tree-wide: there is no ENOTSUP on linux
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2010 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <errno.h>
23 #include <malloc.h>
24 #include <sys/un.h>
25
26 #ifdef HAVE_SELINUX
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
30 #endif
31
32 #include "strv.h"
33 #include "path-util.h"
34 #include "selinux-util.h"
35
#ifdef HAVE_SELINUX
/* Scope-exit cleanup helpers for strings and context objects handed out by libselinux. */
DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);

#define _cleanup_security_context_free_ _cleanup_(freeconp)
#define _cleanup_context_free_ _cleanup_(context_freep)

/* Cached is_selinux_enabled() answer: -1 = not probed yet, 0 = off, 1 = on.
 * mac_selinux_use() fills it in, mac_selinux_retest() resets it to -1. */
static int cached_use = -1;
/* File-context lookup handle opened by mac_selinux_init(); NULL until that
 * succeeds, and every path-labelling helper is a no-op while it is NULL. */
static struct selabel_handle *label_hnd = NULL;

/* Labelling failures are errors only while the policy is enforcing; in
 * permissive mode they are demoted to debug messages. */
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif
48
/* Report whether SELinux is enabled on this system. The is_selinux_enabled()
 * answer is memoised in cached_use until mac_selinux_retest() clears it.
 * Always false when SELinux support is not compiled in. */
bool mac_selinux_use(void) {
#ifdef HAVE_SELINUX
        if (cached_use >= 0)
                return cached_use;

        /* First call (or first after a retest): probe the kernel once. */
        cached_use = is_selinux_enabled() > 0;
        return cached_use;
#else
        return false;
#endif
}
59
/* Discard the memoised is_selinux_enabled() answer so that the next
 * mac_selinux_use() call probes the kernel again. */
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
        cached_use = -1; /* -1 is the "unknown" state mac_selinux_use() looks for */
#endif
}
65
/* Open the SELinux file-context database into label_hnd, optionally restricted
 * to paths below "prefix" (SELABEL_OPT_SUBSET). A no-op when SELinux is not in
 * use or a handle is already open. Returns 0, or -errno when selabel_open()
 * fails while the policy is enforcing; in permissive mode the failure is only
 * logged and 0 is returned. */
int mac_selinux_init(const char *prefix) {
        int r = 0;

#ifdef HAVE_SELINUX
        struct mallinfo heap_before, heap_after;
        usec_t t_before, t_after;

        if (!mac_selinux_use() || label_hnd)
                return 0;

        /* Snapshot clock and heap so the cost of loading can be reported. */
        heap_before = mallinfo();
        t_before = now(CLOCK_MONOTONIC);

        if (!prefix)
                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        else {
                struct selinux_opt options[] = {
                        { .type = SELABEL_OPT_SUBSET, .value = prefix },
                };

                label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
        }

        if (!label_hnd) {
                log_enforcing("Failed to initialize SELinux context: %m");
                if (security_getenforce() == 1)
                        r = -errno;
        } else {
                char timespan[FORMAT_TIMESPAN_MAX];
                int heap_delta = 0;

                t_after = now(CLOCK_MONOTONIC);
                heap_after = mallinfo();

                /* uordblks may have shrunk in between; never report a negative size. */
                if (heap_after.uordblks > heap_before.uordblks)
                        heap_delta = heap_after.uordblks - heap_before.uordblks;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), t_after - t_before, 0),
                          (heap_delta + 1023) / 1024);
        }
#endif

        return r;
}
111
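/* Close the file-context handle opened by mac_selinux_init(). Safe to call
 * when nothing was opened. Afterwards the path-labelling helpers are no-ops
 * again and mac_selinux_init() may be called to reopen the database. */
void mac_selinux_finish(void) {

#ifdef HAVE_SELINUX
        if (!label_hnd)
                return;

        selabel_close(label_hnd);
        /* Clear the stale pointer: the lookup helpers test label_hnd for NULL
         * and would otherwise use the closed handle, and mac_selinux_init()
         * would believe the database is still open. */
        label_hnd = NULL;
#endif
}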
121
/* Relabel "path" with the context the loaded file-context database assigns to
 * it. The object is examined with lstat() and labelled with lsetfilecon(), so a
 * symlink gets its own label. No-op while no database is loaded. Returns 0 on
 * success, when the policy has no entry for the path, when the filesystem does
 * not support labels, when the error is tolerated via ignore_enoent/ignore_erofs,
 * or in permissive mode; -errno otherwise. */
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t fcon = NULL;
        struct stat st;

        assert(path);

        /* Nothing loaded by mac_selinux_init(): nothing to do. */
        if (!label_hnd)
                return 0;

        if (lstat(path, &st) < 0)
                goto fail;

        if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
                /* The policy has no label for this path: silently leave it alone. */
                if (errno == ENOENT)
                        return 0;
                goto fail;
        }

        if (lsetfilecon(path, fcon) < 0) {
                /* The filesystem cannot carry labels: silently leave it alone. */
                if (errno == EOPNOTSUPP)
                        return 0;
                goto fail;
        }

        return 0;

fail:
        /* Ignore ENOENT in some cases */
        if (ignore_enoent && errno == ENOENT)
                return 0;

        if (ignore_erofs && errno == EROFS)
                return 0;

        log_enforcing("Unable to fix SELinux security context of %s: %m", path);
        if (security_getenforce() == 1)
                return -errno;
#endif

        return 0;
}
169
/* Set the explicit context "label" on "path" via setfilecon(). No-op when
 * SELinux is not in use. A failure yields -errno only while the policy is
 * enforcing; in permissive mode it is logged and 0 is returned. */
int mac_selinux_apply(const char *path, const char *label) {

#ifdef HAVE_SELINUX
        assert(path);
        assert(label);

        if (!mac_selinux_use())
                return 0;

        if (setfilecon(path, (security_context_t) label) >= 0)
                return 0;

        log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
        if (security_getenforce() == 1)
                return -errno;
#endif
        return 0;
}
187
/* Compute the context a process would run with if we executed "exe":
 * security_compute_create() over our own context, the file context of "exe"
 * and the "process" class. On success *label receives the result, to be
 * released with mac_selinux_free(), and the (non-negative) return value of
 * security_compute_create() is passed through. Returns -EOPNOTSUPP when
 * SELinux is unavailable and -errno when a libselinux call fails. */
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
        int r = -EOPNOTSUPP;

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t ourcon = NULL, execon = NULL;

        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        if (getcon(&ourcon) < 0)
                return -errno;

        if (getfilecon(exe, &execon) < 0)
                return -errno;

        r = security_compute_create(ourcon, execon, string_to_security_class("process"),
                                    (security_context_t *) label);
        if (r < 0)
                return -errno;
#endif

        return r;
}
217
/* Fetch the current process's own context via getcon() into *label (release
 * with mac_selinux_free()). Returns getcon()'s non-negative result on success,
 * -EOPNOTSUPP when SELinux is unavailable, -errno when getcon() fails. */
int mac_selinux_get_our_label(char **label) {
        assert(label);

#ifdef HAVE_SELINUX
        if (mac_selinux_use()) {
                int rc = getcon(label);
                return rc < 0 ? -errno : rc;
        }
#endif

        return -EOPNOTSUPP;
}
234
/* Compute the context for a child that will execute "exe" on behalf of the peer
 * connected on socket_fd: our own context, with its MLS range replaced by the
 * peer's range (from getpeercon()), is the source context for
 * security_compute_create() against the file context of "exe", class "process".
 * On success *label receives the result (release with mac_selinux_free()) and
 * security_compute_create()'s non-negative return value is passed through.
 * Returns -EOPNOTSUPP when SELinux is unavailable, -ENOMEM on allocation
 * failure, -errno when a libselinux call fails. */
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
        int r = -EOPNOTSUPP;

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
        security_class_t sclass;
        const char *range = NULL;

        assert(socket_fd >= 0);
        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        /* Our own context and the context of whoever is on the other end of the socket. */
        r = getcon(&mycon);
        if (r < 0)
                return -errno;

        r = getpeercon(socket_fd, &peercon);
        if (r < 0)
                return -errno;

        if (!exec_label) {
                /* If there is no context set for next exec let's use context
                   of target executable */
                r = getfilecon(exe, &fcon);
                if (r < 0)
                        return -errno;
        }
        /* NOTE(review): when exec_label is given, fcon stays NULL and is passed as
         * the target context to security_compute_create() below — confirm that is
         * the intended behaviour. */

        /* Parse both contexts so the peer's MLS range can be grafted onto ours. */
        bcon = context_new(mycon);
        if (!bcon)
                return -ENOMEM;

        pcon = context_new(peercon);
        if (!pcon)
                return -ENOMEM;

        range = context_range_get(pcon);
        if (!range)
                return -errno;

        r = context_range_set(bcon, range);
        if (r)
                return -errno;

        /* Swap mycon for the re-ranged string form; the copy is released by the
         * same scope-exit cleanup as the original. */
        freecon(mycon);
        mycon = strdup(context_str(bcon));
        if (!mycon)
                return -ENOMEM;

        sclass = string_to_security_class("process");
        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r < 0)
                return -errno;
#endif

        return r;
}
296
/* Release a label obtained from the mac_selinux_get_*_label() helpers.
 * Does nothing when SELinux is not in use. */
void mac_selinux_free(char *label) {

#ifdef HAVE_SELINUX
        if (mac_selinux_use())
                freecon((security_context_t) label);
#endif
}
306
/* Arm the per-thread file-creation context (setfscreatecon()) with the label the
 * loaded policy assigns to "path" for an object of type "mode", so that the file
 * about to be created gets that label. Relative paths are resolved against the
 * cwd for the lookup. No-op while no database is loaded. Returns 0 on success
 * or when the policy has no entry for the path, -ENOMEM if the path cannot be
 * made absolute, and otherwise -errno — except in permissive mode, where
 * labelling failures are reported as 0. Undo with mac_selinux_create_file_clear(). */
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
        int r = 0;

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t filecon = NULL;
        _cleanup_free_ char *abspath = NULL;
        const char *lookup_path = path;

        assert(path);

        if (!label_hnd)
                return 0;

        /* The file-context database is keyed by absolute paths. */
        if (!path_is_absolute(path)) {
                abspath = path_make_absolute_cwd(path);
                if (!abspath)
                        return -ENOMEM;
                lookup_path = abspath;
        }

        r = selabel_lookup_raw(label_hnd, &filecon, lookup_path, mode);
        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it. */
                if (errno == ENOENT)
                        return 0;
                r = -errno;
        } else {
                r = setfscreatecon(filecon);
                if (r < 0) {
                        log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
                        r = -errno;
                }
        }

        /* Permissive mode: report but do not fail. */
        if (r < 0 && security_getenforce() == 0)
                r = 0;
#endif

        return r;
}
350
/* Disarm the file-creation context set by mac_selinux_create_file_prepare().
 * errno is preserved so this can be called on error paths. */
void mac_selinux_create_file_clear(void) {

#ifdef HAVE_SELINUX
        PROTECT_ERRNO;

        if (mac_selinux_use())
                setfscreatecon(NULL);
#endif
}
362
/* Arm the per-thread socket-creation context (setsockcreatecon()) with "label".
 * No-op when SELinux is not in use. A failure yields -errno only while the
 * policy is enforcing; in permissive mode it is logged and 0 is returned.
 * Undo with mac_selinux_create_socket_clear(). */
int mac_selinux_create_socket_prepare(const char *label) {

#ifdef HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(label);

        if (setsockcreatecon((security_context_t) label) >= 0)
                return 0;

        log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);

        if (security_getenforce() == 1)
                return -errno;
#endif

        return 0;
}
381
/* Disarm the socket-creation context set by mac_selinux_create_socket_prepare().
 * errno is preserved so this can be called on error paths. */
void mac_selinux_create_socket_clear(void) {

#ifdef HAVE_SELINUX
        PROTECT_ERRNO;

        if (mac_selinux_use())
                setsockcreatecon(NULL);
#endif
}
393
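/* Bind fd to addr like bind(2), but when addr names a filesystem path (AF_UNIX,
 * not anonymous, not abstract) first arm the file-creation context with the
 * label the loaded policy assigns to that socket path, so the socket inode is
 * created with the right context; the creation context is cleared again before
 * returning. Without a loaded database, or for any other address, this is a
 * plain bind(). Returns 0 on success, -errno on failure; a path the policy has
 * no entry for (ENOENT) is bound unlabelled, and other labelling problems are
 * fatal only while the policy is enforcing. */
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t fcon = NULL;
        _cleanup_free_ char *abspath = NULL;
        const struct sockaddr_un *un;
        const char *path, *lookup_path;
        size_t path_len;
        int r;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        /* No database loaded by mac_selinux_init(): nothing to label. */
        if (!label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < sizeof(sa_family_t) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        /* sun_path need not be NUL-terminated: copy at most what addrlen covers,
         * and never read past the field even if the caller passed an oversized
         * addrlen (the kernel will reject such a bind anyway). */
        path_len = (size_t) addrlen - offsetof(struct sockaddr_un, sun_path);
        if (path_len > sizeof(un->sun_path))
                path_len = sizeof(un->sun_path);
        path = strndupa(un->sun_path, path_len);

        /* The file-context database is keyed by absolute paths. */
        lookup_path = path;
        if (!path_is_absolute(path)) {
                abspath = path_make_absolute_cwd(path);
                if (!abspath)
                        return -ENOMEM;
                lookup_path = abspath;
        }

        r = selabel_lookup_raw(label_hnd, &fcon, lookup_path, S_IFSOCK);
        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                /* fcon is still NULL when the lookup itself failed; never hand NULL to %s. */
                log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon ? fcon : "n/a", path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = bind(fd, addr, addrlen);
        if (r < 0)
                r = -errno;

finish:
        /* Always disarm the creation context, whether or not the bind happened. */
        setfscreatecon(NULL);
        return r;

skipped:
#endif
        return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}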
459 #endif
460 return bind(fd, addr, addrlen) < 0 ? -errno : 0;
461 }