1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright 2010 Lennart Poettering
16 #include <selinux/context.h>
17 #include <selinux/label.h>
18 #include <selinux/selinux.h>
21 #include "alloc-util.h"
22 //#include "fd-util.h"
25 #include "path-util.h"
26 #include "selinux-util.h"
27 //#include "stdio-util.h"
28 #include "time-util.h"
32 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
33 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
35 #define _cleanup_freecon_ _cleanup_(freeconp)
36 #define _cleanup_context_free_ _cleanup_(context_freep)
38 static int cached_use = -1;
39 static struct selabel_handle *label_hnd = NULL;
41 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
42 #define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
45 bool mac_selinux_use(void) {
48 cached_use = is_selinux_enabled() > 0;
56 void mac_selinux_retest(void) {
62 int mac_selinux_init(void) {
66 usec_t before_timestamp, after_timestamp;
67 struct mallinfo before_mallinfo, after_mallinfo;
72 if (!mac_selinux_use())
75 before_mallinfo = mallinfo();
76 before_timestamp = now(CLOCK_MONOTONIC);
78 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
80 log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
81 r = security_getenforce() == 1 ? -errno : 0;
83 char timespan[FORMAT_TIMESPAN_MAX];
86 after_timestamp = now(CLOCK_MONOTONIC);
87 after_mallinfo = mallinfo();
89 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
91 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
92 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
100 void mac_selinux_finish(void) {
106 selabel_close(label_hnd);
111 int mac_selinux_fix(const char *path, LabelFixFlags flags) {
114 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
115 _cleanup_freecon_ char* fcon = NULL;
116 _cleanup_close_ int fd = -1;
122 /* if mac_selinux_init() wasn't called before we are a NOOP */
126 /* Open the file as O_PATH, to pin it while we determine and adjust the label */
127 fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
129 if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
135 if (fstat(fd, &st) < 0)
138 if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
141 /* If there's no label to set, then exit without warning */
148 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
149 if (setfilecon_raw(procfs_path, fcon) < 0) {
150 _cleanup_freecon_ char *oldcon = NULL;
154 /* If the FS doesn't support labels, then exit without warning */
155 if (r == -EOPNOTSUPP)
158 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
159 if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
162 /* If the old label is identical to the new one, suppress any kind of error */
163 if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
172 log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
173 if (security_getenforce() == 1)
180 #if 0 /// UNNEDED by elogind
181 int mac_selinux_apply(const char *path, const char *label) {
184 if (!mac_selinux_use())
190 if (setfilecon(path, label) < 0) {
191 log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
192 if (security_getenforce() > 0)
199 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
203 _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
204 security_class_t sclass;
209 if (!mac_selinux_use())
212 r = getcon_raw(&mycon);
216 r = getfilecon_raw(exe, &fcon);
220 sclass = string_to_security_class("process");
221 r = security_compute_create_raw(mycon, fcon, sclass, label);
229 int mac_selinux_get_our_label(char **label) {
235 if (!mac_selinux_use())
238 r = getcon_raw(label);
246 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
250 _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
251 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
252 security_class_t sclass;
253 const char *range = NULL;
255 assert(socket_fd >= 0);
259 if (!mac_selinux_use())
262 r = getcon_raw(&mycon);
266 r = getpeercon_raw(socket_fd, &peercon);
271 /* If there is no context set for next exec let's use context
272 of target executable */
273 r = getfilecon_raw(exe, &fcon);
278 bcon = context_new(mycon);
282 pcon = context_new(peercon);
286 range = context_range_get(pcon);
290 r = context_range_set(bcon, range);
295 mycon = strdup(context_str(bcon));
299 sclass = string_to_security_class("process");
300 r = security_compute_create_raw(mycon, fcon, sclass, label);
308 char* mac_selinux_free(char *label) {
314 if (!mac_selinux_use())
324 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
327 _cleanup_freecon_ char *filecon = NULL;
335 if (path_is_absolute(path))
336 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
338 _cleanup_free_ char *newpath = NULL;
340 r = path_make_absolute_cwd(path, &newpath);
344 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
348 /* No context specified by the policy? Proceed without setting it. */
352 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
354 if (setfscreatecon_raw(filecon) >= 0)
355 return 0; /* Success! */
357 log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
360 if (security_getenforce() > 0)
367 void mac_selinux_create_file_clear(void) {
372 if (!mac_selinux_use())
375 setfscreatecon_raw(NULL);
379 #if 0 /// UNNEEDED by elogind
380 int mac_selinux_create_socket_prepare(const char *label) {
383 if (!mac_selinux_use())
388 if (setsockcreatecon(label) < 0) {
389 log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
391 if (security_getenforce() == 1)
399 void mac_selinux_create_socket_clear(void) {
404 if (!mac_selinux_use())
407 setsockcreatecon_raw(NULL);
411 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
413 /* Binds a socket and label its file system object according to the SELinux policy */
416 _cleanup_freecon_ char *fcon = NULL;
417 const struct sockaddr_un *un;
418 bool context_changed = false;
424 assert(addrlen >= sizeof(sa_family_t));
429 /* Filter out non-local sockets */
430 if (addr->sa_family != AF_UNIX)
433 /* Filter out anonymous sockets */
434 if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
437 /* Filter out abstract namespace sockets */
438 un = (const struct sockaddr_un*) addr;
439 if (un->sun_path[0] == 0)
442 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
444 if (path_is_absolute(path))
445 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
447 _cleanup_free_ char *newpath = NULL;
449 r = path_make_absolute_cwd(path, &newpath);
453 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
457 /* No context specified by the policy? Proceed without setting it */
461 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
462 if (security_getenforce() > 0)
466 if (setfscreatecon_raw(fcon) < 0) {
467 log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
468 if (security_getenforce() > 0)
471 context_changed = true;
474 r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
477 setfscreatecon_raw(NULL);
483 if (bind(fd, addr, addrlen) < 0)