src/basic/selinux-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <errno.h>
   4 #include <fcntl.h>
   5 #include <malloc.h>
   6 #include <stddef.h>
   7 #include <string.h>
   8 #include <sys/stat.h>
   9 #include <sys/time.h>
  10 #include <sys/types.h>
  11 #include <sys/un.h>
  12 #include <syslog.h>
  13
  14 #if HAVE_SELINUX
  15 #include <selinux/context.h>
  16 #include <selinux/label.h>
  17 #include <selinux/selinux.h>
  18 #endif
  19
  20 #include "alloc-util.h"
  21 #include "errno-util.h"
  22 #include "fd-util.h"
  23 #include "log.h"
  24 #include "macro.h"
  25 #include "path-util.h"
  26 #include "selinux-util.h"
  27 #include "stdio-util.h"
  28 #include "time-util.h"
  29
  30 #if HAVE_SELINUX
  31 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
  32 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
  33
  34 #define _cleanup_freecon_ _cleanup_(freeconp)
  35 #define _cleanup_context_free_ _cleanup_(context_freep)
  36
  37 static int cached_use = -1;
  38 static struct selabel_handle *label_hnd = NULL;
  39
  40 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
  41 #define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
  42 #endif
  43
  44 bool mac_selinux_use(void) {
  45 #if HAVE_SELINUX
  46         if (cached_use < 0)
  47                 cached_use = is_selinux_enabled() > 0;
  48
  49         return cached_use;
  50 #else
  51         return false;
  52 #endif
  53 }
  54
  55 void mac_selinux_retest(void) {
  56 #if HAVE_SELINUX
  57         cached_use = -1;
  58 #endif
  59 }
  60
  61 int mac_selinux_init(void) {
  62         int r = 0;
  63
  64 #if HAVE_SELINUX
  65         usec_t before_timestamp, after_timestamp;
  66         struct mallinfo before_mallinfo, after_mallinfo;
  67
  68         if (label_hnd)
  69                 return 0;
  70
  71         if (!mac_selinux_use())
  72                 return 0;
  73
  74         before_mallinfo = mallinfo();
  75         before_timestamp = now(CLOCK_MONOTONIC);
  76
  77         label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
  78         if (!label_hnd) {
  79                 log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
  80                 r = security_getenforce() == 1 ? -errno : 0;
  81         } else  {
  82                 char timespan[FORMAT_TIMESPAN_MAX];
  83                 int l;
  84
  85                 after_timestamp = now(CLOCK_MONOTONIC);
  86                 after_mallinfo = mallinfo();
  87
  88                 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
  89
  90                 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
  91                           format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
  92                           (l+1023)/1024);
  93         }
  94 #endif
  95
  96         return r;
  97 }
  98
  99 void mac_selinux_finish(void) {
 100
 101 #if HAVE_SELINUX
 102         if (!label_hnd)
 103                 return;
 104
 105         selabel_close(label_hnd);
 106         label_hnd = NULL;
 107 #endif
 108 }
 109
 110 int mac_selinux_fix(const char *path, LabelFixFlags flags) {
 111
 112 #if HAVE_SELINUX
 113         char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
 114         _cleanup_freecon_ char* fcon = NULL;
 115         _cleanup_close_ int fd = -1;
 116         struct stat st;
 117         int r;
 118
 119         assert(path);
 120
 121         /* if mac_selinux_init() wasn't called before we are a NOOP */
 122         if (!label_hnd)
 123                 return 0;
 124
 125         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
 126         fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
 127         if (fd < 0) {
 128                 if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
 129                         return 0;
 130
 131                 return -errno;
 132         }
 133
 134         if (fstat(fd, &st) < 0)
 135                 return -errno;
 136
 137         if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
 138                 r = -errno;
 139
 140                 /* If there's no label to set, then exit without warning */
 141                 if (r == -ENOENT)
 142                         return 0;
 143
 144                 goto fail;
 145         }
 146
 147         xsprintf(procfs_path, "/proc/self/fd/%i", fd);
 148         if (setfilecon_raw(procfs_path, fcon) < 0) {
 149                 _cleanup_freecon_ char *oldcon = NULL;
 150
 151                 r = -errno;
 152
 153                 /* If the FS doesn't support labels, then exit without warning */
 154                 if (r == -EOPNOTSUPP)
 155                         return 0;
 156
 157                 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
 158                 if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
 159                         return 0;
 160
 161                 /* If the old label is identical to the new one, suppress any kind of error */
 162                 if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
 163                         return 0;
 164
 165                 goto fail;
 166         }
 167
 168         return 0;
 169
 170 fail:
 171         log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
 172         if (security_getenforce() == 1)
 173                 return r;
 174 #endif
 175
 176         return 0;
 177 }
 178
 179 int mac_selinux_apply(const char *path, const char *label) {
 180
 181 #if HAVE_SELINUX
 182         if (!mac_selinux_use())
 183                 return 0;
 184
 185         assert(path);
 186         assert(label);
 187
 188         if (setfilecon(path, label) < 0) {
 189                 log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
 190                 if (security_getenforce() > 0)
 191                         return -errno;
 192         }
 193 #endif
 194         return 0;
 195 }
 196
 197 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
 198         int r = -EOPNOTSUPP;
 199
 200 #if HAVE_SELINUX
 201         _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
 202         security_class_t sclass;
 203
 204         assert(exe);
 205         assert(label);
 206
 207         if (!mac_selinux_use())
 208                 return -EOPNOTSUPP;
 209
 210         r = getcon_raw(&mycon);
 211         if (r < 0)
 212                 return -errno;
 213
 214         r = getfilecon_raw(exe, &fcon);
 215         if (r < 0)
 216                 return -errno;
 217
 218         sclass = string_to_security_class("process");
 219         r = security_compute_create_raw(mycon, fcon, sclass, label);
 220         if (r < 0)
 221                 return -errno;
 222 #endif
 223
 224         return r;
 225 }
 226
 227 int mac_selinux_get_our_label(char **label) {
 228         int r = -EOPNOTSUPP;
 229
 230         assert(label);
 231
 232 #if HAVE_SELINUX
 233         if (!mac_selinux_use())
 234                 return -EOPNOTSUPP;
 235
 236         r = getcon_raw(label);
 237         if (r < 0)
 238                 return -errno;
 239 #endif
 240
 241         return r;
 242 }
 243
 244 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
 245         int r = -EOPNOTSUPP;
 246
 247 #if HAVE_SELINUX
 248         _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
 249         _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
 250         security_class_t sclass;
 251         const char *range = NULL;
 252
 253         assert(socket_fd >= 0);
 254         assert(exe);
 255         assert(label);
 256
 257         if (!mac_selinux_use())
 258                 return -EOPNOTSUPP;
 259
 260         r = getcon_raw(&mycon);
 261         if (r < 0)
 262                 return -errno;
 263
 264         r = getpeercon_raw(socket_fd, &peercon);
 265         if (r < 0)
 266                 return -errno;
 267
 268         if (!exec_label) {
 269                 /* If there is no context set for next exec let's use context
 270                    of target executable */
 271                 r = getfilecon_raw(exe, &fcon);
 272                 if (r < 0)
 273                         return -errno;
 274         }
 275
 276         bcon = context_new(mycon);
 277         if (!bcon)
 278                 return -ENOMEM;
 279
 280         pcon = context_new(peercon);
 281         if (!pcon)
 282                 return -ENOMEM;
 283
 284         range = context_range_get(pcon);
 285         if (!range)
 286                 return -errno;
 287
 288         r = context_range_set(bcon, range);
 289         if (r)
 290                 return -errno;
 291
 292         freecon(mycon);
 293         mycon = strdup(context_str(bcon));
 294         if (!mycon)
 295                 return -ENOMEM;
 296
 297         sclass = string_to_security_class("process");
 298         r = security_compute_create_raw(mycon, fcon, sclass, label);
 299         if (r < 0)
 300                 return -errno;
 301 #endif
 302
 303         return r;
 304 }
 305
 306 char* mac_selinux_free(char *label) {
 307
 308 #if HAVE_SELINUX
 309         if (!label)
 310                 return NULL;
 311
 312         if (!mac_selinux_use())
 313                 return NULL;
 314
 315         freecon(label);
 316 #endif
 317
 318         return NULL;
 319 }
 320
 321 #if HAVE_SELINUX
 322 static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
 323         _cleanup_freecon_ char *filecon = NULL;
 324         int r;
 325
 326         assert(abspath);
 327         assert(path_is_absolute(abspath));
 328
 329         r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
 330         if (r < 0) {
 331                 /* No context specified by the policy? Proceed without setting it. */
 332                 if (errno == ENOENT)
 333                         return 0;
 334
 335                 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
 336         } else {
 337                 if (setfscreatecon_raw(filecon) >= 0)
 338                         return 0; /* Success! */
 339
 340                 log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
 341         }
 342
 343         if (security_getenforce() > 0)
 344                 return -errno;
 345
 346         return 0;
 347 }
 348 #endif
 349
 350 int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
 351         int r = 0;
 352
 353 #if HAVE_SELINUX
 354         _cleanup_free_ char *abspath = NULL;
 355
 356         assert(path);
 357
 358         if (!label_hnd)
 359                 return 0;
 360
 361         if (!path_is_absolute(path)) {
 362                 _cleanup_free_ char *p = NULL;
 363
 364                 if (dirfd == AT_FDCWD)
 365                         r = safe_getcwd(&p);
 366                 else
 367                         r = fd_get_path(dirfd, &p);
 368                 if (r < 0)
 369                         return r;
 370
 371                 path = abspath = path_join(p, path);
 372                 if (!path)
 373                         return -ENOMEM;
 374         }
 375
 376         r = selinux_create_file_prepare_abspath(path, mode);
 377 #endif
 378         return r;
 379 }
 380
 381 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 382         int r = 0;
 383
 384 #if HAVE_SELINUX
 385         _cleanup_free_ char *abspath = NULL;
 386
 387         assert(path);
 388
 389         if (!label_hnd)
 390                 return 0;
 391
 392         r = path_make_absolute_cwd(path, &abspath);
 393         if (r < 0)
 394                 return r;
 395
 396         r = selinux_create_file_prepare_abspath(abspath, mode);
 397 #endif
 398         return r;
 399 }
 400
 401 void mac_selinux_create_file_clear(void) {
 402
 403 #if HAVE_SELINUX
 404         PROTECT_ERRNO;
 405
 406         if (!mac_selinux_use())
 407                 return;
 408
 409         setfscreatecon_raw(NULL);
 410 #endif
 411 }
 412
 413 int mac_selinux_create_socket_prepare(const char *label) {
 414
 415 #if HAVE_SELINUX
 416         if (!mac_selinux_use())
 417                 return 0;
 418
 419         assert(label);
 420
 421         if (setsockcreatecon(label) < 0) {
 422                 log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
 423
 424                 if (security_getenforce() == 1)
 425                         return -errno;
 426         }
 427 #endif
 428
 429         return 0;
 430 }
 431
 432 void mac_selinux_create_socket_clear(void) {
 433
 434 #if HAVE_SELINUX
 435         PROTECT_ERRNO;
 436
 437         if (!mac_selinux_use())
 438                 return;
 439
 440         setsockcreatecon_raw(NULL);
 441 #endif
 442 }
 443
 444 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
 445
 446         /* Binds a socket and label its file system object according to the SELinux policy */
 447
 448 #if HAVE_SELINUX
 449         _cleanup_freecon_ char *fcon = NULL;
 450         const struct sockaddr_un *un;
 451         bool context_changed = false;
 452         char *path;
 453         int r;
 454
 455         assert(fd >= 0);
 456         assert(addr);
 457         assert(addrlen >= sizeof(sa_family_t));
 458
 459         if (!label_hnd)
 460                 goto skipped;
 461
 462         /* Filter out non-local sockets */
 463         if (addr->sa_family != AF_UNIX)
 464                 goto skipped;
 465
 466         /* Filter out anonymous sockets */
 467         if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
 468                 goto skipped;
 469
 470         /* Filter out abstract namespace sockets */
 471         un = (const struct sockaddr_un*) addr;
 472         if (un->sun_path[0] == 0)
 473                 goto skipped;
 474
 475         path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
 476
 477         if (path_is_absolute(path))
 478                 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
 479         else {
 480                 _cleanup_free_ char *newpath = NULL;
 481
 482                 r = path_make_absolute_cwd(path, &newpath);
 483                 if (r < 0)
 484                         return r;
 485
 486                 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
 487         }
 488
 489         if (r < 0) {
 490                 /* No context specified by the policy? Proceed without setting it */
 491                 if (errno == ENOENT)
 492                         goto skipped;
 493
 494                 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
 495                 if (security_getenforce() > 0)
 496                         return -errno;
 497
 498         } else {
 499                 if (setfscreatecon_raw(fcon) < 0) {
 500                         log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
 501                         if (security_getenforce() > 0)
 502                                 return -errno;
 503                 } else
 504                         context_changed = true;
 505         }
 506
 507         r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
 508
 509         if (context_changed)
 510                 setfscreatecon_raw(NULL);
 511
 512         return r;
 513
 514 skipped:
 515 #endif
 516         if (bind(fd, addr, addrlen) < 0)
 517                 return -errno;
 518
 519         return 0;
 520 }