[thirdparty/systemd.git] / src / basic / selinux-util.c

/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <malloc.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/un.h>
#include <syslog.h>

#if HAVE_SELINUX
#include <selinux/context.h>
#include <selinux/label.h>
#include <selinux/selinux.h>
#endif

#include "alloc-util.h"
#include "fd-util.h"
#include "log.h"
#include "macro.h"
#include "path-util.h"
#include "selinux-util.h"
#include "stdio-util.h"
#include "time-util.h"
#include "util.h"

#if HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);

#define _cleanup_freecon_ _cleanup_(freeconp)
#define _cleanup_context_free_ _cleanup_(context_freep)

static int cached_use = -1;
static struct selabel_handle *label_hnd = NULL;

#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
#endif

bool mac_selinux_use(void) {
#if HAVE_SELINUX
        if (cached_use < 0)
                cached_use = is_selinux_enabled() > 0;

        return cached_use;
#else
        return false;
#endif
}

void mac_selinux_retest(void) {
#if HAVE_SELINUX
        cached_use = -1;
#endif
}

int mac_selinux_init(void) {
        int r = 0;

#if HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
        struct mallinfo before_mallinfo, after_mallinfo;

        if (label_hnd)
                return 0;

        if (!mac_selinux_use())
                return 0;

        before_mallinfo = mallinfo();
        before_timestamp = now(CLOCK_MONOTONIC);

        label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        if (!label_hnd) {
                log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
                r = security_getenforce() == 1 ? -errno : 0;
        } else  {
                char timespan[FORMAT_TIMESPAN_MAX];
                int l;

                after_timestamp = now(CLOCK_MONOTONIC);
                after_mallinfo = mallinfo();

                l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
                          (l+1023)/1024);
        }
#endif

        return r;
}

void mac_selinux_finish(void) {

#if HAVE_SELINUX
        if (!label_hnd)
                return;

        selabel_close(label_hnd);
        label_hnd = NULL;
#endif
}

int mac_selinux_fix(const char *path, LabelFixFlags flags) {

#if HAVE_SELINUX
        char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
        _cleanup_freecon_ char* fcon = NULL;
        _cleanup_close_ int fd = -1;
        struct stat st;
        int r;

        assert(path);

        /* if mac_selinux_init() wasn't called before we are a NOOP */
        if (!label_hnd)
                return 0;

        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
        if (fd < 0) {
                if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
                        return 0;

                return -errno;
        }

        if (fstat(fd, &st) < 0)
                return -errno;

        if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
                r = -errno;

                /* If there's no label to set, then exit without warning */
                if (r == -ENOENT)
                        return 0;

                goto fail;
        }

        xsprintf(procfs_path, "/proc/self/fd/%i", fd);
        if (setfilecon_raw(procfs_path, fcon) < 0) {
                _cleanup_freecon_ char *oldcon = NULL;

                r = -errno;

                /* If the FS doesn't support labels, then exit without warning */
                if (r == -EOPNOTSUPP)
                        return 0;

                /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
                if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
                        return 0;

                /* If the old label is identical to the new one, suppress any kind of error */
                if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
                        return 0;

                goto fail;
        }

        return 0;

fail:
        log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
        if (security_getenforce() == 1)
                return r;
#endif

        return 0;
}

int mac_selinux_apply(const char *path, const char *label) {

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(path);
        assert(label);

        if (setfilecon(path, label) < 0) {
                log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
                if (security_getenforce() > 0)
                        return -errno;
        }
#endif
        return 0;
}

int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
        int r = -EOPNOTSUPP;

#if HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
        security_class_t sclass;

        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        r = getfilecon_raw(exe, &fcon);
        if (r < 0)
                return -errno;

        sclass = string_to_security_class("process");
        r = security_compute_create_raw(mycon, fcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

int mac_selinux_get_our_label(char **label) {
        int r = -EOPNOTSUPP;

        assert(label);

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
        int r = -EOPNOTSUPP;

#if HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
        security_class_t sclass;
        const char *range = NULL;

        assert(socket_fd >= 0);
        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        r = getpeercon_raw(socket_fd, &peercon);
        if (r < 0)
                return -errno;

        if (!exec_label) {
                /* If there is no context set for next exec let's use context
                   of target executable */
                r = getfilecon_raw(exe, &fcon);
                if (r < 0)
                        return -errno;
        }

        bcon = context_new(mycon);
        if (!bcon)
                return -ENOMEM;

        pcon = context_new(peercon);
        if (!pcon)
                return -ENOMEM;

        range = context_range_get(pcon);
        if (!range)
                return -errno;

        r = context_range_set(bcon, range);
        if (r)
                return -errno;

        freecon(mycon);
        mycon = strdup(context_str(bcon));
        if (!mycon)
                return -ENOMEM;

        sclass = string_to_security_class("process");
        r = security_compute_create_raw(mycon, fcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

char* mac_selinux_free(char *label) {

#if HAVE_SELINUX
        if (!label)
                return NULL;

        if (!mac_selinux_use())
                return NULL;

        freecon(label);
#endif

        return NULL;
}

int mac_selinux_create_file_prepare(const char *path, mode_t mode) {

#if HAVE_SELINUX
        _cleanup_freecon_ char *filecon = NULL;
        int r;

        assert(path);

        if (!label_hnd)
                return 0;

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
        else {
                _cleanup_free_ char *newpath = NULL;

                r = path_make_absolute_cwd(path, &newpath);
                if (r < 0)
                        return r;

                r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
        }

        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it. */
                if (errno == ENOENT)
                        return 0;

                log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
        } else {
                if (setfscreatecon_raw(filecon) >= 0)
                        return 0; /* Success! */

                log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
        }

        if (security_getenforce() > 0)
                return -errno;

#endif
        return 0;
}

void mac_selinux_create_file_clear(void) {

#if HAVE_SELINUX
        PROTECT_ERRNO;

        if (!mac_selinux_use())
                return;

        setfscreatecon_raw(NULL);
#endif
}

int mac_selinux_create_socket_prepare(const char *label) {

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(label);

        if (setsockcreatecon(label) < 0) {
                log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);

                if (security_getenforce() == 1)
                        return -errno;
        }
#endif

        return 0;
}

void mac_selinux_create_socket_clear(void) {

#if HAVE_SELINUX
        PROTECT_ERRNO;

        if (!mac_selinux_use())
                return;

        setsockcreatecon_raw(NULL);
#endif
}

int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

        /* Binds a socket and label its file system object according to the SELinux policy */

#if HAVE_SELINUX
        _cleanup_freecon_ char *fcon = NULL;
        const struct sockaddr_un *un;
        bool context_changed = false;
        char *path;
        int r;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        if (!label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
        else {
                _cleanup_free_ char *newpath = NULL;

                r = path_make_absolute_cwd(path, &newpath);
                if (r < 0)
                        return r;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
        }

        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it */
                if (errno == ENOENT)
                        goto skipped;

                log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
                if (security_getenforce() > 0)
                        return -errno;

        } else {
                if (setfscreatecon_raw(fcon) < 0) {
                        log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
                        if (security_getenforce() > 0)
                                return -errno;
                } else
                        context_changed = true;
        }

        r = bind(fd, addr, addrlen) < 0 ? -errno : 0;

        if (context_changed)
                setfscreatecon_raw(NULL);

        return r;

skipped:
#endif
        if (bind(fd, addr, addrlen) < 0)
                return -errno;

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
cad45ba1	2
66b6d9d5	3	#include <errno.h>
66b6d9d5	4	#include <malloc.h>
11c3a366 TA	5	#include <stddef.h>
	6	#include <string.h>
	7	#include <sys/stat.h>
	8	#include <sys/time.h>
66b6d9d5	9	#include <sys/un.h>
11c3a366	10	#include <syslog.h>
a07e9cfb	11
349cc4a5	12	#if HAVE_SELINUX
66b6d9d5	13	#include <selinux/context.h>
cf0fbc49 TA	14	#include <selinux/label.h>
cf0fbc49 TA	15	#include <selinux/selinux.h>
66b6d9d5 WC	16	#endif
66b6d9d5 WC	17
b5efdb8a	18	#include "alloc-util.h"
08c84981	19	#include "fd-util.h"
11c3a366 TA	20	#include "log.h"
11c3a366 TA	21	#include "macro.h"
93cc7779 TA	22	#include "path-util.h"
93cc7779 TA	23	#include "selinux-util.h"
08c84981	24	#include "stdio-util.h"
11c3a366 TA	25	#include "time-util.h"
11c3a366 TA	26	#include "util.h"
cad45ba1	27
349cc4a5	28	#if HAVE_SELINUX
2ed96880	29	DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
66b6d9d5	30	DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
0b6018f3	31
2ed96880	32	#define _cleanup_freecon_ _cleanup_(freeconp)
66b6d9d5	33	#define _cleanup_context_free_ _cleanup_(context_freep)
0b6018f3	34
6baa7db0	35	static int cached_use = -1;
66b6d9d5	36	static struct selabel_handle *label_hnd = NULL;
66cedb30	37
08c84981 LP	38	#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
08c84981 LP	39	#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
66b6d9d5	40	#endif
cad45ba1	41
6d395665	42	bool mac_selinux_use(void) {
349cc4a5	43	#if HAVE_SELINUX
6baa7db0 LP	44	if (cached_use < 0)
6baa7db0 LP	45	cached_use = is_selinux_enabled() > 0;
cad45ba1	46
6baa7db0	47	return cached_use;
66b6d9d5 WC	48	#else
	49	return false;
	50	#endif
cad45ba1 LP	51	}
cad45ba1 LP	52
6baa7db0	53	void mac_selinux_retest(void) {
349cc4a5	54	#if HAVE_SELINUX
6baa7db0	55	cached_use = -1;
66b6d9d5	56	#endif
cad45ba1	57	}
0b6018f3	58
c3dacc8b	59	int mac_selinux_init(void) {
66b6d9d5	60	int r = 0;
d682b3a7	61
349cc4a5	62	#if HAVE_SELINUX
66b6d9d5 WC	63	usec_t before_timestamp, after_timestamp;
	64	struct mallinfo before_mallinfo, after_mallinfo;
	65
c3dacc8b	66	if (label_hnd)
66b6d9d5 WC	67	return 0;
66b6d9d5 WC	68
c3dacc8b	69	if (!mac_selinux_use())
66b6d9d5 WC	70	return 0;
	71
	72	before_mallinfo = mallinfo();
	73	before_timestamp = now(CLOCK_MONOTONIC);
	74
c3dacc8b	75	label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
66b6d9d5	76	if (!label_hnd) {
b8b846d7	77	log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
66b6d9d5 WC	78	r = security_getenforce() == 1 ? -errno : 0;
	79	} else {
	80	char timespan[FORMAT_TIMESPAN_MAX];
	81	int l;
	82
	83	after_timestamp = now(CLOCK_MONOTONIC);
	84	after_mallinfo = mallinfo();
	85
	86	l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
	87
	88	log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
	89	format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
	90	(l+1023)/1024);
	91	}
	92	#endif
	93
	94	return r;
d682b3a7 LP	95	}
d682b3a7 LP	96
ecabcf8b LP	97	void mac_selinux_finish(void) {
ecabcf8b LP	98
349cc4a5	99	#if HAVE_SELINUX
ecabcf8b LP	100	if (!label_hnd)
	101	return;
	102
	103	selabel_close(label_hnd);
f5ce2b49	104	label_hnd = NULL;
ecabcf8b LP	105	#endif
	106	}
	107
08c84981	108	int mac_selinux_fix(const char *path, LabelFixFlags flags) {
66b6d9d5	109
349cc4a5	110	#if HAVE_SELINUX
08c84981 LP	111	char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
	112	_cleanup_freecon_ char* fcon = NULL;
	113	_cleanup_close_ int fd = -1;
66b6d9d5	114	struct stat st;
ecabcf8b	115	int r;
66b6d9d5	116
5dfc5461 LP	117	assert(path);
	118
	119	/* if mac_selinux_init() wasn't called before we are a NOOP */
66b6d9d5 WC	120	if (!label_hnd)
	121	return 0;
	122
08c84981 LP	123	/* Open the file as O_PATH, to pin it while we determine and adjust the label */
	124	fd = open(path, O_NOFOLLOW\|O_CLOEXEC\|O_PATH);
	125	if (fd < 0) {
	126	if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
	127	return 0;
	128
	129	return -errno;
	130	}
	131
	132	if (fstat(fd, &st) < 0)
	133	return -errno;
5dfc5461	134
08c84981 LP	135	if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
08c84981 LP	136	r = -errno;
66b6d9d5 WC	137
66b6d9d5 WC	138	/* If there's no label to set, then exit without warning */
08c84981	139	if (r == -ENOENT)
66b6d9d5 WC	140	return 0;
66b6d9d5 WC	141
08c84981	142	goto fail;
66b6d9d5 WC	143	}
66b6d9d5 WC	144
08c84981 LP	145	xsprintf(procfs_path, "/proc/self/fd/%i", fd);
	146	if (setfilecon_raw(procfs_path, fcon) < 0) {
	147	_cleanup_freecon_ char *oldcon = NULL;
	148
	149	r = -errno;
	150
	151	/* If the FS doesn't support labels, then exit without warning */
	152	if (r == -EOPNOTSUPP)
66b6d9d5 WC	153	return 0;
66b6d9d5 WC	154
08c84981 LP	155	/* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
08c84981 LP	156	if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
66b6d9d5 WC	157	return 0;
66b6d9d5 WC	158
08c84981 LP	159	/* If the old label is identical to the new one, suppress any kind of error */
	160	if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
	161	return 0;
	162
	163	goto fail;
66b6d9d5	164	}
08c84981 LP	165
	166	return 0;
	167
	168	fail:
	169	log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
	170	if (security_getenforce() == 1)
	171	return r;
66b6d9d5 WC	172	#endif
66b6d9d5 WC	173
ecabcf8b	174	return 0;
66b6d9d5 WC	175	}
66b6d9d5 WC	176
ecabcf8b	177	int mac_selinux_apply(const char path, const char label) {
66b6d9d5	178
349cc4a5	179	#if HAVE_SELINUX
ecabcf8b LP	180	if (!mac_selinux_use())
	181	return 0;
	182
0f474365 LP	183	assert(path);
	184	assert(label);
	185
2ed96880	186	if (setfilecon(path, label) < 0) {
b8b846d7	187	log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
0f474365	188	if (security_getenforce() > 0)
ecabcf8b LP	189	return -errno;
ecabcf8b LP	190	}
66b6d9d5	191	#endif
ecabcf8b	192	return 0;
d682b3a7 LP	193	}
d682b3a7 LP	194
cc56fafe	195	int mac_selinux_get_create_label_from_exe(const char exe, char *label) {
7f416dae	196	int r = -EOPNOTSUPP;
66b6d9d5	197
349cc4a5	198	#if HAVE_SELINUX
2ed96880	199	_cleanup_freecon_ char mycon = NULL, fcon = NULL;
66b6d9d5 WC	200	security_class_t sclass;
66b6d9d5 WC	201
7f416dae LP	202	assert(exe);
	203	assert(label);
	204
6d395665	205	if (!mac_selinux_use())
7f416dae	206	return -EOPNOTSUPP;
66b6d9d5	207
24154879	208	r = getcon_raw(&mycon);
66b6d9d5	209	if (r < 0)
7f416dae	210	return -errno;
66b6d9d5	211
24154879	212	r = getfilecon_raw(exe, &fcon);
66b6d9d5	213	if (r < 0)
7f416dae	214	return -errno;
66b6d9d5 WC	215
66b6d9d5 WC	216	sclass = string_to_security_class("process");
2ed96880	217	r = security_compute_create_raw(mycon, fcon, sclass, label);
7f416dae LP	218	if (r < 0)
7f416dae LP	219	return -errno;
66b6d9d5 WC	220	#endif
	221
	222	return r;
	223	}
	224
cc56fafe	225	int mac_selinux_get_our_label(char **label) {
66b6d9d5 WC	226	int r = -EOPNOTSUPP;
66b6d9d5 WC	227
7f416dae LP	228	assert(label);
7f416dae LP	229
349cc4a5	230	#if HAVE_SELINUX
6d395665	231	if (!mac_selinux_use())
7f416dae	232	return -EOPNOTSUPP;
66b6d9d5	233
24154879	234	r = getcon_raw(label);
66b6d9d5	235	if (r < 0)
7f416dae	236	return -errno;
0b6018f3	237	#endif
66b6d9d5 WC	238
	239	return r;
	240	}
	241
9008e1ac	242	int mac_selinux_get_child_mls_label(int socket_fd, const char exe, const char exec_label, char **label) {
66b6d9d5 WC	243	int r = -EOPNOTSUPP;
66b6d9d5 WC	244
349cc4a5	245	#if HAVE_SELINUX
2ed96880	246	_cleanup_freecon_ char mycon = NULL, peercon = NULL, *fcon = NULL;
66b6d9d5 WC	247	_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
66b6d9d5 WC	248	security_class_t sclass;
66b6d9d5 WC	249	const char *range = NULL;
	250
	251	assert(socket_fd >= 0);
	252	assert(exe);
	253	assert(label);
	254
6d395665	255	if (!mac_selinux_use())
7f416dae LP	256	return -EOPNOTSUPP;
7f416dae LP	257
24154879	258	r = getcon_raw(&mycon);
7f416dae LP	259	if (r < 0)
7f416dae LP	260	return -errno;
66b6d9d5	261
a1d2de07	262	r = getpeercon_raw(socket_fd, &peercon);
7f416dae LP	263	if (r < 0)
7f416dae LP	264	return -errno;
66b6d9d5	265
9008e1ac	266	if (!exec_label) {
66b6d9d5 WC	267	/* If there is no context set for next exec let's use context
66b6d9d5 WC	268	of target executable */
24154879	269	r = getfilecon_raw(exe, &fcon);
7f416dae LP	270	if (r < 0)
7f416dae LP	271	return -errno;
66b6d9d5 WC	272	}
	273
	274	bcon = context_new(mycon);
7f416dae LP	275	if (!bcon)
7f416dae LP	276	return -ENOMEM;
66b6d9d5 WC	277
66b6d9d5 WC	278	pcon = context_new(peercon);
7f416dae LP	279	if (!pcon)
7f416dae LP	280	return -ENOMEM;
66b6d9d5 WC	281
66b6d9d5 WC	282	range = context_range_get(pcon);
7f416dae LP	283	if (!range)
7f416dae LP	284	return -errno;
66b6d9d5 WC	285
66b6d9d5 WC	286	r = context_range_set(bcon, range);
7f416dae LP	287	if (r)
7f416dae LP	288	return -errno;
66b6d9d5 WC	289
	290	freecon(mycon);
	291	mycon = strdup(context_str(bcon));
7f416dae LP	292	if (!mycon)
7f416dae LP	293	return -ENOMEM;
66b6d9d5 WC	294
66b6d9d5 WC	295	sclass = string_to_security_class("process");
2ed96880	296	r = security_compute_create_raw(mycon, fcon, sclass, label);
7f416dae LP	297	if (r < 0)
7f416dae LP	298	return -errno;
66b6d9d5	299	#endif
7f416dae	300
66b6d9d5 WC	301	return r;
	302	}
	303
710a6b50	304	char* mac_selinux_free(char *label) {
ecabcf8b	305
349cc4a5	306	#if HAVE_SELINUX
710a6b50 LP	307	if (!label)
	308	return NULL;
	309
6d395665	310	if (!mac_selinux_use())
710a6b50 LP	311	return NULL;
710a6b50 LP	312
2ed96880	313	freecon(label);
ecabcf8b	314	#endif
710a6b50 LP	315
710a6b50 LP	316	return NULL;
ecabcf8b LP	317	}
	318
	319	int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
66b6d9d5	320
349cc4a5	321	#if HAVE_SELINUX
2ed96880	322	_cleanup_freecon_ char *filecon = NULL;
0f474365	323	int r;
66b6d9d5	324
ecabcf8b LP	325	assert(path);
ecabcf8b LP	326
66cedb30	327	if (!label_hnd)
66b6d9d5 WC	328	return 0;
66b6d9d5 WC	329
c34255bd LP	330	if (path_is_absolute(path))
	331	r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
	332	else {
0f474365	333	_cleanup_free_ char *newpath = NULL;
c34255bd	334
0f474365 LP	335	r = path_make_absolute_cwd(path, &newpath);
	336	if (r < 0)
	337	return r;
c34255bd	338
a07e9cfb	339	r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
c34255bd LP	340	}
c34255bd LP	341
0f474365 LP	342	if (r < 0) {
	343	/* No context specified by the policy? Proceed without setting it. */
	344	if (errno == ENOENT)
	345	return 0;
2d58aa46	346
b8b846d7	347	log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
0f474365	348	} else {
5c5433ad	349	if (setfscreatecon_raw(filecon) >= 0)
0f474365 LP	350	return 0; /* Success! */
0f474365 LP	351
b8b846d7	352	log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, path);
66b6d9d5 WC	353	}
66b6d9d5 WC	354
0f474365 LP	355	if (security_getenforce() > 0)
0f474365 LP	356	return -errno;
66b6d9d5	357
0f474365 LP	358	#endif
0f474365 LP	359	return 0;
66b6d9d5 WC	360	}
66b6d9d5 WC	361
ecabcf8b	362	void mac_selinux_create_file_clear(void) {
66b6d9d5	363
349cc4a5	364	#if HAVE_SELINUX
66b6d9d5 WC	365	PROTECT_ERRNO;
66b6d9d5 WC	366
6baa7db0	367	if (!mac_selinux_use())
66b6d9d5 WC	368	return;
66b6d9d5 WC	369
a1d2de07	370	setfscreatecon_raw(NULL);
66b6d9d5 WC	371	#endif
	372	}
	373
ecabcf8b	374	int mac_selinux_create_socket_prepare(const char *label) {
66b6d9d5	375
349cc4a5	376	#if HAVE_SELINUX
6baa7db0	377	if (!mac_selinux_use())
ecabcf8b	378	return 0;
66b6d9d5	379
ecabcf8b LP	380	assert(label);
ecabcf8b LP	381
2ed96880	382	if (setsockcreatecon(label) < 0) {
b8b846d7	383	log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
ecabcf8b LP	384
	385	if (security_getenforce() == 1)
	386	return -errno;
	387	}
66b6d9d5	388	#endif
ecabcf8b LP	389
ecabcf8b LP	390	return 0;
66b6d9d5 WC	391	}
66b6d9d5 WC	392
ecabcf8b	393	void mac_selinux_create_socket_clear(void) {
66b6d9d5	394
349cc4a5	395	#if HAVE_SELINUX
ecabcf8b LP	396	PROTECT_ERRNO;
ecabcf8b LP	397
6baa7db0	398	if (!mac_selinux_use())
66b6d9d5 WC	399	return;
66b6d9d5 WC	400
a1d2de07	401	setsockcreatecon_raw(NULL);
66b6d9d5 WC	402	#endif
	403	}
	404
cc56fafe	405	int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
66b6d9d5 WC	406
	407	/* Binds a socket and label its file system object according to the SELinux policy */
	408
349cc4a5	409	#if HAVE_SELINUX
2ed96880	410	_cleanup_freecon_ char *fcon = NULL;
66b6d9d5	411	const struct sockaddr_un *un;
0f474365	412	bool context_changed = false;
66b6d9d5 WC	413	char *path;
	414	int r;
	415
	416	assert(fd >= 0);
	417	assert(addr);
	418	assert(addrlen >= sizeof(sa_family_t));
	419
ecabcf8b	420	if (!label_hnd)
66b6d9d5 WC	421	goto skipped;
	422
	423	/* Filter out non-local sockets */
	424	if (addr->sa_family != AF_UNIX)
	425	goto skipped;
	426
	427	/* Filter out anonymous sockets */
0f474365	428	if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
66b6d9d5 WC	429	goto skipped;
	430
	431	/* Filter out abstract namespace sockets */
	432	un = (const struct sockaddr_un*) addr;
	433	if (un->sun_path[0] == 0)
	434	goto skipped;
	435
	436	path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
	437
	438	if (path_is_absolute(path))
	439	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
	440	else {
0f474365	441	_cleanup_free_ char *newpath = NULL;
66b6d9d5	442
0f474365 LP	443	r = path_make_absolute_cwd(path, &newpath);
	444	if (r < 0)
	445	return r;
66b6d9d5 WC	446
	447	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
	448	}
	449
0f474365 LP	450	if (r < 0) {
	451	/* No context specified by the policy? Proceed without setting it */
	452	if (errno == ENOENT)
	453	goto skipped;
66b6d9d5	454
b8b846d7	455	log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
0f474365 LP	456	if (security_getenforce() > 0)
0f474365 LP	457	return -errno;
66b6d9d5	458
0f474365	459	} else {
a1d2de07	460	if (setfscreatecon_raw(fcon) < 0) {
b8b846d7	461	log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
0f474365 LP	462	if (security_getenforce() > 0)
	463	return -errno;
	464	} else
	465	context_changed = true;
66b6d9d5 WC	466	}
66b6d9d5 WC	467
0f474365 LP	468	r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
	469
	470	if (context_changed)
a1d2de07	471	setfscreatecon_raw(NULL);
66b6d9d5	472
66b6d9d5 WC	473	return r;
	474
	475	skipped:
	476	#endif
0f474365 LP	477	if (bind(fd, addr, addrlen) < 0)
	478	return -errno;
	479
	480	return 0;
66b6d9d5	481	}