[thirdparty/systemd.git] / src / shared / label.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <sys/stat.h>
#include <unistd.h>
#include <malloc.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#include "label.h"
#include "strv.h"
#include "util.h"
#include "path-util.h"

#ifdef HAVE_SELINUX
#include "selinux-util.h"
#include <selinux/selinux.h>
#include <selinux/label.h>

static struct selabel_handle *label_hnd = NULL;

#endif

int label_init(const char *prefix) {
        int r = 0;

#ifdef HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
        struct mallinfo before_mallinfo, after_mallinfo;

        if (!use_selinux())
                return 0;

        if (label_hnd)
                return 0;

        before_mallinfo = mallinfo();
        before_timestamp = now(CLOCK_MONOTONIC);

        if (prefix) {
                struct selinux_opt options[] = {
                        { .type = SELABEL_OPT_SUBSET, .value = prefix },
                };

                label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
        } else
                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);

        if (!label_hnd) {
                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
                         "Failed to initialize SELinux context: %m");
                r = security_getenforce() == 1 ? -errno : 0;
        } else  {
                char timespan[FORMAT_TIMESPAN_MAX];
                int l;

                after_timestamp = now(CLOCK_MONOTONIC);
                after_mallinfo = mallinfo();

                l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
                          (l+1023)/1024);
        }
#endif

        return r;
}

int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
        int r = 0;

#ifdef HAVE_SELINUX
        struct stat st;
        security_context_t fcon;

        if (!use_selinux() || !label_hnd)
                return 0;

        r = lstat(path, &st);
        if (r == 0) {
                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);

                /* If there's no label to set, then exit without warning */
                if (r < 0 && errno == ENOENT)
                        return 0;

                if (r == 0) {
                        r = lsetfilecon(path, fcon);
                        freecon(fcon);

                        /* If the FS doesn't support labels, then exit without warning */
                        if (r < 0 && errno == ENOTSUP)
                                return 0;
                }
        }

        if (r < 0) {
                /* Ignore ENOENT in some cases */
                if (ignore_enoent && errno == ENOENT)
                        return 0;

                if (ignore_erofs && errno == EROFS)
                        return 0;

                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
                         "Unable to fix label of %s: %m", path);
                r = security_getenforce() == 1 ? -errno : 0;
        }
#endif

        return r;
}

void label_finish(void) {

#ifdef HAVE_SELINUX
        if (use_selinux() && label_hnd)
                selabel_close(label_hnd);
#endif
}

int label_get_create_label_from_exe(const char *exe, char **label) {

        int r = 0;

#ifdef HAVE_SELINUX
        security_context_t mycon = NULL, fcon = NULL;
        security_class_t sclass;

        if (!use_selinux()) {
                *label = NULL;
                return 0;
        }

        r = getcon(&mycon);
        if (r < 0)
                goto fail;

        r = getfilecon(exe, &fcon);
        if (r < 0)
                goto fail;

        sclass = string_to_security_class("process");
        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r == 0)
                log_debug("SELinux Socket context for %s will be set to %s", exe, *label);

fail:
        if (r < 0 && security_getenforce() == 1)
                r = -errno;

        freecon(mycon);
        freecon(fcon);
#endif

        return r;
}

int label_context_set(const char *path, mode_t mode) {
        int r = 0;

#ifdef HAVE_SELINUX
        security_context_t filecon = NULL;

        if (!use_selinux() || !label_hnd)
                return 0;

        r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
        if (r < 0 && errno != ENOENT)
                r = -errno;
        else if (r == 0) {
                r = setfscreatecon(filecon);
                if (r < 0) {
                        log_error("Failed to set SELinux file context on %s: %m", path);
                        r = -errno;
                }

                freecon(filecon);
        }

        if (r < 0 && security_getenforce() == 0)
                r = 0;
#endif

        return r;
}

int label_socket_set(const char *label) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return 0;

        if (setsockcreatecon((security_context_t) label) < 0) {
                log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
                         "Failed to set SELinux context (%s) on socket: %m", label);

                if (security_getenforce() == 1)
                        return -errno;
        }
#endif

        return 0;
}

void label_context_clear(void) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return;

        setfscreatecon(NULL);
#endif
}

void label_socket_clear(void) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return;

        setsockcreatecon(NULL);
#endif
}

void label_free(const char *label) {

#ifdef HAVE_SELINUX
        if (!use_selinux())
                return;

        freecon((security_context_t) label);
#endif
}

int label_mkdir(const char *path, mode_t mode, bool apply) {

        /* Creates a directory and labels it according to the SELinux policy */
#ifdef HAVE_SELINUX
        int r;
        security_context_t fcon = NULL;

        if (!apply || !use_selinux() || !label_hnd)
                goto skipped;

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
        else {
                char *newpath;

                newpath = path_make_absolute_cwd(path);
                if (!newpath)
                        return -ENOMEM;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
                free(newpath);
        }

        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                log_error("Failed to set security context %s for %s: %m", fcon, path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = mkdir(path, mode);
        if (r < 0)
                r = -errno;

finish:
        setfscreatecon(NULL);
        freecon(fcon);

        return r;

skipped:
#endif
        return mkdir(path, mode) < 0 ? -errno : 0;
}

int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

        /* Binds a socket and label its file system object according to the SELinux policy */

#ifdef HAVE_SELINUX
        int r;
        security_context_t fcon = NULL;
        const struct sockaddr_un *un;
        char *path = NULL;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        if (!use_selinux() || !label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < sizeof(sa_family_t) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
        if (!path)
                return -ENOMEM;

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
        else {
                char *newpath;

                newpath = path_make_absolute_cwd(path);

                if (!newpath) {
                        free(path);
                        return -ENOMEM;
                }

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
                free(newpath);
        }

        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                log_error("Failed to set security context %s for %s: %m", fcon, path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = bind(fd, addr, addrlen);
        if (r < 0)
                r = -errno;

finish:
        setfscreatecon(NULL);
        freecon(fcon);
        free(path);

        return r;

skipped:
#endif
        return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}
Commit	Line	Data
d6c9574f	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
e51bc1a2 LP	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	9	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	10	the Free Software Foundation; either version 2.1 of the License, or
e51bc1a2 LP	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	16	Lesser General Public License for more details.
e51bc1a2	17
5430f7f2	18	You should have received a copy of the GNU Lesser General Public License
e51bc1a2 LP	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <errno.h>
	23	#include <sys/stat.h>
	24	#include <unistd.h>
455a946f	25	#include <malloc.h>
f13e30d2 LP	26	#include <sys/socket.h>
f13e30d2 LP	27	#include <sys/un.h>
a5c32cff HH	28	#include <sys/types.h>
	29	#include <sys/stat.h>
	30	#include <fcntl.h>
e51bc1a2 LP	31
e51bc1a2 LP	32	#include "label.h"
a5c32cff	33	#include "strv.h"
e51bc1a2	34	#include "util.h"
9eb977db	35	#include "path-util.h"
e51bc1a2 LP	36
e51bc1a2 LP	37	#ifdef HAVE_SELINUX
cad45ba1	38	#include "selinux-util.h"
e51bc1a2 LP	39	#include <selinux/selinux.h>
	40	#include <selinux/label.h>
	41
	42	static struct selabel_handle *label_hnd = NULL;
	43
e51bc1a2 LP	44	#endif
e51bc1a2 LP	45
0f9963a8	46	int label_init(const char *prefix) {
e51bc1a2 LP	47	int r = 0;
	48
	49	#ifdef HAVE_SELINUX
189583d7 LP	50	usec_t before_timestamp, after_timestamp;
189583d7 LP	51	struct mallinfo before_mallinfo, after_mallinfo;
e51bc1a2 LP	52
	53	if (!use_selinux())
	54	return 0;
	55
c4dcdb9f LP	56	if (label_hnd)
	57	return 0;
	58
189583d7 LP	59	before_mallinfo = mallinfo();
189583d7 LP	60	before_timestamp = now(CLOCK_MONOTONIC);
455a946f	61
0f9963a8	62	if (prefix) {
e9a5ef7c	63	struct selinux_opt options[] = {
0f9963a8	64	{ .type = SELABEL_OPT_SUBSET, .value = prefix },
e9a5ef7c KS	65	};
	66
	67	label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
	68	} else
	69	label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
	70
e51bc1a2 LP	71	if (!label_hnd) {
	72	log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
	73	"Failed to initialize SELinux context: %m");
049f8642	74	r = security_getenforce() == 1 ? -errno : 0;
871e5809	75	} else {
189583d7	76	char timespan[FORMAT_TIMESPAN_MAX];
455a946f	77	int l;
871e5809	78
189583d7 LP	79	after_timestamp = now(CLOCK_MONOTONIC);
189583d7 LP	80	after_mallinfo = mallinfo();
871e5809	81
189583d7	82	l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
455a946f	83
107a2db9	84	log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
2fa4092c	85	format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
107a2db9	86	(l+1023)/1024);
455a946f	87	}
e51bc1a2 LP	88	#endif
	89
	90	return r;
	91	}
	92
c9bc0764	93	int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
e51bc1a2 LP	94	int r = 0;
	95
	96	#ifdef HAVE_SELINUX
	97	struct stat st;
	98	security_context_t fcon;
	99
	100	if (!use_selinux() \|\| !label_hnd)
	101	return 0;
	102
	103	r = lstat(path, &st);
	104	if (r == 0) {
	105	r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
	106
5a33f657 LP	107	/* If there's no label to set, then exit without warning */
	108	if (r < 0 && errno == ENOENT)
	109	return 0;
	110
e51bc1a2	111	if (r == 0) {
81c3f1f6	112	r = lsetfilecon(path, fcon);
e51bc1a2	113	freecon(fcon);
d2dfce17 LP	114
	115	/* If the FS doesn't support labels, then exit without warning */
	116	if (r < 0 && errno == ENOTSUP)
	117	return 0;
e51bc1a2 LP	118	}
e51bc1a2 LP	119	}
5a33f657	120
e51bc1a2	121	if (r < 0) {
b4bd5144 LP	122	/* Ignore ENOENT in some cases */
	123	if (ignore_enoent && errno == ENOENT)
	124	return 0;
	125
c9bc0764 LP	126	if (ignore_erofs && errno == EROFS)
	127	return 0;
	128
e51bc1a2 LP	129	log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
e51bc1a2 LP	130	"Unable to fix label of %s: %m", path);
049f8642	131	r = security_getenforce() == 1 ? -errno : 0;
e51bc1a2 LP	132	}
	133	#endif
	134
	135	return r;
	136	}
	137
	138	void label_finish(void) {
	139
	140	#ifdef HAVE_SELINUX
	141	if (use_selinux() && label_hnd)
	142	selabel_close(label_hnd);
	143	#endif
	144	}
	145
189583d7	146	int label_get_create_label_from_exe(const char exe, char *label) {
e51bc1a2 LP	147
	148	int r = 0;
	149
	150	#ifdef HAVE_SELINUX
	151	security_context_t mycon = NULL, fcon = NULL;
	152	security_class_t sclass;
	153
	154	if (!use_selinux()) {
	155	*label = NULL;
	156	return 0;
	157	}
	158
	159	r = getcon(&mycon);
	160	if (r < 0)
	161	goto fail;
	162
	163	r = getfilecon(exe, &fcon);
	164	if (r < 0)
	165	goto fail;
	166
	167	sclass = string_to_security_class("process");
	168	r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
	169	if (r == 0)
	170	log_debug("SELinux Socket context for %s will be set to %s", exe, *label);
	171
	172	fail:
	173	if (r < 0 && security_getenforce() == 1)
	174	r = -errno;
	175
	176	freecon(mycon);
	177	freecon(fcon);
	178	#endif
	179
	180	return r;
	181	}
	182
e9a5ef7c	183	int label_context_set(const char *path, mode_t mode) {
5c0532d1 LP	184	int r = 0;
	185
	186	#ifdef HAVE_SELINUX
	187	security_context_t filecon = NULL;
	188
	189	if (!use_selinux() \|\| !label_hnd)
	190	return 0;
	191
e9a5ef7c	192	r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
080ffcb4	193	if (r < 0 && errno != ENOENT)
382241ee LP	194	r = -errno;
	195	else if (r == 0) {
	196	r = setfscreatecon(filecon);
	197	if (r < 0) {
5c0532d1 LP	198	log_error("Failed to set SELinux file context on %s: %m", path);
	199	r = -errno;
	200	}
	201
	202	freecon(filecon);
	203	}
	204
	205	if (r < 0 && security_getenforce() == 0)
	206	r = 0;
	207	#endif
	208
	209	return r;
	210	}
	211
e51bc1a2 LP	212	int label_socket_set(const char *label) {
	213
	214	#ifdef HAVE_SELINUX
	215	if (!use_selinux())
	216	return 0;
	217
	218	if (setsockcreatecon((security_context_t) label) < 0) {
	219	log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
	220	"Failed to set SELinux context (%s) on socket: %m", label);
	221
	222	if (security_getenforce() == 1)
	223	return -errno;
	224	}
	225	#endif
	226
	227	return 0;
	228	}
	229
e9a5ef7c	230	void label_context_clear(void) {
e51bc1a2 LP	231
	232	#ifdef HAVE_SELINUX
	233	if (!use_selinux())
	234	return;
	235
	236	setfscreatecon(NULL);
	237	#endif
	238	}
	239
	240	void label_socket_clear(void) {
	241
	242	#ifdef HAVE_SELINUX
	243	if (!use_selinux())
	244	return;
	245
	246	setsockcreatecon(NULL);
	247	#endif
	248	}
	249
	250	void label_free(const char *label) {
	251
	252	#ifdef HAVE_SELINUX
	253	if (!use_selinux())
	254	return;
	255
	256	freecon((security_context_t) label);
	257	#endif
	258	}
	259
c66e7f04	260	int label_mkdir(const char *path, mode_t mode, bool apply) {
e51bc1a2 LP	261
e51bc1a2 LP	262	/* Creates a directory and labels it according to the SELinux policy */
e51bc1a2 LP	263	#ifdef HAVE_SELINUX
	264	int r;
	265	security_context_t fcon = NULL;
	266
c66e7f04	267	if (!apply \|\| !use_selinux() \|\| !label_hnd)
f13e30d2	268	goto skipped;
e51bc1a2	269
f13e30d2	270	if (path_is_absolute(path))
382241ee	271	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
f13e30d2 LP	272	else {
f13e30d2 LP	273	char *newpath;
e51bc1a2	274
f13e30d2 LP	275	newpath = path_make_absolute_cwd(path);
	276	if (!newpath)
	277	return -ENOMEM;
e51bc1a2	278
382241ee	279	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
f13e30d2 LP	280	free(newpath);
	281	}
	282
	283	if (r == 0)
	284	r = setfscreatecon(fcon);
e51bc1a2	285
f13e30d2 LP	286	if (r < 0 && errno != ENOENT) {
f13e30d2 LP	287	log_error("Failed to set security context %s for %s: %m", fcon, path);
e51bc1a2	288
f13e30d2	289	if (security_getenforce() == 1) {
e51bc1a2	290	r = -errno;
f13e30d2	291	goto finish;
e51bc1a2 LP	292	}
	293	}
	294
f13e30d2 LP	295	r = mkdir(path, mode);
f13e30d2 LP	296	if (r < 0)
e51bc1a2 LP	297	r = -errno;
	298
	299	finish:
f13e30d2 LP	300	setfscreatecon(NULL);
	301	freecon(fcon);
	302
	303	return r;
	304
	305	skipped:
	306	#endif
	307	return mkdir(path, mode) < 0 ? -errno : 0;
	308	}
	309
	310	int label_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
	311
	312	/* Binds a socket and label its file system object according to the SELinux policy */
	313
	314	#ifdef HAVE_SELINUX
	315	int r;
	316	security_context_t fcon = NULL;
	317	const struct sockaddr_un *un;
	318	char *path = NULL;
	319
	320	assert(fd >= 0);
	321	assert(addr);
	322	assert(addrlen >= sizeof(sa_family_t));
	323
	324	if (!use_selinux() \|\| !label_hnd)
	325	goto skipped;
	326
	327	/* Filter out non-local sockets */
	328	if (addr->sa_family != AF_UNIX)
	329	goto skipped;
	330
	331	/* Filter out anonymous sockets */
	332	if (addrlen < sizeof(sa_family_t) + 1)
	333	goto skipped;
	334
	335	/* Filter out abstract namespace sockets */
	336	un = (const struct sockaddr_un*) addr;
	337	if (un->sun_path[0] == 0)
	338	goto skipped;
	339
	340	path = strndup(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
	341	if (!path)
	342	return -ENOMEM;
	343
	344	if (path_is_absolute(path))
382241ee	345	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
f13e30d2 LP	346	else {
	347	char *newpath;
	348
	349	newpath = path_make_absolute_cwd(path);
	350
	351	if (!newpath) {
	352	free(path);
	353	return -ENOMEM;
	354	}
	355
382241ee	356	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
f13e30d2	357	free(newpath);
e51bc1a2 LP	358	}
e51bc1a2 LP	359
f13e30d2 LP	360	if (r == 0)
	361	r = setfscreatecon(fcon);
	362
	363	if (r < 0 && errno != ENOENT) {
	364	log_error("Failed to set security context %s for %s: %m", fcon, path);
	365
	366	if (security_getenforce() == 1) {
	367	r = -errno;
	368	goto finish;
	369	}
	370	}
	371
	372	r = bind(fd, addr, addrlen);
	373	if (r < 0)
	374	r = -errno;
	375
	376	finish:
	377	setfscreatecon(NULL);
	378	freecon(fcon);
	379	free(path);
	380
e51bc1a2	381	return r;
f13e30d2 LP	382
f13e30d2 LP	383	skipped:
e51bc1a2	384	#endif
f13e30d2	385	return bind(fd, addr, addrlen) < 0 ? -errno : 0;
e51bc1a2	386	}