() calls, the NULL check, the early returns) are not shown. */
66 int mac_selinux_init(const char *prefix) {
70 usec_t before_timestamp, after_timestamp;
71 struct mallinfo before_mallinfo, after_mallinfo;
/* Nothing to load when SELinux is disabled (return value not shown). */
73 if (!mac_selinux_use())
79 before_mallinfo = mallinfo();
80 before_timestamp = now(CLOCK_MONOTONIC);
/* Restrict the loaded database to entries below `prefix`. */
83 struct selinux_opt options[] = {
84 { .type = SELABEL_OPT_SUBSET, .value = prefix },
87 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
/* Alternative call used when no subset is requested. */
89 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* %m reads errno from the failed selabel_open(); nothing in between may
 * clobber it. */
92 log_enforcing("Failed to initialize SELinux context: %m");
/* Permissive mode downgrades the failure to success: later relabeling
 * becomes a silent no-op because label_hnd stays NULL. */
93 r = security_getenforce() == 1 ? -errno : 0;
95 char timespan[FORMAT_TIMESPAN_MAX];
98 after_timestamp = now(CLOCK_MONOTONIC);
99 after_mallinfo = mallinfo();
/* Heap growth attributed to the database; clamped at 0 because uordblks
 * may have shrunk meanwhile. */
101 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
103 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
104 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
/* Releases the file-context database opened by mac_selinux_init(). The NULL
 * guard before selabel_close() and whether label_hnd is reset to NULL
 * afterwards are not shown — if it is not reset, a later mac_selinux_fix()
 * would hand a closed handle to selabel_lookup_raw(); TODO confirm. */
112 void mac_selinux_finish(void) {
118 selabel_close(label_hnd);
/* Relabels `path` to the context the loaded policy prescribes for it.
 *
 * @param path           file system object to relabel (not dereferenced if
 *                       it is a symlink: both lstat() and lsetfilecon() are
 *                       used)
 * @param ignore_enoent  treat a vanished path as success
 * @param ignore_erofs   treat a read-only file system as success
 * @return 0 on success or on one of the "silently ignored" conditions
 *         below; on other failures an error is logged via log_enforcing()
 *         and the enforcing-mode return (not shown, presumably -errno)
 *         applies only when security_getenforce() == 1.
 *
 * Both the stat and the relabel operate on the path rather than on an fd,
 * so an object replaced between the two calls would be labeled with the
 * mode looked up for its predecessor. Several lines (the label_hnd guard,
 * the return statements) are not shown. */
123 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
131 /* if mac_selinux_init() wasn't called before we are a NOOP */
/* st.st_mode selects the file-type-specific policy entry below. */
135 r = lstat(path, &st);
137 _cleanup_security_context_free_ security_context_t fcon = NULL;
139 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
141 /* If there's no label to set, then exit without warning */
142 if (r < 0 && errno == ENOENT)
146 r = lsetfilecon(path, fcon);
148 /* If the FS doesn't support labels, then exit without warning */
149 if (r < 0 && errno == EOPNOTSUPP)
155 /* Ignore ENOENT in some cases */
/* errno here is still the one left by the failing call above. */
156 if (ignore_enoent && errno == ENOENT)
159 if (ignore_erofs && errno == EROFS)
/* In permissive mode this is only a debug message and (per the line below)
 * the function presumably returns 0, i.e. the failure is swallowed. */
162 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
163 if (security_getenforce() == 1)
171 /// UNNEEDED by elogind
/* Sets an explicit, caller-supplied SELinux context on `path`.
 *
 * @param path   file system object to label; setfilecon() (not the
 *               lsetfilecon() used by mac_selinux_fix()) is called, so a
 *               trailing symlink is presumably followed — confirm against
 *               libselinux semantics
 * @param label  context string; the cast only drops const to match the
 *               libselinux prototype, the string is not modified
 * @return 0 when SELinux is disabled or the label was set; on failure the
 *         enforcing-only error return (line not shown) applies when
 *         security_getenforce() == 1, otherwise the failure is only
 *         logged at debug level. */
173 int mac_selinux_apply(const char *path, const char *label) {
179 if (!mac_selinux_use())
182 if (setfilecon(path, (security_context_t) label) < 0) {
183 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
184 if (security_getenforce() == 1)
/* Computes the context a process would get when this process executes
 * `exe`, according to the loaded policy.
 *
 * @param exe    path of the executable whose file context is looked up with
 *               getfilecon()
 * @param label  out: newly allocated context string written directly by
 *               security_compute_create(); release with mac_selinux_free()
 *               (which calls freecon()), not free()
 * @return 0 on success, negative on failure (the error-return lines are not
 *         shown)
 *
 * mycon (our own context) is filled in by a call that is not shown,
 * presumably getcon() — TODO confirm. */
192 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
196 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
197 security_class_t sclass;
202 if (!mac_selinux_use())
209 r = getfilecon(exe, &fcon);
/* Transition is computed for the "process" object class. */
213 sclass = string_to_security_class("process");
/* The cast adapts char ** to security_context_t *; ownership of *label
 * passes to the caller. */
214 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Retrieves the calling process's own SELinux context into *label. Only the
 * SELinux-disabled guard is shown; the actual lookup and its return codes
 * are not. Release the result with mac_selinux_free(). */
222 int mac_selinux_get_our_label(char **label) {
228 if (!mac_selinux_use())
/* Computes the context for a child that will execute `exe` on behalf of the
 * peer connected on `socket_fd`: our own context is rewritten to carry the
 * peer's MLS range, and the transition is then computed from that context
 * and the target file context.
 *
 * @param socket_fd   connected AF_UNIX socket; its peer context comes from
 *                    getpeercon()
 * @param exe         executable whose file context is used when no explicit
 *                    exec_label is given (the selecting branch is not shown)
 * @param exec_label  explicit target context, if any
 * @param label       out: result of security_compute_create(); release with
 *                    mac_selinux_free()
 * @return 0 on success, negative on failure (error returns not shown)
 *
 * Several lines are not shown, among them the NULL checks after
 * context_new()/context_range_get()/strdup() and whatever precedes the
 * reassignment of mycon at line 288. */
239 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
243 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
244 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
245 security_class_t sclass;
/* Points into pcon; not owned, must not outlive pcon. */
246 const char *range = NULL;
248 assert(socket_fd >= 0);
252 if (!mac_selinux_use())
/* Context of whoever is on the other end of the socket. */
259 r = getpeercon(socket_fd, &peercon);
264 /* If there is no context set for next exec let's use context
265 of target executable */
266 r = getfilecon(exe, &fcon);
/* bcon: mutable copy of our own context, to be given the peer's range. */
271 bcon = context_new(mycon);
275 pcon = context_new(peercon);
279 range = context_range_get(pcon);
283 r = context_range_set(bcon, range);
/* mycon is replaced by the range-adjusted context. The previous value must
 * be released before this assignment (the preceding line is not shown) or
 * it leaks — TODO confirm. strdup() result is NULL-checked presumably on
 * the next line. */
288 mycon = strdup(context_str(bcon));
292 sclass = string_to_security_class("process");
/* Ownership of *label passes to the caller. */
293 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Releases a context string handed out by the mac_selinux_get_*() helpers.
 * Uses freecon(), so this is the only correct way to release such strings;
 * when SELinux is disabled it does nothing (the early return is not shown). */
301 void mac_selinux_free(char *label) {
304 if (!mac_selinux_use())
307 freecon((security_context_t) label);
/* Sets the process-wide file-creation context so that a file about to be
 * created at `path` receives the label the policy prescribes. Must be
 * paired with mac_selinux_create_file_clear(): the context set by
 * setfscreatecon() applies to every file this process creates until it is
 * reset.
 *
 * @param path  intended path; made absolute relative to the cwd for the
 *              lookup if it is relative
 * @param mode  file type/mode used to select the policy entry
 * @return 0 on success, when the policy has no entry for the path, or in
 *         permissive mode after a failed setfscreatecon() (the value in
 *         that branch is not shown); otherwise negative
 *
 * Note the permissive test here is security_getenforce() == 0, whereas
 * mac_selinux_init() tests == 1: a failing security_getenforce() (a value
 * that is neither) is therefore treated as fatal here but as non-fatal
 * there — TODO confirm this asymmetry is intended. The label_hnd guard and
 * the early returns are not shown. */
311 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
315 _cleanup_security_context_free_ security_context_t filecon = NULL;
322 if (path_is_absolute(path))
323 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
/* Relative path: the lookup is done on the cwd-resolved absolute path. */
325 _cleanup_free_ char *newpath;
327 newpath = path_make_absolute_cwd(path);
331 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
334 /* No context specified by the policy? Proceed without setting it. */
335 if (r < 0 && errno == ENOENT)
/* Process-wide state from here on; see mac_selinux_create_file_clear(). */
341 r = setfscreatecon(filecon);
343 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
348 if (r < 0 && security_getenforce() == 0)
/* Resets the process-wide file-creation context set by
 * mac_selinux_create_file_prepare(). The return value of setfscreatecon()
 * is deliberately not checked here. */
355 void mac_selinux_create_file_clear(void) {
360 if (!mac_selinux_use())
363 setfscreatecon(NULL);
/* Sets the process-wide socket-creation context to `label`, so that sockets
 * created afterwards carry it. Must be paired with
 * mac_selinux_create_socket_clear(), otherwise the context leaks onto every
 * later socket of this process.
 *
 * @param label  context string; the cast only drops const
 * @return 0 when SELinux is disabled or the context was set; on failure the
 *         enforcing-only error return (not shown) applies when
 *         security_getenforce() == 1, otherwise the failure is only logged
 *         at debug level. */
367 int mac_selinux_create_socket_prepare(const char *label) {
370 if (!mac_selinux_use())
375 if (setsockcreatecon((security_context_t) label) < 0) {
376 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
378 if (security_getenforce() == 1)
/* Resets the process-wide socket-creation context set by
 * mac_selinux_create_socket_prepare(). The return value of
 * setsockcreatecon() is deliberately not checked here. */
386 void mac_selinux_create_socket_clear(void) {
391 if (!mac_selinux_use())
394 setsockcreatecon(NULL);
398 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
400 /* Binds a socket and label its file system object according to the SELinux policy */
403 _cleanup_security_context_free_ security_context_t fcon = NULL;
404 const struct sockaddr_un *un;
410 assert(addrlen >= sizeof(sa_family_t));
415 /* Filter out non-local sockets */
416 if (addr->sa_family != AF_UNIX)
419 /* Filter out anonymous sockets */
420 if (addrlen < sizeof(sa_family_t) + 1)
423 /* Filter out abstract namespace sockets */
424 un = (const struct sockaddr_un*) addr;
425 if (un->sun_path[0] == 0)
428 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
430 if (path_is_absolute(path))
431 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
433 _cleanup_free_ char *newpath;
435 newpath = path_make_absolute_cwd(path);
439 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
443 r = setfscreatecon(fcon);
445 if (r < 0 && errno != ENOENT) {
446 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
448 if (security_getenforce() == 1) {
454 r = bind(fd, addr, addrlen);
459 setfscreatecon(NULL);
464 return bind(fd, addr, addrlen) < 0 ? -errno : 0;