[thirdparty/systemd.git] / src / shared / selinux-util.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2010 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <unistd.h>
#include <malloc.h>
#include <sys/un.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <selinux/context.h>
#endif

#include "strv.h"
#include "path-util.h"
#include "selinux-util.h"

#ifdef HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);

#define _cleanup_security_context_free_ _cleanup_(freeconp)
#define _cleanup_context_free_ _cleanup_(context_freep)

static int cached_use = -1;
static struct selabel_handle *label_hnd = NULL;

#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif

bool mac_selinux_use(void) {
#ifdef HAVE_SELINUX
        if (cached_use < 0)
                cached_use = is_selinux_enabled() > 0;

        return cached_use;
#else
        return false;
#endif
}

void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
        cached_use = -1;
#endif
}

int mac_selinux_init(const char *prefix) {
        int r = 0;

#ifdef HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
        struct mallinfo before_mallinfo, after_mallinfo;

        if (!mac_selinux_use())
                return 0;

        if (label_hnd)
                return 0;

        before_mallinfo = mallinfo();
        before_timestamp = now(CLOCK_MONOTONIC);

        if (prefix) {
                struct selinux_opt options[] = {
                        { .type = SELABEL_OPT_SUBSET, .value = prefix },
                };

                label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
        } else
                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);

        if (!label_hnd) {
                log_enforcing("Failed to initialize SELinux context: %m");
                r = security_getenforce() == 1 ? -errno : 0;
        } else  {
                char timespan[FORMAT_TIMESPAN_MAX];
                int l;

                after_timestamp = now(CLOCK_MONOTONIC);
                after_mallinfo = mallinfo();

                l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
                          (l+1023)/1024);
        }
#endif

        return r;
}

void mac_selinux_finish(void) {

#ifdef HAVE_SELINUX
        if (!label_hnd)
                return;

        selabel_close(label_hnd);
#endif
}

int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {

#ifdef HAVE_SELINUX
        struct stat st;
        int r;

        assert(path);

        /* if mac_selinux_init() wasn't called before we are a NOOP */
        if (!label_hnd)
                return 0;

        r = lstat(path, &st);
        if (r >= 0) {
                _cleanup_security_context_free_ security_context_t fcon = NULL;

                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);

                /* If there's no label to set, then exit without warning */
                if (r < 0 && errno == ENOENT)
                        return 0;

                if (r >= 0) {
                        r = lsetfilecon(path, fcon);

                        /* If the FS doesn't support labels, then exit without warning */
                        if (r < 0 && errno == ENOTSUP)
                                return 0;
                }
        }

        if (r < 0) {
                /* Ignore ENOENT in some cases */
                if (ignore_enoent && errno == ENOENT)
                        return 0;

                if (ignore_erofs && errno == EROFS)
                        return 0;

                log_enforcing("Unable to fix SELinux security context of %s: %m", path);
                if (security_getenforce() == 1)
                        return -errno;
        }
#endif

        return 0;
}

int mac_selinux_apply(const char *path, const char *label) {

#ifdef HAVE_SELINUX
        assert(path);
        assert(label);

        if (!mac_selinux_use())
                return 0;

        if (setfilecon(path, (security_context_t) label) < 0) {
                log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
                if (security_getenforce() == 1)
                        return -errno;
        }
#endif
        return 0;
}

int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
        int r = -EOPNOTSUPP;

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
        security_class_t sclass;

        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon(&mycon);
        if (r < 0)
                return -errno;

        r = getfilecon(exe, &fcon);
        if (r < 0)
                return -errno;

        sclass = string_to_security_class("process");
        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

int mac_selinux_get_our_label(char **label) {
        int r = -EOPNOTSUPP;

        assert(label);

#ifdef HAVE_SELINUX
        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon(label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
        int r = -EOPNOTSUPP;

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
        security_class_t sclass;
        const char *range = NULL;

        assert(socket_fd >= 0);
        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon(&mycon);
        if (r < 0)
                return -errno;

        r = getpeercon(socket_fd, &peercon);
        if (r < 0)
                return -errno;

        r = getexeccon(&fcon);
        if (r < 0)
                return -errno;

        if (!fcon) {
                /* If there is no context set for next exec let's use context
                   of target executable */
                r = getfilecon(exe, &fcon);
                if (r < 0)
                        return -errno;
        }

        bcon = context_new(mycon);
        if (!bcon)
                return -ENOMEM;

        pcon = context_new(peercon);
        if (!pcon)
                return -ENOMEM;

        range = context_range_get(pcon);
        if (!range)
                return -errno;

        r = context_range_set(bcon, range);
        if (r)
                return -errno;

        freecon(mycon);
        mycon = strdup(context_str(bcon));
        if (!mycon)
                return -ENOMEM;

        sclass = string_to_security_class("process");
        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

void mac_selinux_free(char *label) {

#ifdef HAVE_SELINUX
        if (!mac_selinux_use())
                return;

        freecon((security_context_t) label);
#endif
}

int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
        int r = 0;

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t filecon = NULL;

        assert(path);

        if (!label_hnd)
                return 0;

        r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
        if (r < 0 && errno != ENOENT)
                r = -errno;
        else if (r == 0) {
                r = setfscreatecon(filecon);
                if (r < 0) {
                        log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
                        r = -errno;
                }
        }

        if (r < 0 && security_getenforce() == 0)
                r = 0;
#endif

        return r;
}

void mac_selinux_create_file_clear(void) {

#ifdef HAVE_SELINUX
        PROTECT_ERRNO;

        if (!mac_selinux_use())
                return;

        setfscreatecon(NULL);
#endif
}

int mac_selinux_create_socket_prepare(const char *label) {

#ifdef HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(label);

        if (setsockcreatecon((security_context_t) label) < 0) {
                log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);

                if (security_getenforce() == 1)
                        return -errno;
        }
#endif

        return 0;
}

void mac_selinux_create_socket_clear(void) {

#ifdef HAVE_SELINUX
        PROTECT_ERRNO;

        if (!mac_selinux_use())
                return;

        setsockcreatecon(NULL);
#endif
}

int mac_selinux_mkdir(const char *path, mode_t mode) {

        /* Creates a directory and labels it according to the SELinux policy */

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t fcon = NULL;
        int r;

        assert(path);

        if (!label_hnd)
                goto skipped;

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
        else {
                _cleanup_free_ char *newpath;

                newpath = path_make_absolute_cwd(path);
                if (!newpath)
                        return -ENOMEM;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
        }

        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = mkdir(path, mode);
        if (r < 0)
                r = -errno;

finish:
        setfscreatecon(NULL);
        return r;

skipped:
#endif
        return mkdir(path, mode) < 0 ? -errno : 0;
}

int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

        /* Binds a socket and label its file system object according to the SELinux policy */

#ifdef HAVE_SELINUX
        _cleanup_security_context_free_ security_context_t fcon = NULL;
        const struct sockaddr_un *un;
        char *path;
        int r;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        if (!label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < sizeof(sa_family_t) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
        else {
                _cleanup_free_ char *newpath;

                newpath = path_make_absolute_cwd(path);
                if (!newpath)
                        return -ENOMEM;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
        }

        if (r == 0)
                r = setfscreatecon(fcon);

        if (r < 0 && errno != ENOENT) {
                log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);

                if (security_getenforce() == 1) {
                        r = -errno;
                        goto finish;
                }
        }

        r = bind(fd, addr, addrlen);
        if (r < 0)
                r = -errno;

finish:
        setfscreatecon(NULL);
        return r;

skipped:
#endif
        return bind(fd, addr, addrlen) < 0 ? -errno : 0;
}
Commit	Line	Data
cad45ba1 LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2010 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
66b6d9d5 WC	22	#include <errno.h>
	23	#include <unistd.h>
	24	#include <malloc.h>
	25	#include <sys/un.h>
	26	#ifdef HAVE_SELINUX
	27	#include <selinux/selinux.h>
	28	#include <selinux/label.h>
	29	#include <selinux/context.h>
	30	#endif
	31
	32	#include "strv.h"
	33	#include "path-util.h"
cad45ba1 LP	34	#include "selinux-util.h"
cad45ba1 LP	35
0b6018f3	36	#ifdef HAVE_SELINUX
66b6d9d5 WC	37	DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
66b6d9d5 WC	38	DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
0b6018f3	39
66b6d9d5 WC	40	#define _cleanup_security_context_free_ _cleanup_(freeconp)
66b6d9d5 WC	41	#define _cleanup_context_free_ _cleanup_(context_freep)
0b6018f3	42
6baa7db0	43	static int cached_use = -1;
66b6d9d5	44	static struct selabel_handle *label_hnd = NULL;
66cedb30 LP	45
66cedb30 LP	46	#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
66b6d9d5	47	#endif
cad45ba1	48
6baa7db0	49	bool mac_selinux_use(void) {
66b6d9d5	50	#ifdef HAVE_SELINUX
6baa7db0 LP	51	if (cached_use < 0)
6baa7db0 LP	52	cached_use = is_selinux_enabled() > 0;
cad45ba1	53
6baa7db0	54	return cached_use;
66b6d9d5 WC	55	#else
	56	return false;
	57	#endif
cad45ba1 LP	58	}
cad45ba1 LP	59
6baa7db0	60	void mac_selinux_retest(void) {
66b6d9d5	61	#ifdef HAVE_SELINUX
6baa7db0	62	cached_use = -1;
66b6d9d5	63	#endif
cad45ba1	64	}
0b6018f3	65
cc56fafe	66	int mac_selinux_init(const char *prefix) {
66b6d9d5	67	int r = 0;
d682b3a7	68
66b6d9d5 WC	69	#ifdef HAVE_SELINUX
	70	usec_t before_timestamp, after_timestamp;
	71	struct mallinfo before_mallinfo, after_mallinfo;
	72
6baa7db0	73	if (!mac_selinux_use())
66b6d9d5 WC	74	return 0;
	75
	76	if (label_hnd)
	77	return 0;
	78
	79	before_mallinfo = mallinfo();
	80	before_timestamp = now(CLOCK_MONOTONIC);
	81
	82	if (prefix) {
	83	struct selinux_opt options[] = {
	84	{ .type = SELABEL_OPT_SUBSET, .value = prefix },
	85	};
	86
	87	label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
	88	} else
	89	label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
	90
	91	if (!label_hnd) {
66cedb30	92	log_enforcing("Failed to initialize SELinux context: %m");
66b6d9d5 WC	93	r = security_getenforce() == 1 ? -errno : 0;
	94	} else {
	95	char timespan[FORMAT_TIMESPAN_MAX];
	96	int l;
	97
	98	after_timestamp = now(CLOCK_MONOTONIC);
	99	after_mallinfo = mallinfo();
	100
	101	l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
	102
	103	log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
	104	format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
	105	(l+1023)/1024);
	106	}
	107	#endif
	108
	109	return r;
d682b3a7 LP	110	}
d682b3a7 LP	111
ecabcf8b LP	112	void mac_selinux_finish(void) {
	113
	114	#ifdef HAVE_SELINUX
	115	if (!label_hnd)
	116	return;
	117
	118	selabel_close(label_hnd);
	119	#endif
	120	}
	121
cc56fafe	122	int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
66b6d9d5 WC	123
	124	#ifdef HAVE_SELINUX
	125	struct stat st;
ecabcf8b	126	int r;
66b6d9d5	127
5dfc5461 LP	128	assert(path);
	129
	130	/* if mac_selinux_init() wasn't called before we are a NOOP */
66b6d9d5 WC	131	if (!label_hnd)
	132	return 0;
	133
	134	r = lstat(path, &st);
5dfc5461 LP	135	if (r >= 0) {
	136	_cleanup_security_context_free_ security_context_t fcon = NULL;
	137
66b6d9d5 WC	138	r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
	139
	140	/* If there's no label to set, then exit without warning */
	141	if (r < 0 && errno == ENOENT)
	142	return 0;
	143
5dfc5461	144	if (r >= 0) {
66b6d9d5	145	r = lsetfilecon(path, fcon);
66b6d9d5 WC	146
	147	/* If the FS doesn't support labels, then exit without warning */
	148	if (r < 0 && errno == ENOTSUP)
	149	return 0;
	150	}
	151	}
	152
	153	if (r < 0) {
	154	/* Ignore ENOENT in some cases */
	155	if (ignore_enoent && errno == ENOENT)
	156	return 0;
	157
	158	if (ignore_erofs && errno == EROFS)
	159	return 0;
	160
ecabcf8b LP	161	log_enforcing("Unable to fix SELinux security context of %s: %m", path);
	162	if (security_getenforce() == 1)
	163	return -errno;
66b6d9d5 WC	164	}
	165	#endif
	166
ecabcf8b	167	return 0;
66b6d9d5 WC	168	}
66b6d9d5 WC	169
ecabcf8b	170	int mac_selinux_apply(const char path, const char label) {
66b6d9d5 WC	171
66b6d9d5 WC	172	#ifdef HAVE_SELINUX
ecabcf8b LP	173	assert(path);
ecabcf8b LP	174	assert(label);
66b6d9d5	175
ecabcf8b LP	176	if (!mac_selinux_use())
	177	return 0;
	178
	179	if (setfilecon(path, (security_context_t) label) < 0) {
	180	log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
	181	if (security_getenforce() == 1)
	182	return -errno;
	183	}
66b6d9d5	184	#endif
ecabcf8b	185	return 0;
d682b3a7 LP	186	}
d682b3a7 LP	187
cc56fafe	188	int mac_selinux_get_create_label_from_exe(const char exe, char *label) {
7f416dae	189	int r = -EOPNOTSUPP;
66b6d9d5 WC	190
66b6d9d5 WC	191	#ifdef HAVE_SELINUX
1ec220bc	192	_cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL;
66b6d9d5 WC	193	security_class_t sclass;
66b6d9d5 WC	194
7f416dae LP	195	assert(exe);
	196	assert(label);
	197
	198	if (!mac_selinux_use())
	199	return -EOPNOTSUPP;
66b6d9d5 WC	200
	201	r = getcon(&mycon);
	202	if (r < 0)
7f416dae	203	return -errno;
66b6d9d5 WC	204
	205	r = getfilecon(exe, &fcon);
	206	if (r < 0)
7f416dae	207	return -errno;
66b6d9d5 WC	208
	209	sclass = string_to_security_class("process");
	210	r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
7f416dae LP	211	if (r < 0)
7f416dae LP	212	return -errno;
66b6d9d5 WC	213	#endif
	214
	215	return r;
	216	}
	217
cc56fafe	218	int mac_selinux_get_our_label(char **label) {
66b6d9d5 WC	219	int r = -EOPNOTSUPP;
66b6d9d5 WC	220
7f416dae LP	221	assert(label);
7f416dae LP	222
66b6d9d5	223	#ifdef HAVE_SELINUX
7f416dae LP	224	if (!mac_selinux_use())
7f416dae LP	225	return -EOPNOTSUPP;
66b6d9d5	226
7f416dae	227	r = getcon(label);
66b6d9d5	228	if (r < 0)
7f416dae	229	return -errno;
0b6018f3	230	#endif
66b6d9d5 WC	231
	232	return r;
	233	}
	234
cc56fafe	235	int mac_selinux_get_child_mls_label(int socket_fd, const char exe, char *label) {
66b6d9d5 WC	236	int r = -EOPNOTSUPP;
	237
	238	#ifdef HAVE_SELINUX
7f416dae	239	_cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL;
66b6d9d5 WC	240	_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
66b6d9d5 WC	241	security_class_t sclass;
66b6d9d5 WC	242	const char *range = NULL;
	243
	244	assert(socket_fd >= 0);
	245	assert(exe);
	246	assert(label);
	247
7f416dae LP	248	if (!mac_selinux_use())
	249	return -EOPNOTSUPP;
	250
66b6d9d5	251	r = getcon(&mycon);
7f416dae LP	252	if (r < 0)
7f416dae LP	253	return -errno;
66b6d9d5 WC	254
66b6d9d5 WC	255	r = getpeercon(socket_fd, &peercon);
7f416dae LP	256	if (r < 0)
7f416dae LP	257	return -errno;
66b6d9d5 WC	258
66b6d9d5 WC	259	r = getexeccon(&fcon);
7f416dae LP	260	if (r < 0)
7f416dae LP	261	return -errno;
66b6d9d5 WC	262
	263	if (!fcon) {
	264	/* If there is no context set for next exec let's use context
	265	of target executable */
	266	r = getfilecon(exe, &fcon);
7f416dae LP	267	if (r < 0)
7f416dae LP	268	return -errno;
66b6d9d5 WC	269	}
	270
	271	bcon = context_new(mycon);
7f416dae LP	272	if (!bcon)
7f416dae LP	273	return -ENOMEM;
66b6d9d5 WC	274
66b6d9d5 WC	275	pcon = context_new(peercon);
7f416dae LP	276	if (!pcon)
7f416dae LP	277	return -ENOMEM;
66b6d9d5 WC	278
66b6d9d5 WC	279	range = context_range_get(pcon);
7f416dae LP	280	if (!range)
7f416dae LP	281	return -errno;
66b6d9d5 WC	282
66b6d9d5 WC	283	r = context_range_set(bcon, range);
7f416dae LP	284	if (r)
7f416dae LP	285	return -errno;
66b6d9d5 WC	286
	287	freecon(mycon);
	288	mycon = strdup(context_str(bcon));
7f416dae LP	289	if (!mycon)
7f416dae LP	290	return -ENOMEM;
66b6d9d5 WC	291
66b6d9d5 WC	292	sclass = string_to_security_class("process");
7f416dae LP	293	r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
	294	if (r < 0)
	295	return -errno;
66b6d9d5	296	#endif
7f416dae	297
66b6d9d5 WC	298	return r;
	299	}
	300
ecabcf8b LP	301	void mac_selinux_free(char *label) {
	302
	303	#ifdef HAVE_SELINUX
	304	if (!mac_selinux_use())
	305	return;
	306
	307	freecon((security_context_t) label);
	308	#endif
	309	}
	310
	311	int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
66b6d9d5 WC	312	int r = 0;
	313
	314	#ifdef HAVE_SELINUX
1ec220bc	315	_cleanup_security_context_free_ security_context_t filecon = NULL;
66b6d9d5	316
ecabcf8b LP	317	assert(path);
ecabcf8b LP	318
66cedb30	319	if (!label_hnd)
66b6d9d5 WC	320	return 0;
	321
	322	r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
	323	if (r < 0 && errno != ENOENT)
	324	r = -errno;
	325	else if (r == 0) {
	326	r = setfscreatecon(filecon);
	327	if (r < 0) {
ecabcf8b	328	log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
66b6d9d5 WC	329	r = -errno;
66b6d9d5 WC	330	}
66b6d9d5 WC	331	}
	332
	333	if (r < 0 && security_getenforce() == 0)
	334	r = 0;
	335	#endif
	336
	337	return r;
	338	}
	339
ecabcf8b	340	void mac_selinux_create_file_clear(void) {
66b6d9d5 WC	341
	342	#ifdef HAVE_SELINUX
	343	PROTECT_ERRNO;
	344
6baa7db0	345	if (!mac_selinux_use())
66b6d9d5 WC	346	return;
	347
	348	setfscreatecon(NULL);
	349	#endif
	350	}
	351
ecabcf8b	352	int mac_selinux_create_socket_prepare(const char *label) {
66b6d9d5 WC	353
66b6d9d5 WC	354	#ifdef HAVE_SELINUX
6baa7db0	355	if (!mac_selinux_use())
ecabcf8b	356	return 0;
66b6d9d5	357
ecabcf8b LP	358	assert(label);
	359
	360	if (setsockcreatecon((security_context_t) label) < 0) {
	361	log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
	362
	363	if (security_getenforce() == 1)
	364	return -errno;
	365	}
66b6d9d5	366	#endif
ecabcf8b LP	367
ecabcf8b LP	368	return 0;
66b6d9d5 WC	369	}
66b6d9d5 WC	370
ecabcf8b	371	void mac_selinux_create_socket_clear(void) {
66b6d9d5 WC	372
66b6d9d5 WC	373	#ifdef HAVE_SELINUX
ecabcf8b LP	374	PROTECT_ERRNO;
ecabcf8b LP	375
6baa7db0	376	if (!mac_selinux_use())
66b6d9d5 WC	377	return;
66b6d9d5 WC	378
ecabcf8b	379	setsockcreatecon(NULL);
66b6d9d5 WC	380	#endif
	381	}
	382
cc56fafe	383	int mac_selinux_mkdir(const char *path, mode_t mode) {
66b6d9d5	384
66b6d9d5	385	/* Creates a directory and labels it according to the SELinux policy */
ecabcf8b LP	386
ecabcf8b LP	387	#ifdef HAVE_SELINUX
1ec220bc	388	_cleanup_security_context_free_ security_context_t fcon = NULL;
ecabcf8b LP	389	int r;
	390
	391	assert(path);
66b6d9d5 WC	392
66b6d9d5 WC	393	if (!label_hnd)
ecabcf8b	394	goto skipped;
66b6d9d5 WC	395
	396	if (path_is_absolute(path))
	397	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR);
	398	else {
	399	_cleanup_free_ char *newpath;
	400
	401	newpath = path_make_absolute_cwd(path);
	402	if (!newpath)
	403	return -ENOMEM;
	404
	405	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR);
	406	}
	407
	408	if (r == 0)
	409	r = setfscreatecon(fcon);
	410
	411	if (r < 0 && errno != ENOENT) {
ecabcf8b	412	log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
66b6d9d5 WC	413
	414	if (security_getenforce() == 1) {
	415	r = -errno;
	416	goto finish;
	417	}
	418	}
	419
	420	r = mkdir(path, mode);
	421	if (r < 0)
	422	r = -errno;
	423
	424	finish:
	425	setfscreatecon(NULL);
66b6d9d5	426	return r;
ecabcf8b LP	427
	428	skipped:
	429	#endif
	430	return mkdir(path, mode) < 0 ? -errno : 0;
66b6d9d5 WC	431	}
66b6d9d5 WC	432
cc56fafe	433	int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
66b6d9d5 WC	434
	435	/* Binds a socket and label its file system object according to the SELinux policy */
	436
	437	#ifdef HAVE_SELINUX
1ec220bc	438	_cleanup_security_context_free_ security_context_t fcon = NULL;
66b6d9d5 WC	439	const struct sockaddr_un *un;
	440	char *path;
	441	int r;
	442
	443	assert(fd >= 0);
	444	assert(addr);
	445	assert(addrlen >= sizeof(sa_family_t));
	446
ecabcf8b	447	if (!label_hnd)
66b6d9d5 WC	448	goto skipped;
	449
	450	/* Filter out non-local sockets */
	451	if (addr->sa_family != AF_UNIX)
	452	goto skipped;
	453
	454	/* Filter out anonymous sockets */
	455	if (addrlen < sizeof(sa_family_t) + 1)
	456	goto skipped;
	457
	458	/* Filter out abstract namespace sockets */
	459	un = (const struct sockaddr_un*) addr;
	460	if (un->sun_path[0] == 0)
	461	goto skipped;
	462
	463	path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
	464
	465	if (path_is_absolute(path))
	466	r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
	467	else {
	468	_cleanup_free_ char *newpath;
	469
	470	newpath = path_make_absolute_cwd(path);
	471	if (!newpath)
	472	return -ENOMEM;
	473
	474	r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
	475	}
	476
	477	if (r == 0)
	478	r = setfscreatecon(fcon);
	479
	480	if (r < 0 && errno != ENOENT) {
ecabcf8b	481	log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
66b6d9d5 WC	482
	483	if (security_getenforce() == 1) {
	484	r = -errno;
	485	goto finish;
	486	}
	487	}
	488
	489	r = bind(fd, addr, addrlen);
	490	if (r < 0)
	491	r = -errno;
	492
	493	finish:
	494	setfscreatecon(NULL);
66b6d9d5 WC	495	return r;
	496
	497	skipped:
	498	#endif
	499	return bind(fd, addr, addrlen) < 0 ? -errno : 0;
	500	}