[thirdparty/systemd.git] / src / core / selinux-setup.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#if HAVE_SELINUX
#include <selinux/selinux.h>
#endif

#include "sd-messages.h"

#include "initrd-util.h"
#include "log.h"
#include "macro.h"
#include "selinux-setup.h"
#include "selinux-util.h"
#include "string-util.h"
#include "time-util.h"

#if HAVE_SELINUX
_printf_(2,3)
static int null_log(int type, const char *fmt, ...) {
        return 0;
}
#endif

int mac_selinux_setup(bool *loaded_policy) {

#if HAVE_SELINUX
        int enforce = 0;
        usec_t before_load, after_load;
        char *con;
        int r;
        bool initialized;

        assert(loaded_policy);

        /* Turn off all of SELinux' own logging, we want to do that */
        selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = null_log });

        /* Don't load policy in the initrd if we don't appear to have it.  For the real root, we check below
         * if we've already loaded policy, and return gracefully. */
        if (in_initrd() && access(selinux_path(), F_OK) < 0)
                return 0;

        /* Already initialized by somebody else? */
        r = getcon_raw(&con);
        /* getcon_raw can return 0, and still give us a NULL pointer if /proc/self/attr/current is
         * empty. SELinux guarantees this won't happen, but that file isn't specific to SELinux, and may be
         * provided by some other arbitrary LSM with different semantics. */
        if (r == 0 && con) {
                initialized = !streq(con, "kernel");
                freecon(con);
        } else
                initialized = false;

        /* Make sure we have no fds open while loading the policy and
         * transitioning */
        log_close();

        /* Now load the policy */
        before_load = now(CLOCK_MONOTONIC);
        r = selinux_init_load_policy(&enforce);
        if (r == 0) {
                _cleanup_(mac_selinux_freep) char *label = NULL;

                mac_selinux_retest();

                /* Transition to the new context */
                r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
                if (r < 0 || !label) {
                        log_open();
                        log_error("Failed to compute init label, ignoring.");
                } else {
                        r = setcon_raw(label);

                        log_open();
                        if (r < 0)
                                log_error("Failed to transition into init label '%s', ignoring.", label);
                }

                after_load = now(CLOCK_MONOTONIC);

                log_info("Successfully loaded SELinux policy in %s.",
                         FORMAT_TIMESPAN(after_load - before_load, 0));

                *loaded_policy = true;

        } else {
                log_open();

                if (enforce > 0) {
                        if (!initialized)
                                return log_struct_errno(LOG_EMERG, SYNTHETIC_ERRNO(EIO),
                                                        LOG_MESSAGE("Failed to load SELinux policy :%m"),
                                                        "MESSAGE_ID=" SD_MESSAGE_SELINUX_FAILED_STR);

                        log_warning("Failed to load new SELinux policy. Continuing with old policy.");
                } else
                        log_debug("Unable to load SELinux policy. Ignoring.");
        }
#endif

        return 0;
}
Commit	Line	Data
db9ecf05	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
c4dcdb9f	2
c4dcdb9f	3	#include <errno.h>
07630cea LP	4	#include <stdio.h>
07630cea LP	5	#include <unistd.h>
c4dcdb9f	6
349cc4a5	7	#if HAVE_SELINUX
c4dcdb9f LP	8	#include <selinux/selinux.h>
	9	#endif
	10
ad5db940 OJ	11	#include "sd-messages.h"
ad5db940 OJ	12
baa6a42d	13	#include "initrd-util.h"
07630cea	14	#include "log.h"
c4dcdb9f	15	#include "macro.h"
cf0fbc49	16	#include "selinux-setup.h"
07630cea LP	17	#include "selinux-util.h"
07630cea LP	18	#include "string-util.h"
ca78ad1d	19	#include "time-util.h"
0b3325e7	20
349cc4a5	21	#if HAVE_SELINUX
82613b14	22	_printf_(2,3)
dbc655d5 LP	23	static int null_log(int type, const char *fmt, ...) {
	24	return 0;
	25	}
f8e9f2cc	26	#endif
dbc655d5	27
8a188de9	28	int mac_selinux_setup(bool *loaded_policy) {
c4dcdb9f	29
349cc4a5	30	#if HAVE_SELINUX
4ab72d6f WW	31	int enforce = 0;
4ab72d6f WW	32	usec_t before_load, after_load;
2ed96880	33	char *con;
4ab72d6f	34	int r;
4a69c2c7	35	bool initialized;
4ab72d6f WW	36
	37	assert(loaded_policy);
	38
	39	/* Turn off all of SELinux' own logging, we want to do that */
4a69c2c7	40	selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = null_log });
4ab72d6f	41
4a69c2c7 LP	42	/* Don't load policy in the initrd if we don't appear to have it. For the real root, we check below
4a69c2c7 LP	43	* if we've already loaded policy, and return gracefully. */
4ab72d6f WW	44	if (in_initrd() && access(selinux_path(), F_OK) < 0)
	45	return 0;
	46
	47	/* Already initialized by somebody else? */
	48	r = getcon_raw(&con);
4a69c2c7 LP	49	/* getcon_raw can return 0, and still give us a NULL pointer if /proc/self/attr/current is
	50	* empty. SELinux guarantees this won't happen, but that file isn't specific to SELinux, and may be
	51	* provided by some other arbitrary LSM with different semantics. */
199a8922	52	if (r == 0 && con) {
4ab72d6f WW	53	initialized = !streq(con, "kernel");
4ab72d6f WW	54	freecon(con);
4a69c2c7 LP	55	} else
4a69c2c7 LP	56	initialized = false;
4ab72d6f WW	57
	58	/* Make sure we have no fds open while loading the policy and
	59	* transitioning */
	60	log_close();
	61
	62	/* Now load the policy */
	63	before_load = now(CLOCK_MONOTONIC);
	64	r = selinux_init_load_policy(&enforce);
	65	if (r == 0) {
710a6b50	66	_cleanup_(mac_selinux_freep) char *label = NULL;
4ab72d6f	67
6baa7db0	68	mac_selinux_retest();
4ab72d6f WW	69
4ab72d6f WW	70	/* Transition to the new context */
cc56fafe	71	r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
710a6b50	72	if (r < 0 \|\| !label) {
4ab72d6f WW	73	log_open();
	74	log_error("Failed to compute init label, ignoring.");
	75	} else {
a1d2de07	76	r = setcon_raw(label);
4ab72d6f WW	77
	78	log_open();
	79	if (r < 0)
	80	log_error("Failed to transition into init label '%s', ignoring.", label);
4ab72d6f WW	81	}
	82
	83	after_load = now(CLOCK_MONOTONIC);
	84
	85	log_info("Successfully loaded SELinux policy in %s.",
5291f26d	86	FORMAT_TIMESPAN(after_load - before_load, 0));
4ab72d6f WW	87
	88	*loaded_policy = true;
	89
	90	} else {
	91	log_open();
	92
	93	if (enforce > 0) {
d7a0f1f4	94	if (!initialized)
ad5db940 OJ	95	return log_struct_errno(LOG_EMERG, SYNTHETIC_ERRNO(EIO),
	96	LOG_MESSAGE("Failed to load SELinux policy :%m"),
	97	"MESSAGE_ID=" SD_MESSAGE_SELINUX_FAILED_STR);
68d3acac WW	98
68d3acac WW	99	log_warning("Failed to load new SELinux policy. Continuing with old policy.");
4ab72d6f WW	100	} else
	101	log_debug("Unable to load SELinux policy. Ignoring.");
	102	}
c4dcdb9f LP	103	#endif
c4dcdb9f LP	104
4ab72d6f	105	return 0;
c4dcdb9f	106	}