[thirdparty/glibc.git] / nscd / selinux.c

/* SELinux access controls for nscd.
   Copyright (C) 2004-2019 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by Matthew Rickard <mjricka@epoch.ncsc.mil>, 2004.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <http://www.gnu.org/licenses/>.  */

#include "config.h"
#include <error.h>
#include <errno.h>
#include <libintl.h>
#include <pthread.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <selinux/avc.h>
#include <selinux/selinux.h>
#ifdef HAVE_LIBAUDIT
# include <libaudit.h>
#endif

#include "dbg_log.h"
#include "selinux.h"


#ifdef HAVE_SELINUX
/* Global variable to tell if the kernel has SELinux support.  */
int selinux_enabled;

/* Define mappings of request type to AVC permission name.  */
static const char *perms[LASTREQ] =
{
  [GETPWBYNAME] = "getpwd",
  [GETPWBYUID] = "getpwd",
  [GETGRBYNAME] = "getgrp",
  [GETGRBYGID] = "getgrp",
  [GETHOSTBYNAME] = "gethost",
  [GETHOSTBYNAMEv6] = "gethost",
  [GETHOSTBYADDR] = "gethost",
  [GETHOSTBYADDRv6] = "gethost",
  [SHUTDOWN] = "admin",
  [GETSTAT] = "getstat",
  [INVALIDATE] = "admin",
  [GETFDPW] = "shmempwd",
  [GETFDGR] = "shmemgrp",
  [GETFDHST] = "shmemhost",
  [GETAI] = "gethost",
  [INITGROUPS] = "getgrp",
  [GETSERVBYNAME] = "getserv",
  [GETSERVBYPORT] = "getserv",
  [GETFDSERV] = "shmemserv",
  [GETNETGRENT] = "getnetgrp",
  [INNETGR] = "getnetgrp",
  [GETFDNETGR] = "shmemnetgrp",
};

/* Store an entry ref to speed AVC decisions.  */
static struct avc_entry_ref aeref;

/* Thread to listen for SELinux status changes via netlink.  */
static pthread_t avc_notify_thread;

#ifdef HAVE_LIBAUDIT
/* Prototype for supporting the audit daemon */
static void log_callback (const char *fmt, ...);
#endif

/* Prototypes for AVC callback functions.  */
static void *avc_create_thread (void (*run) (void));
static void avc_stop_thread (void *thread);
static void *avc_alloc_lock (void);
static void avc_get_lock (void *lock);
static void avc_release_lock (void *lock);
static void avc_free_lock (void *lock);

/* AVC callback structures for use in avc_init.  */
static const struct avc_log_callback log_cb =
{
#ifdef HAVE_LIBAUDIT
  .func_log = log_callback,
#else
  .func_log = dbg_log,
#endif
  .func_audit = NULL
};
static const struct avc_thread_callback thread_cb =
{
  .func_create_thread = avc_create_thread,
  .func_stop_thread = avc_stop_thread
};
static const struct avc_lock_callback lock_cb =
{
  .func_alloc_lock = avc_alloc_lock,
  .func_get_lock = avc_get_lock,
  .func_release_lock = avc_release_lock,
  .func_free_lock = avc_free_lock
};

#ifdef HAVE_LIBAUDIT
/* The audit system's netlink socket descriptor */
static int audit_fd = -1;

/* When an avc denial occurs, log it to audit system */
static void
log_callback (const char *fmt, ...)
{
  if (audit_fd >= 0)
    {
      va_list ap;
      va_start (ap, fmt);

      char *buf;
      int e = vasprintf (&buf, fmt, ap);
      if (e < 0)
	{
	  buf = alloca (BUFSIZ);
	  vsnprintf (buf, BUFSIZ, fmt, ap);
	}

      /* FIXME: need to attribute this to real user, using getuid for now */
      audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
				  NULL, getuid ());

      if (e >= 0)
	free (buf);

      va_end (ap);
    }
}

/* Initialize the connection to the audit system */
static void
audit_init (void)
{
  audit_fd = audit_open ();
  if (audit_fd < 0
      /* If kernel doesn't support audit, bail out */
      && errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
    dbg_log (_("Failed opening connection to the audit subsystem: %m"));
}


# ifdef HAVE_LIBCAP
static const cap_value_t new_cap_list[] =
  { CAP_AUDIT_WRITE };
#  define nnew_cap_list (sizeof (new_cap_list) / sizeof (new_cap_list[0]))
static const cap_value_t tmp_cap_list[] =
  { CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
#  define ntmp_cap_list (sizeof (tmp_cap_list) / sizeof (tmp_cap_list[0]))

cap_t
preserve_capabilities (void)
{
  if (getuid () != 0)
    /* Not root, then we cannot preserve anything.  */
    return NULL;

  if (prctl (PR_SET_KEEPCAPS, 1) == -1)
    {
      dbg_log (_("Failed to set keep-capabilities"));
      do_exit (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
      /* NOTREACHED */
    }

  cap_t tmp_caps = cap_init ();
  cap_t new_caps = NULL;
  if (tmp_caps != NULL)
    new_caps = cap_init ();

  if (tmp_caps == NULL || new_caps == NULL)
    {
      if (tmp_caps != NULL)
	cap_free (tmp_caps);

      dbg_log (_("Failed to initialize drop of capabilities"));
      do_exit (EXIT_FAILURE, 0, _("cap_init failed"));
    }

  /* There is no reason why these should not work.  */
  cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
		(cap_value_t *) new_cap_list, CAP_SET);
  cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
		(cap_value_t *) new_cap_list, CAP_SET);

  cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
		(cap_value_t *) tmp_cap_list, CAP_SET);
  cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
		(cap_value_t *) tmp_cap_list, CAP_SET);

  int res = cap_set_proc (tmp_caps);

  cap_free (tmp_caps);

  if (__glibc_unlikely (res != 0))
    {
      cap_free (new_caps);
      dbg_log (_("Failed to drop capabilities"));
      do_exit (EXIT_FAILURE, 0, _("cap_set_proc failed"));
    }

  return new_caps;
}

void
install_real_capabilities (cap_t new_caps)
{
  /* If we have no capabilities there is nothing to do here.  */
  if (new_caps == NULL)
    return;

  if (cap_set_proc (new_caps))
    {
      cap_free (new_caps);
      dbg_log (_("Failed to drop capabilities"));
      do_exit (EXIT_FAILURE, 0, _("cap_set_proc failed"));
      /* NOTREACHED */
    }

  cap_free (new_caps);

  if (prctl (PR_SET_KEEPCAPS, 0) == -1)
    {
      dbg_log (_("Failed to unset keep-capabilities"));
      do_exit (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
      /* NOTREACHED */
    }
}
# endif /* HAVE_LIBCAP */
#endif /* HAVE_LIBAUDIT */

/* Determine if we are running on an SELinux kernel. Set selinux_enabled
   to the result.  */
void
nscd_selinux_enabled (int *selinux_enabled)
{
  *selinux_enabled = is_selinux_enabled ();
  if (*selinux_enabled < 0)
    {
      dbg_log (_("Failed to determine if kernel supports SELinux"));
      do_exit (EXIT_FAILURE, 0, NULL);
    }
}


/* Create thread for AVC netlink notification.  */
static void *
avc_create_thread (void (*run) (void))
{
  int rc;

  rc =
    pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
  if (rc != 0)
    do_exit (EXIT_FAILURE, rc, _("Failed to start AVC thread"));

  return &avc_notify_thread;
}


/* Stop AVC netlink thread.  */
static void
avc_stop_thread (void *thread)
{
  pthread_cancel (*(pthread_t *) thread);
}


/* Allocate a new AVC lock.  */
static void *
avc_alloc_lock (void)
{
  pthread_mutex_t *avc_mutex;

  avc_mutex = malloc (sizeof (pthread_mutex_t));
  if (avc_mutex == NULL)
    do_exit (EXIT_FAILURE, errno, _("Failed to create AVC lock"));
  pthread_mutex_init (avc_mutex, NULL);

  return avc_mutex;
}


/* Acquire an AVC lock.  */
static void
avc_get_lock (void *lock)
{
  pthread_mutex_lock (lock);
}


/* Release an AVC lock.  */
static void
avc_release_lock (void *lock)
{
  pthread_mutex_unlock (lock);
}


/* Free an AVC lock.  */
static void
avc_free_lock (void *lock)
{
  pthread_mutex_destroy (lock);
  free (lock);
}


/* Initialize the user space access vector cache (AVC) for NSCD along with
   log/thread/lock callbacks.  */
void
nscd_avc_init (void)
{
  avc_entry_ref_init (&aeref);

  if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
    do_exit (EXIT_FAILURE, errno, _("Failed to start AVC"));
  else
    dbg_log (_("Access Vector Cache (AVC) started"));
#ifdef HAVE_LIBAUDIT
  audit_init ();
#endif
}


/* Check the permission from the caller (via getpeercon) to nscd.
   Returns 0 if access is allowed, 1 if denied, and -1 on error.

   The SELinux policy, enablement, and permission bits are all dynamic and the
   caching done by glibc is not entirely correct.  This nscd support should be
   rewritten to use selinux_check_permission.  A rewrite is risky though and
   requires some refactoring.  Currently we use symbolic mappings instead of
   compile time constants (which SELinux upstream says are going away), and we
   use security_deny_unknown to determine what to do if selinux-policy* doesn't
   have a definition for the the permission or object class we are looking
   up.  */
int
nscd_request_avc_has_perm (int fd, request_type req)
{
  /* Initialize to NULL so we know what to free in case of failure.  */
  security_context_t scon = NULL;
  security_context_t tcon = NULL;
  security_id_t ssid = NULL;
  security_id_t tsid = NULL;
  int rc = -1;
  security_class_t sc_nscd;
  access_vector_t perm;
  int avc_deny_unknown;

  /* Check if SELinux denys or allows unknown object classes
     and permissions.  It is 0 if they are allowed, 1 if they
     are not allowed and -1 on error.  */
  if ((avc_deny_unknown = security_deny_unknown ()) == -1)
    dbg_log (_("Error querying policy for undefined object classes "
	       "or permissions."));

  /* Get the security class for nscd.  If this fails we will likely be
     unable to do anything unless avc_deny_unknown is 0.  */
  sc_nscd = string_to_security_class ("nscd");
  if (sc_nscd == 0 && avc_deny_unknown == 1)
    dbg_log (_("Error getting security class for nscd."));

  /* Convert permission to AVC bits.  */
  perm = string_to_av_perm (sc_nscd, perms[req]);
  if (perm == 0 && avc_deny_unknown == 1)
      dbg_log (_("Error translating permission name "
		 "\"%s\" to access vector bit."), perms[req]);

  /* If the nscd security class was not found or perms were not
     found and AVC does not deny unknown values then allow it.  */
  if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0)
    return 0;

  if (getpeercon (fd, &scon) < 0)
    {
      dbg_log (_("Error getting context of socket peer"));
      goto out;
    }
  if (getcon (&tcon) < 0)
    {
      dbg_log (_("Error getting context of nscd"));
      goto out;
    }
  if (avc_context_to_sid (scon, &ssid) < 0
      || avc_context_to_sid (tcon, &tsid) < 0)
    {
      dbg_log (_("Error getting sid from context"));
      goto out;
    }

  /* The SELinux API for avc_has_perm conflates access denied and error into
     the return code -1, while nscd_request_avs_has_perm has distinct error
     (-1) and denied (1) return codes. We map the avc_has_perm access denied or
     error into an access denied at the nscd interface level (we do accurately
     report error for the getpeercon, getcon, and avc_context_to_sid interfaces
     used above).  */
  rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0;

out:
  if (scon)
    freecon (scon);
  if (tcon)
    freecon (tcon);
  if (ssid)
    sidput (ssid);
  if (tsid)
    sidput (tsid);

  return rc;
}


/* Wrapper to get AVC statistics.  */
void
nscd_avc_cache_stats (struct avc_cache_stats *cstats)
{
  avc_cache_stats (cstats);
}


/* Print the AVC statistics to stdout.  */
void
nscd_avc_print_stats (struct avc_cache_stats *cstats)
{
  printf (_("\nSELinux AVC Statistics:\n\n"
	    "%15u  entry lookups\n"
	    "%15u  entry hits\n"
	    "%15u  entry misses\n"
	    "%15u  entry discards\n"
	    "%15u  CAV lookups\n"
	    "%15u  CAV hits\n"
	    "%15u  CAV probes\n"
	    "%15u  CAV misses\n"),
	  cstats->entry_lookups, cstats->entry_hits, cstats->entry_misses,
	  cstats->entry_discards, cstats->cav_lookups, cstats->cav_hits,
	  cstats->cav_probes, cstats->cav_misses);
}

#endif /* HAVE_SELINUX */
Commit	Line	Data
74a30a58	1	/* SELinux access controls for nscd.
04277e02	2	Copyright (C) 2004-2019 Free Software Foundation, Inc.
74a30a58 UD	3	This file is part of the GNU C Library.
	4	Contributed by Matthew Rickard <mjricka@epoch.ncsc.mil>, 2004.
	5
	6	The GNU C Library is free software; you can redistribute it and/or
	7	modify it under the terms of the GNU Lesser General Public
	8	License as published by the Free Software Foundation; either
	9	version 2.1 of the License, or (at your option) any later version.
	10
	11	The GNU C Library is distributed in the hope that it will be useful,
	12	but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public
59ba27a6 PE	17	License along with the GNU C Library; if not, see
59ba27a6 PE	18	<http://www.gnu.org/licenses/>. */
74a30a58	19
ec23b9be	20	#include "config.h"
74a30a58 UD	21	#include <error.h>
	22	#include <errno.h>
	23	#include <libintl.h>
	24	#include <pthread.h>
	25	#include <stdarg.h>
	26	#include <stdio.h>
	27	#include <stdlib.h>
	28	#include <syslog.h>
62a8cefb	29	#include <unistd.h>
1f063dca	30	#include <sys/prctl.h>
74a30a58	31	#include <selinux/avc.h>
74a30a58	32	#include <selinux/selinux.h>
ec23b9be	33	#ifdef HAVE_LIBAUDIT
1f063dca	34	# include <libaudit.h>
ec23b9be	35	#endif
74a30a58 UD	36
	37	#include "dbg_log.h"
	38	#include "selinux.h"
	39
	40
	41	#ifdef HAVE_SELINUX
	42	/* Global variable to tell if the kernel has SELinux support. */
	43	int selinux_enabled;
	44
0699f766 CD	45	/* Define mappings of request type to AVC permission name. */
0699f766 CD	46	static const char *perms[LASTREQ] =
74a30a58	47	{
0699f766 CD	48	[GETPWBYNAME] = "getpwd",
	49	[GETPWBYUID] = "getpwd",
	50	[GETGRBYNAME] = "getgrp",
	51	[GETGRBYGID] = "getgrp",
	52	[GETHOSTBYNAME] = "gethost",
	53	[GETHOSTBYNAMEv6] = "gethost",
	54	[GETHOSTBYADDR] = "gethost",
	55	[GETHOSTBYADDRv6] = "gethost",
	56	[SHUTDOWN] = "admin",
	57	[GETSTAT] = "getstat",
	58	[INVALIDATE] = "admin",
	59	[GETFDPW] = "shmempwd",
	60	[GETFDGR] = "shmemgrp",
	61	[GETFDHST] = "shmemhost",
	62	[GETAI] = "gethost",
	63	[INITGROUPS] = "getgrp",
	64	[GETSERVBYNAME] = "getserv",
	65	[GETSERVBYPORT] = "getserv",
	66	[GETFDSERV] = "shmemserv",
	67	[GETNETGRENT] = "getnetgrp",
	68	[INNETGR] = "getnetgrp",
	69	[GETFDNETGR] = "shmemnetgrp",
74a30a58 UD	70	};
	71
	72	/* Store an entry ref to speed AVC decisions. */
	73	static struct avc_entry_ref aeref;
	74
	75	/* Thread to listen for SELinux status changes via netlink. */
	76	static pthread_t avc_notify_thread;
	77
ec23b9be UD	78	#ifdef HAVE_LIBAUDIT
	79	/* Prototype for supporting the audit daemon */
	80	static void log_callback (const char *fmt, ...);
	81	#endif
	82
74a30a58 UD	83	/* Prototypes for AVC callback functions. */
	84	static void avc_create_thread (void (run) (void));
	85	static void avc_stop_thread (void *thread);
	86	static void *avc_alloc_lock (void);
	87	static void avc_get_lock (void *lock);
	88	static void avc_release_lock (void *lock);
	89	static void avc_free_lock (void *lock);
	90
	91	/* AVC callback structures for use in avc_init. */
	92	static const struct avc_log_callback log_cb =
	93	{
ec23b9be UD	94	#ifdef HAVE_LIBAUDIT
	95	.func_log = log_callback,
	96	#else
74a30a58	97	.func_log = dbg_log,
ec23b9be	98	#endif
74a30a58 UD	99	.func_audit = NULL
	100	};
	101	static const struct avc_thread_callback thread_cb =
	102	{
	103	.func_create_thread = avc_create_thread,
	104	.func_stop_thread = avc_stop_thread
	105	};
	106	static const struct avc_lock_callback lock_cb =
	107	{
	108	.func_alloc_lock = avc_alloc_lock,
	109	.func_get_lock = avc_get_lock,
	110	.func_release_lock = avc_release_lock,
	111	.func_free_lock = avc_free_lock
	112	};
	113
ec23b9be UD	114	#ifdef HAVE_LIBAUDIT
	115	/* The audit system's netlink socket descriptor */
	116	static int audit_fd = -1;
	117
	118	/* When an avc denial occurs, log it to audit system */
64d64de6	119	static void
ec23b9be UD	120	log_callback (const char *fmt, ...)
ec23b9be UD	121	{
62a8cefb UD	122	if (audit_fd >= 0)
	123	{
	124	va_list ap;
	125	va_start (ap, fmt);
	126
	127	char *buf;
	128	int e = vasprintf (&buf, fmt, ap);
	129	if (e < 0)
	130	{
	131	buf = alloca (BUFSIZ);
	132	vsnprintf (buf, BUFSIZ, fmt, ap);
	133	}
	134
	135	/* FIXME: need to attribute this to real user, using getuid for now */
	136	audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
	137	NULL, getuid ());
ec23b9be	138
62a8cefb UD	139	if (e >= 0)
	140	free (buf);
	141
	142	va_end (ap);
	143	}
ec23b9be UD	144	}
	145
	146	/* Initialize the connection to the audit system */
64d64de6	147	static void
ec23b9be UD	148	audit_init (void)
	149	{
	150	audit_fd = audit_open ();
62a8cefb UD	151	if (audit_fd < 0
	152	/* If kernel doesn't support audit, bail out */
	153	&& errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
9b07a801	154	dbg_log (_("Failed opening connection to the audit subsystem: %m"));
ec23b9be	155	}
1f063dca UD	156
	157
	158	# ifdef HAVE_LIBCAP
	159	static const cap_value_t new_cap_list[] =
	160	{ CAP_AUDIT_WRITE };
	161	# define nnew_cap_list (sizeof (new_cap_list) / sizeof (new_cap_list[0]))
	162	static const cap_value_t tmp_cap_list[] =
	163	{ CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
	164	# define ntmp_cap_list (sizeof (tmp_cap_list) / sizeof (tmp_cap_list[0]))
	165
	166	cap_t
	167	preserve_capabilities (void)
	168	{
	169	if (getuid () != 0)
	170	/* Not root, then we cannot preserve anything. */
	171	return NULL;
	172
	173	if (prctl (PR_SET_KEEPCAPS, 1) == -1)
	174	{
	175	dbg_log (_("Failed to set keep-capabilities"));
532a6035	176	do_exit (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
1f063dca UD	177	/* NOTREACHED */
	178	}
	179
	180	cap_t tmp_caps = cap_init ();
9d9febc7	181	cap_t new_caps = NULL;
1f063dca UD	182	if (tmp_caps != NULL)
	183	new_caps = cap_init ();
	184
	185	if (tmp_caps == NULL \|\| new_caps == NULL)
	186	{
	187	if (tmp_caps != NULL)
e1f0c5bc	188	cap_free (tmp_caps);
1f063dca UD	189
1f063dca UD	190	dbg_log (_("Failed to initialize drop of capabilities"));
532a6035	191	do_exit (EXIT_FAILURE, 0, _("cap_init failed"));
1f063dca UD	192	}
	193
	194	/* There is no reason why these should not work. */
e1f0c5bc UD	195	cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
	196	(cap_value_t *) new_cap_list, CAP_SET);
	197	cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
	198	(cap_value_t *) new_cap_list, CAP_SET);
	199
	200	cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
	201	(cap_value_t *) tmp_cap_list, CAP_SET);
	202	cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
	203	(cap_value_t *) tmp_cap_list, CAP_SET);
1f063dca UD	204
	205	int res = cap_set_proc (tmp_caps);
	206
	207	cap_free (tmp_caps);
	208
a1ffb40e	209	if (__glibc_unlikely (res != 0))
1f063dca UD	210	{
1f063dca UD	211	cap_free (new_caps);
11bf311e	212	dbg_log (_("Failed to drop capabilities"));
532a6035	213	do_exit (EXIT_FAILURE, 0, _("cap_set_proc failed"));
1f063dca UD	214	}
	215
	216	return new_caps;
	217	}
	218
	219	void
	220	install_real_capabilities (cap_t new_caps)
	221	{
	222	/* If we have no capabilities there is nothing to do here. */
	223	if (new_caps == NULL)
	224	return;
	225
	226	if (cap_set_proc (new_caps))
	227	{
	228	cap_free (new_caps);
	229	dbg_log (_("Failed to drop capabilities"));
532a6035	230	do_exit (EXIT_FAILURE, 0, _("cap_set_proc failed"));
1f063dca UD	231	/* NOTREACHED */
	232	}
	233
	234	cap_free (new_caps);
	235
	236	if (prctl (PR_SET_KEEPCAPS, 0) == -1)
	237	{
	238	dbg_log (_("Failed to unset keep-capabilities"));
532a6035	239	do_exit (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
1f063dca UD	240	/* NOTREACHED */
	241	}
	242	}
	243	# endif /* HAVE_LIBCAP */
ec23b9be	244	#endif /* HAVE_LIBAUDIT */
74a30a58 UD	245
	246	/* Determine if we are running on an SELinux kernel. Set selinux_enabled
	247	to the result. */
	248	void
	249	nscd_selinux_enabled (int *selinux_enabled)
	250	{
	251	*selinux_enabled = is_selinux_enabled ();
	252	if (*selinux_enabled < 0)
	253	{
	254	dbg_log (_("Failed to determine if kernel supports SELinux"));
532a6035	255	do_exit (EXIT_FAILURE, 0, NULL);
74a30a58 UD	256	}
	257	}
	258
	259
	260	/* Create thread for AVC netlink notification. */
	261	static void *
	262	avc_create_thread (void (*run) (void))
	263	{
	264	int rc;
	265
	266	rc =
	267	pthread_create (&avc_notify_thread, NULL, (void () (void *)) run, NULL);
	268	if (rc != 0)
532a6035	269	do_exit (EXIT_FAILURE, rc, _("Failed to start AVC thread"));
74a30a58 UD	270
	271	return &avc_notify_thread;
	272	}
	273
	274
	275	/* Stop AVC netlink thread. */
	276	static void
	277	avc_stop_thread (void *thread)
	278	{
	279	pthread_cancel ((pthread_t ) thread);
	280	}
	281
	282
	283	/* Allocate a new AVC lock. */
	284	static void *
	285	avc_alloc_lock (void)
	286	{
	287	pthread_mutex_t *avc_mutex;
	288
	289	avc_mutex = malloc (sizeof (pthread_mutex_t));
	290	if (avc_mutex == NULL)
532a6035	291	do_exit (EXIT_FAILURE, errno, _("Failed to create AVC lock"));
74a30a58 UD	292	pthread_mutex_init (avc_mutex, NULL);
	293
	294	return avc_mutex;
	295	}
	296
	297
	298	/* Acquire an AVC lock. */
	299	static void
	300	avc_get_lock (void *lock)
	301	{
	302	pthread_mutex_lock (lock);
	303	}
	304
	305
	306	/* Release an AVC lock. */
	307	static void
	308	avc_release_lock (void *lock)
	309	{
	310	pthread_mutex_unlock (lock);
	311	}
	312
	313
	314	/* Free an AVC lock. */
	315	static void
	316	avc_free_lock (void *lock)
	317	{
	318	pthread_mutex_destroy (lock);
	319	free (lock);
	320	}
	321
	322
	323	/* Initialize the user space access vector cache (AVC) for NSCD along with
	324	log/thread/lock callbacks. */
	325	void
	326	nscd_avc_init (void)
	327	{
	328	avc_entry_ref_init (&aeref);
	329
	330	if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
532a6035	331	do_exit (EXIT_FAILURE, errno, _("Failed to start AVC"));
74a30a58 UD	332	else
74a30a58 UD	333	dbg_log (_("Access Vector Cache (AVC) started"));
ec23b9be UD	334	#ifdef HAVE_LIBAUDIT
	335	audit_init ();
	336	#endif
74a30a58 UD	337	}
	338
	339
	340	/* Check the permission from the caller (via getpeercon) to nscd.
0699f766 CD	341	Returns 0 if access is allowed, 1 if denied, and -1 on error.
	342
	343	The SELinux policy, enablement, and permission bits are all dynamic and the
	344	caching done by glibc is not entirely correct. This nscd support should be
	345	rewritten to use selinux_check_permission. A rewrite is risky though and
	346	requires some refactoring. Currently we use symbolic mappings instead of
	347	compile time constants (which SELinux upstream says are going away), and we
	348	use security_deny_unknown to determine what to do if selinux-policy* doesn't
	349	have a definition for the the permission or object class we are looking
	350	up. */
74a30a58 UD	351	int
	352	nscd_request_avc_has_perm (int fd, request_type req)
	353	{
	354	/* Initialize to NULL so we know what to free in case of failure. */
	355	security_context_t scon = NULL;
	356	security_context_t tcon = NULL;
	357	security_id_t ssid = NULL;
	358	security_id_t tsid = NULL;
	359	int rc = -1;
0699f766 CD	360	security_class_t sc_nscd;
	361	access_vector_t perm;
	362	int avc_deny_unknown;
	363
	364	/* Check if SELinux denys or allows unknown object classes
	365	and permissions. It is 0 if they are allowed, 1 if they
	366	are not allowed and -1 on error. */
	367	if ((avc_deny_unknown = security_deny_unknown ()) == -1)
	368	dbg_log (_("Error querying policy for undefined object classes "
	369	"or permissions."));
	370
	371	/* Get the security class for nscd. If this fails we will likely be
	372	unable to do anything unless avc_deny_unknown is 0. */
	373	sc_nscd = string_to_security_class ("nscd");
a1189263	374	if (sc_nscd == 0 && avc_deny_unknown == 1)
0699f766 CD	375	dbg_log (_("Error getting security class for nscd."));
	376
	377	/* Convert permission to AVC bits. */
	378	perm = string_to_av_perm (sc_nscd, perms[req]);
	379	if (perm == 0 && avc_deny_unknown == 1)
	380	dbg_log (_("Error translating permission name "
	381	"\"%s\" to access vector bit."), perms[req]);
	382
	383	/* If the nscd security class was not found or perms were not
	384	found and AVC does not deny unknown values then allow it. */
	385	if ((sc_nscd == 0 \|\| perm == 0) && avc_deny_unknown == 0)
	386	return 0;
74a30a58 UD	387
	388	if (getpeercon (fd, &scon) < 0)
	389	{
	390	dbg_log (_("Error getting context of socket peer"));
	391	goto out;
	392	}
	393	if (getcon (&tcon) < 0)
	394	{
	395	dbg_log (_("Error getting context of nscd"));
	396	goto out;
	397	}
1945c96f UD	398	if (avc_context_to_sid (scon, &ssid) < 0
1945c96f UD	399	\|\| avc_context_to_sid (tcon, &tsid) < 0)
74a30a58 UD	400	{
	401	dbg_log (_("Error getting sid from context"));
	402	goto out;
	403	}
	404
0699f766 CD	405	/* The SELinux API for avc_has_perm conflates access denied and error into
	406	the return code -1, while nscd_request_avs_has_perm has distinct error
	407	(-1) and denied (1) return codes. We map the avc_has_perm access denied or
	408	error into an access denied at the nscd interface level (we do accurately
	409	report error for the getpeercon, getcon, and avc_context_to_sid interfaces
	410	used above). */
	411	rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0;
74a30a58 UD	412
	413	out:
	414	if (scon)
	415	freecon (scon);
	416	if (tcon)
	417	freecon (tcon);
	418	if (ssid)
	419	sidput (ssid);
	420	if (tsid)
	421	sidput (tsid);
	422
	423	return rc;
	424	}
	425
	426
	427	/* Wrapper to get AVC statistics. */
	428	void
	429	nscd_avc_cache_stats (struct avc_cache_stats *cstats)
	430	{
	431	avc_cache_stats (cstats);
	432	}
	433
	434
	435	/* Print the AVC statistics to stdout. */
	436	void
	437	nscd_avc_print_stats (struct avc_cache_stats *cstats)
	438	{
	439	printf (_("\nSELinux AVC Statistics:\n\n"
	440	"%15u entry lookups\n"
	441	"%15u entry hits\n"
	442	"%15u entry misses\n"
	443	"%15u entry discards\n"
	444	"%15u CAV lookups\n"
	445	"%15u CAV hits\n"
	446	"%15u CAV probes\n"
	447	"%15u CAV misses\n"),
	448	cstats->entry_lookups, cstats->entry_hits, cstats->entry_misses,
	449	cstats->entry_discards, cstats->cav_lookups, cstats->cav_hits,
	450	cstats->cav_probes, cstats->cav_misses);
	451	}
	452
74a30a58	453	#endif /* HAVE_SELINUX */