1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <sys/socket.h>
31 #include "path-util.h"
34 #include <selinux/selinux.h>
35 #include <selinux/label.h>
37 static struct selabel_handle *label_hnd = NULL;
39 static int use_selinux_cached = -1;
41 static inline bool use_selinux(void) {
43 if (use_selinux_cached < 0)
44 use_selinux_cached = is_selinux_enabled() > 0;
46 return use_selinux_cached;
49 void label_retest_selinux(void) {
50 use_selinux_cached = -1;
55 int label_init(const char *prefix) {
59 usec_t before_timestamp, after_timestamp;
60 struct mallinfo before_mallinfo, after_mallinfo;
68 before_mallinfo = mallinfo();
69 before_timestamp = now(CLOCK_MONOTONIC);
72 struct selinux_opt options[] = {
73 { .type = SELABEL_OPT_SUBSET, .value = prefix },
76 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
78 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
81 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
82 "Failed to initialize SELinux context: %m");
83 r = security_getenforce() == 1 ? -errno : 0;
85 char timespan[FORMAT_TIMESPAN_MAX];
88 after_timestamp = now(CLOCK_MONOTONIC);
89 after_mallinfo = mallinfo();
91 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
93 log_info("Successfully loaded SELinux database in %s, size on heap is %iK.",
94 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp),
102 int label_fix(const char *path, bool ignore_enoent) {
107 security_context_t fcon;
109 if (!use_selinux() || !label_hnd)
112 r = lstat(path, &st);
114 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
116 /* If there's no label to set, then exit without warning */
117 if (r < 0 && errno == ENOENT)
121 r = lsetfilecon(path, fcon);
124 /* If the FS doesn't support labels, then exit without warning */
125 if (r < 0 && errno == ENOTSUP)
131 /* Ignore ENOENT in some cases */
132 if (ignore_enoent && errno == ENOENT)
135 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
136 "Unable to fix label of %s: %m", path);
137 r = security_getenforce() == 1 ? -errno : 0;
144 void label_finish(void) {
147 if (use_selinux() && label_hnd)
148 selabel_close(label_hnd);
152 int label_get_create_label_from_exe(const char *exe, char **label) {
157 security_context_t mycon = NULL, fcon = NULL;
158 security_class_t sclass;
160 if (!use_selinux()) {
169 r = getfilecon(exe, &fcon);
173 sclass = string_to_security_class("process");
174 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
176 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
179 if (r < 0 && security_getenforce() == 1)
189 int label_context_set(const char *path, mode_t mode) {
193 security_context_t filecon = NULL;
195 if (!use_selinux() || !label_hnd)
198 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
202 r = setfscreatecon(filecon);
204 log_error("Failed to set SELinux file context on %s: %m", path);
211 if (r < 0 && security_getenforce() == 0)
218 int label_socket_set(const char *label) {
224 if (setsockcreatecon((security_context_t) label) < 0) {
225 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
226 "Failed to set SELinux context (%s) on socket: %m", label);
228 if (security_getenforce() == 1)
236 void label_context_clear(void) {
242 setfscreatecon(NULL);
246 void label_socket_clear(void) {
252 setsockcreatecon(NULL);
256 void label_free(const char *label) {
262 freecon((security_context_t) label);
266 int label_mkdir(const char *path, mode_t mode) {
268 /* Creates a directory and labels it according to the SELinux policy */
272 security_context_t fcon = NULL;
274 if (!use_selinux() || !label_hnd)
277 if (path_is_absolute(path))
278 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
282 newpath = path_make_absolute_cwd(path);
286 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
291 r = setfscreatecon(fcon);
293 if (r < 0 && errno != ENOENT) {
294 log_error("Failed to set security context %s for %s: %m", fcon, path);
296 if (security_getenforce() == 1) {
302 r = mkdir(path, mode);
307 setfscreatecon(NULL);
314 return mkdir(path, mode) < 0 ? -errno : 0;
317 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
319 /* Binds a socket and label its file system object according to the SELinux policy */
323 security_context_t fcon = NULL;
324 const struct sockaddr_un *un;
329 assert(addrlen >= sizeof(sa_family_t));
331 if (!use_selinux() || !label_hnd)
334 /* Filter out non-local sockets */
335 if (addr->sa_family != AF_UNIX)
338 /* Filter out anonymous sockets */
339 if (addrlen < sizeof(sa_family_t) + 1)
342 /* Filter out abstract namespace sockets */
343 un = (const struct sockaddr_un*) addr;
344 if (un->sun_path[0] == 0)
347 path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
351 if (path_is_absolute(path))
352 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
356 newpath = path_make_absolute_cwd(path);
363 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
368 r = setfscreatecon(fcon);
370 if (r < 0 && errno != ENOENT) {
371 log_error("Failed to set security context %s for %s: %m", fcon, path);
373 if (security_getenforce() == 1) {
379 r = bind(fd, addr, addrlen);
384 setfscreatecon(NULL);
392 return bind(fd, addr, addrlen) < 0 ? -errno : 0;