1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
33 #include "path-util.h"
34 #include "selinux-util.h"
37 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
38 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
40 #define _cleanup_security_context_free_ _cleanup_(freeconp)
41 #define _cleanup_context_free_ _cleanup_(context_freep)
43 static int cached_use = -1;
44 static struct selabel_handle *label_hnd = NULL;
46 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
49 bool mac_selinux_use(void) {
52 cached_use = is_selinux_enabled() > 0;
60 void mac_selinux_retest(void) {
66 int mac_selinux_init(const char *prefix) {
70 usec_t before_timestamp, after_timestamp;
71 struct mallinfo before_mallinfo, after_mallinfo;
73 if (!mac_selinux_use())
79 before_mallinfo = mallinfo();
80 before_timestamp = now(CLOCK_MONOTONIC);
83 struct selinux_opt options[] = {
84 { .type = SELABEL_OPT_SUBSET, .value = prefix },
87 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
89 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
92 log_enforcing("Failed to initialize SELinux context: %m");
93 r = security_getenforce() == 1 ? -errno : 0;
95 char timespan[FORMAT_TIMESPAN_MAX];
98 after_timestamp = now(CLOCK_MONOTONIC);
99 after_mallinfo = mallinfo();
101 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
103 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
104 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
112 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
120 /* if mac_selinux_init() wasn't called before we are a NOOP */
124 r = lstat(path, &st);
126 _cleanup_security_context_free_ security_context_t fcon = NULL;
128 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
130 /* If there's no label to set, then exit without warning */
131 if (r < 0 && errno == ENOENT)
135 r = lsetfilecon(path, fcon);
137 /* If the FS doesn't support labels, then exit without warning */
138 if (r < 0 && errno == ENOTSUP)
144 /* Ignore ENOENT in some cases */
145 if (ignore_enoent && errno == ENOENT)
148 if (ignore_erofs && errno == EROFS)
151 log_enforcing("Unable to fix SELinux label of %s: %m", path);
152 r = security_getenforce() == 1 ? -errno : 0;
159 void mac_selinux_finish(void) {
165 selabel_close(label_hnd);
169 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
173 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
174 security_class_t sclass;
179 if (!mac_selinux_use())
186 r = getfilecon(exe, &fcon);
190 sclass = string_to_security_class("process");
191 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
199 int mac_selinux_get_our_label(char **label) {
205 if (!mac_selinux_use())
216 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
220 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
221 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
222 security_class_t sclass;
223 const char *range = NULL;
225 assert(socket_fd >= 0);
229 if (!mac_selinux_use())
236 r = getpeercon(socket_fd, &peercon);
240 r = getexeccon(&fcon);
245 /* If there is no context set for next exec let's use context
246 of target executable */
247 r = getfilecon(exe, &fcon);
252 bcon = context_new(mycon);
256 pcon = context_new(peercon);
260 range = context_range_get(pcon);
264 r = context_range_set(bcon, range);
269 mycon = strdup(context_str(bcon));
273 sclass = string_to_security_class("process");
274 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
282 int mac_selinux_context_set(const char *path, mode_t mode) {
286 _cleanup_security_context_free_ security_context_t filecon = NULL;
291 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
292 if (r < 0 && errno != ENOENT)
295 r = setfscreatecon(filecon);
297 log_enforcing("Failed to set SELinux file context on %s: %m", path);
302 if (r < 0 && security_getenforce() == 0)
309 int mac_selinux_socket_set(const char *label) {
312 if (!mac_selinux_use())
315 if (setsockcreatecon((security_context_t) label) < 0) {
316 log_enforcing("Failed to set SELinux context (%s) on socket: %m", label);
318 if (security_getenforce() == 1)
326 void mac_selinux_context_clear(void) {
331 if (!mac_selinux_use())
334 setfscreatecon(NULL);
338 void mac_selinux_socket_clear(void) {
343 if (!mac_selinux_use())
346 setsockcreatecon(NULL);
350 void mac_selinux_free(const char *label) {
353 if (!mac_selinux_use())
356 freecon((security_context_t) label);
360 int mac_selinux_mkdir(const char *path, mode_t mode) {
364 /* Creates a directory and labels it according to the SELinux policy */
365 _cleanup_security_context_free_ security_context_t fcon = NULL;
370 if (path_is_absolute(path))
371 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
373 _cleanup_free_ char *newpath;
375 newpath = path_make_absolute_cwd(path);
379 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
383 r = setfscreatecon(fcon);
385 if (r < 0 && errno != ENOENT) {
386 log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
388 if (security_getenforce() == 1) {
394 r = mkdir(path, mode);
399 setfscreatecon(NULL);
405 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
407 /* Binds a socket and label its file system object according to the SELinux policy */
410 _cleanup_security_context_free_ security_context_t fcon = NULL;
411 const struct sockaddr_un *un;
417 assert(addrlen >= sizeof(sa_family_t));
419 if (!mac_selinux_use() || !label_hnd)
422 /* Filter out non-local sockets */
423 if (addr->sa_family != AF_UNIX)
426 /* Filter out anonymous sockets */
427 if (addrlen < sizeof(sa_family_t) + 1)
430 /* Filter out abstract namespace sockets */
431 un = (const struct sockaddr_un*) addr;
432 if (un->sun_path[0] == 0)
435 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
437 if (path_is_absolute(path))
438 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
440 _cleanup_free_ char *newpath;
442 newpath = path_make_absolute_cwd(path);
446 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
450 r = setfscreatecon(fcon);
452 if (r < 0 && errno != ENOENT) {
453 log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
455 if (security_getenforce() == 1) {
461 r = bind(fd, addr, addrlen);
466 setfscreatecon(NULL);
471 return bind(fd, addr, addrlen) < 0 ? -errno : 0;
474 int mac_selinux_apply(const char *path, const char *label) {
478 if (!mac_selinux_use())
481 r = setfilecon(path, (char *)label);
~ianmdlvl / elogind.git / blob