1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
33 #include "path-util.h"
34 #include "selinux-util.h"
/* Cleanup helpers for the two libselinux object kinds used below: a
 * security_context_t must be released with freecon() and a context_t with
 * context_free() -- never with plain free(). */
37 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
38 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
40 #define _cleanup_security_context_free_ _cleanup_(freeconp)
41 #define _cleanup_context_free_ _cleanup_(context_freep)
/* Cached answer of is_selinux_enabled(): -1 = not probed yet, else 0/1.
 * Written by mac_selinux_use(); mac_selinux_retest() presumably resets it
 * (its body is elided in this excerpt). */
43 static int cached_use = -1;
/* Handle on the SELinux file-context database, opened by mac_selinux_init()
 * and closed by mac_selinux_finish(). mac_selinux_context_set() and
 * mac_selinux_bind() refuse to work while it is NULL; the corresponding
 * guards of mac_selinux_fix()/mac_selinux_mkdir() are not visible here. */
44 static struct selabel_handle *label_hnd = NULL;
/* Whether SELinux labelling should be attempted at all. The probe result is
 * cached in cached_use (the cache check itself is elided in this excerpt).
 * is_selinux_enabled() can also return -1 on error; "> 0" maps that to
 * false, i.e. "cannot tell" is treated as "SELinux off" and no labelling is
 * attempted. */
47 bool mac_selinux_use(void) {
50 cached_use = is_selinux_enabled() > 0;
/* Forces mac_selinux_use() to re-probe on its next call (body elided in this
 * excerpt; presumably resets cached_use to -1). */
58 void mac_selinux_retest(void) {
/* Loads the SELinux file-context database into label_hnd so the helpers
 * below can ask the policy which label a path should carry. A non-NULL
 * prefix restricts the database to that subtree (SELABEL_OPT_SUBSET); the
 * NULL-options selabel_open() below is the unrestricted variant. Does
 * nothing when mac_selinux_use() is false. r ends up 0 or a negative errno
 * (return statements are elided in this excerpt). */
64 int mac_selinux_init(const char *prefix) {
68 usec_t before_timestamp, after_timestamp;
69 struct mallinfo before_mallinfo, after_mallinfo;
71 if (!mac_selinux_use())
/* Heap and clock snapshots, used only for the debug message at the end. */
77 before_mallinfo = mallinfo();
78 before_timestamp = now(CLOCK_MONOTONIC);
81 struct selinux_opt options[] = {
82 { .type = SELABEL_OPT_SUBSET, .value = prefix },
85 label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
87 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
/* Fail open: a missing or broken database is only an error when the system
 * is enforcing (security_getenforce() == 1). Permissive mode -- and also a
 * security_getenforce() that itself fails with -1 -- downgrades this to a
 * debug message and r = 0.
 * NOTE(review): errno is consumed by %m and then read again after a second
 * security_getenforce() call, which may touch errno on its own failure
 * path; save it into a local before logging. */
90 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
91 "Failed to initialize SELinux context: %m");
92 r = security_getenforce() == 1 ? -errno : 0;
94 char timespan[FORMAT_TIMESPAN_MAX];
97 after_timestamp = now(CLOCK_MONOTONIC);
98 after_mallinfo = mallinfo();
/* uordblks is a plain int that can also shrink; clamp the delta at 0. */
100 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
102 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
103 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
/* Relabels an existing file system object to what the loaded policy says it
 * should carry. lstat() + lsetfilecon() are used, so a symlink gets its own
 * label rather than its target's. Quietly succeeds when the policy has no
 * rule for the path (ENOENT from the lookup) or the file system cannot hold
 * labels (ENOTSUP); ignore_enoent / ignore_erofs additionally tolerate a
 * vanished path and a read-only file system. The error checks between the
 * calls shown here are elided in this excerpt. */
111 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
116 security_context_t fcon;
121 r = lstat(path, &st);
/* st.st_mode selects the file type so the matching file-context entry is
 * chosen; fcon is a libselinux allocation (its freecon() is not shown). */
123 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
125 /* If there's no label to set, then exit without warning */
126 if (r < 0 && errno == ENOENT)
130 r = lsetfilecon(path, fcon);
133 /* If the FS doesn't support labels, then exit without warning */
134 if (r < 0 && errno == ENOTSUP)
140 /* Ignore ENOENT in some cases */
141 if (ignore_enoent && errno == ENOENT)
144 if (ignore_erofs && errno == EROFS)
/* Fail open, as in mac_selinux_init(): a relabel failure is an error only
 * in enforcing mode; permissive mode, or a security_getenforce() that
 * returns -1, yields r = 0.
 * NOTE(review): errno is re-read after a second security_getenforce() call
 * and after the log call; capture it into a local first. */
147 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
148 "Unable to fix label of %s: %m", path);
149 r = security_getenforce() == 1 ? -errno : 0;
/* Releases the file-context database opened by mac_selinux_init(). Runs only
 * while SELinux is in use.
 * NOTE(review): two things are not visible in this excerpt and should be
 * confirmed: (a) a NULL check on label_hnd before selabel_close(), which is
 * not documented as NULL-safe, and (b) label_hnd being reset to NULL
 * afterwards -- mac_selinux_context_set() and mac_selinux_bind() gate on it
 * being non-NULL and would otherwise use a freed handle. */
156 void mac_selinux_finish(void) {
159 if (!mac_selinux_use())
163 selabel_close(label_hnd);
/* Computes the label a socket created on behalf of `exe` should carry: the
 * policy's create transition (security_compute_create) from our own context
 * (mycon) and the executable's file label (fcon), for class "process". On
 * success *label points at a libselinux allocation; release it with
 * mac_selinux_free() / freecon(), not free(). When SELinux is not in use the
 * function presumably returns early without touching *label (the early-out
 * body is elided). The getcon() for mycon and the intermediate error checks
 * are not part of this excerpt. */
167 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
172 _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
173 security_class_t sclass;
175 if (!mac_selinux_use()) {
/* fcon = label of the file the path resolves to (getfilecon, not lgetfilecon). */
184 r = getfilecon(exe, &fcon);
188 sclass = string_to_security_class("process");
/* The cast only adapts the caller's char** to security_context_t*;
 * libselinux allocates the result. */
189 r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
/* Presumably only reached for r >= 0 (the guard line is elided); *label is
 * not set otherwise. */
191 log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
/* Fail open: in permissive mode, or when security_getenforce() itself fails
 * with -1, a computation error is not propagated and the caller is left
 * without a label. */
194 if (r < 0 && security_getenforce() == 1)
/* Retrieves the calling process's own SELinux context into *label. Body
 * elided in this excerpt; presumably getcon() with the same fail-open
 * handling as its siblings, the result to be released with
 * mac_selinux_free(). */
201 int mac_selinux_get_our_label(char **label) {
/* Derives the label for a child spawned to serve a connection: take our own
 * context (mycon), replace only its MLS/MCS range with the range of the peer
 * connected on socket_fd (getpeercon), and run the "process" create
 * transition against the executable's label. The child therefore runs at the
 * sensitivity level of whoever connected, with our user/role/type preserved.
 * The result (ret, handed to *label in elided lines) is a libselinux
 * allocation; release with mac_selinux_free(). */
217 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
222 _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
223 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
224 security_class_t sclass;
226 const char *range = NULL;
228 assert(socket_fd >= 0);
/* Kernel-reported label of the connected peer; this is the source of the
 * range copied below. */
238 r = getpeercon(socket_fd, &peercon);
/* An explicitly requested exec context (setexeccon) wins over the file label. */
244 r = getexeccon(&fcon);
251 /* If there is no context set for next exec let's use context
252 of target executable */
253 r = getfilecon(exe, &fcon);
/* Parse both contexts so that individual fields can be edited. */
260 bcon = context_new(mycon);
266 pcon = context_new(peercon);
/* Only the range is copied from the peer; a peer context without a range
 * (non-MLS policy) yields NULL here -- handling of that case is elided. */
272 range = context_range_get(pcon);
278 r = context_range_set(bcon, range);
/* mycon is re-pointed at a plain strdup() of the rebuilt context; its
 * cleanup remains freecon(), which is expected to accept a malloc()ed
 * string (confirm). The previous mycon must have been released just before
 * this (not visible in this excerpt), otherwise it leaks. */
285 mycon = strdup(context_str(bcon));
291 sclass = string_to_security_class("process");
292 r = security_compute_create(mycon, fcon, sclass, &ret);
/* Fail open in permissive mode or when security_getenforce() fails (-1):
 * the error is dropped and the caller gets no label. */
303 if (r < 0 && security_getenforce() == 1)
/* Installs the policy label for a to-be-created object at `path` (file type
 * `mode`) as this thread's file-creation context, so the next create on this
 * thread carries that label; callers undo it with mac_selinux_context_clear().
 * A lookup ENOENT (no rule for the path) falls through with filecon still
 * NULL, and setfscreatecon(NULL) then resets to the default transition. */
309 int mac_selinux_context_set(const char *path, mode_t mode) {
313 _cleanup_security_context_free_ security_context_t filecon = NULL;
/* Nothing to look up without a loaded database. */
315 if (!mac_selinux_use() || !label_hnd)
318 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
319 if (r < 0 && errno != ENOENT)
322 r = setfscreatecon(filecon);
324 log_error("Failed to set SELinux file context on %s: %m", path);
/* NOTE(review): this test is inverted relative to every other helper here
 * (== 0 vs. == 1): only an explicit "permissive" answer drops the error
 * (presumably r = 0 in the elided body), so a failing security_getenforce()
 * (-1) propagates the error from this function while it is swallowed
 * everywhere else. Worth making consistent one way or the other. */
329 if (r < 0 && security_getenforce() == 0)
/* Sets this thread's socket-creation context to `label`, so sockets created
 * afterwards on this thread carry it; undo with mac_selinux_socket_clear().
 * Fail open: the failure is an error only in enforcing mode. */
336 int mac_selinux_socket_set(const char *label) {
339 if (!mac_selinux_use())
/* The cast only drops const-ness; the libselinux API takes a non-const
 * pointer but is not expected to modify the string. */
342 if (setsockcreatecon((security_context_t) label) < 0) {
343 log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
344 "Failed to set SELinux context (%s) on socket: %m", label);
/* NOTE(review): the errno for the return value (elided) is read after the
 * log call and a second security_getenforce() call; capture it first. */
346 if (security_getenforce() == 1)
/* Resets this thread's file-creation context to the default. The return
 * value of setfscreatecon() is ignored, so a failed reset silently leaves
 * the previously set label in effect for later creations on this thread. */
354 void mac_selinux_context_clear(void) {
359 if (!mac_selinux_use())
362 setfscreatecon(NULL);
/* Resets this thread's socket-creation context to the default. As with
 * mac_selinux_context_clear(), the result is not checked, so a failed reset
 * leaves the previous socket label in effect. */
366 void mac_selinux_socket_clear(void) {
371 if (!mac_selinux_use())
374 setsockcreatecon(NULL);
/* Releases a label obtained from the mac_selinux_get_*() helpers with
 * freecon(). Note the mac_selinux_use() gate: when SELinux is not in use
 * the pointer is not freed at all, so only pass labels produced while it
 * was; if mac_selinux_retest() flips the cached answer in between, the
 * label leaks. */
378 void mac_selinux_free(const char *label) {
381 if (!mac_selinux_use())
384 freecon((security_context_t) label);
/* Creates a directory with the label the policy assigns to its absolute
 * path: look the label up, install it as the file-creation context,
 * mkdir(), then clear the context again. Relative paths are made absolute
 * against the cwd for the lookup only; mkdir() itself gets the original
 * path. The mac_selinux_use()/label_hnd gate and the plain-mkdir fallback
 * are elided in this excerpt. */
388 int mac_selinux_mkdir(const char *path, mode_t mode) {
392 /* Creates a directory and labels it according to the SELinux policy */
393 _cleanup_security_context_free_ security_context_t fcon = NULL;
398 if (path_is_absolute(path))
399 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
401 _cleanup_free_ char *newpath;
403 newpath = path_make_absolute_cwd(path);
407 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
/* NOTE(review): in the lines shown the lookup result is overwritten here
 * unchecked. If the lookup failed, fcon is still NULL and
 * setfscreatecon(NULL) merely resets the create context, so the directory
 * is created with the default transition label rather than the policy one.
 * Confirm whether the elided lines in between check r; tolerating ENOENT
 * (no rule) is presumably intended, other errors probably not. */
411 r = setfscreatecon(fcon);
/* Fail open in permissive mode (error only if security_getenforce() == 1).
 * NOTE(review): fcon can be NULL here if the lookup failed and the reset
 * also failed; "%s" on a NULL pointer is undefined (glibc prints "(null)"). */
413 if (r < 0 && errno != ENOENT) {
414 log_error("Failed to set security context %s for %s: %m", fcon, path);
416 if (security_getenforce() == 1) {
422 r = mkdir(path, mode);
/* Result ignored: a failed reset leaves fcon in effect for this thread's
 * later creations. If the return value is derived from mkdir()'s errno in
 * the elided lines, it must be captured before this call. */
427 setfscreatecon(NULL);
/* bind() for AF_UNIX path sockets that labels the created socket node per
 * policy: look up the label for the path (type S_IFSOCK), set it as the
 * file-creation context, bind(), then clear the context. Non-AF_UNIX,
 * unnamed and abstract-namespace sockets create no file system object and
 * presumably jump to the plain bind() at the end. */
433 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
435 /* Binds a socket and label its file system object according to the SELinux policy */
438 _cleanup_security_context_free_ security_context_t fcon = NULL;
439 const struct sockaddr_un *un;
445 assert(addrlen >= sizeof(sa_family_t));
447 if (!mac_selinux_use() || !label_hnd)
450 /* Filter out non-local sockets */
451 if (addr->sa_family != AF_UNIX)
454 /* Filter out anonymous sockets */
455 if (addrlen < sizeof(sa_family_t) + 1)
458 /* Filter out abstract namespace sockets */
459 un = (const struct sockaddr_un*) addr;
460 if (un->sun_path[0] == 0)
/* sun_path need not be NUL-terminated, hence strndupa() bounded by the
 * caller-supplied length.
 * NOTE(review): nothing here caps addrlen at sizeof(struct sockaddr_un); a
 * larger value makes this read past sun_path, so callers must pass a sane
 * length (or it should be clamped here). The subtraction relies on
 * offsetof(struct sockaddr_un, sun_path) == sizeof(sa_family_t), which the
 * assert above covers for the usual layout. */
463 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
465 if (path_is_absolute(path))
466 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
468 _cleanup_free_ char *newpath;
470 newpath = path_make_absolute_cwd(path);
474 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
/* NOTE(review): as in mac_selinux_mkdir(), the lookup result is not checked
 * in the lines shown; a NULL fcon just resets the create context and the
 * socket node gets the default transition label. */
478 r = setfscreatecon(fcon);
/* Fail open in permissive mode (error only when security_getenforce() == 1). */
480 if (r < 0 && errno != ENOENT) {
481 log_error("Failed to set security context %s for %s: %m", fcon, path);
483 if (security_getenforce() == 1) {
489 r = bind(fd, addr, addrlen);
/* Result ignored: a failed reset leaves fcon in effect for this thread. */
494 setfscreatecon(NULL);
/* Fallback for the filtered-out cases above: plain bind(), errno mapped to
 * a negative return. */
499 return bind(fd, addr, addrlen) < 0 ? -errno : 0;
502 int mac_selinux_apply(const char *path, const char *label) {
506 if (!mac_selinux_use())
509 r = setfilecon(path, (char *)label);