]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/basic/selinux-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: drop 'This file is part of systemd' blurb
[thirdparty/systemd.git] / src / basic / selinux-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 Copyright 2010 Lennart Poettering
4 ***/
5
6 #include <errno.h>
7 #include <malloc.h>
8 #include <stddef.h>
9 #include <string.h>
10 #include <sys/stat.h>
11 #include <sys/time.h>
12 #include <sys/un.h>
13 #include <syslog.h>
14
15 #if HAVE_SELINUX
16 #include <selinux/context.h>
17 #include <selinux/label.h>
18 #include <selinux/selinux.h>
19 #endif
20
21 #include "alloc-util.h"
22 #include "fd-util.h"
23 #include "log.h"
24 #include "macro.h"
25 #include "path-util.h"
26 #include "selinux-util.h"
27 #include "stdio-util.h"
28 #include "time-util.h"
29 #include "util.h"
30
31 #if HAVE_SELINUX
32 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
33 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
34
35 #define _cleanup_freecon_ _cleanup_(freeconp)
36 #define _cleanup_context_free_ _cleanup_(context_freep)
37
38 static int cached_use = -1;
39 static struct selabel_handle *label_hnd = NULL;
40
41 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
42 #define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
43 #endif
44
45 bool mac_selinux_use(void) {
46 #if HAVE_SELINUX
47 if (cached_use < 0)
48 cached_use = is_selinux_enabled() > 0;
49
50 return cached_use;
51 #else
52 return false;
53 #endif
54 }
55
56 void mac_selinux_retest(void) {
57 #if HAVE_SELINUX
58 cached_use = -1;
59 #endif
60 }
61
62 int mac_selinux_init(void) {
63 int r = 0;
64
65 #if HAVE_SELINUX
66 usec_t before_timestamp, after_timestamp;
67 struct mallinfo before_mallinfo, after_mallinfo;
68
69 if (label_hnd)
70 return 0;
71
72 if (!mac_selinux_use())
73 return 0;
74
75 before_mallinfo = mallinfo();
76 before_timestamp = now(CLOCK_MONOTONIC);
77
78 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
79 if (!label_hnd) {
80 log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
81 r = security_getenforce() == 1 ? -errno : 0;
82 } else {
83 char timespan[FORMAT_TIMESPAN_MAX];
84 int l;
85
86 after_timestamp = now(CLOCK_MONOTONIC);
87 after_mallinfo = mallinfo();
88
89 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
90
91 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
92 format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
93 (l+1023)/1024);
94 }
95 #endif
96
97 return r;
98 }
99
100 void mac_selinux_finish(void) {
101
102 #if HAVE_SELINUX
103 if (!label_hnd)
104 return;
105
106 selabel_close(label_hnd);
107 label_hnd = NULL;
108 #endif
109 }
110
111 int mac_selinux_fix(const char *path, LabelFixFlags flags) {
112
113 #if HAVE_SELINUX
114 char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
115 _cleanup_freecon_ char* fcon = NULL;
116 _cleanup_close_ int fd = -1;
117 struct stat st;
118 int r;
119
120 assert(path);
121
122 /* if mac_selinux_init() wasn't called before we are a NOOP */
123 if (!label_hnd)
124 return 0;
125
126 /* Open the file as O_PATH, to pin it while we determine and adjust the label */
127 fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
128 if (fd < 0) {
129 if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
130 return 0;
131
132 return -errno;
133 }
134
135 if (fstat(fd, &st) < 0)
136 return -errno;
137
138 if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
139 r = -errno;
140
141 /* If there's no label to set, then exit without warning */
142 if (r == -ENOENT)
143 return 0;
144
145 goto fail;
146 }
147
148 xsprintf(procfs_path, "/proc/self/fd/%i", fd);
149 if (setfilecon_raw(procfs_path, fcon) < 0) {
150 _cleanup_freecon_ char *oldcon = NULL;
151
152 r = -errno;
153
154 /* If the FS doesn't support labels, then exit without warning */
155 if (r == -EOPNOTSUPP)
156 return 0;
157
158 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
159 if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
160 return 0;
161
162 /* If the old label is identical to the new one, suppress any kind of error */
163 if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
164 return 0;
165
166 goto fail;
167 }
168
169 return 0;
170
171 fail:
172 log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
173 if (security_getenforce() == 1)
174 return r;
175 #endif
176
177 return 0;
178 }
179
180 int mac_selinux_apply(const char *path, const char *label) {
181
182 #if HAVE_SELINUX
183 if (!mac_selinux_use())
184 return 0;
185
186 assert(path);
187 assert(label);
188
189 if (setfilecon(path, label) < 0) {
190 log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
191 if (security_getenforce() > 0)
192 return -errno;
193 }
194 #endif
195 return 0;
196 }
197
198 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
199 int r = -EOPNOTSUPP;
200
201 #if HAVE_SELINUX
202 _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
203 security_class_t sclass;
204
205 assert(exe);
206 assert(label);
207
208 if (!mac_selinux_use())
209 return -EOPNOTSUPP;
210
211 r = getcon_raw(&mycon);
212 if (r < 0)
213 return -errno;
214
215 r = getfilecon_raw(exe, &fcon);
216 if (r < 0)
217 return -errno;
218
219 sclass = string_to_security_class("process");
220 r = security_compute_create_raw(mycon, fcon, sclass, label);
221 if (r < 0)
222 return -errno;
223 #endif
224
225 return r;
226 }
227
228 int mac_selinux_get_our_label(char **label) {
229 int r = -EOPNOTSUPP;
230
231 assert(label);
232
233 #if HAVE_SELINUX
234 if (!mac_selinux_use())
235 return -EOPNOTSUPP;
236
237 r = getcon_raw(label);
238 if (r < 0)
239 return -errno;
240 #endif
241
242 return r;
243 }
244
245 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
246 int r = -EOPNOTSUPP;
247
248 #if HAVE_SELINUX
249 _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
250 _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
251 security_class_t sclass;
252 const char *range = NULL;
253
254 assert(socket_fd >= 0);
255 assert(exe);
256 assert(label);
257
258 if (!mac_selinux_use())
259 return -EOPNOTSUPP;
260
261 r = getcon_raw(&mycon);
262 if (r < 0)
263 return -errno;
264
265 r = getpeercon_raw(socket_fd, &peercon);
266 if (r < 0)
267 return -errno;
268
269 if (!exec_label) {
270 /* If there is no context set for next exec let's use context
271 of target executable */
272 r = getfilecon_raw(exe, &fcon);
273 if (r < 0)
274 return -errno;
275 }
276
277 bcon = context_new(mycon);
278 if (!bcon)
279 return -ENOMEM;
280
281 pcon = context_new(peercon);
282 if (!pcon)
283 return -ENOMEM;
284
285 range = context_range_get(pcon);
286 if (!range)
287 return -errno;
288
289 r = context_range_set(bcon, range);
290 if (r)
291 return -errno;
292
293 freecon(mycon);
294 mycon = strdup(context_str(bcon));
295 if (!mycon)
296 return -ENOMEM;
297
298 sclass = string_to_security_class("process");
299 r = security_compute_create_raw(mycon, fcon, sclass, label);
300 if (r < 0)
301 return -errno;
302 #endif
303
304 return r;
305 }
306
307 char* mac_selinux_free(char *label) {
308
309 #if HAVE_SELINUX
310 if (!label)
311 return NULL;
312
313 if (!mac_selinux_use())
314 return NULL;
315
316 freecon(label);
317 #endif
318
319 return NULL;
320 }
321
322 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
323
324 #if HAVE_SELINUX
325 _cleanup_freecon_ char *filecon = NULL;
326 int r;
327
328 assert(path);
329
330 if (!label_hnd)
331 return 0;
332
333 if (path_is_absolute(path))
334 r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
335 else {
336 _cleanup_free_ char *newpath = NULL;
337
338 r = path_make_absolute_cwd(path, &newpath);
339 if (r < 0)
340 return r;
341
342 r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
343 }
344
345 if (r < 0) {
346 /* No context specified by the policy? Proceed without setting it. */
347 if (errno == ENOENT)
348 return 0;
349
350 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
351 } else {
352 if (setfscreatecon_raw(filecon) >= 0)
353 return 0; /* Success! */
354
355 log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
356 }
357
358 if (security_getenforce() > 0)
359 return -errno;
360
361 #endif
362 return 0;
363 }
364
365 void mac_selinux_create_file_clear(void) {
366
367 #if HAVE_SELINUX
368 PROTECT_ERRNO;
369
370 if (!mac_selinux_use())
371 return;
372
373 setfscreatecon_raw(NULL);
374 #endif
375 }
376
377 int mac_selinux_create_socket_prepare(const char *label) {
378
379 #if HAVE_SELINUX
380 if (!mac_selinux_use())
381 return 0;
382
383 assert(label);
384
385 if (setsockcreatecon(label) < 0) {
386 log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
387
388 if (security_getenforce() == 1)
389 return -errno;
390 }
391 #endif
392
393 return 0;
394 }
395
396 void mac_selinux_create_socket_clear(void) {
397
398 #if HAVE_SELINUX
399 PROTECT_ERRNO;
400
401 if (!mac_selinux_use())
402 return;
403
404 setsockcreatecon_raw(NULL);
405 #endif
406 }
407
408 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
409
410 /* Binds a socket and label its file system object according to the SELinux policy */
411
412 #if HAVE_SELINUX
413 _cleanup_freecon_ char *fcon = NULL;
414 const struct sockaddr_un *un;
415 bool context_changed = false;
416 char *path;
417 int r;
418
419 assert(fd >= 0);
420 assert(addr);
421 assert(addrlen >= sizeof(sa_family_t));
422
423 if (!label_hnd)
424 goto skipped;
425
426 /* Filter out non-local sockets */
427 if (addr->sa_family != AF_UNIX)
428 goto skipped;
429
430 /* Filter out anonymous sockets */
431 if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
432 goto skipped;
433
434 /* Filter out abstract namespace sockets */
435 un = (const struct sockaddr_un*) addr;
436 if (un->sun_path[0] == 0)
437 goto skipped;
438
439 path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
440
441 if (path_is_absolute(path))
442 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
443 else {
444 _cleanup_free_ char *newpath = NULL;
445
446 r = path_make_absolute_cwd(path, &newpath);
447 if (r < 0)
448 return r;
449
450 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
451 }
452
453 if (r < 0) {
454 /* No context specified by the policy? Proceed without setting it */
455 if (errno == ENOENT)
456 goto skipped;
457
458 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
459 if (security_getenforce() > 0)
460 return -errno;
461
462 } else {
463 if (setfscreatecon_raw(fcon) < 0) {
464 log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
465 if (security_getenforce() > 0)
466 return -errno;
467 } else
468 context_changed = true;
469 }
470
471 r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
472
473 if (context_changed)
474 setfscreatecon_raw(NULL);
475
476 return r;
477
478 skipped:
479 #endif
480 if (bind(fd, addr, addrlen) < 0)
481 return -errno;
482
483 return 0;
484 }
Unnamed repository; edit this file 'description' to name the repository.