[thirdparty/systemd.git] / src / core / selinux-access.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2012 Dan Walsh

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "selinux-access.h"

#ifdef HAVE_SELINUX

#include <stdio.h>
#include <errno.h>
#include <selinux/selinux.h>
#include <selinux/avc.h>
#ifdef HAVE_AUDIT
#include <libaudit.h>
#endif

#include "sd-bus.h"
#include "bus-util.h"
#include "util.h"
#include "log.h"
#include "selinux-util.h"
#include "audit-fd.h"
#include "strv.h"

static bool initialized = false;

struct audit_info {
        sd_bus_creds *creds;
        const char *path;
        const char *cmdline;
};

/*
   Any time an access gets denied this callback will be called
   with the audit data.  We then need to just copy the audit data into the msgbuf.
*/
static int audit_callback(
                void *auditdata,
                security_class_t cls,
                char *msgbuf,
                size_t msgbufsize) {

        const struct audit_info *audit = auditdata;
        uid_t uid = 0, login_uid = 0;
        gid_t gid = 0;
        char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
        char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
        char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";

        if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
                xsprintf(login_uid_buf, UID_FMT, login_uid);
        if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
                xsprintf(uid_buf, UID_FMT, uid);
        if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
                xsprintf(gid_buf, GID_FMT, gid);

        snprintf(msgbuf, msgbufsize,
                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
                 login_uid_buf, uid_buf, gid_buf,
                 audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
                 audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");

        return 0;
}

static int callback_type_to_priority(int type) {
        switch(type) {

        case SELINUX_ERROR:
                return LOG_ERR;

        case SELINUX_WARNING:
                return LOG_WARNING;

        case SELINUX_INFO:
                return LOG_INFO;

        case SELINUX_AVC:
        default:
                return LOG_NOTICE;
        }
}

/*
   libselinux uses this callback when access gets denied or other
   events happen. If audit is turned on, messages will be reported
   using audit netlink, otherwise they will be logged using the usual
   channels.

   Code copied from dbus and modified.
*/
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
        va_list ap;

#ifdef HAVE_AUDIT
        int fd;

        fd = get_audit_fd();

        if (fd >= 0) {
                _cleanup_free_ char *buf = NULL;
                int r;

                va_start(ap, fmt);
                r = vasprintf(&buf, fmt, ap);
                va_end(ap);

                if (r >= 0) {
                        audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
                        return 0;
                }
        }
#endif

        va_start(ap, fmt);
        log_internalv(LOG_AUTH | callback_type_to_priority(type),
                      0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
        va_end(ap);

        return 0;
}

/*
   Function must be called once to initialize the SELinux AVC environment.
   Sets up callbacks.
   If you want to cleanup memory you should need to call selinux_access_finish.
*/
static int access_init(void) {
        int r = 0;

        if (avc_open(NULL, 0))
                return log_error_errno(errno, "avc_open() failed: %m");

        selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);

        if (security_getenforce() < 0){
                r = -errno;
                avc_destroy();
        }

        return r;
}

static int mac_selinux_access_init(sd_bus_error *error) {
        int r;

        if (initialized)
                return 0;

        if (!mac_selinux_use())
                return 0;

        r = access_init();
        if (r < 0)
                return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");

        initialized = true;
        return 0;
}
#endif

void mac_selinux_access_free(void) {

#ifdef HAVE_SELINUX
        if (!initialized)
                return;

        avc_destroy();
        initialized = false;
#endif
}

/*
   This function communicates with the kernel to check whether or not it should
   allow the access.
   If the machine is in permissive mode it will return ok.  Audit messages will
   still be generated if the access would be denied in enforcing mode.
*/
int mac_selinux_generic_access_check(
                sd_bus_message *message,
                const char *path,
                const char *permission,
                sd_bus_error *error) {

#ifdef HAVE_SELINUX
        _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
        const char *tclass = NULL, *scon = NULL;
        struct audit_info audit_info = {};
        _cleanup_free_ char *cl = NULL;
        security_context_t fcon = NULL;
        char **cmdline = NULL;
        int r = 0;

        assert(message);
        assert(permission);
        assert(error);

        if (!mac_selinux_use())
                return 0;

        r = mac_selinux_access_init(error);
        if (r < 0)
                return r;

        r = sd_bus_query_sender_creds(
                        message,
                        SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
                        SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
                        SD_BUS_CREDS_SELINUX_CONTEXT|
                        SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
                        &creds);
        if (r < 0)
                goto finish;

        /* The SELinux context is something we really should have
         * gotten directly from the message or sender, and not be an
         * augmented field. If it was augmented we cannot use it for
         * authorization, since this is racy and vulnerable. Let's add
         * an extra check, just in case, even though this really
         * shouldn't be possible. */
        assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);

        r = sd_bus_creds_get_selinux_context(creds, &scon);
        if (r < 0)
                goto finish;

        if (path) {
                /* Get the file context of the unit file */

                r = getfilecon(path, &fcon);
                if (r < 0) {
                        r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
                        goto finish;
                }

                tclass = "service";
        } else {
                r = getcon(&fcon);
                if (r < 0) {
                        r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
                        goto finish;
                }

                tclass = "system";
        }

        sd_bus_creds_get_cmdline(creds, &cmdline);
        cl = strv_join(cmdline, " ");

        audit_info.creds = creds;
        audit_info.path = path;
        audit_info.cmdline = cl;

        r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
        if (r < 0)
                r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");

        log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);

finish:
        freecon(fcon);

        if (r < 0 && security_getenforce() != 1) {
                sd_bus_error_free(error);
                r = 0;
        }

        return r;
#else
        return 0;
#endif
}

int mac_selinux_unit_access_check_strv(
                char **units,
                sd_bus_message *message,
                Manager *m,
                const char *permission,
                sd_bus_error *error) {

#ifdef HAVE_SELINUX
        char **i;
        Unit *u;
        int r;

        STRV_FOREACH(i, units) {
                u = manager_get_unit(m, *i);
                if (u) {
                        r = mac_selinux_unit_access_check(u, message, permission, error);
                        if (r < 0)
                                return r;
                }
        }
#endif
        return 0;
}
Commit	Line	Data
e2417e41 DW	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2012 Dan Walsh
	7
	8	systemd is free software; you can redistribute it and/or modify it
03e22642 KS	9	under the terms of the GNU Lesser General Public License as published by
03e22642 KS	10	the Free Software Foundation; either version 2.1 of the License, or
e2417e41 DW	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
03e22642	16	Lesser General Public License for more details.
e2417e41	17
03e22642	18	You should have received a copy of the GNU Lesser General Public License
e2417e41 DW	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
e2417e41 DW	22	#include "selinux-access.h"
	23
	24	#ifdef HAVE_SELINUX
e2417e41 DW	25
e2417e41 DW	26	#include <stdio.h>
e2417e41 DW	27	#include <errno.h>
	28	#include <selinux/selinux.h>
	29	#include <selinux/avc.h>
	30	#ifdef HAVE_AUDIT
	31	#include <libaudit.h>
	32	#endif
ffc227c9	33
718db961 LP	34	#include "sd-bus.h"
718db961 LP	35	#include "bus-util.h"
ffc227c9 LP	36	#include "util.h"
ffc227c9 LP	37	#include "log.h"
ffc227c9 LP	38	#include "selinux-util.h"
ffc227c9 LP	39	#include "audit-fd.h"
5b12334d	40	#include "strv.h"
e2417e41	41
cad45ba1	42	static bool initialized = false;
e2417e41	43
5b12334d LP	44	struct audit_info {
5b12334d LP	45	sd_bus_creds *creds;
e2417e41	46	const char *path;
5b12334d	47	const char *cmdline;
e2417e41 DW	48	};
e2417e41 DW	49
e2417e41 DW	50	/*
e2417e41 DW	51	Any time an access gets denied this callback will be called
dec23413	52	with the audit data. We then need to just copy the audit data into the msgbuf.
e2417e41	53	*/
cad45ba1 LP	54	static int audit_callback(
	55	void *auditdata,
	56	security_class_t cls,
	57	char *msgbuf,
	58	size_t msgbufsize) {
	59
5b12334d LP	60	const struct audit_info *audit = auditdata;
	61	uid_t uid = 0, login_uid = 0;
	62	gid_t gid = 0;
5ffa8c81 ZJS	63	char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
	64	char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
	65	char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";
5b12334d	66
dec23413	67	if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
5ffa8c81	68	xsprintf(login_uid_buf, UID_FMT, login_uid);
05bae4a6	69	if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
5ffa8c81	70	xsprintf(uid_buf, UID_FMT, uid);
05bae4a6	71	if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
5ffa8c81	72	xsprintf(gid_buf, GID_FMT, gid);
cad45ba1	73
e2417e41	74	snprintf(msgbuf, msgbufsize,
dec23413 ZJS	75	"auid=%s uid=%s gid=%s%s%s%s%s%s%s",
dec23413 ZJS	76	login_uid_buf, uid_buf, gid_buf,
5b12334d LP	77	audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
5b12334d LP	78	audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
d67227c8	79
e2417e41 DW	80	return 0;
	81	}
	82
17af49f2 ZJS	83	static int callback_type_to_priority(int type) {
17af49f2 ZJS	84	switch(type) {
c04754bc LP	85
	86	case SELINUX_ERROR:
	87	return LOG_ERR;
	88
	89	case SELINUX_WARNING:
	90	return LOG_WARNING;
	91
	92	case SELINUX_INFO:
	93	return LOG_INFO;
	94
17af49f2	95	case SELINUX_AVC:
c04754bc LP	96	default:
c04754bc LP	97	return LOG_NOTICE;
17af49f2 ZJS	98	}
	99	}
	100
e2417e41	101	/*
17af49f2 ZJS	102	libselinux uses this callback when access gets denied or other
	103	events happen. If audit is turned on, messages will be reported
	104	using audit netlink, otherwise they will be logged using the usual
	105	channels.
	106
	107	Code copied from dbus and modified.
e2417e41	108	*/
44b601bc	109	_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
e2417e41 DW	110	va_list ap;
e2417e41 DW	111
e2417e41	112	#ifdef HAVE_AUDIT
17af49f2 ZJS	113	int fd;
	114
	115	fd = get_audit_fd();
	116
	117	if (fd >= 0) {
ace188cf LP	118	_cleanup_free_ char *buf = NULL;
ace188cf LP	119	int r;
e2417e41	120
5b12334d	121	va_start(ap, fmt);
ace188cf	122	r = vasprintf(&buf, fmt, ap);
7f1736f7	123	va_end(ap);
cad45ba1	124
ace188cf	125	if (r >= 0) {
17af49f2	126	audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
ace188cf LP	127	return 0;
ace188cf LP	128	}
e2417e41 DW	129	}
e2417e41 DW	130	#endif
5b12334d LP	131
5b12334d LP	132	va_start(ap, fmt);
17af49f2 ZJS	133	log_internalv(LOG_AUTH \| callback_type_to_priority(type),
17af49f2 ZJS	134	0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
e2417e41	135	va_end(ap);
cad45ba1	136
e2417e41 DW	137	return 0;
	138	}
	139
	140	/*
	141	Function must be called once to initialize the SELinux AVC environment.
	142	Sets up callbacks.
	143	If you want to cleanup memory you should need to call selinux_access_finish.
	144	*/
	145	static int access_init(void) {
718db961	146	int r = 0;
e2417e41	147
4a62c710 MS	148	if (avc_open(NULL, 0))
4a62c710 MS	149	return log_error_errno(errno, "avc_open() failed: %m");
e2417e41	150
cad45ba1 LP	151	selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
cad45ba1 LP	152	selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
e2417e41	153
718db961 LP	154	if (security_getenforce() < 0){
	155	r = -errno;
	156	avc_destroy();
	157	}
cad45ba1	158
e2417e41 DW	159	return r;
	160	}
	161
8a188de9	162	static int mac_selinux_access_init(sd_bus_error *error) {
e2417e41 DW	163	int r;
e2417e41 DW	164
cad45ba1	165	if (initialized)
e2417e41 DW	166	return 0;
e2417e41 DW	167
6baa7db0	168	if (!mac_selinux_use())
718db961 LP	169	return 0;
	170
	171	r = access_init();
	172	if (r < 0)
	173	return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
e2417e41	174
cad45ba1	175	initialized = true;
e2417e41 DW	176	return 0;
e2417e41 DW	177	}
8a188de9	178	#endif
e2417e41	179
8a188de9	180	void mac_selinux_access_free(void) {
718db961	181
8a188de9	182	#ifdef HAVE_SELINUX
ffc227c9 LP	183	if (!initialized)
	184	return;
	185
	186	avc_destroy();
	187	initialized = false;
8a188de9	188	#endif
ffc227c9 LP	189	}
ffc227c9 LP	190
e2417e41 DW	191	/*
	192	This function communicates with the kernel to check whether or not it should
	193	allow the access.
	194	If the machine is in permissive mode it will return ok. Audit messages will
	195	still be generated if the access would be denied in enforcing mode.
	196	*/
8a188de9	197	int mac_selinux_generic_access_check(
718db961	198	sd_bus_message *message,
cad45ba1 LP	199	const char *path,
cad45ba1 LP	200	const char *permission,
718db961	201	sd_bus_error *error) {
cad45ba1	202
8a188de9	203	#ifdef HAVE_SELINUX
5b12334d LP	204	_cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
	205	const char tclass = NULL, scon = NULL;
	206	struct audit_info audit_info = {};
	207	_cleanup_free_ char *cl = NULL;
	208	security_context_t fcon = NULL;
	209	char **cmdline = NULL;
718db961	210	int r = 0;
c3090674	211
cad45ba1 LP	212	assert(message);
	213	assert(permission);
	214	assert(error);
	215
6baa7db0	216	if (!mac_selinux_use())
cad45ba1 LP	217	return 0;
cad45ba1 LP	218
8a188de9	219	r = mac_selinux_access_init(error);
ffc227c9 LP	220	if (r < 0)
	221	return r;
	222
5b12334d LP	223	r = sd_bus_query_sender_creds(
5b12334d LP	224	message,
05bae4a6	225	SD_BUS_CREDS_PID\|SD_BUS_CREDS_EUID\|SD_BUS_CREDS_EGID\|
5b12334d	226	SD_BUS_CREDS_CMDLINE\|SD_BUS_CREDS_AUDIT_LOGIN_UID\|
8fd00193 LP	227	SD_BUS_CREDS_SELINUX_CONTEXT\|
8fd00193 LP	228	SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
5b12334d LP	229	&creds);
	230	if (r < 0)
	231	goto finish;
e2417e41	232
0f514420 LP	233	/* The SELinux context is something we really should have
	234	* gotten directly from the message or sender, and not be an
	235	* augmented field. If it was augmented we cannot use it for
	236	* authorization, since this is racy and vulnerable. Let's add
	237	* an extra check, just in case, even though this really
	238	* shouldn't be possible. */
	239	assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
	240
5b12334d	241	r = sd_bus_creds_get_selinux_context(creds, &scon);
718db961	242	if (r < 0)
e2417e41	243	goto finish;
cad45ba1	244
e2417e41	245	if (path) {
718db961 LP	246	/* Get the file context of the unit file */
718db961 LP	247
e2417e41 DW	248	r = getfilecon(path, &fcon);
e2417e41 DW	249	if (r < 0) {
718db961	250	r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
e2417e41 DW	251	goto finish;
	252	}
	253
718db961	254	tclass = "service";
e2417e41	255	} else {
e2417e41 DW	256	r = getcon(&fcon);
e2417e41 DW	257	if (r < 0) {
718db961	258	r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
e2417e41 DW	259	goto finish;
e2417e41 DW	260	}
718db961 LP	261
718db961 LP	262	tclass = "system";
e2417e41 DW	263	}
e2417e41 DW	264
5b12334d LP	265	sd_bus_creds_get_cmdline(creds, &cmdline);
	266	cl = strv_join(cmdline, " ");
	267
	268	audit_info.creds = creds;
	269	audit_info.path = path;
	270	audit_info.cmdline = cl;
e2417e41	271
236f83af	272	r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
718db961 LP	273	if (r < 0)
718db961 LP	274	r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
e2417e41	275
5b12334d	276	log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
cad45ba1	277
e2417e41	278	finish:
e2417e41 DW	279	freecon(fcon);
e2417e41 DW	280
5b12334d	281	if (r < 0 && security_getenforce() != 1) {
718db961	282	sd_bus_error_free(error);
e2417e41 DW	283	r = 0;
	284	}
	285
	286	return r;
8a188de9 WC	287	#else
	288	return 0;
	289	#endif
e2417e41 DW	290	}
e2417e41 DW	291
c04754bc LP	292	int mac_selinux_unit_access_check_strv(
	293	char **units,
	294	sd_bus_message *message,
	295	Manager *m,
	296	const char *permission,
	297	sd_bus_error *error) {
	298
8a188de9	299	#ifdef HAVE_SELINUX
e94937df LN	300	char **i;
	301	Unit *u;
	302	int r;
	303
	304	STRV_FOREACH(i, units) {
	305	u = manager_get_unit(m, *i);
	306	if (u) {
8a188de9	307	r = mac_selinux_unit_access_check(u, message, permission, error);
e94937df LN	308	if (r < 0)
	309	return r;
	310	}
	311	}
8a188de9	312	#endif
e94937df LN	313	return 0;
e94937df LN	314	}