1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <sys/socket.h>
33 #include <selinux/selinux.h>
34 #include <selinux/label.h>
36 static struct selabel_handle *label_hnd = NULL;
38 static int use_selinux_cached = -1;
40 static inline bool use_selinux(void) {
42 if (use_selinux_cached < 0)
43 use_selinux_cached = is_selinux_enabled() > 0;
45 return use_selinux_cached;
48 void label_retest_selinux(void) {
49 use_selinux_cached = -1;
54 int label_init(const char *prefix) {
58 usec_t before_timestamp, after_timestamp;
59 struct mallinfo before_mallinfo, after_mallinfo;
67 before_mallinfo = mallinfo();
68 before_timestamp = now(CLOCK_MONOTONIC);
71 struct selinux_opt options[] = {
72 { .type = SELABEL_OPT_SUBSET, .value = prefix },
75 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
77 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
80 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
81 "Failed to initialize SELinux context: %m");
82 r = security_getenforce() == 1 ? -errno : 0;
84 char timespan[FORMAT_TIMESPAN_MAX];
87 after_timestamp = now(CLOCK_MONOTONIC);
88 after_mallinfo = mallinfo();
90 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
92 log_info("Successfully loaded SELinux database in %s, size on heap is %iK.",
93 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp),
101 int label_fix(const char *path, bool ignore_enoent) {
106 security_context_t fcon;
108 if (!use_selinux() || !label_hnd)
111 r = lstat(path, &st);
113 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
115 /* If there's no label to set, then exit without warning */
116 if (r < 0 && errno == ENOENT)
120 r = lsetfilecon(path, fcon);
123 /* If the FS doesn't support labels, then exit without warning */
124 if (r < 0 && errno == ENOTSUP)
130 /* Ignore ENOENT in some cases */
131 if (ignore_enoent && errno == ENOENT)
134 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
135 "Unable to fix label of %s: %m", path);
136 r = security_getenforce() == 1 ? -errno : 0;
143 void label_finish(void) {
146 if (use_selinux() && label_hnd)
147 selabel_close(label_hnd);
151 int label_get_create_label_from_exe(const char *exe, char **label) {
156 security_context_t mycon = NULL, fcon = NULL;
157 security_class_t sclass;
159 if (!use_selinux()) {
168 r = getfilecon(exe, &fcon);
172 sclass = string_to_security_class("process");
173 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
175 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
178 if (r < 0 && security_getenforce() == 1)
188 int label_context_set(const char *path, mode_t mode) {
192 security_context_t filecon = NULL;
194 if (!use_selinux() || !label_hnd)
197 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
201 r = setfscreatecon(filecon);
203 log_error("Failed to set SELinux file context on %s: %m", path);
210 if (r < 0 && security_getenforce() == 0)
217 int label_socket_set(const char *label) {
223 if (setsockcreatecon((security_context_t) label) < 0) {
224 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
225 "Failed to set SELinux context (%s) on socket: %m", label);
227 if (security_getenforce() == 1)
235 void label_context_clear(void) {
241 setfscreatecon(NULL);
245 void label_socket_clear(void) {
251 setsockcreatecon(NULL);
255 void label_free(const char *label) {
261 freecon((security_context_t) label);
265 int label_mkdir(const char *path, mode_t mode) {
267 /* Creates a directory and labels it according to the SELinux policy */
271 security_context_t fcon = NULL;
273 if (!use_selinux() || !label_hnd)
276 if (path_is_absolute(path))
277 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
281 newpath = path_make_absolute_cwd(path);
285 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
290 r = setfscreatecon(fcon);
292 if (r < 0 && errno != ENOENT) {
293 log_error("Failed to set security context %s for %s: %m", fcon, path);
295 if (security_getenforce() == 1) {
301 r = mkdir(path, mode);
306 setfscreatecon(NULL);
313 return mkdir(path, mode) < 0 ? -errno : 0;
316 int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
318 /* Binds a socket and label its file system object according to the SELinux policy */
322 security_context_t fcon = NULL;
323 const struct sockaddr_un *un;
328 assert(addrlen >= sizeof(sa_family_t));
330 if (!use_selinux() || !label_hnd)
333 /* Filter out non-local sockets */
334 if (addr->sa_family != AF_UNIX)
337 /* Filter out anonymous sockets */
338 if (addrlen < sizeof(sa_family_t) + 1)
341 /* Filter out abstract namespace sockets */
342 un = (const struct sockaddr_un*) addr;
343 if (un->sun_path[0] == 0)
346 path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
350 if (path_is_absolute(path))
351 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
355 newpath = path_make_absolute_cwd(path);
362 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
367 r = setfscreatecon(fcon);
369 if (r < 0 && errno != ENOENT) {
370 log_error("Failed to set security context %s for %s: %m", fcon, path);
372 if (security_getenforce() == 1) {
378 r = bind(fd, addr, addrlen);
383 setfscreatecon(NULL);
391 return bind(fd, addr, addrlen) < 0 ? -errno : 0;