[thirdparty/systemd.git] / src / shared / label.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/stat.h>
#include <unistd.h>
#include <malloc.h>
#include <sys/socket.h>
#include <sys/un.h>

#include "label.h"
#include "util.h"
#include "path-util.h"

#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>

static struct selabel_handle *label_hnd = NULL;

static int use_selinux_cached = -1;

static inline bool use_selinux(void) {

        if (use_selinux_cached < 0)
                use_selinux_cached = is_selinux_enabled() > 0;

        return use_selinux_cached;
}

void label_retest_selinux(void) {
        use_selinux_cached = -1;
}

#endif

int label_init(const char *prefix) {
        int r = 0;

#ifdef HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
        struct mallinfo before_mallinfo, after_mallinfo;

        if (!use_selinux())
                return 0;

        if (label_hnd)
                return 0;

        before_mallinfo = mallinfo();
        before_timestamp = now(CLOCK_MONOTONIC);

        if (prefix) {
                struct selinux_opt options[] = {
                        { .type = SELABEL_OPT_SUBSET, .value = prefix },
                };

                label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
        } else
                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);

        if (!label_hnd) {
                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
                         "Failed to initialize SELinux context: %m");
                r = security_getenforce() == 1 ? -errno : 0;
        } else  {
                char timespan[FORMAT_TIMESPAN_MAX];
                int l;

                after_timestamp = now(CLOCK_MONOTONIC);
                after_mallinfo = mallinfo();

                l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp),
                          (l+1023)/1024);
        }
#endif

        return r;
}

int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
        int r = 0;

#ifdef HAVE_SELINUX
        struct stat st;
        security_context_t fcon;

        if (!use_selinux() || !label_hnd)
                return 0;

        r = lstat(path, &st);
        if (r == 0) {
                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);

                /* If there's no label to set, then exit without warning */
                if (r < 0 && errno == ENOENT)
                        return 0;

                if (r == 0) {
                        r = lsetfilecon(path, fcon);
                        freecon(fcon);

                        /* If the FS doesn't support labels, then exit without warning */
                        if (r < 0 && errno == ENOTSUP)
                                return 0;
                }
        }

        if (r < 0) {
                /* Ignore ENOENT in some cases */
                if (ignore_enoent && errno == ENOENT)
                        return 0;

                if (ignore_erofs && errno == EROFS)
                        return 0;

                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
                         "Unable to fix label of %s: %m", path);
                r = security_getenforce() == 1 ? -errno : 0;
        }
#endif

        return r;
}

void label_finish(void) {

#ifdef HAVE_SELINUX
        if (use_selinux() && label_hnd)
                selabel_close(label_hnd);
#endif
}

int label_get_create_label_from_exe(const char *exe, char **label) {

        int r = 0;

#ifdef HAVE_SELINUX
        security_context_t mycon = NULL, fcon = NULL;
        security_class_t sclass;

        if (!use_selinux()) {
                *label = NULL;
                return 0;
        }

        r = getcon(&mycon);
        if (r < 0)
                goto fail;

        r = getfilecon(exe, &fcon);
        if (r < 0)
                goto fail;

        sclass = string_to_security_class("process");
        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r == 0)
                log_debug("SELinux Socket context for %s will be set to %s", exe, *label);

fail:
        if (r < 0 && security_getenforce() == 1)
                r = -errno;

        freecon(mycon);
        freecon(fcon);
#endif

        return r;
}

int label_context_set(const char *path, mode_t mode) {
        int r = 0;

#ifdef HAVE_SELINUX
        security_context_t filecon = NULL;

        if (!use_selinux() || !label_hnd)
                return 0;

        r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
        if (r < 0)
                r = -errno;
        else if (r == 0) {
                r = setfscreatecon(filecon);
                if (r < 0) {
                        log_error("Failed to set SELinux file context on %s: %m", path);
                        r = -errno;
                }

                freecon(filecon);
        }

        if (r < 0 && security_getenforce() == 0)
                r = 0;
#endif

        return r;
}

int label_socket_set(const char *label) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return 0;

        if (setsockcreatecon((security_context_t) label) < 0) {
                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
                         "Failed to set SELinux context (%s) on socket: %m", label);

                if (security_getenforce() == 1)
                        return -errno;
        }
#endif

        return 0;
}

void label_context_clear(void) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return;

        setfscreatecon(NULL);
#endif
}

void label_socket_clear(void) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return;

        setsockcreatecon(NULL);
#endif
}

void label_free(const char *label) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return;

        freecon((security_context_t) label);
#endif
}

int label_mkdir(const char *path, mode_t mode, bool apply) {

        /* Creates a directory and labels it according to the SELinux policy */
#ifdef HAVE_SELINUX
        int r;
        security_context_t fcon = NULL;

        if (!apply || !use_selinux() || !label_hnd)
                goto skipped;

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
        else {
                char *newpath;

                newpath = path_make_absolute_cwd(path);
                if (!newpath)
                        return -ENOMEM;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
                free(newpath);
        }

        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                log_error("Failed to set security context %s for %s: %m", fcon, path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = mkdir(path, mode);
        if (r < 0)
                r = -errno;

finish:
        setfscreatecon(NULL);
        freecon(fcon);

        return r;

skipped:
#endif
        return mkdir(path, mode) < 0 ? -errno : 0;
}

int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

        /* Binds a socket and label its file system object according to the SELinux policy */

#ifdef HAVE_SELINUX
        int r;
        security_context_t fcon = NULL;
        const struct sockaddr_un *un;
        char *path = NULL;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        if (!use_selinux() || !label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < sizeof(sa_family_t) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
        if (!path)
                return -ENOMEM;

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
        else {
                char *newpath;

                newpath = path_make_absolute_cwd(path);

                if (!newpath) {
                        free(path);
                        return -ENOMEM;
                }

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
                free(newpath);
        }

        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                log_error("Failed to set security context %s for %s: %m", fcon, path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = bind(fd, addr, addrlen);
        if (r < 0)
                r = -errno;

finish:
        setfscreatecon(NULL);
        freecon(fcon);
        free(path);

        return r;

skipped:
#endif
        return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
e51bc1a2 LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
e51bc1a2 LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
e51bc1a2	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
e51bc1a2 LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/stat.h>
	24	#include <unistd.h>
455a946f	25	#include <malloc.h>
f13e30d2 LP	26	#include <sys/socket.h>
f13e30d2 LP	27	#include <sys/un.h>
e51bc1a2 LP	28
	29	#include "label.h"
	30	#include "util.h"
9eb977db	31	#include "path-util.h"
e51bc1a2 LP	32
	33	#ifdef HAVE_SELINUX
	34	#include <selinux/selinux.h>
	35	#include <selinux/label.h>
	36
	37	static struct selabel_handle *label_hnd = NULL;
	38
4d4c7486 LP	39	static int use_selinux_cached = -1;
4d4c7486 LP	40
e51bc1a2	41	static inline bool use_selinux(void) {
e51bc1a2	42
4ef31082 LP	43	if (use_selinux_cached < 0)
4ef31082 LP	44	use_selinux_cached = is_selinux_enabled() > 0;
e51bc1a2	45
4ef31082	46	return use_selinux_cached;
e51bc1a2 LP	47	}
e51bc1a2 LP	48
4d4c7486 LP	49	void label_retest_selinux(void) {
	50	use_selinux_cached = -1;
	51	}
	52
e51bc1a2 LP	53	#endif
e51bc1a2 LP	54
0f9963a8	55	int label_init(const char *prefix) {
e51bc1a2 LP	56	int r = 0;
	57
	58	#ifdef HAVE_SELINUX
189583d7 LP	59	usec_t before_timestamp, after_timestamp;
189583d7 LP	60	struct mallinfo before_mallinfo, after_mallinfo;
e51bc1a2 LP	61
	62	if (!use_selinux())
	63	return 0;
	64
c4dcdb9f LP	65	if (label_hnd)
	66	return 0;
	67
189583d7 LP	68	before_mallinfo = mallinfo();
189583d7 LP	69	before_timestamp = now(CLOCK_MONOTONIC);
455a946f	70
0f9963a8	71	if (prefix) {
e9a5ef7c	72	struct selinux_opt options[] = {
0f9963a8	73	{ .type = SELABEL_OPT_SUBSET, .value = prefix },
e9a5ef7c KS	74	};
	75
	76	label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
	77	} else
	78	label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
	79
e51bc1a2 LP	80	if (!label_hnd) {
	81	log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
	82	"Failed to initialize SELinux context: %m");
049f8642	83	r = security_getenforce() == 1 ? -errno : 0;
871e5809	84	} else {
189583d7	85	char timespan[FORMAT_TIMESPAN_MAX];
455a946f	86	int l;
871e5809	87
189583d7 LP	88	after_timestamp = now(CLOCK_MONOTONIC);
189583d7 LP	89	after_mallinfo = mallinfo();
871e5809	90
189583d7	91	l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
455a946f	92
107a2db9 LP	93	log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
	94	format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp),
	95	(l+1023)/1024);
455a946f	96	}
e51bc1a2 LP	97	#endif
	98
	99	return r;
	100	}
	101
c9bc0764	102	int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
e51bc1a2 LP	103	int r = 0;
	104
	105	#ifdef HAVE_SELINUX
	106	struct stat st;
	107	security_context_t fcon;
	108
	109	if (!use_selinux() \|\| !label_hnd)
	110	return 0;
	111
	112	r = lstat(path, &st);
	113	if (r == 0) {
	114	r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
	115
5a33f657 LP	116	/* If there's no label to set, then exit without warning */
	117	if (r < 0 && errno == ENOENT)
	118	return 0;
	119
e51bc1a2	120	if (r == 0) {
81c3f1f6	121	r = lsetfilecon(path, fcon);
e51bc1a2	122	freecon(fcon);
d2dfce17 LP	123
	124	/* If the FS doesn't support labels, then exit without warning */
	125	if (r < 0 && errno == ENOTSUP)
	126	return 0;
e51bc1a2 LP	127	}
e51bc1a2 LP	128	}
5a33f657	129
e51bc1a2	130	if (r < 0) {
b4bd5144 LP	131	/* Ignore ENOENT in some cases */
	132	if (ignore_enoent && errno == ENOENT)
	133	return 0;
	134
c9bc0764 LP	135	if (ignore_erofs && errno == EROFS)
	136	return 0;
	137
e51bc1a2 LP	138	log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
e51bc1a2 LP	139	"Unable to fix label of %s: %m", path);
049f8642	140	r = security_getenforce() == 1 ? -errno : 0;
e51bc1a2 LP	141	}
	142	#endif
	143
	144	return r;
	145	}
	146
	147	void label_finish(void) {
	148
	149	#ifdef HAVE_SELINUX
	150	if (use_selinux() && label_hnd)
	151	selabel_close(label_hnd);
	152	#endif
	153	}
	154
189583d7	155	int label_get_create_label_from_exe(const char exe, char *label) {
e51bc1a2 LP	156
	157	int r = 0;
	158
	159	#ifdef HAVE_SELINUX
	160	security_context_t mycon = NULL, fcon = NULL;
	161	security_class_t sclass;
	162
	163	if (!use_selinux()) {
	164	*label = NULL;
	165	return 0;
	166	}
	167
	168	r = getcon(&mycon);
	169	if (r < 0)
	170	goto fail;
	171
	172	r = getfilecon(exe, &fcon);
	173	if (r < 0)
	174	goto fail;
	175
	176	sclass = string_to_security_class("process");
	177	r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
	178	if (r == 0)
	179	log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
	180
	181	fail:
	182	if (r < 0 && security_getenforce() == 1)
	183	r = -errno;
	184
	185	freecon(mycon);
	186	freecon(fcon);
	187	#endif
	188
	189	return r;
	190	}
	191
e9a5ef7c	192	int label_context_set(const char *path, mode_t mode) {
5c0532d1 LP	193	int r = 0;
	194
	195	#ifdef HAVE_SELINUX
	196	security_context_t filecon = NULL;
	197
	198	if (!use_selinux() \|\| !label_hnd)
	199	return 0;
	200
e9a5ef7c	201	r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
382241ee LP	202	if (r < 0)
	203	r = -errno;
	204	else if (r == 0) {
	205	r = setfscreatecon(filecon);
	206	if (r < 0) {
5c0532d1 LP	207	log_error("Failed to set SELinux file context on %s: %m", path);
	208	r = -errno;
	209	}
	210
	211	freecon(filecon);
	212	}
	213
	214	if (r < 0 && security_getenforce() == 0)
	215	r = 0;
	216	#endif
	217
	218	return r;
	219	}
	220
e51bc1a2 LP	221	int label_socket_set(const char *label) {
	222
	223	#ifdef HAVE_SELINUX
	224	if (!use_selinux())
	225	return 0;
	226
	227	if (setsockcreatecon((security_context_t) label) < 0) {
	228	log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
	229	"Failed to set SELinux context (%s) on socket: %m", label);
	230
	231	if (security_getenforce() == 1)
	232	return -errno;
	233	}
	234	#endif
	235
	236	return 0;
	237	}
	238
e9a5ef7c	239	void label_context_clear(void) {
e51bc1a2 LP	240
	241	#ifdef HAVE_SELINUX
	242	if (!use_selinux())
	243	return;
	244
	245	setfscreatecon(NULL);
	246	#endif
	247	}
	248
	249	void label_socket_clear(void) {
	250
	251	#ifdef HAVE_SELINUX
	252	if (!use_selinux())
	253	return;
	254
	255	setsockcreatecon(NULL);
	256	#endif
	257	}
	258
	259	void label_free(const char *label) {
	260
	261	#ifdef HAVE_SELINUX
	262	if (!use_selinux())
	263	return;
	264
	265	freecon((security_context_t) label);
	266	#endif
	267	}
	268
c66e7f04	269	int label_mkdir(const char *path, mode_t mode, bool apply) {
e51bc1a2 LP	270
e51bc1a2 LP	271	/* Creates a directory and labels it according to the SELinux policy */
e51bc1a2 LP	272	#ifdef HAVE_SELINUX
	273	int r;
	274	security_context_t fcon = NULL;
	275
c66e7f04	276	if (!apply \|\| !use_selinux() \|\| !label_hnd)
f13e30d2	277	goto skipped;
e51bc1a2	278
f13e30d2	279	if (path_is_absolute(path))
382241ee	280	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
f13e30d2 LP	281	else {
f13e30d2 LP	282	char *newpath;
e51bc1a2	283
f13e30d2 LP	284	newpath = path_make_absolute_cwd(path);
	285	if (!newpath)
	286	return -ENOMEM;
e51bc1a2	287
382241ee	288	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
f13e30d2 LP	289	free(newpath);
	290	}
	291
	292	if (r == 0)
	293	r = setfscreatecon(fcon);
e51bc1a2	294
f13e30d2 LP	295	if (r < 0 && errno != ENOENT) {
f13e30d2 LP	296	log_error("Failed to set security context %s for %s: %m", fcon, path);
e51bc1a2	297
f13e30d2	298	if (security_getenforce() == 1) {
e51bc1a2	299	r = -errno;
f13e30d2	300	goto finish;
e51bc1a2 LP	301	}
	302	}
	303
f13e30d2 LP	304	r = mkdir(path, mode);
f13e30d2 LP	305	if (r < 0)
e51bc1a2 LP	306	r = -errno;
	307
	308	finish:
f13e30d2 LP	309	setfscreatecon(NULL);
	310	freecon(fcon);
	311
	312	return r;
	313
	314	skipped:
	315	#endif
	316	return mkdir(path, mode) < 0 ? -errno : 0;
	317	}
	318
	319	int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
	320
	321	/* Binds a socket and label its file system object according to the SELinux policy */
	322
	323	#ifdef HAVE_SELINUX
	324	int r;
	325	security_context_t fcon = NULL;
	326	const struct sockaddr_un *un;
	327	char *path = NULL;
	328
	329	assert(fd >= 0);
	330	assert(addr);
	331	assert(addrlen >= sizeof(sa_family_t));
	332
	333	if (!use_selinux() \|\| !label_hnd)
	334	goto skipped;
	335
	336	/* Filter out non-local sockets */
	337	if (addr->sa_family != AF_UNIX)
	338	goto skipped;
	339
	340	/* Filter out anonymous sockets */
	341	if (addrlen < sizeof(sa_family_t) + 1)
	342	goto skipped;
	343
	344	/* Filter out abstract namespace sockets */
	345	un = (const struct sockaddr_un*) addr;
	346	if (un->sun_path[0] == 0)
	347	goto skipped;
	348
	349	path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
	350	if (!path)
	351	return -ENOMEM;
	352
	353	if (path_is_absolute(path))
382241ee	354	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
f13e30d2 LP	355	else {
	356	char *newpath;
	357
	358	newpath = path_make_absolute_cwd(path);
	359
	360	if (!newpath) {
	361	free(path);
	362	return -ENOMEM;
	363	}
	364
382241ee	365	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
f13e30d2	366	free(newpath);
e51bc1a2 LP	367	}
e51bc1a2 LP	368
f13e30d2 LP	369	if (r == 0)
	370	r = setfscreatecon(fcon);
	371
	372	if (r < 0 && errno != ENOENT) {
	373	log_error("Failed to set security context %s for %s: %m", fcon, path);
	374
	375	if (security_getenforce() == 1) {
	376	r = -errno;
	377	goto finish;
	378	}
	379	}
	380
	381	r = bind(fd, addr, addrlen);
	382	if (r < 0)
	383	r = -errno;
	384
	385	finish:
	386	setfscreatecon(NULL);
	387	freecon(fcon);
	388	free(path);
	389
e51bc1a2	390	return r;
f13e30d2 LP	391
f13e30d2 LP	392	skipped:
e51bc1a2	393	#endif
f13e30d2	394	return bind(fd, addr, addrlen) < 0 ? -errno : 0;
e51bc1a2	395	}