1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include <sys/types.h>
15 #include <selinux/avc.h>
16 #include <selinux/context.h>
17 #include <selinux/label.h>
18 #include <selinux/selinux.h>
21 #include "alloc-util.h"
22 #include "errno-util.h"
26 #include "path-util.h"
27 #include "selinux-util.h"
28 #include "stdio-util.h"
29 #include "time-util.h"
32 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t
, context_free
);
33 #define _cleanup_context_free_ _cleanup_(context_freep)
35 static int mac_selinux_reload(int seqno
);
37 static int cached_use
= -1;
38 static struct selabel_handle
*label_hnd
= NULL
;
40 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
41 #define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_WARNING, r, __VA_ARGS__)
44 bool mac_selinux_use(void) {
47 cached_use
= is_selinux_enabled() > 0;
55 void mac_selinux_retest(void) {
61 int mac_selinux_init(void) {
65 usec_t before_timestamp
, after_timestamp
;
66 struct mallinfo before_mallinfo
, after_mallinfo
;
68 selinux_set_callback(SELINUX_CB_POLICYLOAD
, (union selinux_callback
) mac_selinux_reload
);
73 if (!mac_selinux_use())
76 before_mallinfo
= mallinfo();
77 before_timestamp
= now(CLOCK_MONOTONIC
);
79 label_hnd
= selabel_open(SELABEL_CTX_FILE
, NULL
, 0);
81 log_enforcing_errno(errno
, "Failed to initialize SELinux context: %m");
82 r
= security_getenforce() == 1 ? -errno
: 0;
84 char timespan
[FORMAT_TIMESPAN_MAX
];
87 after_timestamp
= now(CLOCK_MONOTONIC
);
88 after_mallinfo
= mallinfo();
90 l
= after_mallinfo
.uordblks
> before_mallinfo
.uordblks
? after_mallinfo
.uordblks
- before_mallinfo
.uordblks
: 0;
92 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
93 format_timespan(timespan
, sizeof(timespan
), after_timestamp
- before_timestamp
, 0),
101 void mac_selinux_finish(void) {
107 selabel_close(label_hnd
);
113 static int mac_selinux_reload(int seqno
) {
114 struct selabel_handle
*backup_label_hnd
;
119 backup_label_hnd
= TAKE_PTR(label_hnd
);
121 /* try to initialize new handle
122 * on success close backup
123 * on failure restore backup */
124 if (mac_selinux_init() == 0)
125 selabel_close(backup_label_hnd
);
127 label_hnd
= backup_label_hnd
;
133 int mac_selinux_fix(const char *path
, LabelFixFlags flags
) {
136 char procfs_path
[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
137 _cleanup_freecon_
char* fcon
= NULL
;
138 _cleanup_close_
int fd
= -1;
144 /* if mac_selinux_init() wasn't called before we are a NOOP */
148 /* Open the file as O_PATH, to pin it while we determine and adjust the label */
149 fd
= open(path
, O_NOFOLLOW
|O_CLOEXEC
|O_PATH
);
151 if ((flags
& LABEL_IGNORE_ENOENT
) && errno
== ENOENT
)
157 if (fstat(fd
, &st
) < 0)
160 /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
161 (void) avc_netlink_check_nb();
163 if (selabel_lookup_raw(label_hnd
, &fcon
, path
, st
.st_mode
) < 0) {
166 /* If there's no label to set, then exit without warning */
173 xsprintf(procfs_path
, "/proc/self/fd/%i", fd
);
174 if (setfilecon_raw(procfs_path
, fcon
) < 0) {
175 _cleanup_freecon_
char *oldcon
= NULL
;
179 /* If the FS doesn't support labels, then exit without warning */
180 if (r
== -EOPNOTSUPP
)
183 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
184 if (r
== -EROFS
&& (flags
& LABEL_IGNORE_EROFS
))
187 /* If the old label is identical to the new one, suppress any kind of error */
188 if (getfilecon_raw(procfs_path
, &oldcon
) >= 0 && streq(fcon
, oldcon
))
197 log_enforcing_errno(r
, "Unable to fix SELinux security context of %s: %m", path
);
198 if (security_getenforce() == 1)
205 int mac_selinux_apply(const char *path
, const char *label
) {
208 if (!mac_selinux_use())
214 if (setfilecon(path
, label
) < 0) {
215 log_enforcing_errno(errno
, "Failed to set SELinux security context %s on path %s: %m", label
, path
);
216 if (security_getenforce() > 0)
223 int mac_selinux_get_create_label_from_exe(const char *exe
, char **label
) {
227 _cleanup_freecon_
char *mycon
= NULL
, *fcon
= NULL
;
228 security_class_t sclass
;
233 if (!mac_selinux_use())
236 r
= getcon_raw(&mycon
);
240 r
= getfilecon_raw(exe
, &fcon
);
244 sclass
= string_to_security_class("process");
248 r
= security_compute_create_raw(mycon
, fcon
, sclass
, label
);
256 int mac_selinux_get_our_label(char **label
) {
262 if (!mac_selinux_use())
265 r
= getcon_raw(label
);
273 int mac_selinux_get_child_mls_label(int socket_fd
, const char *exe
, const char *exec_label
, char **label
) {
277 _cleanup_freecon_
char *mycon
= NULL
, *peercon
= NULL
, *fcon
= NULL
;
278 _cleanup_context_free_ context_t pcon
= NULL
, bcon
= NULL
;
279 security_class_t sclass
;
280 const char *range
= NULL
;
282 assert(socket_fd
>= 0);
286 if (!mac_selinux_use())
289 r
= getcon_raw(&mycon
);
293 r
= getpeercon_raw(socket_fd
, &peercon
);
298 /* If there is no context set for next exec let's use context
299 of target executable */
300 r
= getfilecon_raw(exe
, &fcon
);
305 bcon
= context_new(mycon
);
309 pcon
= context_new(peercon
);
313 range
= context_range_get(pcon
);
317 r
= context_range_set(bcon
, range
);
322 mycon
= strdup(context_str(bcon
));
326 sclass
= string_to_security_class("process");
330 r
= security_compute_create_raw(mycon
, fcon
, sclass
, label
);
338 char* mac_selinux_free(char *label
) {
344 if (!mac_selinux_use())
354 static int selinux_create_file_prepare_abspath(const char *abspath
, mode_t mode
) {
355 _cleanup_freecon_
char *filecon
= NULL
;
359 assert(path_is_absolute(abspath
));
361 /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
362 (void) avc_netlink_check_nb();
364 r
= selabel_lookup_raw(label_hnd
, &filecon
, abspath
, mode
);
366 /* No context specified by the policy? Proceed without setting it. */
370 log_enforcing_errno(errno
, "Failed to determine SELinux security context for %s: %m", abspath
);
372 if (setfscreatecon_raw(filecon
) >= 0)
373 return 0; /* Success! */
375 log_enforcing_errno(errno
, "Failed to set SELinux security context %s for %s: %m", filecon
, abspath
);
378 if (security_getenforce() > 0)
385 int mac_selinux_create_file_prepare_at(int dirfd
, const char *path
, mode_t mode
) {
389 _cleanup_free_
char *abspath
= NULL
;
396 if (!path_is_absolute(path
)) {
397 _cleanup_free_
char *p
= NULL
;
399 if (dirfd
== AT_FDCWD
)
402 r
= fd_get_path(dirfd
, &p
);
406 path
= abspath
= path_join(p
, path
);
411 r
= selinux_create_file_prepare_abspath(path
, mode
);
416 int mac_selinux_create_file_prepare(const char *path
, mode_t mode
) {
420 _cleanup_free_
char *abspath
= NULL
;
427 r
= path_make_absolute_cwd(path
, &abspath
);
431 r
= selinux_create_file_prepare_abspath(abspath
, mode
);
436 void mac_selinux_create_file_clear(void) {
441 if (!mac_selinux_use())
444 setfscreatecon_raw(NULL
);
448 int mac_selinux_create_socket_prepare(const char *label
) {
451 if (!mac_selinux_use())
456 if (setsockcreatecon(label
) < 0) {
457 log_enforcing_errno(errno
, "Failed to set SELinux security context %s for sockets: %m", label
);
459 if (security_getenforce() == 1)
467 void mac_selinux_create_socket_clear(void) {
472 if (!mac_selinux_use())
475 setsockcreatecon_raw(NULL
);
479 int mac_selinux_bind(int fd
, const struct sockaddr
*addr
, socklen_t addrlen
) {
481 /* Binds a socket and label its file system object according to the SELinux policy */
484 _cleanup_freecon_
char *fcon
= NULL
;
485 const struct sockaddr_un
*un
;
486 bool context_changed
= false;
492 assert(addrlen
>= sizeof(sa_family_t
));
497 /* Filter out non-local sockets */
498 if (addr
->sa_family
!= AF_UNIX
)
501 /* Filter out anonymous sockets */
502 if (addrlen
< offsetof(struct sockaddr_un
, sun_path
) + 1)
505 /* Filter out abstract namespace sockets */
506 un
= (const struct sockaddr_un
*) addr
;
507 if (un
->sun_path
[0] == 0)
510 path
= strndupa(un
->sun_path
, addrlen
- offsetof(struct sockaddr_un
, sun_path
));
512 /* Check for policy reload so 'label_hnd' is kept up-to-date by callbacks */
513 (void) avc_netlink_check_nb();
515 if (path_is_absolute(path
))
516 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, S_IFSOCK
);
518 _cleanup_free_
char *newpath
= NULL
;
520 r
= path_make_absolute_cwd(path
, &newpath
);
524 r
= selabel_lookup_raw(label_hnd
, &fcon
, newpath
, S_IFSOCK
);
528 /* No context specified by the policy? Proceed without setting it */
532 log_enforcing_errno(errno
, "Failed to determine SELinux security context for %s: %m", path
);
533 if (security_getenforce() > 0)
537 if (setfscreatecon_raw(fcon
) < 0) {
538 log_enforcing_errno(errno
, "Failed to set SELinux security context %s for %s: %m", fcon
, path
);
539 if (security_getenforce() > 0)
542 context_changed
= true;
545 r
= bind(fd
, addr
, addrlen
) < 0 ? -errno
: 0;
548 setfscreatecon_raw(NULL
);
554 if (bind(fd
, addr
, addrlen
) < 0)