[thirdparty/systemd.git] / src / core / selinux-setup.c

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <stdio.h>
#include <unistd.h>

#if HAVE_SELINUX
#include <selinux/selinux.h>
#endif

#include "log.h"
#include "macro.h"
#include "selinux-setup.h"
#include "selinux-util.h"
#include "string-util.h"
#include "util.h"

#if HAVE_SELINUX
_printf_(2,3)
static int null_log(int type, const char *fmt, ...) {
        return 0;
}
#endif

int mac_selinux_setup(bool *loaded_policy) {

#if HAVE_SELINUX
        int enforce = 0;
        usec_t before_load, after_load;
        char *con;
        int r;
        union selinux_callback cb;
        bool initialized = false;

        assert(loaded_policy);

        /* Turn off all of SELinux' own logging, we want to do that */
        cb.func_log = null_log;
        selinux_set_callback(SELINUX_CB_LOG, cb);

        /* Don't load policy in the initrd if we don't appear to have
         * it.  For the real root, we check below if we've already
         * loaded policy, and return gracefully.
         */
        if (in_initrd() && access(selinux_path(), F_OK) < 0)
                return 0;

        /* Already initialized by somebody else? */
        r = getcon_raw(&con);
        if (r == 0) {
                initialized = !streq(con, "kernel");
                freecon(con);
        }

        /* Make sure we have no fds open while loading the policy and
         * transitioning */
        log_close();

        /* Now load the policy */
        before_load = now(CLOCK_MONOTONIC);
        r = selinux_init_load_policy(&enforce);
        if (r == 0) {
                _cleanup_(mac_selinux_freep) char *label = NULL;
                char timespan[FORMAT_TIMESPAN_MAX];

                mac_selinux_retest();

                /* Transition to the new context */
                r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
                if (r < 0 || !label) {
                        log_open();
                        log_error("Failed to compute init label, ignoring.");
                } else {
                        r = setcon_raw(label);

                        log_open();
                        if (r < 0)
                                log_error("Failed to transition into init label '%s', ignoring.", label);
                }

                after_load = now(CLOCK_MONOTONIC);

                log_info("Successfully loaded SELinux policy in %s.",
                         format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));

                *loaded_policy = true;

        } else {
                log_open();

                if (enforce > 0) {
                        if (!initialized) {
                                log_emergency("Failed to load SELinux policy.");
                                return -EIO;
                        }

                        log_warning("Failed to load new SELinux policy. Continuing with old policy.");
                } else
                        log_debug("Unable to load SELinux policy. Ignoring.");
        }
#endif

        return 0;
}
Commit	Line	Data
53e1b683	1	/* SPDX-License-Identifier: LGPL-2.1+ */
c4dcdb9f LP	2	/***
	3	This file is part of systemd.
	4
	5	Copyright 2010 Lennart Poettering
	6
	7	systemd is free software; you can redistribute it and/or modify it
5430f7f2 LP	8	under the terms of the GNU Lesser General Public License as published by
5430f7f2 LP	9	the Free Software Foundation; either version 2.1 of the License, or
c4dcdb9f LP	10	(at your option) any later version.
	11
	12	systemd is distributed in the hope that it will be useful, but
	13	WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
5430f7f2	15	Lesser General Public License for more details.
c4dcdb9f	16
5430f7f2	17	You should have received a copy of the GNU Lesser General Public License
c4dcdb9f LP	18	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	19	***/
	20
c4dcdb9f	21	#include <errno.h>
07630cea LP	22	#include <stdio.h>
07630cea LP	23	#include <unistd.h>
c4dcdb9f	24
349cc4a5	25	#if HAVE_SELINUX
c4dcdb9f LP	26	#include <selinux/selinux.h>
	27	#endif
	28
07630cea	29	#include "log.h"
c4dcdb9f	30	#include "macro.h"
cf0fbc49	31	#include "selinux-setup.h"
07630cea LP	32	#include "selinux-util.h"
07630cea LP	33	#include "string-util.h"
c4dcdb9f	34	#include "util.h"
0b3325e7	35
349cc4a5	36	#if HAVE_SELINUX
82613b14	37	_printf_(2,3)
dbc655d5 LP	38	static int null_log(int type, const char *fmt, ...) {
	39	return 0;
	40	}
f8e9f2cc	41	#endif
dbc655d5	42
8a188de9	43	int mac_selinux_setup(bool *loaded_policy) {
c4dcdb9f	44
349cc4a5	45	#if HAVE_SELINUX
4ab72d6f WW	46	int enforce = 0;
4ab72d6f WW	47	usec_t before_load, after_load;
2ed96880	48	char *con;
4ab72d6f WW	49	int r;
4ab72d6f WW	50	union selinux_callback cb;
68d3acac	51	bool initialized = false;
4ab72d6f WW	52
	53	assert(loaded_policy);
	54
	55	/* Turn off all of SELinux' own logging, we want to do that */
	56	cb.func_log = null_log;
	57	selinux_set_callback(SELINUX_CB_LOG, cb);
	58
	59	/* Don't load policy in the initrd if we don't appear to have
	60	* it. For the real root, we check below if we've already
	61	* loaded policy, and return gracefully.
	62	*/
	63	if (in_initrd() && access(selinux_path(), F_OK) < 0)
	64	return 0;
	65
	66	/* Already initialized by somebody else? */
	67	r = getcon_raw(&con);
	68	if (r == 0) {
4ab72d6f WW	69	initialized = !streq(con, "kernel");
4ab72d6f WW	70	freecon(con);
4ab72d6f WW	71	}
	72
	73	/* Make sure we have no fds open while loading the policy and
	74	* transitioning */
	75	log_close();
	76
	77	/* Now load the policy */
	78	before_load = now(CLOCK_MONOTONIC);
	79	r = selinux_init_load_policy(&enforce);
	80	if (r == 0) {
710a6b50	81	_cleanup_(mac_selinux_freep) char *label = NULL;
4ab72d6f	82	char timespan[FORMAT_TIMESPAN_MAX];
4ab72d6f	83
6baa7db0	84	mac_selinux_retest();
4ab72d6f WW	85
4ab72d6f WW	86	/* Transition to the new context */
cc56fafe	87	r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
710a6b50	88	if (r < 0 \|\| !label) {
4ab72d6f WW	89	log_open();
	90	log_error("Failed to compute init label, ignoring.");
	91	} else {
a1d2de07	92	r = setcon_raw(label);
4ab72d6f WW	93
	94	log_open();
	95	if (r < 0)
	96	log_error("Failed to transition into init label '%s', ignoring.", label);
4ab72d6f WW	97	}
	98
	99	after_load = now(CLOCK_MONOTONIC);
	100
	101	log_info("Successfully loaded SELinux policy in %s.",
	102	format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));
	103
	104	*loaded_policy = true;
	105
	106	} else {
	107	log_open();
	108
	109	if (enforce > 0) {
68d3acac	110	if (!initialized) {
cb6531be	111	log_emergency("Failed to load SELinux policy.");
68d3acac WW	112	return -EIO;
	113	}
	114
	115	log_warning("Failed to load new SELinux policy. Continuing with old policy.");
4ab72d6f WW	116	} else
	117	log_debug("Unable to load SELinux policy. Ignoring.");
	118	}
c4dcdb9f LP	119	#endif
c4dcdb9f LP	120
4ab72d6f	121	return 0;
c4dcdb9f	122	}