src/core/selinux-access.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2 /***
   3   This file is part of systemd.
   4
   5   Copyright 2012 Dan Walsh
   6 ***/
   7
   8 #include "selinux-access.h"
   9
  10 #if HAVE_SELINUX
  11
  12 #include <errno.h>
  13 #include <selinux/avc.h>
  14 #include <selinux/selinux.h>
  15 #include <stdio.h>
  16 #if HAVE_AUDIT
  17 #include <libaudit.h>
  18 #endif
  19
  20 #include "sd-bus.h"
  21
  22 #include "alloc-util.h"
  23 #include "audit-fd.h"
  24 #include "bus-util.h"
  25 #include "log.h"
  26 #include "path-util.h"
  27 #include "selinux-util.h"
  28 #include "stdio-util.h"
  29 #include "strv.h"
  30 #include "util.h"
  31
  32 static bool initialized = false;
  33
  34 struct audit_info {
  35         sd_bus_creds *creds;
  36         const char *path;
  37         const char *cmdline;
  38 };
  39
  40 /*
  41    Any time an access gets denied this callback will be called
  42    with the audit data.  We then need to just copy the audit data into the msgbuf.
  43 */
  44 static int audit_callback(
  45                 void *auditdata,
  46                 security_class_t cls,
  47                 char *msgbuf,
  48                 size_t msgbufsize) {
  49
  50         const struct audit_info *audit = auditdata;
  51         uid_t uid = 0, login_uid = 0;
  52         gid_t gid = 0;
  53         char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
  54         char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
  55         char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";
  56
  57         if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
  58                 xsprintf(login_uid_buf, UID_FMT, login_uid);
  59         if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
  60                 xsprintf(uid_buf, UID_FMT, uid);
  61         if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
  62                 xsprintf(gid_buf, GID_FMT, gid);
  63
  64         snprintf(msgbuf, msgbufsize,
  65                  "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
  66                  login_uid_buf, uid_buf, gid_buf,
  67                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
  68                  audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
  69
  70         return 0;
  71 }
  72
  73 static int callback_type_to_priority(int type) {
  74         switch(type) {
  75
  76         case SELINUX_ERROR:
  77                 return LOG_ERR;
  78
  79         case SELINUX_WARNING:
  80                 return LOG_WARNING;
  81
  82         case SELINUX_INFO:
  83                 return LOG_INFO;
  84
  85         case SELINUX_AVC:
  86         default:
  87                 return LOG_NOTICE;
  88         }
  89 }
  90
  91 /*
  92    libselinux uses this callback when access gets denied or other
  93    events happen. If audit is turned on, messages will be reported
  94    using audit netlink, otherwise they will be logged using the usual
  95    channels.
  96
  97    Code copied from dbus and modified.
  98 */
  99 _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 100         va_list ap;
 101         const char *fmt2;
 102
 103 #if HAVE_AUDIT
 104         int fd;
 105
 106         fd = get_audit_fd();
 107
 108         if (fd >= 0) {
 109                 _cleanup_free_ char *buf = NULL;
 110                 int r;
 111
 112                 va_start(ap, fmt);
 113                 r = vasprintf(&buf, fmt, ap);
 114                 va_end(ap);
 115
 116                 if (r >= 0) {
 117                         audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
 118                         return 0;
 119                 }
 120         }
 121 #endif
 122
 123         fmt2 = strjoina("selinux: ", fmt);
 124
 125         va_start(ap, fmt);
 126 #pragma GCC diagnostic push
 127 #pragma GCC diagnostic ignored "-Wformat-nonliteral"
 128         log_internalv(LOG_AUTH | callback_type_to_priority(type),
 129                       0, __FILE__, __LINE__, __FUNCTION__,
 130                       fmt2, ap);
 131 #pragma GCC diagnostic pop
 132         va_end(ap);
 133
 134         return 0;
 135 }
 136
 137 static int access_init(sd_bus_error *error) {
 138
 139         if (!mac_selinux_use())
 140                 return 0;
 141
 142         if (initialized)
 143                 return 1;
 144
 145         if (avc_open(NULL, 0) != 0) {
 146                 int enforce, saved_errno = errno;
 147
 148                 enforce = security_getenforce();
 149                 log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
 150
 151                 /* If enforcement isn't on, then let's suppress this
 152                  * error, and just don't do any AVC checks. The
 153                  * warning we printed is hence all the admin will
 154                  * see. */
 155                 if (enforce == 0)
 156                         return 0;
 157
 158                 /* Return an access denied error, if we couldn't load
 159                  * the AVC but enforcing mode was on, or we couldn't
 160                  * determine whether it is one. */
 161                 return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror(saved_errno));
 162         }
 163
 164         selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
 165         selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
 166
 167         initialized = true;
 168         return 1;
 169 }
 170
 171 /*
 172    This function communicates with the kernel to check whether or not it should
 173    allow the access.
 174    If the machine is in permissive mode it will return ok.  Audit messages will
 175    still be generated if the access would be denied in enforcing mode.
 176 */
 177 int mac_selinux_generic_access_check(
 178                 sd_bus_message *message,
 179                 const char *path,
 180                 const char *permission,
 181                 sd_bus_error *error) {
 182
 183         _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
 184         const char *tclass = NULL, *scon = NULL;
 185         struct audit_info audit_info = {};
 186         _cleanup_free_ char *cl = NULL;
 187         char *fcon = NULL;
 188         char **cmdline = NULL;
 189         int r = 0;
 190
 191         assert(message);
 192         assert(permission);
 193         assert(error);
 194
 195         r = access_init(error);
 196         if (r <= 0)
 197                 return r;
 198
 199         r = sd_bus_query_sender_creds(
 200                         message,
 201                         SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
 202                         SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
 203                         SD_BUS_CREDS_SELINUX_CONTEXT|
 204                         SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
 205                         &creds);
 206         if (r < 0)
 207                 goto finish;
 208
 209         /* The SELinux context is something we really should have
 210          * gotten directly from the message or sender, and not be an
 211          * augmented field. If it was augmented we cannot use it for
 212          * authorization, since this is racy and vulnerable. Let's add
 213          * an extra check, just in case, even though this really
 214          * shouldn't be possible. */
 215         assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
 216
 217         r = sd_bus_creds_get_selinux_context(creds, &scon);
 218         if (r < 0)
 219                 goto finish;
 220
 221         if (path) {
 222                 /* Get the file context of the unit file */
 223
 224                 r = getfilecon_raw(path, &fcon);
 225                 if (r < 0) {
 226                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
 227                         goto finish;
 228                 }
 229
 230                 tclass = "service";
 231         } else {
 232                 r = getcon_raw(&fcon);
 233                 if (r < 0) {
 234                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
 235                         goto finish;
 236                 }
 237
 238                 tclass = "system";
 239         }
 240
 241         sd_bus_creds_get_cmdline(creds, &cmdline);
 242         cl = strv_join(cmdline, " ");
 243
 244         audit_info.creds = creds;
 245         audit_info.path = path;
 246         audit_info.cmdline = cl;
 247
 248         r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
 249         if (r < 0)
 250                 r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
 251
 252         log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
 253
 254 finish:
 255         freecon(fcon);
 256
 257         if (r < 0 && security_getenforce() != 1) {
 258                 sd_bus_error_free(error);
 259                 r = 0;
 260         }
 261
 262         return r;
 263 }
 264
 265 #else
 266
 267 int mac_selinux_generic_access_check(
 268                 sd_bus_message *message,
 269                 const char *path,
 270                 const char *permission,
 271                 sd_bus_error *error) {
 272
 273         return 0;
 274 }
 275
 276 #endif