1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include <sys/types.h>
15 #include <selinux/avc.h>
16 #include <selinux/context.h>
17 #include <selinux/label.h>
18 #include <selinux/selinux.h>
21 #include "alloc-util.h"
22 #include "errno-util.h"
26 #include "path-util.h"
27 #include "selinux-util.h"
28 #include "stdio-util.h"
29 #include "time-util.h"
32 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t
, context_free
);
33 #define _cleanup_context_free_ _cleanup_(context_freep)
35 static int mac_selinux_reload(int seqno
);
37 static int cached_use
= -1;
38 static int cached_enforcing
= -1;
39 static struct selabel_handle
*label_hnd
= NULL
;
41 #define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
42 #define log_enforcing_errno(r, ...) log_full_errno(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__)
45 bool mac_selinux_use(void) {
48 cached_use
= is_selinux_enabled() > 0;
56 bool mac_selinux_enforcing(void) {
58 if (cached_enforcing
< 0) {
59 cached_enforcing
= security_getenforce();
60 if (cached_enforcing
== -1) {
61 log_error_errno(errno
, "Failed to get SELinux enforced status: %m");
65 /* treat failure as enforced mode */
66 return (cached_enforcing
!= 0);
72 void mac_selinux_retest(void) {
75 cached_enforcing
= -1;
80 static int setenforce_callback(int enforcing
) {
81 cached_enforcing
= enforcing
;
87 int mac_selinux_init(void) {
91 usec_t before_timestamp
, after_timestamp
;
92 struct mallinfo before_mallinfo
, after_mallinfo
;
94 selinux_set_callback(SELINUX_CB_POLICYLOAD
, (union selinux_callback
) mac_selinux_reload
);
95 selinux_set_callback(SELINUX_CB_SETENFORCE
, (union selinux_callback
) setenforce_callback
);
100 if (!mac_selinux_use())
103 before_mallinfo
= mallinfo();
104 before_timestamp
= now(CLOCK_MONOTONIC
);
106 label_hnd
= selabel_open(SELABEL_CTX_FILE
, NULL
, 0);
108 log_enforcing_errno(errno
, "Failed to initialize SELinux context: %m");
109 r
= mac_selinux_enforcing() ? -errno
: 0;
111 char timespan
[FORMAT_TIMESPAN_MAX
];
114 after_timestamp
= now(CLOCK_MONOTONIC
);
115 after_mallinfo
= mallinfo();
117 l
= after_mallinfo
.uordblks
> before_mallinfo
.uordblks
? after_mallinfo
.uordblks
- before_mallinfo
.uordblks
: 0;
119 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
120 format_timespan(timespan
, sizeof(timespan
), after_timestamp
- before_timestamp
, 0),
128 void mac_selinux_finish(void) {
134 selabel_close(label_hnd
);
140 static int mac_selinux_reload(int seqno
) {
141 struct selabel_handle
*backup_label_hnd
;
146 backup_label_hnd
= TAKE_PTR(label_hnd
);
148 /* try to initialize new handle
149 * on success close backup
150 * on failure restore backup */
151 if (mac_selinux_init() == 0)
152 selabel_close(backup_label_hnd
);
154 label_hnd
= backup_label_hnd
;
160 int mac_selinux_fix(const char *path
, LabelFixFlags flags
) {
163 char procfs_path
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
164 _cleanup_freecon_
char* fcon
= NULL
;
165 _cleanup_close_
int fd
= -1;
171 /* if mac_selinux_init() wasn't called before we are a NOOP */
175 /* Open the file as O_PATH, to pin it while we determine and adjust the label */
176 fd
= open(path
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
178 if ((flags
& LABEL_IGNORE_ENOENT
) && errno
== ENOENT
)
184 if (fstat(fd
, &st
) < 0)
187 /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
188 (void) avc_netlink_check_nb();
190 if (selabel_lookup_raw(label_hnd
, &fcon
, path
, st
.st_mode
) < 0) {
193 /* If there's no label to set, then exit without warning */
200 xsprintf(procfs_path
, "/proc/self/fd/%i", fd
);
201 if (setfilecon_raw(procfs_path
, fcon
) < 0) {
202 _cleanup_freecon_
char *oldcon
= NULL
;
206 /* If the FS doesn't support labels, then exit without warning */
207 if (r
== -EOPNOTSUPP
)
210 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
211 if (r
== -EROFS
&& (flags
& LABEL_IGNORE_EROFS
))
214 /* If the old label is identical to the new one, suppress any kind of error */
215 if (getfilecon_raw(procfs_path
, &oldcon
) >= 0 && streq(fcon
, oldcon
))
224 log_enforcing_errno(r
, "Unable to fix SELinux security context of %s: %m", path
);
225 if (mac_selinux_enforcing())
232 int mac_selinux_apply(const char *path
, const char *label
) {
235 if (!mac_selinux_use())
241 if (setfilecon(path
, label
) < 0) {
242 log_enforcing_errno(errno
, "Failed to set SELinux security context %s on path %s: %m", label
, path
);
243 if (mac_selinux_enforcing())
250 int mac_selinux_get_create_label_from_exe(const char *exe
, char **label
) {
254 _cleanup_freecon_
char *mycon
= NULL
, *fcon
= NULL
;
255 security_class_t sclass
;
260 if (!mac_selinux_use())
263 r
= getcon_raw(&mycon
);
267 r
= getfilecon_raw(exe
, &fcon
);
271 sclass
= string_to_security_class("process");
275 r
= security_compute_create_raw(mycon
, fcon
, sclass
, label
);
283 int mac_selinux_get_our_label(char **label
) {
289 if (!mac_selinux_use())
292 r
= getcon_raw(label
);
300 int mac_selinux_get_child_mls_label(int socket_fd
, const char *exe
, const char *exec_label
, char **label
) {
304 _cleanup_freecon_
char *mycon
= NULL
, *peercon
= NULL
, *fcon
= NULL
;
305 _cleanup_context_free_ context_t pcon
= NULL
, bcon
= NULL
;
306 security_class_t sclass
;
307 const char *range
= NULL
;
309 assert(socket_fd
>= 0);
313 if (!mac_selinux_use())
316 r
= getcon_raw(&mycon
);
320 r
= getpeercon_raw(socket_fd
, &peercon
);
325 /* If there is no context set for next exec let's use context
326 of target executable */
327 r
= getfilecon_raw(exe
, &fcon
);
332 bcon
= context_new(mycon
);
336 pcon
= context_new(peercon
);
340 range
= context_range_get(pcon
);
344 r
= context_range_set(bcon
, range
);
349 mycon
= strdup(context_str(bcon
));
353 sclass
= string_to_security_class("process");
357 r
= security_compute_create_raw(mycon
, fcon
, sclass
, label
);
365 char* mac_selinux_free(char *label
) {
371 if (!mac_selinux_use())
381 static int selinux_create_file_prepare_abspath(const char *abspath
, mode_t mode
) {
382 _cleanup_freecon_
char *filecon
= NULL
;
386 assert(path_is_absolute(abspath
));
388 /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
389 (void) avc_netlink_check_nb();
391 r
= selabel_lookup_raw(label_hnd
, &filecon
, abspath
, mode
);
393 /* No context specified by the policy? Proceed without setting it. */
397 log_enforcing_errno(errno
, "Failed to determine SELinux security context for %s: %m", abspath
);
399 if (setfscreatecon_raw(filecon
) >= 0)
400 return 0; /* Success! */
402 log_enforcing_errno(errno
, "Failed to set SELinux security context %s for %s: %m", filecon
, abspath
);
405 if (mac_selinux_enforcing())
412 int mac_selinux_create_file_prepare_at(int dirfd
, const char *path
, mode_t mode
) {
416 _cleanup_free_
char *abspath
= NULL
;
423 if (!path_is_absolute(path
)) {
424 _cleanup_free_
char *p
= NULL
;
426 if (dirfd
== AT_FDCWD
)
429 r
= fd_get_path(dirfd
, &p
);
433 path
= abspath
= path_join(p
, path
);
438 r
= selinux_create_file_prepare_abspath(path
, mode
);
443 int mac_selinux_create_file_prepare(const char *path
, mode_t mode
) {
447 _cleanup_free_
char *abspath
= NULL
;
454 r
= path_make_absolute_cwd(path
, &abspath
);
458 r
= selinux_create_file_prepare_abspath(abspath
, mode
);
463 void mac_selinux_create_file_clear(void) {
468 if (!mac_selinux_use())
471 setfscreatecon_raw(NULL
);
475 int mac_selinux_create_socket_prepare(const char *label
) {
478 if (!mac_selinux_use())
483 if (setsockcreatecon(label
) < 0) {
484 log_enforcing_errno(errno
, "Failed to set SELinux security context %s for sockets: %m", label
);
486 if (mac_selinux_enforcing())
494 void mac_selinux_create_socket_clear(void) {
499 if (!mac_selinux_use())
502 setsockcreatecon_raw(NULL
);
506 int mac_selinux_bind(int fd
, const struct sockaddr
*addr
, socklen_t addrlen
) {
508 /* Binds a socket and label its file system object according to the SELinux policy */
511 _cleanup_freecon_
char *fcon
= NULL
;
512 const struct sockaddr_un
*un
;
513 bool context_changed
= false;
519 assert(addrlen
>= sizeof(sa_family_t
));
524 /* Filter out non-local sockets */
525 if (addr
->sa_family
!= AF_UNIX
)
528 /* Filter out anonymous sockets */
529 if (addrlen
< offsetof(struct sockaddr_un
, sun_path
) + 1)
532 /* Filter out abstract namespace sockets */
533 un
= (const struct sockaddr_un
*) addr
;
534 if (un
->sun_path
[0] == 0)
537 path
= strndupa(un
->sun_path
, addrlen
- offsetof(struct sockaddr_un
, sun_path
));
539 /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
540 (void) avc_netlink_check_nb();
542 if (path_is_absolute(path
))
543 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, S_IFSOCK
);
545 _cleanup_free_
char *newpath
= NULL
;
547 r
= path_make_absolute_cwd(path
, &newpath
);
551 r
= selabel_lookup_raw(label_hnd
, &fcon
, newpath
, S_IFSOCK
);
555 /* No context specified by the policy? Proceed without setting it */
559 log_enforcing_errno(errno
, "Failed to determine SELinux security context for %s: %m", path
);
560 if (mac_selinux_enforcing())
564 if (setfscreatecon_raw(fcon
) < 0) {
565 log_enforcing_errno(errno
, "Failed to set SELinux security context %s for %s: %m", fcon
, path
);
566 if (mac_selinux_enforcing())
569 context_changed
= true;
572 r
= bind(fd
, addr
, addrlen
) < 0 ? -errno
: 0;
575 setfscreatecon_raw(NULL
);
581 if (bind(fd
, addr
, addrlen
) < 0)