[thirdparty/systemd.git] / src / core / selinux-access.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2012 Dan Walsh

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include "selinux-access.h"

#if HAVE_SELINUX

#include <errno.h>
#include <selinux/avc.h>
#include <selinux/selinux.h>
#include <stdio.h>
#if HAVE_AUDIT
#include <libaudit.h>
#endif

#include "sd-bus.h"

#include "alloc-util.h"
#include "audit-fd.h"
#include "bus-util.h"
#include "log.h"
#include "path-util.h"
#include "selinux-util.h"
#include "stdio-util.h"
#include "strv.h"
#include "util.h"

static bool initialized = false;

struct audit_info {
        sd_bus_creds *creds;
        const char *path;
        const char *cmdline;
};

/*
   Any time an access gets denied this callback will be called
   with the audit data.  We then need to just copy the audit data into the msgbuf.
*/
static int audit_callback(
                void *auditdata,
                security_class_t cls,
                char *msgbuf,
                size_t msgbufsize) {

        const struct audit_info *audit = auditdata;
        uid_t uid = 0, login_uid = 0;
        gid_t gid = 0;
        char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
        char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
        char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";

        if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
                xsprintf(login_uid_buf, UID_FMT, login_uid);
        if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
                xsprintf(uid_buf, UID_FMT, uid);
        if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
                xsprintf(gid_buf, GID_FMT, gid);

        snprintf(msgbuf, msgbufsize,
                 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
                 login_uid_buf, uid_buf, gid_buf,
                 audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
                 audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");

        return 0;
}

static int callback_type_to_priority(int type) {
        switch(type) {

        case SELINUX_ERROR:
                return LOG_ERR;

        case SELINUX_WARNING:
                return LOG_WARNING;

        case SELINUX_INFO:
                return LOG_INFO;

        case SELINUX_AVC:
        default:
                return LOG_NOTICE;
        }
}

/*
   libselinux uses this callback when access gets denied or other
   events happen. If audit is turned on, messages will be reported
   using audit netlink, otherwise they will be logged using the usual
   channels.

   Code copied from dbus and modified.
*/
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
        va_list ap;
        const char *fmt2;

#if HAVE_AUDIT
        int fd;

        fd = get_audit_fd();

        if (fd >= 0) {
                _cleanup_free_ char *buf = NULL;
                int r;

                va_start(ap, fmt);
                r = vasprintf(&buf, fmt, ap);
                va_end(ap);

                if (r >= 0) {
                        audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
                        return 0;
                }
        }
#endif

        fmt2 = strjoina("selinux: ", fmt);

        va_start(ap, fmt);
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
        log_internalv(LOG_AUTH | callback_type_to_priority(type),
                      0, __FILE__, __LINE__, __FUNCTION__,
                      fmt2, ap);
#pragma GCC diagnostic pop
        va_end(ap);

        return 0;
}

static int access_init(sd_bus_error *error) {

        if (!mac_selinux_use())
                return 0;

        if (initialized)
                return 1;

        if (avc_open(NULL, 0) != 0) {
                int enforce, saved_errno = errno;

                enforce = security_getenforce();
                log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");

                /* If enforcement isn't on, then let's suppress this
                 * error, and just don't do any AVC checks. The
                 * warning we printed is hence all the admin will
                 * see. */
                if (enforce == 0)
                        return 0;

                /* Return an access denied error, if we couldn't load
                 * the AVC but enforcing mode was on, or we couldn't
                 * determine whether it is one. */
                return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror(saved_errno));
        }

        selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);

        initialized = true;
        return 1;
}

/*
   This function communicates with the kernel to check whether or not it should
   allow the access.
   If the machine is in permissive mode it will return ok.  Audit messages will
   still be generated if the access would be denied in enforcing mode.
*/
int mac_selinux_generic_access_check(
                sd_bus_message *message,
                const char *path,
                const char *permission,
                sd_bus_error *error) {

        _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
        const char *tclass = NULL, *scon = NULL;
        struct audit_info audit_info = {};
        _cleanup_free_ char *cl = NULL;
        char *fcon = NULL;
        char **cmdline = NULL;
        int r = 0;

        assert(message);
        assert(permission);
        assert(error);

        r = access_init(error);
        if (r <= 0)
                return r;

        r = sd_bus_query_sender_creds(
                        message,
                        SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
                        SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
                        SD_BUS_CREDS_SELINUX_CONTEXT|
                        SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
                        &creds);
        if (r < 0)
                goto finish;

        /* The SELinux context is something we really should have
         * gotten directly from the message or sender, and not be an
         * augmented field. If it was augmented we cannot use it for
         * authorization, since this is racy and vulnerable. Let's add
         * an extra check, just in case, even though this really
         * shouldn't be possible. */
        assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);

        r = sd_bus_creds_get_selinux_context(creds, &scon);
        if (r < 0)
                goto finish;

        if (path) {
                /* Get the file context of the unit file */

                r = getfilecon_raw(path, &fcon);
                if (r < 0) {
                        r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
                        goto finish;
                }

                tclass = "service";
        } else {
                r = getcon_raw(&fcon);
                if (r < 0) {
                        r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
                        goto finish;
                }

                tclass = "system";
        }

        sd_bus_creds_get_cmdline(creds, &cmdline);
        cl = strv_join(cmdline, " ");

        audit_info.creds = creds;
        audit_info.path = path;
        audit_info.cmdline = cl;

        r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
        if (r < 0)
                r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");

        log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);

finish:
        freecon(fcon);

        if (r < 0 && security_getenforce() != 1) {
                sd_bus_error_free(error);
                r = 0;
        }

        return r;
}

#else

int mac_selinux_generic_access_check(
                sd_bus_message *message,
                const char *path,
                const char *permission,
                sd_bus_error *error) {

        return 0;
}

#endif
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
e2417e41 DW	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2012 Dan Walsh
	6
	7	systemd is free software; you can redistribute it and/or modify it
03e22642 KS	8	under the terms of the GNU Lesser General Public License as published by
03e22642 KS	9	the Free Software Foundation; either version 2.1 of the License, or
e2417e41 DW	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
03e22642	15	Lesser General Public License for more details.
e2417e41	16
03e22642	17	You should have received a copy of the GNU Lesser General Public License
e2417e41 DW	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
e2417e41 DW	21	#include "selinux-access.h"
e2417e41 DW	22
349cc4a5	23	#if HAVE_SELINUX
e2417e41	24
e2417e41	25	#include <errno.h>
e2417e41	26	#include <selinux/avc.h>
cf0fbc49 TA	27	#include <selinux/selinux.h>
cf0fbc49 TA	28	#include <stdio.h>
349cc4a5	29	#if HAVE_AUDIT
e2417e41 DW	30	#include <libaudit.h>
e2417e41 DW	31	#endif
ffc227c9	32
718db961	33	#include "sd-bus.h"
15a5e950	34
b5efdb8a	35	#include "alloc-util.h"
15a5e950	36	#include "audit-fd.h"
718db961	37	#include "bus-util.h"
ffc227c9	38	#include "log.h"
15a5e950	39	#include "path-util.h"
ffc227c9	40	#include "selinux-util.h"
15a5e950	41	#include "stdio-util.h"
5b12334d	42	#include "strv.h"
15a5e950	43	#include "util.h"
e2417e41	44
cad45ba1	45	static bool initialized = false;
e2417e41	46
5b12334d LP	47	struct audit_info {
5b12334d LP	48	sd_bus_creds *creds;
e2417e41	49	const char *path;
5b12334d	50	const char *cmdline;
e2417e41 DW	51	};
e2417e41 DW	52
e2417e41 DW	53	/*
e2417e41 DW	54	Any time an access gets denied this callback will be called
dec23413	55	with the audit data. We then need to just copy the audit data into the msgbuf.
e2417e41	56	*/
cad45ba1 LP	57	static int audit_callback(
	58	void *auditdata,
	59	security_class_t cls,
	60	char *msgbuf,
	61	size_t msgbufsize) {
	62
5b12334d LP	63	const struct audit_info *audit = auditdata;
	64	uid_t uid = 0, login_uid = 0;
	65	gid_t gid = 0;
5ffa8c81 ZJS	66	char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
	67	char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
	68	char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";
5b12334d	69
dec23413	70	if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
5ffa8c81	71	xsprintf(login_uid_buf, UID_FMT, login_uid);
05bae4a6	72	if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
5ffa8c81	73	xsprintf(uid_buf, UID_FMT, uid);
05bae4a6	74	if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
5ffa8c81	75	xsprintf(gid_buf, GID_FMT, gid);
cad45ba1	76
e2417e41	77	snprintf(msgbuf, msgbufsize,
dec23413 ZJS	78	"auid=%s uid=%s gid=%s%s%s%s%s%s%s",
dec23413 ZJS	79	login_uid_buf, uid_buf, gid_buf,
5b12334d LP	80	audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
5b12334d LP	81	audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
d67227c8	82
e2417e41 DW	83	return 0;
	84	}
	85
17af49f2 ZJS	86	static int callback_type_to_priority(int type) {
17af49f2 ZJS	87	switch(type) {
c04754bc LP	88
	89	case SELINUX_ERROR:
	90	return LOG_ERR;
	91
	92	case SELINUX_WARNING:
	93	return LOG_WARNING;
	94
	95	case SELINUX_INFO:
	96	return LOG_INFO;
	97
17af49f2	98	case SELINUX_AVC:
c04754bc LP	99	default:
c04754bc LP	100	return LOG_NOTICE;
17af49f2 ZJS	101	}
	102	}
	103
e2417e41	104	/*
17af49f2 ZJS	105	libselinux uses this callback when access gets denied or other
	106	events happen. If audit is turned on, messages will be reported
	107	using audit netlink, otherwise they will be logged using the usual
	108	channels.
	109
	110	Code copied from dbus and modified.
e2417e41	111	*/
44b601bc	112	_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
e2417e41	113	va_list ap;
c8a806f2	114	const char *fmt2;
e2417e41	115
349cc4a5	116	#if HAVE_AUDIT
17af49f2 ZJS	117	int fd;
	118
	119	fd = get_audit_fd();
	120
	121	if (fd >= 0) {
ace188cf LP	122	_cleanup_free_ char *buf = NULL;
ace188cf LP	123	int r;
e2417e41	124
5b12334d	125	va_start(ap, fmt);
ace188cf	126	r = vasprintf(&buf, fmt, ap);
7f1736f7	127	va_end(ap);
cad45ba1	128
ace188cf	129	if (r >= 0) {
17af49f2	130	audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
ace188cf LP	131	return 0;
ace188cf LP	132	}
e2417e41 DW	133	}
e2417e41 DW	134	#endif
5b12334d	135
c8a806f2 ZJS	136	fmt2 = strjoina("selinux: ", fmt);
c8a806f2 ZJS	137
5b12334d	138	va_start(ap, fmt);
032b7541 ZJS	139	#pragma GCC diagnostic push
	140	#pragma GCC diagnostic ignored "-Wformat-nonliteral"
	141	log_internalv(LOG_AUTH \| callback_type_to_priority(type),
	142	0, __FILE__, __LINE__, __FUNCTION__,
	143	fmt2, ap);
	144	#pragma GCC diagnostic pop
e2417e41	145	va_end(ap);
cad45ba1	146
e2417e41 DW	147	return 0;
	148	}
	149
6344f3e2	150	static int access_init(sd_bus_error *error) {
e2417e41	151
6344f3e2 LP	152	if (!mac_selinux_use())
6344f3e2 LP	153	return 0;
e2417e41	154
6344f3e2 LP	155	if (initialized)
6344f3e2 LP	156	return 1;
cad45ba1	157
6344f3e2 LP	158	if (avc_open(NULL, 0) != 0) {
6344f3e2 LP	159	int enforce, saved_errno = errno;
e2417e41	160
6344f3e2 LP	161	enforce = security_getenforce();
6344f3e2 LP	162	log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
e2417e41	163
6344f3e2 LP	164	/* If enforcement isn't on, then let's suppress this
	165	* error, and just don't do any AVC checks. The
	166	* warning we printed is hence all the admin will
	167	* see. */
	168	if (enforce == 0)
	169	return 0;
e2417e41	170
6344f3e2 LP	171	/* Return an access denied error, if we couldn't load
	172	* the AVC but enforcing mode was on, or we couldn't
	173	* determine whether it is one. */
	174	return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror(saved_errno));
	175	}
718db961	176
6344f3e2 LP	177	selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
6344f3e2 LP	178	selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
e2417e41	179
cad45ba1	180	initialized = true;
6344f3e2	181	return 1;
e2417e41 DW	182	}
e2417e41 DW	183
e2417e41 DW	184	/*
	185	This function communicates with the kernel to check whether or not it should
	186	allow the access.
	187	If the machine is in permissive mode it will return ok. Audit messages will
	188	still be generated if the access would be denied in enforcing mode.
	189	*/
8a188de9	190	int mac_selinux_generic_access_check(
718db961	191	sd_bus_message *message,
cad45ba1 LP	192	const char *path,
cad45ba1 LP	193	const char *permission,
718db961	194	sd_bus_error *error) {
cad45ba1	195
4afd3348	196	_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
5b12334d LP	197	const char tclass = NULL, scon = NULL;
	198	struct audit_info audit_info = {};
	199	_cleanup_free_ char *cl = NULL;
2ed96880	200	char *fcon = NULL;
5b12334d	201	char **cmdline = NULL;
718db961	202	int r = 0;
c3090674	203
cad45ba1 LP	204	assert(message);
	205	assert(permission);
	206	assert(error);
	207
6344f3e2 LP	208	r = access_init(error);
6344f3e2 LP	209	if (r <= 0)
ffc227c9 LP	210	return r;
ffc227c9 LP	211
5b12334d LP	212	r = sd_bus_query_sender_creds(
5b12334d LP	213	message,
05bae4a6	214	SD_BUS_CREDS_PID\|SD_BUS_CREDS_EUID\|SD_BUS_CREDS_EGID\|
5b12334d	215	SD_BUS_CREDS_CMDLINE\|SD_BUS_CREDS_AUDIT_LOGIN_UID\|
8fd00193 LP	216	SD_BUS_CREDS_SELINUX_CONTEXT\|
8fd00193 LP	217	SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
5b12334d LP	218	&creds);
	219	if (r < 0)
	220	goto finish;
e2417e41	221
0f514420 LP	222	/* The SELinux context is something we really should have
	223	* gotten directly from the message or sender, and not be an
	224	* augmented field. If it was augmented we cannot use it for
	225	* authorization, since this is racy and vulnerable. Let's add
	226	* an extra check, just in case, even though this really
	227	* shouldn't be possible. */
	228	assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
	229
5b12334d	230	r = sd_bus_creds_get_selinux_context(creds, &scon);
718db961	231	if (r < 0)
e2417e41	232	goto finish;
cad45ba1	233
e2417e41	234	if (path) {
718db961 LP	235	/* Get the file context of the unit file */
718db961 LP	236
24154879	237	r = getfilecon_raw(path, &fcon);
e2417e41	238	if (r < 0) {
718db961	239	r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
e2417e41 DW	240	goto finish;
	241	}
	242
718db961	243	tclass = "service";
e2417e41	244	} else {
24154879	245	r = getcon_raw(&fcon);
e2417e41	246	if (r < 0) {
718db961	247	r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
e2417e41 DW	248	goto finish;
e2417e41 DW	249	}
718db961 LP	250
718db961 LP	251	tclass = "system";
e2417e41 DW	252	}
e2417e41 DW	253
5b12334d LP	254	sd_bus_creds_get_cmdline(creds, &cmdline);
	255	cl = strv_join(cmdline, " ");
	256
	257	audit_info.creds = creds;
	258	audit_info.path = path;
	259	audit_info.cmdline = cl;
e2417e41	260
236f83af	261	r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
718db961 LP	262	if (r < 0)
718db961 LP	263	r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
e2417e41	264
5b12334d	265	log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
cad45ba1	266
e2417e41	267	finish:
e2417e41 DW	268	freecon(fcon);
e2417e41 DW	269
5b12334d	270	if (r < 0 && security_getenforce() != 1) {
718db961	271	sd_bus_error_free(error);
e2417e41 DW	272	r = 0;
	273	}
	274
	275	return r;
6344f3e2 LP	276	}
6344f3e2 LP	277
8a188de9	278	#else
6344f3e2 LP	279
	280	int mac_selinux_generic_access_check(
	281	sd_bus_message *message,
	282	const char *path,
	283	const char *permission,
	284	sd_bus_error *error) {
	285
8a188de9	286	return 0;
e2417e41	287	}
6344f3e2 LP	288
6344f3e2 LP	289	#endif