1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
26 #include <sys/socket.h>
33 #include <selinux/selinux.h>
34 #include <selinux/label.h>
36 static struct selabel_handle
*label_hnd
= NULL
;
38 static int use_selinux_cached
= -1;
40 static inline bool use_selinux(void) {
42 if (use_selinux_cached
< 0)
43 use_selinux_cached
= is_selinux_enabled() > 0;
45 return use_selinux_cached
;
48 void label_retest_selinux(void) {
49 use_selinux_cached
= -1;
54 int label_init(void) {
58 usec_t before_timestamp
, after_timestamp
;
59 struct mallinfo before_mallinfo
, after_mallinfo
;
67 before_mallinfo
= mallinfo();
68 before_timestamp
= now(CLOCK_MONOTONIC
);
70 label_hnd
= selabel_open(SELABEL_CTX_FILE
, NULL
, 0);
72 log_full(security_getenforce() == 1 ? LOG_ERR
: LOG_DEBUG
,
73 "Failed to initialize SELinux context: %m");
74 r
= security_getenforce() == 1 ? -errno
: 0;
76 char timespan
[FORMAT_TIMESPAN_MAX
];
79 after_timestamp
= now(CLOCK_MONOTONIC
);
80 after_mallinfo
= mallinfo();
82 l
= after_mallinfo
.uordblks
> before_mallinfo
.uordblks
? after_mallinfo
.uordblks
- before_mallinfo
.uordblks
: 0;
84 log_info("Successfully loaded SELinux database in %s, size on heap is %iK.",
85 format_timespan(timespan
, sizeof(timespan
), after_timestamp
- before_timestamp
),
93 int label_fix(const char *path
, bool ignore_enoent
) {
98 security_context_t fcon
;
100 if (!use_selinux() || !label_hnd
)
103 r
= lstat(path
, &st
);
105 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, st
.st_mode
);
107 /* If there's no label to set, then exit without warning */
108 if (r
< 0 && errno
== ENOENT
)
112 r
= lsetfilecon(path
, fcon
);
115 /* If the FS doesn't support labels, then exit without warning */
116 if (r
< 0 && errno
== ENOTSUP
)
122 /* Ignore ENOENT in some cases */
123 if (ignore_enoent
&& errno
== ENOENT
)
126 log_full(security_getenforce() == 1 ? LOG_ERR
: LOG_DEBUG
,
127 "Unable to fix label of %s: %m", path
);
128 r
= security_getenforce() == 1 ? -errno
: 0;
135 void label_finish(void) {
138 if (use_selinux() && label_hnd
)
139 selabel_close(label_hnd
);
143 int label_get_create_label_from_exe(const char *exe
, char **label
) {
148 security_context_t mycon
= NULL
, fcon
= NULL
;
149 security_class_t sclass
;
151 if (!use_selinux()) {
160 r
= getfilecon(exe
, &fcon
);
164 sclass
= string_to_security_class("process");
165 r
= security_compute_create(mycon
, fcon
, sclass
, (security_context_t
*) label
);
167 log_debug("SELinux Socket context for %s will be set to %s", exe
, *label
);
170 if (r
< 0 && security_getenforce() == 1)
180 int label_fifofile_set(const char *path
) {
184 security_context_t filecon
= NULL
;
186 if (!use_selinux() || !label_hnd
)
189 r
= selabel_lookup_raw(label_hnd
, &filecon
, path
, S_IFIFO
);
193 r
= setfscreatecon(filecon
);
195 log_error("Failed to set SELinux file context on %s: %m", path
);
202 if (r
< 0 && security_getenforce() == 0)
209 int label_symlinkfile_set(const char *path
) {
213 security_context_t filecon
= NULL
;
215 if (!use_selinux() || !label_hnd
)
218 r
= selabel_lookup_raw(label_hnd
, &filecon
, path
, S_IFLNK
);
222 r
= setfscreatecon(filecon
);
224 log_error("Failed to set SELinux file context on %s: %m", path
);
231 if (r
< 0 && security_getenforce() == 0)
238 int label_socket_set(const char *label
) {
244 if (setsockcreatecon((security_context_t
) label
) < 0) {
245 log_full(security_getenforce() == 1 ? LOG_ERR
: LOG_DEBUG
,
246 "Failed to set SELinux context (%s) on socket: %m", label
);
248 if (security_getenforce() == 1)
256 void label_file_clear(void) {
262 setfscreatecon(NULL
);
266 void label_socket_clear(void) {
272 setsockcreatecon(NULL
);
276 void label_free(const char *label
) {
282 freecon((security_context_t
) label
);
286 int label_mkdir(const char *path
, mode_t mode
) {
288 /* Creates a directory and labels it according to the SELinux policy */
292 security_context_t fcon
= NULL
;
294 if (!use_selinux() || !label_hnd
)
297 if (path_is_absolute(path
))
298 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, S_IFDIR
);
302 newpath
= path_make_absolute_cwd(path
);
306 r
= selabel_lookup_raw(label_hnd
, &fcon
, newpath
, S_IFDIR
);
311 r
= setfscreatecon(fcon
);
313 if (r
< 0 && errno
!= ENOENT
) {
314 log_error("Failed to set security context %s for %s: %m", fcon
, path
);
316 if (security_getenforce() == 1) {
322 r
= mkdir(path
, mode
);
327 setfscreatecon(NULL
);
334 return mkdir(path
, mode
) < 0 ? -errno
: 0;
337 int label_bind(int fd
, const struct sockaddr
*addr
, socklen_t addrlen
) {
339 /* Binds a socket and label its file system object according to the SELinux policy */
343 security_context_t fcon
= NULL
;
344 const struct sockaddr_un
*un
;
349 assert(addrlen
>= sizeof(sa_family_t
));
351 if (!use_selinux() || !label_hnd
)
354 /* Filter out non-local sockets */
355 if (addr
->sa_family
!= AF_UNIX
)
358 /* Filter out anonymous sockets */
359 if (addrlen
< sizeof(sa_family_t
) + 1)
362 /* Filter out abstract namespace sockets */
363 un
= (const struct sockaddr_un
*) addr
;
364 if (un
->sun_path
[0] == 0)
367 path
= strndup(un
->sun_path
, addrlen
- offsetof(struct sockaddr_un
, sun_path
));
371 if (path_is_absolute(path
))
372 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, S_IFSOCK
);
376 newpath
= path_make_absolute_cwd(path
);
383 r
= selabel_lookup_raw(label_hnd
, &fcon
, newpath
, S_IFSOCK
);
388 r
= setfscreatecon(fcon
);
390 if (r
< 0 && errno
!= ENOENT
) {
391 log_error("Failed to set security context %s for %s: %m", fcon
, path
);
393 if (security_getenforce() == 1) {
399 r
= bind(fd
, addr
, addrlen
);
404 setfscreatecon(NULL
);
412 return bind(fd
, addr
, addrlen
) < 0 ? -errno
: 0;