]>
Commit | Line | Data |
---|---|---|
cad45ba1 LP |
1 | /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ |
2 | ||
3 | /*** | |
4 | This file is part of systemd. | |
5 | ||
6 | Copyright 2010 Lennart Poettering | |
7 | ||
8 | systemd is free software; you can redistribute it and/or modify it | |
9 | under the terms of the GNU Lesser General Public License as published by | |
10 | the Free Software Foundation; either version 2.1 of the License, or | |
11 | (at your option) any later version. | |
12 | ||
13 | systemd is distributed in the hope that it will be useful, but | |
14 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
16 | Lesser General Public License for more details. | |
17 | ||
18 | You should have received a copy of the GNU Lesser General Public License | |
19 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
20 | ***/ | |
21 | ||
66b6d9d5 WC |
22 | #include <errno.h> |
23 | #include <unistd.h> | |
24 | #include <malloc.h> | |
25 | #include <sys/un.h> | |
26 | #ifdef HAVE_SELINUX | |
27 | #include <selinux/selinux.h> | |
28 | #include <selinux/label.h> | |
29 | #include <selinux/context.h> | |
30 | #endif | |
31 | ||
32 | #include "strv.h" | |
33 | #include "path-util.h" | |
cad45ba1 LP |
34 | #include "selinux-util.h" |
35 | ||
0b6018f3 | 36 | #ifdef HAVE_SELINUX |
66b6d9d5 WC |
37 | DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon); |
38 | DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free); | |
0b6018f3 | 39 | |
66b6d9d5 WC |
40 | #define _cleanup_security_context_free_ _cleanup_(freeconp) |
41 | #define _cleanup_context_free_ _cleanup_(context_freep) | |
0b6018f3 | 42 | |
6baa7db0 | 43 | static int cached_use = -1; |
66b6d9d5 | 44 | static struct selabel_handle *label_hnd = NULL; |
66cedb30 LP |
45 | |
46 | #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__) | |
66b6d9d5 | 47 | #endif |
cad45ba1 | 48 | |
6baa7db0 | 49 | bool mac_selinux_use(void) { |
66b6d9d5 | 50 | #ifdef HAVE_SELINUX |
6baa7db0 LP |
51 | if (cached_use < 0) |
52 | cached_use = is_selinux_enabled() > 0; | |
cad45ba1 | 53 | |
6baa7db0 | 54 | return cached_use; |
66b6d9d5 WC |
55 | #else |
56 | return false; | |
57 | #endif | |
cad45ba1 LP |
58 | } |
59 | ||
6baa7db0 | 60 | void mac_selinux_retest(void) { |
66b6d9d5 | 61 | #ifdef HAVE_SELINUX |
6baa7db0 | 62 | cached_use = -1; |
66b6d9d5 | 63 | #endif |
cad45ba1 | 64 | } |
0b6018f3 | 65 | |
cc56fafe | 66 | int mac_selinux_init(const char *prefix) { |
66b6d9d5 | 67 | int r = 0; |
d682b3a7 | 68 | |
66b6d9d5 WC |
69 | #ifdef HAVE_SELINUX |
70 | usec_t before_timestamp, after_timestamp; | |
71 | struct mallinfo before_mallinfo, after_mallinfo; | |
72 | ||
6baa7db0 | 73 | if (!mac_selinux_use()) |
66b6d9d5 WC |
74 | return 0; |
75 | ||
76 | if (label_hnd) | |
77 | return 0; | |
78 | ||
79 | before_mallinfo = mallinfo(); | |
80 | before_timestamp = now(CLOCK_MONOTONIC); | |
81 | ||
82 | if (prefix) { | |
83 | struct selinux_opt options[] = { | |
84 | { .type = SELABEL_OPT_SUBSET, .value = prefix }, | |
85 | }; | |
86 | ||
87 | label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options)); | |
88 | } else | |
89 | label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); | |
90 | ||
91 | if (!label_hnd) { | |
66cedb30 | 92 | log_enforcing("Failed to initialize SELinux context: %m"); |
66b6d9d5 WC |
93 | r = security_getenforce() == 1 ? -errno : 0; |
94 | } else { | |
95 | char timespan[FORMAT_TIMESPAN_MAX]; | |
96 | int l; | |
97 | ||
98 | after_timestamp = now(CLOCK_MONOTONIC); | |
99 | after_mallinfo = mallinfo(); | |
100 | ||
101 | l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0; | |
102 | ||
103 | log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.", | |
104 | format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0), | |
105 | (l+1023)/1024); | |
106 | } | |
107 | #endif | |
108 | ||
109 | return r; | |
d682b3a7 LP |
110 | } |
111 | ||
ecabcf8b LP |
112 | void mac_selinux_finish(void) { |
113 | ||
114 | #ifdef HAVE_SELINUX | |
115 | if (!label_hnd) | |
116 | return; | |
117 | ||
118 | selabel_close(label_hnd); | |
119 | #endif | |
120 | } | |
121 | ||
cc56fafe | 122 | int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { |
66b6d9d5 WC |
123 | |
124 | #ifdef HAVE_SELINUX | |
125 | struct stat st; | |
ecabcf8b | 126 | int r; |
66b6d9d5 | 127 | |
5dfc5461 LP |
128 | assert(path); |
129 | ||
130 | /* if mac_selinux_init() wasn't called before we are a NOOP */ | |
66b6d9d5 WC |
131 | if (!label_hnd) |
132 | return 0; | |
133 | ||
134 | r = lstat(path, &st); | |
5dfc5461 LP |
135 | if (r >= 0) { |
136 | _cleanup_security_context_free_ security_context_t fcon = NULL; | |
137 | ||
66b6d9d5 WC |
138 | r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode); |
139 | ||
140 | /* If there's no label to set, then exit without warning */ | |
141 | if (r < 0 && errno == ENOENT) | |
142 | return 0; | |
143 | ||
5dfc5461 | 144 | if (r >= 0) { |
66b6d9d5 | 145 | r = lsetfilecon(path, fcon); |
66b6d9d5 WC |
146 | |
147 | /* If the FS doesn't support labels, then exit without warning */ | |
148 | if (r < 0 && errno == ENOTSUP) | |
149 | return 0; | |
150 | } | |
151 | } | |
152 | ||
153 | if (r < 0) { | |
154 | /* Ignore ENOENT in some cases */ | |
155 | if (ignore_enoent && errno == ENOENT) | |
156 | return 0; | |
157 | ||
158 | if (ignore_erofs && errno == EROFS) | |
159 | return 0; | |
160 | ||
ecabcf8b LP |
161 | log_enforcing("Unable to fix SELinux security context of %s: %m", path); |
162 | if (security_getenforce() == 1) | |
163 | return -errno; | |
66b6d9d5 WC |
164 | } |
165 | #endif | |
166 | ||
ecabcf8b | 167 | return 0; |
66b6d9d5 WC |
168 | } |
169 | ||
ecabcf8b | 170 | int mac_selinux_apply(const char *path, const char *label) { |
66b6d9d5 WC |
171 | |
172 | #ifdef HAVE_SELINUX | |
ecabcf8b LP |
173 | assert(path); |
174 | assert(label); | |
66b6d9d5 | 175 | |
ecabcf8b LP |
176 | if (!mac_selinux_use()) |
177 | return 0; | |
178 | ||
179 | if (setfilecon(path, (security_context_t) label) < 0) { | |
180 | log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path); | |
181 | if (security_getenforce() == 1) | |
182 | return -errno; | |
183 | } | |
66b6d9d5 | 184 | #endif |
ecabcf8b | 185 | return 0; |
d682b3a7 LP |
186 | } |
187 | ||
cc56fafe | 188 | int mac_selinux_get_create_label_from_exe(const char *exe, char **label) { |
7f416dae | 189 | int r = -EOPNOTSUPP; |
66b6d9d5 WC |
190 | |
191 | #ifdef HAVE_SELINUX | |
1ec220bc | 192 | _cleanup_security_context_free_ security_context_t mycon = NULL, fcon = NULL; |
66b6d9d5 WC |
193 | security_class_t sclass; |
194 | ||
7f416dae LP |
195 | assert(exe); |
196 | assert(label); | |
197 | ||
198 | if (!mac_selinux_use()) | |
199 | return -EOPNOTSUPP; | |
66b6d9d5 WC |
200 | |
201 | r = getcon(&mycon); | |
202 | if (r < 0) | |
7f416dae | 203 | return -errno; |
66b6d9d5 WC |
204 | |
205 | r = getfilecon(exe, &fcon); | |
206 | if (r < 0) | |
7f416dae | 207 | return -errno; |
66b6d9d5 WC |
208 | |
209 | sclass = string_to_security_class("process"); | |
210 | r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label); | |
7f416dae LP |
211 | if (r < 0) |
212 | return -errno; | |
66b6d9d5 WC |
213 | #endif |
214 | ||
215 | return r; | |
216 | } | |
217 | ||
cc56fafe | 218 | int mac_selinux_get_our_label(char **label) { |
66b6d9d5 WC |
219 | int r = -EOPNOTSUPP; |
220 | ||
7f416dae LP |
221 | assert(label); |
222 | ||
66b6d9d5 | 223 | #ifdef HAVE_SELINUX |
7f416dae LP |
224 | if (!mac_selinux_use()) |
225 | return -EOPNOTSUPP; | |
66b6d9d5 | 226 | |
7f416dae | 227 | r = getcon(label); |
66b6d9d5 | 228 | if (r < 0) |
7f416dae | 229 | return -errno; |
0b6018f3 | 230 | #endif |
66b6d9d5 WC |
231 | |
232 | return r; | |
233 | } | |
234 | ||
cc56fafe | 235 | int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) { |
66b6d9d5 WC |
236 | int r = -EOPNOTSUPP; |
237 | ||
238 | #ifdef HAVE_SELINUX | |
7f416dae | 239 | _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL; |
66b6d9d5 WC |
240 | _cleanup_context_free_ context_t pcon = NULL, bcon = NULL; |
241 | security_class_t sclass; | |
66b6d9d5 WC |
242 | const char *range = NULL; |
243 | ||
244 | assert(socket_fd >= 0); | |
245 | assert(exe); | |
246 | assert(label); | |
247 | ||
7f416dae LP |
248 | if (!mac_selinux_use()) |
249 | return -EOPNOTSUPP; | |
250 | ||
66b6d9d5 | 251 | r = getcon(&mycon); |
7f416dae LP |
252 | if (r < 0) |
253 | return -errno; | |
66b6d9d5 WC |
254 | |
255 | r = getpeercon(socket_fd, &peercon); | |
7f416dae LP |
256 | if (r < 0) |
257 | return -errno; | |
66b6d9d5 WC |
258 | |
259 | r = getexeccon(&fcon); | |
7f416dae LP |
260 | if (r < 0) |
261 | return -errno; | |
66b6d9d5 WC |
262 | |
263 | if (!fcon) { | |
264 | /* If there is no context set for next exec let's use context | |
265 | of target executable */ | |
266 | r = getfilecon(exe, &fcon); | |
7f416dae LP |
267 | if (r < 0) |
268 | return -errno; | |
66b6d9d5 WC |
269 | } |
270 | ||
271 | bcon = context_new(mycon); | |
7f416dae LP |
272 | if (!bcon) |
273 | return -ENOMEM; | |
66b6d9d5 WC |
274 | |
275 | pcon = context_new(peercon); | |
7f416dae LP |
276 | if (!pcon) |
277 | return -ENOMEM; | |
66b6d9d5 WC |
278 | |
279 | range = context_range_get(pcon); | |
7f416dae LP |
280 | if (!range) |
281 | return -errno; | |
66b6d9d5 WC |
282 | |
283 | r = context_range_set(bcon, range); | |
7f416dae LP |
284 | if (r) |
285 | return -errno; | |
66b6d9d5 WC |
286 | |
287 | freecon(mycon); | |
288 | mycon = strdup(context_str(bcon)); | |
7f416dae LP |
289 | if (!mycon) |
290 | return -ENOMEM; | |
66b6d9d5 WC |
291 | |
292 | sclass = string_to_security_class("process"); | |
7f416dae LP |
293 | r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label); |
294 | if (r < 0) | |
295 | return -errno; | |
66b6d9d5 | 296 | #endif |
7f416dae | 297 | |
66b6d9d5 WC |
298 | return r; |
299 | } | |
300 | ||
ecabcf8b LP |
301 | void mac_selinux_free(char *label) { |
302 | ||
303 | #ifdef HAVE_SELINUX | |
304 | if (!mac_selinux_use()) | |
305 | return; | |
306 | ||
307 | freecon((security_context_t) label); | |
308 | #endif | |
309 | } | |
310 | ||
311 | int mac_selinux_create_file_prepare(const char *path, mode_t mode) { | |
66b6d9d5 WC |
312 | int r = 0; |
313 | ||
314 | #ifdef HAVE_SELINUX | |
1ec220bc | 315 | _cleanup_security_context_free_ security_context_t filecon = NULL; |
66b6d9d5 | 316 | |
ecabcf8b LP |
317 | assert(path); |
318 | ||
66cedb30 | 319 | if (!label_hnd) |
66b6d9d5 WC |
320 | return 0; |
321 | ||
322 | r = selabel_lookup_raw(label_hnd, &filecon, path, mode); | |
323 | if (r < 0 && errno != ENOENT) | |
324 | r = -errno; | |
325 | else if (r == 0) { | |
326 | r = setfscreatecon(filecon); | |
327 | if (r < 0) { | |
ecabcf8b | 328 | log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path); |
66b6d9d5 WC |
329 | r = -errno; |
330 | } | |
66b6d9d5 WC |
331 | } |
332 | ||
333 | if (r < 0 && security_getenforce() == 0) | |
334 | r = 0; | |
335 | #endif | |
336 | ||
337 | return r; | |
338 | } | |
339 | ||
ecabcf8b | 340 | void mac_selinux_create_file_clear(void) { |
66b6d9d5 WC |
341 | |
342 | #ifdef HAVE_SELINUX | |
343 | PROTECT_ERRNO; | |
344 | ||
6baa7db0 | 345 | if (!mac_selinux_use()) |
66b6d9d5 WC |
346 | return; |
347 | ||
348 | setfscreatecon(NULL); | |
349 | #endif | |
350 | } | |
351 | ||
ecabcf8b | 352 | int mac_selinux_create_socket_prepare(const char *label) { |
66b6d9d5 WC |
353 | |
354 | #ifdef HAVE_SELINUX | |
6baa7db0 | 355 | if (!mac_selinux_use()) |
ecabcf8b | 356 | return 0; |
66b6d9d5 | 357 | |
ecabcf8b LP |
358 | assert(label); |
359 | ||
360 | if (setsockcreatecon((security_context_t) label) < 0) { | |
361 | log_enforcing("Failed to set SELinux security context %s for sockets: %m", label); | |
362 | ||
363 | if (security_getenforce() == 1) | |
364 | return -errno; | |
365 | } | |
66b6d9d5 | 366 | #endif |
ecabcf8b LP |
367 | |
368 | return 0; | |
66b6d9d5 WC |
369 | } |
370 | ||
ecabcf8b | 371 | void mac_selinux_create_socket_clear(void) { |
66b6d9d5 WC |
372 | |
373 | #ifdef HAVE_SELINUX | |
ecabcf8b LP |
374 | PROTECT_ERRNO; |
375 | ||
6baa7db0 | 376 | if (!mac_selinux_use()) |
66b6d9d5 WC |
377 | return; |
378 | ||
ecabcf8b | 379 | setsockcreatecon(NULL); |
66b6d9d5 WC |
380 | #endif |
381 | } | |
382 | ||
cc56fafe | 383 | int mac_selinux_mkdir(const char *path, mode_t mode) { |
66b6d9d5 | 384 | |
66b6d9d5 | 385 | /* Creates a directory and labels it according to the SELinux policy */ |
ecabcf8b LP |
386 | |
387 | #ifdef HAVE_SELINUX | |
1ec220bc | 388 | _cleanup_security_context_free_ security_context_t fcon = NULL; |
ecabcf8b LP |
389 | int r; |
390 | ||
391 | assert(path); | |
66b6d9d5 WC |
392 | |
393 | if (!label_hnd) | |
ecabcf8b | 394 | goto skipped; |
66b6d9d5 WC |
395 | |
396 | if (path_is_absolute(path)) | |
397 | r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFDIR); | |
398 | else { | |
399 | _cleanup_free_ char *newpath; | |
400 | ||
401 | newpath = path_make_absolute_cwd(path); | |
402 | if (!newpath) | |
403 | return -ENOMEM; | |
404 | ||
405 | r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFDIR); | |
406 | } | |
407 | ||
408 | if (r == 0) | |
409 | r = setfscreatecon(fcon); | |
410 | ||
411 | if (r < 0 && errno != ENOENT) { | |
ecabcf8b | 412 | log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path); |
66b6d9d5 WC |
413 | |
414 | if (security_getenforce() == 1) { | |
415 | r = -errno; | |
416 | goto finish; | |
417 | } | |
418 | } | |
419 | ||
420 | r = mkdir(path, mode); | |
421 | if (r < 0) | |
422 | r = -errno; | |
423 | ||
424 | finish: | |
425 | setfscreatecon(NULL); | |
66b6d9d5 | 426 | return r; |
ecabcf8b LP |
427 | |
428 | skipped: | |
429 | #endif | |
430 | return mkdir(path, mode) < 0 ? -errno : 0; | |
66b6d9d5 WC |
431 | } |
432 | ||
cc56fafe | 433 | int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) { |
66b6d9d5 WC |
434 | |
435 | /* Binds a socket and label its file system object according to the SELinux policy */ | |
436 | ||
437 | #ifdef HAVE_SELINUX | |
1ec220bc | 438 | _cleanup_security_context_free_ security_context_t fcon = NULL; |
66b6d9d5 WC |
439 | const struct sockaddr_un *un; |
440 | char *path; | |
441 | int r; | |
442 | ||
443 | assert(fd >= 0); | |
444 | assert(addr); | |
445 | assert(addrlen >= sizeof(sa_family_t)); | |
446 | ||
ecabcf8b | 447 | if (!label_hnd) |
66b6d9d5 WC |
448 | goto skipped; |
449 | ||
450 | /* Filter out non-local sockets */ | |
451 | if (addr->sa_family != AF_UNIX) | |
452 | goto skipped; | |
453 | ||
454 | /* Filter out anonymous sockets */ | |
455 | if (addrlen < sizeof(sa_family_t) + 1) | |
456 | goto skipped; | |
457 | ||
458 | /* Filter out abstract namespace sockets */ | |
459 | un = (const struct sockaddr_un*) addr; | |
460 | if (un->sun_path[0] == 0) | |
461 | goto skipped; | |
462 | ||
463 | path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path)); | |
464 | ||
465 | if (path_is_absolute(path)) | |
466 | r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK); | |
467 | else { | |
468 | _cleanup_free_ char *newpath; | |
469 | ||
470 | newpath = path_make_absolute_cwd(path); | |
471 | if (!newpath) | |
472 | return -ENOMEM; | |
473 | ||
474 | r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK); | |
475 | } | |
476 | ||
477 | if (r == 0) | |
478 | r = setfscreatecon(fcon); | |
479 | ||
480 | if (r < 0 && errno != ENOENT) { | |
ecabcf8b | 481 | log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path); |
66b6d9d5 WC |
482 | |
483 | if (security_getenforce() == 1) { | |
484 | r = -errno; | |
485 | goto finish; | |
486 | } | |
487 | } | |
488 | ||
489 | r = bind(fd, addr, addrlen); | |
490 | if (r < 0) | |
491 | r = -errno; | |
492 | ||
493 | finish: | |
494 | setfscreatecon(NULL); | |
66b6d9d5 WC |
495 | return r; |
496 | ||
497 | skipped: | |
498 | #endif | |
499 | return bind(fd, addr, addrlen) < 0 ? -errno : 0; | |
500 | } |