-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
-/***
- This file is part of systemd.
-
- Copyright 2010 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
-***/
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <errno.h>
-#include <unistd.h>
+#include <fcntl.h>
#include <malloc.h>
+#include <stddef.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/types.h>
#include <sys/un.h>
+#include <syslog.h>
-#ifdef HAVE_SELINUX
-#include <selinux/selinux.h>
-#include <selinux/label.h>
+#if HAVE_SELINUX
+#include <selinux/avc.h>
#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
#endif
-#include "strv.h"
+#include "alloc-util.h"
+#include "errno-util.h"
+#include "fd-util.h"
+#include "log.h"
+#include "macro.h"
#include "path-util.h"
#include "selinux-util.h"
+#include "stdio-util.h"
+#include "time-util.h"
-#ifdef HAVE_SELINUX
-DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
-DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
-
-#define _cleanup_security_context_free_ _cleanup_(freeconp)
+#if HAVE_SELINUX
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(context_t, context_free, NULL);
#define _cleanup_context_free_ _cleanup_(context_freep)
+static int mac_selinux_reload(int seqno);
+
static int cached_use = -1;
+static bool initialized = false;
+static int last_policyload = 0;
static struct selabel_handle *label_hnd = NULL;
-
-#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
+static bool have_status_page = false;
+
+#define log_enforcing(...) \
+ log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
+
+#define log_enforcing_errno(error, ...) \
+ ({ \
+ bool _enforcing = mac_selinux_enforcing(); \
+ int _level = _enforcing ? LOG_ERR : LOG_WARNING; \
+ int _e = (error); \
+ \
+ int _r = (log_get_max_level() >= LOG_PRI(_level)) \
+ ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \
+ : -ERRNO_VALUE(_e); \
+ _enforcing ? _r : 0; \
+ })
#endif
bool mac_selinux_use(void) {
-#ifdef HAVE_SELINUX
- if (cached_use < 0)
+#if HAVE_SELINUX
+ if (_unlikely_(cached_use < 0)) {
cached_use = is_selinux_enabled() > 0;
+ log_debug("SELinux enabled state cached to: %s", cached_use ? "enabled" : "disabled");
+ }
return cached_use;
#else
#endif
}
+bool mac_selinux_enforcing(void) {
+ int r = 0;
+#if HAVE_SELINUX
+
+ /* If the SELinux status page has been successfully opened, retrieve the enforcing
+ * status over it to avoid system calls in security_getenforce(). */
+
+ if (have_status_page)
+ r = selinux_status_getenforce();
+ else
+ r = security_getenforce();
+
+#endif
+ return r != 0;
+}
+
void mac_selinux_retest(void) {
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
cached_use = -1;
#endif
}
-int mac_selinux_init(const char *prefix) {
- int r = 0;
+#if HAVE_SELINUX
+# if HAVE_MALLINFO2
+# define HAVE_GENERIC_MALLINFO 1
+typedef struct mallinfo2 generic_mallinfo;
+static generic_mallinfo generic_mallinfo_get(void) {
+ return mallinfo2();
+}
+# elif HAVE_MALLINFO
+# define HAVE_GENERIC_MALLINFO 1
+typedef struct mallinfo generic_mallinfo;
+static generic_mallinfo generic_mallinfo_get(void) {
+ /* glibc has deprecated mallinfo(), let's suppress the deprecation warning if mallinfo2() doesn't
+ * exist yet. */
+DISABLE_WARNING_DEPRECATED_DECLARATIONS
+ return mallinfo();
+REENABLE_WARNING
+}
+# else
+# define HAVE_GENERIC_MALLINFO 0
+# endif
-#ifdef HAVE_SELINUX
+static int open_label_db(void) {
+ struct selabel_handle *hnd;
usec_t before_timestamp, after_timestamp;
- struct mallinfo before_mallinfo, after_mallinfo;
- if (!mac_selinux_use())
- return 0;
+# if HAVE_GENERIC_MALLINFO
+ generic_mallinfo before_mallinfo = generic_mallinfo_get();
+# endif
+ before_timestamp = now(CLOCK_MONOTONIC);
+ hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (!hnd)
+ return log_enforcing_errno(errno, "Failed to initialize SELinux labeling handle: %m");
+
+ after_timestamp = now(CLOCK_MONOTONIC);
+# if HAVE_GENERIC_MALLINFO
+ generic_mallinfo after_mallinfo = generic_mallinfo_get();
+ size_t l = LESS_BY((size_t) after_mallinfo.uordblks, (size_t) before_mallinfo.uordblks);
+ log_debug("Successfully loaded SELinux database in %s, size on heap is %zuK.",
+ FORMAT_TIMESPAN(after_timestamp - before_timestamp, 0),
+ DIV_ROUND_UP(l, 1024));
+# else
+ log_debug("Successfully loaded SELinux database in %s.",
+ FORMAT_TIMESPAN(after_timestamp - before_timestamp, 0));
+# endif
+
+ /* release memory after measurement */
if (label_hnd)
+ selabel_close(label_hnd);
+ label_hnd = TAKE_PTR(hnd);
+
+ return 0;
+}
+#endif
+
+int mac_selinux_init(void) {
+#if HAVE_SELINUX
+ int r;
+
+ if (initialized)
return 0;
- before_mallinfo = mallinfo();
- before_timestamp = now(CLOCK_MONOTONIC);
+ if (!mac_selinux_use())
+ return 0;
- if (prefix) {
- struct selinux_opt options[] = {
- { .type = SELABEL_OPT_SUBSET, .value = prefix },
- };
+ r = selinux_status_open(/* netlink fallback */ 1);
+ if (r < 0) {
+ if (!ERRNO_IS_PRIVILEGE(errno))
+ return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ log_warning_errno(errno, "selinux_status_open() with netlink fallback failed, not checking for policy reloads: %m");
+ } else if (r == 1)
+ log_warning("selinux_status_open() failed to open the status page, using the netlink fallback.");
+ else
+ have_status_page = true;
+
+ r = open_label_db();
+ if (r < 0) {
+ selinux_status_close();
+ return r;
+ }
- label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
- } else
- label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
+ * first call without any actual change. */
+ last_policyload = selinux_status_policyload();
+
+ initialized = true;
+#endif
+ return 0;
+}
- if (!label_hnd) {
- log_enforcing("Failed to initialize SELinux context: %m");
- r = security_getenforce() == 1 ? -errno : 0;
- } else {
- char timespan[FORMAT_TIMESPAN_MAX];
- int l;
+void mac_selinux_maybe_reload(void) {
+#if HAVE_SELINUX
+ int policyload;
- after_timestamp = now(CLOCK_MONOTONIC);
- after_mallinfo = mallinfo();
+ if (!initialized)
+ return;
- l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
+ /* Do not use selinux_status_updated(3), cause since libselinux 3.2 selinux_check_access(3),
+ * called in core and user instances, does also use it under the hood.
+ * That can cause changes to be consumed by selinux_check_access(3) and not being visible here.
+ * Also do not use selinux callbacks, selinux_set_callback(3), cause they are only automatically
+ * invoked since libselinux 3.2 by selinux_status_updated(3).
+ * Relevant libselinux commit: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
+ * Debian Bullseye is going to ship libselinux 3.1, so stay compatible for backports. */
+ policyload = selinux_status_policyload();
+ if (policyload < 0) {
+ log_debug_errno(errno, "Failed to get SELinux policyload from status page: %m");
+ return;
+ }
- log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
- format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
- (l+1023)/1024);
+ if (policyload != last_policyload) {
+ mac_selinux_reload(policyload);
+ last_policyload = policyload;
}
#endif
-
- return r;
}
void mac_selinux_finish(void) {
-#ifdef HAVE_SELINUX
- if (!label_hnd)
- return;
+#if HAVE_SELINUX
+ if (label_hnd) {
+ selabel_close(label_hnd);
+ label_hnd = NULL;
+ }
+
+ selinux_status_close();
+ have_status_page = false;
- selabel_close(label_hnd);
+ initialized = false;
#endif
}
-int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
+#if HAVE_SELINUX
+static int mac_selinux_reload(int seqno) {
+ log_debug("SELinux reload %d", seqno);
+
+ (void) open_label_db();
+
+ return 0;
+}
+#endif
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
+static int selinux_fix_fd(
+ int fd,
+ const char *label_path,
+ LabelFixFlags flags) {
+
+ _cleanup_freecon_ char* fcon = NULL;
struct stat st;
int r;
- assert(path);
+ assert(fd >= 0);
+ assert(label_path);
+ assert(path_is_absolute(label_path));
- /* if mac_selinux_init() wasn't called before we are a NOOP */
+ if (fstat(fd, &st) < 0)
+ return -errno;
+
+ /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
+ mac_selinux_maybe_reload();
if (!label_hnd)
return 0;
- r = lstat(path, &st);
- if (r >= 0) {
- _cleanup_security_context_free_ security_context_t fcon = NULL;
-
- r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
-
+ if (selabel_lookup_raw(label_hnd, &fcon, label_path, st.st_mode) < 0) {
/* If there's no label to set, then exit without warning */
- if (r < 0 && errno == ENOENT)
+ if (errno == ENOENT)
return 0;
- if (r >= 0) {
- r = lsetfilecon(path, fcon);
-
- /* If the FS doesn't support labels, then exit without warning */
- if (r < 0 && errno == ENOTSUP)
- return 0;
- }
+ return log_enforcing_errno(errno, "Unable to lookup intended SELinux security context of %s: %m", label_path);
}
- if (r < 0) {
- /* Ignore ENOENT in some cases */
- if (ignore_enoent && errno == ENOENT)
+ if (setfilecon_raw(FORMAT_PROC_FD_PATH(fd), fcon) < 0) {
+ _cleanup_freecon_ char *oldcon = NULL;
+
+ r = -errno;
+
+ /* If the FS doesn't support labels, then exit without warning */
+ if (ERRNO_IS_NOT_SUPPORTED(r))
return 0;
- if (ignore_erofs && errno == EROFS)
+ /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
+ if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
return 0;
- log_enforcing("Unable to fix SELinux security context of %s: %m", path);
- if (security_getenforce() == 1)
- return -errno;
+ /* If the old label is identical to the new one, suppress any kind of error */
+ if (getfilecon_raw(FORMAT_PROC_FD_PATH(fd), &oldcon) >= 0 && streq_ptr(fcon, oldcon))
+ return 0;
+
+ return log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", label_path);
}
+
+ return 0;
+}
#endif
+int mac_selinux_fix_full(
+ int atfd,
+ const char *inode_path,
+ const char *label_path,
+ LabelFixFlags flags) {
+
+ assert(atfd >= 0 || atfd == AT_FDCWD);
+ assert(atfd >= 0 || inode_path);
+
+#if HAVE_SELINUX
+ _cleanup_close_ int opened_fd = -EBADF;
+ _cleanup_free_ char *p = NULL;
+ int inode_fd, r;
+
+ /* if mac_selinux_init() wasn't called before we are a NOOP */
+ if (!label_hnd)
+ return 0;
+
+ if (inode_path) {
+ opened_fd = openat(atfd, inode_path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+ if (opened_fd < 0) {
+ if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
+ return 0;
+
+ return -errno;
+ }
+
+ inode_fd = opened_fd;
+ } else
+ inode_fd = atfd;
+
+ if (!label_path) {
+ if (path_is_absolute(inode_path))
+ label_path = inode_path;
+ else {
+ r = fd_get_path(inode_fd, &p);
+ if (r < 0)
+ return r;
+
+ label_path = p;
+ }
+ }
+
+ return selinux_fix_fd(inode_fd, label_path, flags);
+#else
return 0;
+#endif
}
int mac_selinux_apply(const char *path, const char *label) {
-#ifdef HAVE_SELINUX
assert(path);
+
+#if HAVE_SELINUX
+ if (!mac_selinux_use())
+ return 0;
+
assert(label);
+ if (setfilecon(path, label) < 0)
+ return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
+#endif
+ return 0;
+}
+
+int mac_selinux_apply_fd(int fd, const char *path, const char *label) {
+
+ assert(fd >= 0);
+
+#if HAVE_SELINUX
if (!mac_selinux_use())
return 0;
- if (setfilecon(path, (security_context_t) label) < 0) {
- log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
- if (security_getenforce() == 1)
- return -errno;
- }
+ assert(label);
+
+ if (setfilecon(FORMAT_PROC_FD_PATH(fd), label) < 0)
+ return log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, strna(path));
#endif
return 0;
}
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
- int r = -EOPNOTSUPP;
-
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
+#if HAVE_SELINUX
+ _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
security_class_t sclass;
assert(exe);
if (!mac_selinux_use())
return -EOPNOTSUPP;
- r = getcon(&mycon);
- if (r < 0)
+ if (getcon_raw(&mycon) < 0)
return -errno;
+ if (!mycon)
+ return -EOPNOTSUPP;
- r = getfilecon(exe, &fcon);
- if (r < 0)
+ if (getfilecon_raw(exe, &fcon) < 0)
return -errno;
+ if (!fcon)
+ return -EOPNOTSUPP;
sclass = string_to_security_class("process");
- r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
- if (r < 0)
- return -errno;
-#endif
+ if (sclass == 0)
+ return -ENOSYS;
- return r;
+ return RET_NERRNO(security_compute_create_raw(mycon, fcon, sclass, label));
+#else
+ return -EOPNOTSUPP;
+#endif
}
-int mac_selinux_get_our_label(char **label) {
- int r = -EOPNOTSUPP;
-
- assert(label);
+int mac_selinux_get_our_label(char **ret) {
+ assert(ret);
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
if (!mac_selinux_use())
return -EOPNOTSUPP;
- r = getcon(label);
- if (r < 0)
+ _cleanup_freecon_ char *con = NULL;
+ if (getcon_raw(&con) < 0)
return -errno;
-#endif
+ if (!con)
+ return -EOPNOTSUPP;
- return r;
+ *ret = TAKE_PTR(con);
+ return 0;
+#else
+ return -EOPNOTSUPP;
+#endif
}
-int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
- int r = -EOPNOTSUPP;
-
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **ret_label) {
+#if HAVE_SELINUX
+ _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
+ const char *range = NULL, *bcon_str = NULL;
security_class_t sclass;
- const char *range = NULL;
assert(socket_fd >= 0);
assert(exe);
- assert(label);
+ assert(ret_label);
if (!mac_selinux_use())
return -EOPNOTSUPP;
- r = getcon(&mycon);
- if (r < 0)
- return -errno;
-
- r = getpeercon(socket_fd, &peercon);
- if (r < 0)
+ if (getcon_raw(&mycon) < 0)
return -errno;
+ if (!mycon)
+ return -EOPNOTSUPP;
- r = getexeccon(&fcon);
- if (r < 0)
+ if (getpeercon_raw(socket_fd, &peercon) < 0)
return -errno;
+ if (!peercon)
+ return -EOPNOTSUPP;
- if (!fcon) {
- /* If there is no context set for next exec let's use context
- of target executable */
- r = getfilecon(exe, &fcon);
- if (r < 0)
+ if (!exec_label) { /* If there is no context set for next exec let's use context of target executable */
+ if (getfilecon_raw(exe, &fcon) < 0)
return -errno;
+ if (!fcon)
+ return -EOPNOTSUPP;
}
bcon = context_new(mycon);
if (!range)
return -errno;
- r = context_range_set(bcon, range);
- if (r)
+ if (context_range_set(bcon, range) != 0)
return -errno;
- freecon(mycon);
- mycon = strdup(context_str(bcon));
- if (!mycon)
+ bcon_str = context_str(bcon);
+ if (!bcon_str)
return -ENOMEM;
sclass = string_to_security_class("process");
- r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
- if (r < 0)
- return -errno;
+ if (sclass == 0)
+ return -ENOSYS;
+
+ return RET_NERRNO(security_compute_create_raw(bcon_str, fcon, sclass, ret_label));
+#else
+ return -EOPNOTSUPP;
#endif
+}
- return r;
+char* mac_selinux_free(char *label) {
+
+#if HAVE_SELINUX
+ freecon(label);
+#else
+ assert(!label);
+#endif
+
+ return NULL;
}
-void mac_selinux_free(char *label) {
+#if HAVE_SELINUX
+static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
+ _cleanup_freecon_ char *filecon = NULL;
+ int r;
-#ifdef HAVE_SELINUX
- if (!mac_selinux_use())
- return;
+ assert(abspath);
+ assert(path_is_absolute(abspath));
- freecon((security_context_t) label);
-#endif
+ /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
+ mac_selinux_maybe_reload();
+ if (!label_hnd)
+ return 0;
+
+ r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
+ if (r < 0) {
+ /* No context specified by the policy? Proceed without setting it. */
+ if (errno == ENOENT)
+ return 0;
+
+ return log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
+ }
+
+ if (setfscreatecon_raw(filecon) < 0)
+ return log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
+
+ return 0;
}
+#endif
-int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
- int r = 0;
+int mac_selinux_create_file_prepare_at(
+ int dir_fd,
+ const char *path,
+ mode_t mode) {
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t filecon = NULL;
+#if HAVE_SELINUX
+ _cleanup_free_ char *abspath = NULL;
+ int r;
- assert(path);
+ if (dir_fd < 0 && dir_fd != AT_FDCWD)
+ return -EBADF;
if (!label_hnd)
return 0;
- if (path_is_absolute(path))
- r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
- else {
- _cleanup_free_ char *newpath;
+ if (isempty(path) || !path_is_absolute(path)) {
+ if (dir_fd == AT_FDCWD)
+ r = safe_getcwd(&abspath);
+ else
+ r = fd_get_path(dir_fd, &abspath);
+ if (r < 0)
+ return r;
- newpath = path_make_absolute_cwd(path);
- if (!newpath)
+ if (!isempty(path) && !path_extend(&abspath, path))
return -ENOMEM;
- r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
+ path = abspath;
}
- /* No context specified by the policy? Proceed without setting it. */
- if (r < 0 && errno == ENOENT)
+ return selinux_create_file_prepare_abspath(path, mode);
+#else
+ return 0;
+#endif
+}
+
+int mac_selinux_create_file_prepare_label(const char *path, const char *label) {
+#if HAVE_SELINUX
+
+ if (!label)
return 0;
- if (r < 0)
- r = -errno;
- else {
- r = setfscreatecon(filecon);
- if (r < 0) {
- log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
- r = -errno;
- }
- }
+ if (!mac_selinux_use())
+ return 0;
- if (r < 0 && security_getenforce() == 0)
- r = 0;
+ if (setfscreatecon_raw(label) < 0)
+ return log_enforcing_errno(errno, "Failed to set specified SELinux security context '%s' for '%s': %m", label, strna(path));
#endif
-
- return r;
+ return 0;
}
void mac_selinux_create_file_clear(void) {
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
PROTECT_ERRNO;
if (!mac_selinux_use())
return;
- setfscreatecon(NULL);
+ setfscreatecon_raw(NULL);
#endif
}
int mac_selinux_create_socket_prepare(const char *label) {
-#ifdef HAVE_SELINUX
- if (!mac_selinux_use())
- return 0;
-
+#if HAVE_SELINUX
assert(label);
- if (setsockcreatecon((security_context_t) label) < 0) {
- log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
+ if (!mac_selinux_use())
+ return 0;
- if (security_getenforce() == 1)
- return -errno;
- }
+ if (setsockcreatecon(label) < 0)
+ return log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
#endif
return 0;
void mac_selinux_create_socket_clear(void) {
-#ifdef HAVE_SELINUX
+#if HAVE_SELINUX
PROTECT_ERRNO;
if (!mac_selinux_use())
return;
- setsockcreatecon(NULL);
+ setsockcreatecon_raw(NULL);
#endif
}
/* Binds a socket and label its file system object according to the SELinux policy */
-#ifdef HAVE_SELINUX
- _cleanup_security_context_free_ security_context_t fcon = NULL;
+#if HAVE_SELINUX
+ _cleanup_freecon_ char *fcon = NULL;
const struct sockaddr_un *un;
+ bool context_changed = false;
+ size_t sz;
char *path;
int r;
goto skipped;
/* Filter out anonymous sockets */
- if (addrlen < sizeof(sa_family_t) + 1)
+ if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
goto skipped;
/* Filter out abstract namespace sockets */
if (un->sun_path[0] == 0)
goto skipped;
- path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
+ sz = addrlen - offsetof(struct sockaddr_un, sun_path);
+ if (sz > PATH_MAX)
+ goto skipped;
+ path = strndupa_safe(un->sun_path, sz);
+
+ /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
+ mac_selinux_maybe_reload();
+ if (!label_hnd)
+ goto skipped;
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else {
- _cleanup_free_ char *newpath;
+ _cleanup_free_ char *newpath = NULL;
- newpath = path_make_absolute_cwd(path);
- if (!newpath)
- return -ENOMEM;
+ r = path_make_absolute_cwd(path, &newpath);
+ if (r < 0)
+ return r;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
}
- if (r == 0)
- r = setfscreatecon(fcon);
-
- if (r < 0 && errno != ENOENT) {
- log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
+ if (r < 0) {
+ /* No context specified by the policy? Proceed without setting it */
+ if (errno == ENOENT)
+ goto skipped;
- if (security_getenforce() == 1) {
- r = -errno;
- goto finish;
- }
+ r = log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
+ if (r < 0)
+ return r;
+ } else {
+ if (setfscreatecon_raw(fcon) < 0) {
+ r = log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
+ if (r < 0)
+ return r;
+ } else
+ context_changed = true;
}
- r = bind(fd, addr, addrlen);
- if (r < 0)
- r = -errno;
+ r = RET_NERRNO(bind(fd, addr, addrlen));
+
+ if (context_changed)
+ (void) setfscreatecon_raw(NULL);
-finish:
- setfscreatecon(NULL);
return r;
skipped:
#endif
- return bind(fd, addr, addrlen) < 0 ? -errno : 0;
+ return RET_NERRNO(bind(fd, addr, addrlen));
}