1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
33 #include "path-util.h"
34 #include "selinux-util.h"
/* Scope-exit cleanup for libselinux objects: a local declared with
 * _cleanup_security_context_free_ / _cleanup_context_free_ is released with
 * freecon() / context_free() on every path out of its scope, so the contexts
 * handed out by getfilecon(), getpeercon(), selabel_lookup_raw() etc. below
 * are not leaked on the many early error returns. */
37 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
38 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
40 #define _cleanup_security_context_free_ _cleanup_(freeconp)
41 #define _cleanup_context_free_ _cleanup_(context_freep)
/* -1: not probed yet; otherwise the cached boolean result of
 * is_selinux_enabled(), maintained by mac_selinux_use()/mac_selinux_retest(). */
43 static int cached_use = -1;
/* File-context labeling database; NULL until mac_selinux_init() has opened
 * it. The lookup helpers below treat a NULL handle as "not initialised, do
 * nothing" (see the comment in mac_selinux_fix()), so the state of this
 * pointer decides whether labeling silently becomes a no-op. */
44 static struct selabel_handle *label_hnd = NULL;
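/* Log a labeling failure at LOG_ERR when SELinux is enforcing (the failure is
 * fatal to the caller) and at LOG_DEBUG when it is permissive or disabled.
 *
 * security_getenforce() has to ask the kernel and may leave errno changed on
 * the way, so errno is saved before the mode is probed and restored before
 * log_full() runs: every use of this macro in this file formats its message
 * with %m, and callers such as mac_selinux_init() go on to derive their return
 * value from -errno, both of which need the errno of the libselinux call that
 * actually failed. (Callers that invoke security_getenforce() themselves after
 * logging still have to capture errno first.) The expansion is a statement
 * expression so it can be used wherever log_full() is; the locals carry
 * distinctive names so they cannot collide with the ones log_full() declares. */
#define log_enforcing(...)                                                     \
        ({                                                                     \
                int _enforcing_errno = errno;                                  \
                int _enforcing_level =                                         \
                        security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG;      \
                errno = _enforcing_errno;                                      \
                log_full(_enforcing_level, __VA_ARGS__);                       \
        })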
/* Whether SELinux should be used at all. Probes is_selinux_enabled() and keeps
 * the boolean answer in cached_use so the libselinux call is not repeated on
 * every labeling operation; the guard on cached_use and the return are elided
 * in this view. Every other entry point in this file bails out early when this
 * is false (presumably returning 0), so a stale cache silently turns labeling
 * into a no-op — callers must not read "returned 0" as "label applied". */
49 bool mac_selinux_use(void) {
52 cached_use = is_selinux_enabled() > 0;
/* Forces mac_selinux_use() to re-probe on its next call; the body (presumably
 * cached_use = -1) is not shown here. NOTE(review): mac_selinux_free() also
 * gates on mac_selinux_use(), so a label obtained while SELinux was reported
 * enabled and freed after a retest that flips the answer would be leaked —
 * confirm retest is only called at well-defined points (e.g. before re-exec). */
60 void mac_selinux_retest(void) {
/* Loads the SELinux file-context database into label_hnd so that the
 * mac_selinux_fix()/mac_selinux_create_*()/mac_selinux_bind() helpers below
 * can look labels up.
 *
 * prefix: when non-NULL, passed as SELABEL_OPT_SUBSET (presumably limiting the
 *         loaded specs to paths under that prefix, which keeps the heap cost
 *         reported in the debug message small); NULL loads the whole database.
 * Returns 0 on success and, presumably, when SELinux is disabled or the open
 * failed in permissive mode; a negative errno-style value only when
 * selabel_open() failed in enforcing mode. Many lines of the function,
 * including the early returns and the branch structure, are elided here. */
66 int mac_selinux_init(const char *prefix) {
70 usec_t before_timestamp, after_timestamp;
71 struct mallinfo before_mallinfo, after_mallinfo;
73 if (!mac_selinux_use())
/* Snapshot heap usage and the monotonic clock purely for the debug message
 * at the end; mallinfo() is a glibc extension. */
79 before_mallinfo = mallinfo();
80 before_timestamp = now(CLOCK_MONOTONIC);
83 struct selinux_opt options[] = {
84 { .type = SELABEL_OPT_SUBSET, .value = prefix },
87 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
89 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* Failure to load the database is only fatal when enforcing.
 * NOTE(review): log_enforcing() and the line after it each call
 * security_getenforce(), which talks to the kernel and may clobber errno
 * before -errno is read. Capture `r = -errno` from the failed selabel_open()
 * first; otherwise the wrong error (or, if errno ended up 0, a spurious
 * success with label_hnd still NULL) can be returned in enforcing mode. */
92 log_enforcing("Failed to initialize SELinux context: %m");
93 r = security_getenforce() == 1 ? -errno : 0;
95 char timespan[FORMAT_TIMESPAN_MAX];
98 after_timestamp = now(CLOCK_MONOTONIC);
99 after_mallinfo = mallinfo();
/* Heap delta in bytes, clamped at zero in case uordblks shrank; the
 * conversion to KiB for the "%iK" below is in the elided lines. */
101 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
103 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
104 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
/* Releases the labeling database opened by mac_selinux_init(); the guards
 * around selabel_close() are not shown. NOTE(review): confirm label_hnd is
 * reset to NULL afterwards — every lookup below assumes a NULL handle means
 * "not initialised, do nothing", so a dangling handle would turn a later
 * call into a use-after-free instead of a no-op. */
112 void mac_selinux_finish(void) {
118 selabel_close(label_hnd);
/* Relabels an existing file system object at path to what the loaded policy
 * says it should carry (what restorecon does for a single path).
 *
 * path:          object to relabel; lstat()/lsetfilecon() are used, so a
 *                symlink gets its own label rather than its target's.
 * ignore_enoent: treat a missing object as success.
 * ignore_erofs:  treat a read-only file system as success.
 * Returns 0 on success and in the tolerated cases noted in the body; a
 * negative errno-style value only in enforcing mode. The early returns and
 * the lines that build the return value are elided in this view. */
122 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
130 /* if mac_selinux_init() wasn't called before we are a NOOP */
/* st.st_mode is only needed to pick the spec for the object's type. The
 * lstat()/lsetfilecon() pair is not atomic: if path is swapped in between,
 * the label computed for the old object's type is set on the new one. */
134 r = lstat(path, &st);
136 _cleanup_security_context_free_ security_context_t fcon = NULL;
138 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
140 /* If there's no label to set, then exit without warning */
141 if (r < 0 && errno == ENOENT)
145 r = lsetfilecon(path, fcon);
147 /* If the FS doesn't support labels, then exit without warning */
148 if (r < 0 && errno == EOPNOTSUPP)
/* Other failures (from lstat() or lsetfilecon(), depending on the elided
 * jumps) are tolerated only for the errno values the caller opted into;
 * everything else is an error when enforcing and a debug message otherwise.
 * NOTE(review): log_enforcing() and the security_getenforce() call below may
 * clobber errno before it is turned into the return value — save it first. */
154 /* Ignore ENOENT in some cases */
155 if (ignore_enoent && errno == ENOENT)
158 if (ignore_erofs && errno == EROFS)
161 log_enforcing("Unable to fix SELinux security context of %s: %m", path);
162 if (security_getenforce() == 1)
/* Sets an explicit, caller-chosen label on path, bypassing the policy
 * database (contrast mac_selinux_fix(), which looks the label up). Note it
 * uses setfilecon(), not the lsetfilecon() that mac_selinux_fix() uses. The
 * cast only drops const for libselinux's non-const prototype; the string is
 * not modified.
 * Presumably returns 0 when SELinux is unused or permissive and a negative
 * errno-style value on failure in enforcing mode; the return lines are elided.
 * NOTE(review): as elsewhere in this file, log_enforcing() and the
 * security_getenforce() call below may clobber errno before it is returned. */
170 int mac_selinux_apply(const char *path, const char *label) {
176 if (!mac_selinux_use())
179 if (setfilecon(path, (security_context_t) label) < 0) {
180 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
181 if (security_getenforce() == 1)
/* Computes the label a process would get if this process executed exe, by
 * asking the kernel for the "process" class create transition from our own
 * context (mycon; filled in by elided lines, presumably via getcon()) against
 * the executable's file context.
 *
 * exe:   path of the executable to be run.
 * label: on success receives a libselinux-allocated string owned by the
 *        caller; release it with mac_selinux_free().
 * Presumably returns 0 without touching *label when SELinux is unused, 0 on
 * success, negative errno-style otherwise; the checks between the calls are
 * elided here. */
188 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
192 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
193 security_class_t sclass;
198 if (!mac_selinux_use())
/* getfilecon() (not lgetfilecon()) is used, so exe may be a symlink. */
205 r = getfilecon(exe, &fcon);
/* The cast matches security_compute_create()'s security_context_t* out
 * parameter; the result is later released with freecon() by
 * mac_selinux_free(). */
209 sclass = string_to_security_class("process");
210 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Retrieves this process's own SELinux context into *label (the libselinux
 * call, presumably getcon(), and its error handling are elided here).
 * Ownership of the returned string passes to the caller, who must release it
 * with mac_selinux_free(). Presumably returns 0 without touching *label when
 * SELinux is not in use. */
218 int mac_selinux_get_our_label(char **label) {
224 if (!mac_selinux_use())
/* Computes the label for a child spawned on behalf of the peer connected to
 * socket_fd, carrying the peer's MLS sensitivity range: our own context is
 * copied, its range is replaced by the range taken from the peer's context,
 * and the result is used as the source of a "process" create transition
 * against the executable's context (or exec_label).
 *
 * socket_fd:  connected AF_UNIX socket; the peer's context is read with
 *             getpeercon(), i.e. it comes from the kernel, not from the client.
 * exe:        executable whose file context is used when exec_label is NULL.
 * exec_label: explicit context to use instead of exe's file context (the
 *             branch that applies it is elided here).
 * label:      receives a libselinux-allocated string; free it with
 *             mac_selinux_free().
 * Presumably returns 0 when SELinux is unused or on success and a negative
 * errno-style value otherwise; the NULL/error checks between the calls are
 * elided. */
235 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
239 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
240 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
241 security_class_t sclass;
242 const char *range = NULL;
244 assert(socket_fd >= 0);
248 if (!mac_selinux_use())
255 r = getpeercon(socket_fd, &peercon);
260 /* If there is no context set for next exec let's use context
261 of target executable */
262 r = getfilecon(exe, &fcon);
/* bcon is built from our own context, pcon from the peer's; only the MLS
 * range (context_range_get()/context_range_set()) crosses from one to the
 * other, so the peer cannot influence the user/role/type of the child. */
267 bcon = context_new(mycon);
271 pcon = context_new(peercon);
275 range = context_range_get(pcon);
279 r = context_range_set(bcon, range);
/* NOTE(review): mycon is a _cleanup_ variable being reassigned; the elided
 * lines must freecon() the previous value first or it leaks. The new value is
 * a strdup()ed copy of bcon's string that is later released with freecon(),
 * which relies on freecon() being equivalent to free() — confirm. */
284 mycon = strdup(context_str(bcon));
288 sclass = string_to_security_class("process");
289 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Releases a label returned by the mac_selinux_get_*() helpers above. It is
 * a deliberate no-op when SELinux is not in use, since those helpers
 * presumably never allocate in that case. NOTE(review): the gate is
 * re-evaluated here, so if mac_selinux_retest() changed the cached answer
 * between allocation and free the label is leaked — the pairing assumes a
 * stable answer for the lifetime of the label. */
297 void mac_selinux_free(char *label) {
300 if (!mac_selinux_use())
303 freecon((security_context_t) label);
/* Arms the kernel's file-creation context so that the next file system object
 * created at path (with type bits from mode) is born with the policy's label,
 * instead of being created with a default label and relabeled afterwards.
 * Must be paired with mac_selinux_create_file_clear() once the object exists.
 *
 * path: where the object will be created; a relative path is resolved against
 *       the current working directory before the lookup (presumably because
 *       the file-context specs are keyed by absolute path), so the caller must
 *       not chdir() between this call and the actual creation.
 * mode: the S_IF* type (and mode bits) the object will have; selects the spec.
 * Presumably returns 0 when SELinux is unused, when the policy has no spec for
 * the path, on success, or on failure in permissive mode; negative errno-style
 * otherwise. Guards and early returns are elided in this view. */
307 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
311 _cleanup_security_context_free_ security_context_t filecon = NULL;
318 if (path_is_absolute(path))
319 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
321 _cleanup_free_ char *newpath;
323 newpath = path_make_absolute_cwd(path);
327 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
330 /* No context specified by the policy? Proceed without setting it. */
331 if (r < 0 && errno == ENOENT)
/* NOTE(review): the fscreate attribute is, as far as I know, per-task in the
 * kernel, so the creation must happen on this same thread — confirm. */
337 r = setfscreatecon(filecon);
339 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
/* Permissive: swallow the failure so the caller proceeds unlabeled. Same
 * errno caveat as the other log_enforcing() + security_getenforce() pairs. */
344 if (r < 0 && security_getenforce() == 0)
/* Disarms the file-creation context set by mac_selinux_create_file_prepare().
 * NOTE(review): the return value of setfscreatecon(NULL) is discarded; if the
 * reset failed, every object this thread creates afterwards would still get
 * the previous label. Best-effort is probably intended here, but a
 * log_enforcing() on failure would at least make that visible. */
351 void mac_selinux_create_file_clear(void) {
356 if (!mac_selinux_use())
359 setfscreatecon(NULL);
/* Arms the socket-creation context so that sockets subsequently created by
 * this thread carry label (e.g. one computed by
 * mac_selinux_get_child_mls_label()); pair with
 * mac_selinux_create_socket_clear(). The cast drops const only for
 * libselinux's prototype. Presumably returns 0 when SELinux is unused, on
 * success, or on failure in permissive mode, and negative errno-style in
 * enforcing mode; the return lines are elided. NOTE(review): same
 * errno-clobbering caveat as the other log_enforcing() +
 * security_getenforce() pairs in this file. */
363 int mac_selinux_create_socket_prepare(const char *label) {
366 if (!mac_selinux_use())
371 if (setsockcreatecon((security_context_t) label) < 0) {
372 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
374 if (security_getenforce() == 1)
/* Disarms the socket-creation context. As with mac_selinux_create_file_clear()
 * the result of the reset is not checked, so a failed reset leaves later
 * sockets created by this thread with the stale label. */
382 void mac_selinux_create_socket_clear(void) {
387 if (!mac_selinux_use())
390 setsockcreatecon(NULL);
/* bind() wrapper that gives a path-based AF_UNIX socket's file system node the
 * policy's label at creation time (via the fscreate context) and then restores
 * the default. Anything that creates no file system object — other address
 * families, unnamed sockets, abstract-namespace sockets — falls through to a
 * plain bind().
 *
 * fd:      the socket to bind.
 * addr:    address as passed to bind(); must be at least sizeof(sa_family_t)
 *          bytes (asserted). addrlen must describe the object actually behind
 *          addr, since it bounds the sun_path read below.
 * addrlen: length of addr.
 * Returns 0 on success, a negative errno-style value on failure. Several early
 * returns and the error-propagation lines are elided in this view. */
394 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
396 /* Binds a socket and labels its file system object according to the SELinux policy */
399 _cleanup_security_context_free_ security_context_t fcon = NULL;
400 const struct sockaddr_un *un;
406 assert(addrlen >= sizeof(sa_family_t));
411 /* Filter out non-local sockets */
412 if (addr->sa_family != AF_UNIX)
/* An address consisting of the family alone carries no path. This check also
 * guarantees sun_path[0] lies within addrlen before it is read below. */
415 /* Filter out anonymous sockets */
416 if (addrlen < sizeof(sa_family_t) + 1)
419 /* Filter out abstract namespace sockets */
420 un = (const struct sockaddr_un*) addr;
421 if (un->sun_path[0] == 0)
/* sun_path need not be NUL-terminated within addrlen, so copy at most the
 * bytes addrlen covers (strndupa() adds the terminator on the stack). The
 * subtraction assumes sun_path immediately follows sun_family, i.e.
 * offsetof(sun_path) == sizeof(sa_family_t), which the check above relies on
 * to keep the length positive. */
424 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
426 if (path_is_absolute(path))
427 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
429 _cleanup_free_ char *newpath;
431 newpath = path_make_absolute_cwd(path);
435 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
/* ENOENT after setfscreatecon() is tolerated — presumably the case where the
 * policy has no spec for this path and fcon was left NULL by the elided
 * lookup error path; confirm. */
439 r = setfscreatecon(fcon);
441 if (r < 0 && errno != ENOENT) {
442 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
444 if (security_getenforce() == 1) {
/* The fscreate context is cleared after bind() whether or not it succeeded.
 * NOTE(review): bind()'s errno must be captured before setfscreatecon(NULL)
 * runs, since that call can overwrite it — confirm the elided lines do so. */
450 r = bind(fd, addr, addrlen);
455 setfscreatecon(NULL);
/* Plain bind for everything that needed no labeling. */
460 return bind(fd, addr, addrlen) < 0 ? -errno : 0;