1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/socket.h>
27 #include <sys/types.h>
34 #include "path-util.h"
37 #include "selinux-util.h"
38 #include <selinux/selinux.h>
39 #include <selinux/label.h>
41 static struct selabel_handle *label_hnd = NULL;
45 int label_init(const char *prefix) {
49 usec_t before_timestamp, after_timestamp;
50 struct mallinfo before_mallinfo, after_mallinfo;
58 before_mallinfo = mallinfo();
59 before_timestamp = now(CLOCK_MONOTONIC);
62 struct selinux_opt options[] = {
63 { .type = SELABEL_OPT_SUBSET, .value = prefix },
66 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
68 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
71 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
72 "Failed to initialize SELinux context: %m");
73 r = security_getenforce() == 1 ? -errno : 0;
75 char timespan[FORMAT_TIMESPAN_MAX];
78 after_timestamp = now(CLOCK_MONOTONIC);
79 after_mallinfo = mallinfo();
81 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
83 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
84 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
92 int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
97 security_context_t fcon;
99 if (!use_selinux() || !label_hnd)
102 r = lstat(path, &st);
104 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
106 /* If there's no label to set, then exit without warning */
107 if (r < 0 && errno == ENOENT)
111 r = lsetfilecon(path, fcon);
114 /* If the FS doesn't support labels, then exit without warning */
115 if (r < 0 && errno == ENOTSUP)
121 /* Ignore ENOENT in some cases */
122 if (ignore_enoent && errno == ENOENT)
125 if (ignore_erofs && errno == EROFS)
128 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
129 "Unable to fix label of %s: %m", path);
130 r = security_getenforce() == 1 ? -errno : 0;
137 void label_finish(void) {
144 selabel_close(label_hnd);
148 int label_get_create_label_from_exe(const char *exe, char **label) {
153 security_context_t mycon = NULL, fcon = NULL;
154 security_class_t sclass;
156 if (!use_selinux()) {
165 r = getfilecon(exe, &fcon);
169 sclass = string_to_security_class("process");
170 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
172 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
175 if (r < 0 && security_getenforce() == 1)
185 int label_context_set(const char *path, mode_t mode) {
189 security_context_t filecon = NULL;
191 if (!use_selinux() || !label_hnd)
194 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
195 if (r < 0 && errno != ENOENT)
198 r = setfscreatecon(filecon);
200 log_error("Failed to set SELinux file context on %s: %m", path);
207 if (r < 0 && security_getenforce() == 0)
214 int label_socket_set(const char *label) {
220 if (setsockcreatecon((security_context_t) label) < 0) {
221 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
222 "Failed to set SELinux context (%s) on socket: %m", label);
224 if (security_getenforce() == 1)
232 void label_context_clear(void) {
238 setfscreatecon(NULL);
242 void label_socket_clear(void) {
248 setsockcreatecon(NULL);
252 void label_free(const char *label) {
258 freecon((security_context_t) label);
262 int label_mkdir(const char *path, mode_t mode) {
264 /* Creates a directory and labels it according to the SELinux policy */
266 security_context_t fcon = NULL;
269 if (!use_selinux() || !label_hnd)
272 if (path_is_absolute(path))
273 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
275 _cleanup_free_ char *newpath;
277 newpath = path_make_absolute_cwd(path);
281 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
285 r = setfscreatecon(fcon);
287 if (r < 0 && errno != ENOENT) {
288 log_error("Failed to set security context %s for %s: %m", fcon, path);
290 if (security_getenforce() == 1) {
296 r = mkdir(path, mode);
301 setfscreatecon(NULL);
308 return mkdir(path, mode) < 0 ? -errno : 0;
311 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
313 /* Binds a socket and label its file system object according to the SELinux policy */
316 security_context_t fcon = NULL;
317 const struct sockaddr_un *un;
323 assert(addrlen >= sizeof(sa_family_t));
325 if (!use_selinux() || !label_hnd)
328 /* Filter out non-local sockets */
329 if (addr->sa_family != AF_UNIX)
332 /* Filter out anonymous sockets */
333 if (addrlen < sizeof(sa_family_t) + 1)
336 /* Filter out abstract namespace sockets */
337 un = (const struct sockaddr_un*) addr;
338 if (un->sun_path[0] == 0)
341 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
343 if (path_is_absolute(path))
344 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
346 _cleanup_free_ char *newpath;
348 newpath = path_make_absolute_cwd(path);
352 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
356 r = setfscreatecon(fcon);
358 if (r < 0 && errno != ENOENT) {
359 log_error("Failed to set security context %s for %s: %m", fcon, path);
361 if (security_getenforce() == 1) {
367 r = bind(fd, addr, addrlen);
372 setfscreatecon(NULL);
379 return bind(fd, addr, addrlen) < 0 ? -errno : 0;
382 int label_apply(const char *path, const char *label) {
389 r = setfilecon(path, (char *)label);