1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <sys/socket.h>
28 #include <sys/types.h>
35 #include "path-util.h"
38 #include "selinux-util.h"
39 #include <selinux/selinux.h>
40 #include <selinux/label.h>
42 static struct selabel_handle *label_hnd = NULL;
46 int label_init(const char *prefix) {
50 usec_t before_timestamp, after_timestamp;
51 struct mallinfo before_mallinfo, after_mallinfo;
59 before_mallinfo = mallinfo();
60 before_timestamp = now(CLOCK_MONOTONIC);
63 struct selinux_opt options[] = {
64 { .type = SELABEL_OPT_SUBSET, .value = prefix },
67 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
69 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
72 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
73 "Failed to initialize SELinux context: %m");
74 r = security_getenforce() == 1 ? -errno : 0;
76 char timespan[FORMAT_TIMESPAN_MAX];
79 after_timestamp = now(CLOCK_MONOTONIC);
80 after_mallinfo = mallinfo();
82 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
84 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
85 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp),
93 int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
98 security_context_t fcon;
100 if (!use_selinux() || !label_hnd)
103 r = lstat(path, &st);
105 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
107 /* If there's no label to set, then exit without warning */
108 if (r < 0 && errno == ENOENT)
112 r = lsetfilecon(path, fcon);
115 /* If the FS doesn't support labels, then exit without warning */
116 if (r < 0 && errno == ENOTSUP)
122 /* Ignore ENOENT in some cases */
123 if (ignore_enoent && errno == ENOENT)
126 if (ignore_erofs && errno == EROFS)
129 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
130 "Unable to fix label of %s: %m", path);
131 r = security_getenforce() == 1 ? -errno : 0;
138 void label_finish(void) {
141 if (use_selinux() && label_hnd)
142 selabel_close(label_hnd);
146 int label_get_create_label_from_exe(const char *exe, char **label) {
151 security_context_t mycon = NULL, fcon = NULL;
152 security_class_t sclass;
154 if (!use_selinux()) {
163 r = getfilecon(exe, &fcon);
167 sclass = string_to_security_class("process");
168 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
170 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
173 if (r < 0 && security_getenforce() == 1)
183 int label_context_set(const char *path, mode_t mode) {
187 security_context_t filecon = NULL;
189 if (!use_selinux() || !label_hnd)
192 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
193 if (r < 0 && errno != ENOENT)
196 r = setfscreatecon(filecon);
198 log_error("Failed to set SELinux file context on %s: %m", path);
205 if (r < 0 && security_getenforce() == 0)
212 int label_socket_set(const char *label) {
218 if (setsockcreatecon((security_context_t) label) < 0) {
219 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
220 "Failed to set SELinux context (%s) on socket: %m", label);
222 if (security_getenforce() == 1)
230 void label_context_clear(void) {
236 setfscreatecon(NULL);
240 void label_socket_clear(void) {
246 setsockcreatecon(NULL);
250 void label_free(const char *label) {
256 freecon((security_context_t) label);
260 int label_mkdir(const char *path, mode_t mode, bool apply) {
262 /* Creates a directory and labels it according to the SELinux policy */
265 security_context_t fcon = NULL;
267 if (!apply || !use_selinux() || !label_hnd)
270 if (path_is_absolute(path))
271 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
275 newpath = path_make_absolute_cwd(path);
279 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
284 r = setfscreatecon(fcon);
286 if (r < 0 && errno != ENOENT) {
287 log_error("Failed to set security context %s for %s: %m", fcon, path);
289 if (security_getenforce() == 1) {
295 r = mkdir(path, mode);
300 setfscreatecon(NULL);
307 return mkdir(path, mode) < 0 ? -errno : 0;
310 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
312 /* Binds a socket and label its file system object according to the SELinux policy */
316 security_context_t fcon = NULL;
317 const struct sockaddr_un *un;
322 assert(addrlen >= sizeof(sa_family_t));
324 if (!use_selinux() || !label_hnd)
327 /* Filter out non-local sockets */
328 if (addr->sa_family != AF_UNIX)
331 /* Filter out anonymous sockets */
332 if (addrlen < sizeof(sa_family_t) + 1)
335 /* Filter out abstract namespace sockets */
336 un = (const struct sockaddr_un*) addr;
337 if (un->sun_path[0] == 0)
340 path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
344 if (path_is_absolute(path))
345 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
349 newpath = path_make_absolute_cwd(path);
356 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
361 r = setfscreatecon(fcon);
363 if (r < 0 && errno != ENOENT) {
364 log_error("Failed to set security context %s for %s: %m", fcon, path);
366 if (security_getenforce() == 1) {
372 r = bind(fd, addr, addrlen);
377 setfscreatecon(NULL);
385 return bind(fd, addr, addrlen) < 0 ? -errno : 0;