src/core/selinux-access.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2012 Dan Walsh
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU Lesser General Public License as published by
  10   the Free Software Foundation; either version 2.1 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   Lesser General Public License for more details.
  17
  18   You should have received a copy of the GNU Lesser General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include "selinux-access.h"
  23
  24 #ifdef HAVE_SELINUX
  25
  26 #include <stdio.h>
  27 #include <errno.h>
  28 #include <selinux/selinux.h>
  29 #include <selinux/avc.h>
  30 #ifdef HAVE_AUDIT
  31 #include <libaudit.h>
  32 #endif
  33
  34 #include "sd-bus.h"
  35 #include "bus-util.h"
  36 #include "util.h"
  37 #include "log.h"
  38 #include "selinux-util.h"
  39 #include "audit-fd.h"
  40 #include "strv.h"
  41 #include "path-util.h"
  42
  43 static bool initialized = false;
  44
  45 struct audit_info {
  46         sd_bus_creds *creds;
  47         const char *path;
  48         const char *cmdline;
  49 };
  50
  51 /*
  52    Any time an access gets denied this callback will be called
  53    with the audit data.  We then need to just copy the audit data into the msgbuf.
  54 */
  55 static int audit_callback(
  56                 void *auditdata,
  57                 security_class_t cls,
  58                 char *msgbuf,
  59                 size_t msgbufsize) {
  60
  61         const struct audit_info *audit = auditdata;
  62         uid_t uid = 0, login_uid = 0;
  63         gid_t gid = 0;
  64         char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
  65         char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
  66         char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";
  67
  68         if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
  69                 xsprintf(login_uid_buf, UID_FMT, login_uid);
  70         if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
  71                 xsprintf(uid_buf, UID_FMT, uid);
  72         if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
  73                 xsprintf(gid_buf, GID_FMT, gid);
  74
  75         snprintf(msgbuf, msgbufsize,
  76                  "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
  77                  login_uid_buf, uid_buf, gid_buf,
  78                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
  79                  audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
  80
  81         return 0;
  82 }
  83
  84 static int callback_type_to_priority(int type) {
  85         switch(type) {
  86
  87         case SELINUX_ERROR:
  88                 return LOG_ERR;
  89
  90         case SELINUX_WARNING:
  91                 return LOG_WARNING;
  92
  93         case SELINUX_INFO:
  94                 return LOG_INFO;
  95
  96         case SELINUX_AVC:
  97         default:
  98                 return LOG_NOTICE;
  99         }
 100 }
 101
 102 /*
 103    libselinux uses this callback when access gets denied or other
 104    events happen. If audit is turned on, messages will be reported
 105    using audit netlink, otherwise they will be logged using the usual
 106    channels.
 107
 108    Code copied from dbus and modified.
 109 */
 110 _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 111         va_list ap;
 112
 113 #ifdef HAVE_AUDIT
 114         int fd;
 115
 116         fd = get_audit_fd();
 117
 118         if (fd >= 0) {
 119                 _cleanup_free_ char *buf = NULL;
 120                 int r;
 121
 122                 va_start(ap, fmt);
 123                 r = vasprintf(&buf, fmt, ap);
 124                 va_end(ap);
 125
 126                 if (r >= 0) {
 127                         audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
 128                         return 0;
 129                 }
 130         }
 131 #endif
 132
 133         va_start(ap, fmt);
 134         log_internalv(LOG_AUTH | callback_type_to_priority(type),
 135                       0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
 136         va_end(ap);
 137
 138         return 0;
 139 }
 140
 141 /*
 142    Function must be called once to initialize the SELinux AVC environment.
 143    Sets up callbacks.
 144    If you want to cleanup memory you should need to call selinux_access_finish.
 145 */
 146 static int access_init(void) {
 147         int r = 0;
 148
 149         if (avc_open(NULL, 0))
 150                 return log_error_errno(errno, "avc_open() failed: %m");
 151
 152         selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
 153         selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
 154
 155         if (security_getenforce() < 0){
 156                 r = -errno;
 157                 avc_destroy();
 158         }
 159
 160         return r;
 161 }
 162
 163 static int mac_selinux_access_init(sd_bus_error *error) {
 164         int r;
 165
 166         if (initialized)
 167                 return 0;
 168
 169         if (!mac_selinux_use())
 170                 return 0;
 171
 172         r = access_init();
 173         if (r < 0)
 174                 return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
 175
 176         initialized = true;
 177         return 0;
 178 }
 179 #endif
 180
 181 void mac_selinux_access_free(void) {
 182
 183 #ifdef HAVE_SELINUX
 184         if (!initialized)
 185                 return;
 186
 187         avc_destroy();
 188         initialized = false;
 189 #endif
 190 }
 191
 192 /*
 193    This function communicates with the kernel to check whether or not it should
 194    allow the access.
 195    If the machine is in permissive mode it will return ok.  Audit messages will
 196    still be generated if the access would be denied in enforcing mode.
 197 */
 198 int mac_selinux_generic_access_check(
 199                 sd_bus_message *message,
 200                 const char *path,
 201                 const char *permission,
 202                 sd_bus_error *error) {
 203
 204 #ifdef HAVE_SELINUX
 205         _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
 206         const char *tclass = NULL, *scon = NULL;
 207         struct audit_info audit_info = {};
 208         _cleanup_free_ char *cl = NULL;
 209         security_context_t fcon = NULL;
 210         char **cmdline = NULL;
 211         int r = 0;
 212
 213         assert(message);
 214         assert(permission);
 215         assert(error);
 216
 217         if (!mac_selinux_use())
 218                 return 0;
 219
 220         r = mac_selinux_access_init(error);
 221         if (r < 0)
 222                 return r;
 223
 224         r = sd_bus_query_sender_creds(
 225                         message,
 226                         SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
 227                         SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
 228                         SD_BUS_CREDS_SELINUX_CONTEXT|
 229                         SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
 230                         &creds);
 231         if (r < 0)
 232                 goto finish;
 233
 234         /* The SELinux context is something we really should have
 235          * gotten directly from the message or sender, and not be an
 236          * augmented field. If it was augmented we cannot use it for
 237          * authorization, since this is racy and vulnerable. Let's add
 238          * an extra check, just in case, even though this really
 239          * shouldn't be possible. */
 240         assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
 241
 242         r = sd_bus_creds_get_selinux_context(creds, &scon);
 243         if (r < 0)
 244                 goto finish;
 245
 246         if (path) {
 247                 /* Get the file context of the unit file */
 248
 249                 r = getfilecon_raw(path, &fcon);
 250                 if (r < 0) {
 251                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
 252                         goto finish;
 253                 }
 254
 255                 tclass = "service";
 256         } else {
 257                 r = getcon_raw(&fcon);
 258                 if (r < 0) {
 259                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
 260                         goto finish;
 261                 }
 262
 263                 tclass = "system";
 264         }
 265
 266         sd_bus_creds_get_cmdline(creds, &cmdline);
 267         cl = strv_join(cmdline, " ");
 268
 269         audit_info.creds = creds;
 270         audit_info.path = path;
 271         audit_info.cmdline = cl;
 272
 273         r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
 274         if (r < 0)
 275                 r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
 276
 277         log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
 278
 279 finish:
 280         freecon(fcon);
 281
 282         if (r < 0 && security_getenforce() != 1) {
 283                 sd_bus_error_free(error);
 284                 r = 0;
 285         }
 286
 287         return r;
 288 #else
 289         return 0;
 290 #endif
 291 }