1 | /*-*- Mode: C; c-basic-offset: 8 -*-*/ |
2 | ||
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU General Public License as published by | |
10 | the Free Software Foundation; either version 2 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
22 | #include <errno.h> | |
23 | #include <sys/stat.h> | |
24 | #include <unistd.h> | |
25 | ||
26 | #include "label.h" | |
27 | #include "util.h" | |
28 | ||
29 | #ifdef HAVE_SELINUX | |
30 | #include <selinux/selinux.h> | |
31 | #include <selinux/label.h> | |
32 | ||
/* Handle on the SELinux file-context database, opened by label_init() and
 * released by label_finish(). Stays NULL when SELinux is disabled or the
 * database could not be opened; label_fix() and label_mkdir() then do nothing. */
static struct selabel_handle *label_hnd;
34 | ||
/* Answers "is SELinux active on this host?", querying libselinux once on
 * first use and returning the cached answer afterwards. */
static inline bool use_selinux(void) {
        static int cached = -1;

        if (cached >= 0)
                return cached;

        cached = is_selinux_enabled() > 0;
        return cached;
}
43 | ||
/* Computes the context a new object of security class 'class' (e.g.
 * "fifo_file") would receive when created at 'path' by a process running as
 * 'label', using the context of the existing object at 'path' as the parent
 * context. On success stores the result in *fcon (caller releases it with
 * freecon()) and returns 0; otherwise returns a negative errno, EINVAL when
 * 'class' names no known security class. */
static int label_get_file_label_from_path(
                const char *label,
                const char *path,
                const char *class,
                security_context_t *fcon) {

        security_context_t parent_con = NULL;
        security_class_t sclass;
        int r;

        if (getfilecon(path, &parent_con) < 0) {
                r = -errno;
                goto finish;
        }

        /* Pre-seed errno so an unknown class maps to EINVAL. */
        errno = EINVAL;
        sclass = string_to_security_class(class);
        if (sclass == 0) {
                r = -errno;
                goto finish;
        }

        r = security_compute_create((security_context_t) label, parent_con, sclass, fcon);
        if (r < 0)
                r = -errno;

finish:
        freecon(parent_con);
        return r;
}
68 | ||
69 | #endif | |
70 | ||
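/* Opens the SELinux file-context database used by label_fix() and
 * label_mkdir(). Returns 0 when SELinux support is compiled out, when SELinux
 * is disabled at runtime, when the database is already open, or when opening
 * it fails on a permissive system (label_hnd then stays NULL and the labelling
 * helpers become no-ops). Returns a negative errno only when the open fails
 * while SELinux is enforcing. */
int label_init(void) {
        int r = 0;

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return 0;

        /* A second call must not leak the handle from the first one. */
        if (label_hnd)
                return 0;

        label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        if (!label_hnd) {
                /* Capture errno before logging and security_getenforce() can
                 * clobber it; %m below relies on it as well. */
                int saved_errno = errno;
                bool enforcing = security_getenforce() == 1;

                errno = saved_errno;
                log_full(enforcing ? LOG_ERR : LOG_DEBUG,
                         "Failed to initialize SELinux context: %m");
                r = enforcing ? -saved_errno : 0;
        }
#endif

        return r;
}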
89 | ||
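/* Re-labels the existing file system object at 'path' with the context the
 * SELinux file-context database prescribes for it. A no-op (returning 0) when
 * SELinux support is compiled out, SELinux is disabled, label_init() did not
 * open the database, or the policy has no rule for the path (selabel_lookup_raw()
 * reports that as ENOENT, the same convention label_mkdir() follows). Other
 * failures are logged and returned as a negative errno on an enforcing system,
 * but swallowed (0) on a permissive one. */
int label_fix(const char *path) {
        int r = 0;

#ifdef HAVE_SELINUX
        struct stat st;
        security_context_t fcon = NULL;
        int saved_errno = 0;

        if (!use_selinux() || !label_hnd)
                return 0;

        if (lstat(path, &st) < 0) {
                r = -1;
                saved_errno = errno;
        } else {
                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
                if (r < 0) {
                        saved_errno = errno;
                        /* No matching rule: nothing to fix, and not worth a
                         * warning. */
                        if (saved_errno == ENOENT)
                                return 0;
                } else {
                        r = setfilecon(path, fcon);
                        if (r < 0)
                                saved_errno = errno;
                        /* free() is not guaranteed to preserve errno, hence
                         * the copy above. */
                        freecon(fcon);
                }
        }

        if (r < 0) {
                bool enforcing = security_getenforce() == 1;

                errno = saved_errno;
                log_full(enforcing ? LOG_ERR : LOG_DEBUG,
                         "Unable to fix label of %s: %m", path);
                r = enforcing ? -saved_errno : 0;
        }
#endif

        return r;
}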
118 | ||
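/* Releases the file-context database opened by label_init(). Resets label_hnd
 * to NULL so that label_fix()/label_mkdir() calls made after this point, and a
 * second label_finish(), see a closed database rather than a dangling handle. */
void label_finish(void) {

#ifdef HAVE_SELINUX
        if (use_selinux() && label_hnd) {
                selabel_close(label_hnd);
                label_hnd = NULL;
        }
#endif
}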
126 | ||
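/* Computes the SELinux context a socket created on behalf of the executable
 * 'exe' should carry: the "process" class transition from this process's own
 * context to the file context of 'exe'. On success stores it in *label (release
 * with label_free()) and returns 0. *label is always set: NULL when SELinux
 * support is compiled out, SELinux is disabled, or the lookup fails on a
 * permissive system (which returns 0, like the other helpers in this file).
 * On an enforcing system a failure returns a negative errno. */
int label_get_socket_label_from_exe(const char *exe, char **label) {

        int r = 0;

        /* Hand back a defined value on every path, including the build
         * without SELinux support. */
        *label = NULL;

#ifdef HAVE_SELINUX
        security_context_t mycon = NULL, fcon = NULL;
        security_class_t sclass;

        if (!use_selinux())
                return 0;

        r = getcon(&mycon);
        if (r < 0)
                goto fail;

        r = getfilecon(exe, &fcon);
        if (r < 0)
                goto fail;

        sclass = string_to_security_class("process");
        if (sclass == 0) {
                errno = EINVAL;
                r = -1;
                goto fail;
        }

        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r == 0)
                log_debug("SELinux Socket context for %s will be set to %s", exe, *label);

fail:
        if (r < 0) {
                /* Convert the raw -1 to -errno before anything below can
                 * clobber errno; permissive systems carry on unlabelled. */
                int saved_errno = errno;

                r = security_getenforce() == 1 ? -saved_errno : 0;
                *label = NULL;
        }

        freecon(mycon);
        freecon(fcon);
#endif

        return r;
}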
163 | ||
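/* Installs, as this process's file-creation context, the context a FIFO created
 * at 'path' by a process running as 'label' would get; the caller creates the
 * FIFO afterwards and resets the creation context with label_file_clear().
 * Returns 0 when SELinux support is compiled out, SELinux is disabled, 'label'
 * is NULL, or the operation fails on a permissive system; otherwise a negative
 * errno (a lookup failure is returned unlogged, a setfscreatecon() failure is
 * logged). */
int label_fifofile_set(const char *label, const char *path) {
        int r = 0;

#ifdef HAVE_SELINUX
        security_context_t filecon = NULL;

        if (!use_selinux() || !label)
                return 0;

        r = label_get_file_label_from_path(label, path, "fifo_file", &filecon);
        if (r == 0) {
                if (setfscreatecon(filecon) < 0) {
                        /* Take errno before logging can clobber it. */
                        r = -errno;
                        log_error("Failed to set SELinux file context (%s) on %s: %m", label, path);
                }

                freecon(filecon);
        }

        /* Only a definite "permissive" answer downgrades the error; a failed
         * security_getenforce() query (-1) keeps it. */
        if (r < 0 && security_getenforce() == 0)
                r = 0;
#endif

        return r;
}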
188 | ||
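/* Installs 'label' as this process's socket-creation context (NULL resets it,
 * see label_socket_clear()). Returns 0 when SELinux support is compiled out,
 * SELinux is disabled, or the call fails on a non-enforcing system (the failure
 * is still logged at debug level); on an enforcing system a failure is logged
 * as an error and returned as a negative errno. */
int label_socket_set(const char *label) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return 0;

        if (setsockcreatecon((security_context_t) label) < 0) {
                /* Capture errno before security_getenforce() and logging can
                 * clobber it; %m needs it intact as well. */
                int saved_errno = errno;
                bool enforcing = security_getenforce() == 1;

                errno = saved_errno;
                log_full(enforcing ? LOG_ERR : LOG_DEBUG,
                         "Failed to set SELinux context (%s) on socket: %m",
                         label ? label : "(null)");

                if (enforcing)
                        return -saved_errno;
        }
#endif

        return 0;
}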
206 | ||
/* Resets this process's file-creation context, undoing label_fifofile_set().
 * Does nothing when SELinux support is compiled out or SELinux is disabled. */
void label_file_clear(void) {

#ifdef HAVE_SELINUX
        if (use_selinux())
                setfscreatecon(NULL);
#endif
}
216 | ||
/* Resets this process's socket-creation context, undoing label_socket_set().
 * Does nothing when SELinux support is compiled out or SELinux is disabled. */
void label_socket_clear(void) {

#ifdef HAVE_SELINUX
        if (use_selinux())
                setsockcreatecon(NULL);
#endif
}
226 | ||
/* Releases a context string handed out by label_get_socket_label_from_exe().
 * The const is cast away because libselinux owns the allocation and frees it
 * through freecon(). Does nothing when SELinux support is compiled out or
 * SELinux is disabled. */
void label_free(const char *label) {

#ifdef HAVE_SELINUX
        if (use_selinux())
                freecon((security_context_t) label);
#endif
}
236 | ||
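/* Creates the directory 'path' with 'mode', labelled as the SELinux policy
 * prescribes. When SELinux is active and label_init() opened the file-context
 * database, the context for 'path' is looked up (a relative path is anchored
 * at the current working directory first, since the database is keyed by
 * absolute paths), installed as this process's file-creation context around
 * the mkdir() and cleared again afterwards. A path the policy has no rule for
 * (selabel_lookup_raw() failing with ENOENT) is created with the default
 * context. Returns 0 on success and a negative errno on failure; a labelling
 * failure is logged and aborts the mkdir() only on an enforcing system. */
int label_mkdir(
                const char *path,
                mode_t mode) {

#ifdef HAVE_SELINUX
        int r = 0;
        security_context_t fcon = NULL;
        bool labelling = use_selinux() && label_hnd;

        if (labelling) {
                int saved_errno;

                if (path[0] == '/')
                        r = selabel_lookup_raw(label_hnd, &fcon, path, mode);
                else {
                        char *cwd, *abs_path = NULL;

                        /* Either a missing cwd or a failed asprintf() is
                         * fatal; previously the condition was inverted, which
                         * bailed out on every successful get_current_dir_name()
                         * and formatted a NULL cwd otherwise. */
                        cwd = get_current_dir_name();
                        if (!cwd || asprintf(&abs_path, "%s/%s", cwd, path) < 0) {
                                r = -errno;
                                free(cwd);
                                return r;
                        }

                        r = selabel_lookup_raw(label_hnd, &fcon, abs_path, mode);
                        /* free() is not guaranteed to preserve errno, and the
                         * ENOENT test below needs the lookup's value. */
                        saved_errno = errno;
                        free(cwd);
                        free(abs_path);
                        errno = saved_errno;
                }

                if (r < 0 && errno == ENOENT) {
                        /* No rule for this path: create it with the default
                         * context instead of failing. */
                        r = 0;
                        fcon = NULL;
                } else if (r == 0)
                        r = setfscreatecon(fcon);

                if (r < 0) {
                        bool enforcing;

                        saved_errno = errno;
                        enforcing = security_getenforce() == 1;
                        errno = saved_errno;
                        log_error("Failed to set security context %s for %s: %m",
                                  fcon ? fcon : "(unknown)", path);
                        r = -saved_errno;

                        if (enforcing)
                                goto finish;
                }
        }

        r = (mkdir(path, mode) < 0) ? -errno : 0;

finish:
        if (labelling) {
                /* Drop the creation context so it does not leak into later
                 * file creations; r is already final, so errno clobbering
                 * here is harmless. */
                setfscreatecon(NULL);
                freecon(fcon);
        }

        return r;
#else
        /* Same -errno convention as the SELinux build, rather than mkdir()'s
         * raw -1, so callers can report the real error. */
        if (mkdir(path, mode) < 0)
                return -errno;

        return 0;
#endif
}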