/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <errno.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#include "label.h"
#include "util.h"
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>

/* File-context lookup handle opened by label_init(). Stays NULL until
 * then; the labeling helpers below treat a NULL handle as "nothing to
 * do". */
static struct selabel_handle *label_hnd = NULL;

/* Returns true when SELinux is enabled on this system. The kernel is
 * asked once; the answer is cached for the lifetime of the process. */
static inline bool use_selinux(void) {
        static int cached = -1; /* -1: not yet asked, 0: disabled, 1: enabled */

        if (cached >= 0)
                return cached;

        cached = is_selinux_enabled() > 0 ? 1 : 0;
        return cached;
}

#endif
45 | ||
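/* Opens the SELinux file-context database used by the label_*()
 * helpers. Idempotent: a second call is a no-op.
 *
 * Returns 0 when SELinux is compiled out, disabled, already
 * initialized, or when the open fails in permissive mode; a negative
 * errno when the open fails in enforcing mode. */
int label_init(void) {
        int r = 0;

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return 0;

        /* Already open; opening again would leak the first handle. */
        if (label_hnd)
                return 0;

        label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        if (!label_hnd) {
                /* Capture errno before security_getenforce() and the
                 * logger get a chance to disturb it. */
                int saved_errno = errno;
                bool enforcing = security_getenforce() == 1;

                log_full(enforcing ? LOG_ERR : LOG_DEBUG,
                         "Failed to initialize SELinux context: %s", strerror(saved_errno));

                /* Permissive: a missing file-context database only means
                 * the labeling helpers become no-ops. */
                r = enforcing ? -saved_errno : 0;
        }
#endif

        return r;
}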
67 | ||
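/* Relabels an existing path according to the SELinux file-context
 * policy.
 *
 * path:          the file to relabel (symlinks are not followed)
 * ignore_enoent: when true, a path that does not exist is not an error
 *
 * Returns 0 when SELinux is unavailable or not initialized, when the
 * policy has no rule for the path, when the file system does not
 * support labels, when ENOENT is ignored, and for any failure in
 * permissive mode; a negative errno for a failure in enforcing mode. */
int label_fix(const char *path, bool ignore_enoent) {
        int r = 0;

#ifdef HAVE_SELINUX
        struct stat st;
        security_context_t fcon;
        int saved_errno;
        bool enforcing;

        if (!use_selinux() || !label_hnd)
                return 0;

        r = lstat(path, &st);
        if (r == 0) {
                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);

                /* No rule in the policy matches this path: nothing to set. */
                if (r < 0 && errno == ENOENT)
                        return 0;

                if (r == 0) {
                        r = setfilecon(path, fcon);
                        /* freecon() may touch errno; keep the setfilecon()
                         * error for the checks below. */
                        saved_errno = errno;
                        freecon(fcon);
                        errno = saved_errno;

                        /* File system without label support: nothing to set. */
                        if (r < 0 && errno == ENOTSUP)
                                return 0;
                }
        }

        /* Applies to ENOENT from lstat() as well as from setfilecon():
         * the caller told us the path may legitimately be missing. */
        if (r < 0 && ignore_enoent && errno == ENOENT)
                return 0;

        if (r < 0) {
                saved_errno = errno;
                enforcing = security_getenforce() == 1;

                log_full(enforcing ? LOG_ERR : LOG_DEBUG,
                         "Unable to fix label of %s: %s", path, strerror(saved_errno));

                r = enforcing ? -saved_errno : 0;
        }
#endif

        return r;
}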
109 | ||
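/* Closes the file-context database opened by label_init(). Safe to
 * call more than once and before label_init(). */
void label_finish(void) {

#ifdef HAVE_SELINUX
        if (!use_selinux() || !label_hnd)
                return;

        selabel_close(label_hnd);

        /* Reset the handle so that a later label_fix()/label_mkdir() does
         * not use freed memory and label_init() is able to reopen it. */
        label_hnd = NULL;
#endif
}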
117 | ||
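/* Computes the SELinux context a socket should carry when it is created
 * on behalf of the executable 'exe' (the context the policy would give
 * a process transitioned from our own context into exe's file context).
 *
 * On return *label is either a context string to be released with
 * label_free(), or NULL when SELinux is compiled out/disabled or when
 * no context could be determined. The caller therefore always gets a
 * defined value.
 *
 * Returns 0 on success and in every non-fatal case; a negative errno
 * when the lookup fails and the system is enforcing. In permissive
 * mode a failed lookup yields 0 with *label == NULL, consistent with
 * the other best-effort helpers in this file. */
int label_get_socket_label_from_exe(const char *exe, char **label) {
        int r = 0;
#ifdef HAVE_SELINUX
        security_context_t mycon = NULL, fcon = NULL;
        security_class_t sclass;
        int saved_errno = 0;
#endif

        *label = NULL;

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return 0;

        r = getcon(&mycon);
        if (r < 0) {
                saved_errno = errno;
                goto fail;
        }

        r = getfilecon(exe, &fcon);
        if (r < 0) {
                saved_errno = errno;
                goto fail;
        }

        sclass = string_to_security_class("process");
        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r < 0)
                saved_errno = errno;
        else
                log_debug("SELinux Socket context for %s will be set to %s", exe, *label);

fail:
        if (r < 0) {
                /* Enforcing: report the saved error. Permissive: behave like
                 * a system without a usable label. */
                r = security_getenforce() == 1 ? -saved_errno : 0;
                *label = NULL;
        }

        freecon(mycon);
        freecon(fcon);
#endif

        return r;
}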
154 | ||
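/* Sets the default context for files subsequently created by this
 * process (setfscreatecon()) to what the file-context policy prescribes
 * for 'path' if it were created with inode type 'mode' (S_IFIFO,
 * S_IFLNK, ...). Undo with label_file_clear().
 *
 * Returns 0 when SELinux is unavailable or not initialized, when the
 * policy has no rule for the path, and for any failure in permissive
 * mode; a negative errno for a failure in enforcing mode. */
static int label_fscreate_from_policy(const char *path, mode_t mode) {
        int r = 0;

#ifdef HAVE_SELINUX
        security_context_t filecon = NULL;
        int saved_errno;

        if (!use_selinux() || !label_hnd)
                return 0;

        r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
        if (r < 0) {
                /* No rule matches: nothing to set, not an error (same
                 * treatment as in label_fix()). */
                if (errno == ENOENT)
                        return 0;

                saved_errno = errno;
                log_error("Failed to look up SELinux file context for %s: %s", path, strerror(saved_errno));
        } else {
                r = setfscreatecon(filecon);
                /* Keep the setfscreatecon() error across freecon(). */
                saved_errno = errno;
                freecon(filecon);

                if (r < 0)
                        log_error("Failed to set SELinux file context on %s: %s", path, strerror(saved_errno));
        }

        /* Always hand back -errno (never libselinux's raw -1) when the
         * failure is fatal, and 0 in permissive mode. */
        if (r < 0)
                r = security_getenforce() == 1 ? -saved_errno : 0;
#endif

        return r;
}

/* Prepares the file creation context for a FIFO about to be created at
 * 'path'. See label_fscreate_from_policy() for the return values. */
int label_fifofile_set(const char *path) {
        return label_fscreate_from_policy(path, S_IFIFO);
}

/* Prepares the file creation context for a symlink about to be created
 * at 'path'. See label_fscreate_from_policy() for the return values. */
int label_symlinkfile_set(const char *path) {
        return label_fscreate_from_policy(path, S_IFLNK);
}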
204 | ||
/* Sets the context for sockets subsequently created by this process
 * (setsockcreatecon()). 'label' is typically the result of
 * label_get_socket_label_from_exe(); NULL resets to the default.
 *
 * Returns 0 when SELinux is unavailable, on success, and on failure in
 * permissive mode; a negative errno on failure in enforcing mode. */
int label_socket_set(const char *label) {

#ifdef HAVE_SELINUX
        int enforcing;

        if (!use_selinux())
                return 0;

        if (setsockcreatecon((security_context_t) label) >= 0)
                return 0;

        enforcing = security_getenforce() == 1;
        log_full(enforcing ? LOG_ERR : LOG_DEBUG,
                 "Failed to set SELinux context (%s) on socket: %m", label);

        if (enforcing)
                return -errno;
#endif

        return 0;
}
222 | ||
/* Resets the per-process default file creation context set by
 * label_fifofile_set()/label_symlinkfile_set(). No-op when SELinux is
 * unavailable. */
void label_file_clear(void) {

#ifdef HAVE_SELINUX
        if (use_selinux())
                setfscreatecon(NULL);
#endif
}
232 | ||
/* Resets the per-process socket creation context set by
 * label_socket_set(). No-op when SELinux is unavailable. */
void label_socket_clear(void) {

#ifdef HAVE_SELINUX
        if (use_selinux())
                setsockcreatecon(NULL);
#endif
}
242 | ||
/* Releases a context string obtained from
 * label_get_socket_label_from_exe(). NULL is accepted. No-op when
 * SELinux is unavailable (in which case no such string can exist). */
void label_free(const char *label) {

#ifdef HAVE_SELINUX
        if (use_selinux())
                freecon((security_context_t) label);
#endif
}
252 | ||
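/* Creates a directory and labels it according to the SELinux policy.
 *
 * path: directory to create (relative paths are resolved against the
 *       current working directory for the policy lookup)
 * mode: permission bits passed to mkdir()
 *
 * Returns 0 on success and a negative errno on failure. The return
 * convention is the same in the SELinux and the non-SELinux build, so
 * callers may compare against -EEXIST etc. in both. A policy without a
 * rule for the path is not an error: the directory is then created with
 * the kernel's default label. A labeling failure is fatal only in
 * enforcing mode. */
int label_mkdir(
                const char *path,
                mode_t mode) {

#ifdef HAVE_SELINUX
        int r = 0;
        security_context_t fcon = NULL;

        if (use_selinux() && label_hnd) {
                char *newpath = NULL;
                const char *lookup_path = path;

                /* The file-context database is keyed by absolute path. */
                if (!path_is_absolute(path)) {
                        newpath = path_make_absolute_cwd(path);
                        if (!newpath)
                                return -ENOMEM;
                        lookup_path = newpath;
                }

                r = selabel_lookup_raw(label_hnd, &fcon, lookup_path, mode);
                free(newpath);

                if (r == 0)
                        r = setfscreatecon(fcon);

                /* ENOENT from the lookup means "no rule matches": proceed
                 * with the default label. Anything else is a real failure. */
                if (r < 0 && errno != ENOENT) {
                        int saved_errno = errno;

                        log_error("Failed to set security context %s for %s: %s",
                                  fcon ? fcon : "(null)", path, strerror(saved_errno));
                        r = -saved_errno;

                        if (security_getenforce() == 1)
                                goto finish;
                }
        }

        if (mkdir(path, mode) < 0)
                r = -errno;
        else
                r = 0;

finish:
        if (use_selinux() && label_hnd) {
                /* Never leave the creation context set for unrelated files. */
                setfscreatecon(NULL);
                freecon(fcon);
        }

        return r;
#else
        /* Same -errno convention as the SELinux build above. */
        return mkdir(path, mode) < 0 ? -errno : 0;
#endif
}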