src/basic/selinux-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <errno.h>
   4 #include <malloc.h>
   5 #include <stddef.h>
   6 #include <string.h>
   7 #include <sys/stat.h>
   8 #include <sys/time.h>
   9 #include <sys/un.h>
  10 #include <syslog.h>
  11
  12 #if HAVE_SELINUX
  13 #include <selinux/context.h>
  14 #include <selinux/label.h>
  15 #include <selinux/selinux.h>
  16 #endif
  17
  18 #include "alloc-util.h"
  19 #include "fd-util.h"
  20 #include "log.h"
  21 #include "macro.h"
  22 #include "path-util.h"
  23 #include "selinux-util.h"
  24 #include "stdio-util.h"
  25 #include "time-util.h"
  26 #include "util.h"
  27
  28 #if HAVE_SELINUX
  29 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
  30 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
  31
  32 #define _cleanup_freecon_ _cleanup_(freeconp)
  33 #define _cleanup_context_free_ _cleanup_(context_freep)
  34
  35 static int cached_use = -1;
  36 static struct selabel_handle *label_hnd = NULL;
  37
  38 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
  39 #define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
  40 #endif
  41
  42 bool mac_selinux_use(void) {
  43 #if HAVE_SELINUX
  44         if (cached_use < 0)
  45                 cached_use = is_selinux_enabled() > 0;
  46
  47         return cached_use;
  48 #else
  49         return false;
  50 #endif
  51 }
  52
  53 void mac_selinux_retest(void) {
  54 #if HAVE_SELINUX
  55         cached_use = -1;
  56 #endif
  57 }
  58
  59 int mac_selinux_init(void) {
  60         int r = 0;
  61
  62 #if HAVE_SELINUX
  63         usec_t before_timestamp, after_timestamp;
  64         struct mallinfo before_mallinfo, after_mallinfo;
  65
  66         if (label_hnd)
  67                 return 0;
  68
  69         if (!mac_selinux_use())
  70                 return 0;
  71
  72         before_mallinfo = mallinfo();
  73         before_timestamp = now(CLOCK_MONOTONIC);
  74
  75         label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
  76         if (!label_hnd) {
  77                 log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
  78                 r = security_getenforce() == 1 ? -errno : 0;
  79         } else  {
  80                 char timespan[FORMAT_TIMESPAN_MAX];
  81                 int l;
  82
  83                 after_timestamp = now(CLOCK_MONOTONIC);
  84                 after_mallinfo = mallinfo();
  85
  86                 l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
  87
  88                 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
  89                           format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
  90                           (l+1023)/1024);
  91         }
  92 #endif
  93
  94         return r;
  95 }
  96
  97 void mac_selinux_finish(void) {
  98
  99 #if HAVE_SELINUX
 100         if (!label_hnd)
 101                 return;
 102
 103         selabel_close(label_hnd);
 104         label_hnd = NULL;
 105 #endif
 106 }
 107
 108 int mac_selinux_fix(const char *path, LabelFixFlags flags) {
 109
 110 #if HAVE_SELINUX
 111         char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
 112         _cleanup_freecon_ char* fcon = NULL;
 113         _cleanup_close_ int fd = -1;
 114         struct stat st;
 115         int r;
 116
 117         assert(path);
 118
 119         /* if mac_selinux_init() wasn't called before we are a NOOP */
 120         if (!label_hnd)
 121                 return 0;
 122
 123         /* Open the file as O_PATH, to pin it while we determine and adjust the label */
 124         fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
 125         if (fd < 0) {
 126                 if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
 127                         return 0;
 128
 129                 return -errno;
 130         }
 131
 132         if (fstat(fd, &st) < 0)
 133                 return -errno;
 134
 135         if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
 136                 r = -errno;
 137
 138                 /* If there's no label to set, then exit without warning */
 139                 if (r == -ENOENT)
 140                         return 0;
 141
 142                 goto fail;
 143         }
 144
 145         xsprintf(procfs_path, "/proc/self/fd/%i", fd);
 146         if (setfilecon_raw(procfs_path, fcon) < 0) {
 147                 _cleanup_freecon_ char *oldcon = NULL;
 148
 149                 r = -errno;
 150
 151                 /* If the FS doesn't support labels, then exit without warning */
 152                 if (r == -EOPNOTSUPP)
 153                         return 0;
 154
 155                 /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
 156                 if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
 157                         return 0;
 158
 159                 /* If the old label is identical to the new one, suppress any kind of error */
 160                 if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
 161                         return 0;
 162
 163                 goto fail;
 164         }
 165
 166         return 0;
 167
 168 fail:
 169         log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
 170         if (security_getenforce() == 1)
 171                 return r;
 172 #endif
 173
 174         return 0;
 175 }
 176
 177 int mac_selinux_apply(const char *path, const char *label) {
 178
 179 #if HAVE_SELINUX
 180         if (!mac_selinux_use())
 181                 return 0;
 182
 183         assert(path);
 184         assert(label);
 185
 186         if (setfilecon(path, label) < 0) {
 187                 log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
 188                 if (security_getenforce() > 0)
 189                         return -errno;
 190         }
 191 #endif
 192         return 0;
 193 }
 194
 195 int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
 196         int r = -EOPNOTSUPP;
 197
 198 #if HAVE_SELINUX
 199         _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
 200         security_class_t sclass;
 201
 202         assert(exe);
 203         assert(label);
 204
 205         if (!mac_selinux_use())
 206                 return -EOPNOTSUPP;
 207
 208         r = getcon_raw(&mycon);
 209         if (r < 0)
 210                 return -errno;
 211
 212         r = getfilecon_raw(exe, &fcon);
 213         if (r < 0)
 214                 return -errno;
 215
 216         sclass = string_to_security_class("process");
 217         r = security_compute_create_raw(mycon, fcon, sclass, label);
 218         if (r < 0)
 219                 return -errno;
 220 #endif
 221
 222         return r;
 223 }
 224
 225 int mac_selinux_get_our_label(char **label) {
 226         int r = -EOPNOTSUPP;
 227
 228         assert(label);
 229
 230 #if HAVE_SELINUX
 231         if (!mac_selinux_use())
 232                 return -EOPNOTSUPP;
 233
 234         r = getcon_raw(label);
 235         if (r < 0)
 236                 return -errno;
 237 #endif
 238
 239         return r;
 240 }
 241
 242 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
 243         int r = -EOPNOTSUPP;
 244
 245 #if HAVE_SELINUX
 246         _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
 247         _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
 248         security_class_t sclass;
 249         const char *range = NULL;
 250
 251         assert(socket_fd >= 0);
 252         assert(exe);
 253         assert(label);
 254
 255         if (!mac_selinux_use())
 256                 return -EOPNOTSUPP;
 257
 258         r = getcon_raw(&mycon);
 259         if (r < 0)
 260                 return -errno;
 261
 262         r = getpeercon_raw(socket_fd, &peercon);
 263         if (r < 0)
 264                 return -errno;
 265
 266         if (!exec_label) {
 267                 /* If there is no context set for next exec let's use context
 268                    of target executable */
 269                 r = getfilecon_raw(exe, &fcon);
 270                 if (r < 0)
 271                         return -errno;
 272         }
 273
 274         bcon = context_new(mycon);
 275         if (!bcon)
 276                 return -ENOMEM;
 277
 278         pcon = context_new(peercon);
 279         if (!pcon)
 280                 return -ENOMEM;
 281
 282         range = context_range_get(pcon);
 283         if (!range)
 284                 return -errno;
 285
 286         r = context_range_set(bcon, range);
 287         if (r)
 288                 return -errno;
 289
 290         freecon(mycon);
 291         mycon = strdup(context_str(bcon));
 292         if (!mycon)
 293                 return -ENOMEM;
 294
 295         sclass = string_to_security_class("process");
 296         r = security_compute_create_raw(mycon, fcon, sclass, label);
 297         if (r < 0)
 298                 return -errno;
 299 #endif
 300
 301         return r;
 302 }
 303
 304 char* mac_selinux_free(char *label) {
 305
 306 #if HAVE_SELINUX
 307         if (!label)
 308                 return NULL;
 309
 310         if (!mac_selinux_use())
 311                 return NULL;
 312
 313         freecon(label);
 314 #endif
 315
 316         return NULL;
 317 }
 318
 319 #if HAVE_SELINUX
 320 static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
 321         _cleanup_freecon_ char *filecon = NULL;
 322         int r;
 323
 324         assert(abspath);
 325         assert(path_is_absolute(abspath));
 326
 327         r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
 328         if (r < 0) {
 329                 /* No context specified by the policy? Proceed without setting it. */
 330                 if (errno == ENOENT)
 331                         return 0;
 332
 333                 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
 334         } else {
 335                 if (setfscreatecon_raw(filecon) >= 0)
 336                         return 0; /* Success! */
 337
 338                 log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
 339         }
 340
 341         if (security_getenforce() > 0)
 342                 return -errno;
 343
 344         return 0;
 345 }
 346 #endif
 347
 348 int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
 349         int r = 0;
 350
 351 #if HAVE_SELINUX
 352         _cleanup_free_ char *abspath = NULL;
 353
 354         assert(path);
 355
 356         if (!label_hnd)
 357                 return 0;
 358
 359         if (!path_is_absolute(path)) {
 360                 _cleanup_free_ char *p = NULL;
 361
 362                 if (dirfd == AT_FDCWD)
 363                         r = safe_getcwd(&p);
 364                 else
 365                         r = fd_get_path(dirfd, &p);
 366                 if (r < 0)
 367                         return r;
 368
 369                 abspath = path_join(NULL, p, path);
 370                 if (!abspath)
 371                         return -ENOMEM;
 372
 373                 path = abspath;
 374         }
 375
 376         r = selinux_create_file_prepare_abspath(path, mode);
 377 #endif
 378         return r;
 379 }
 380
 381 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 382         int r = 0;
 383
 384 #if HAVE_SELINUX
 385         _cleanup_free_ char *abspath = NULL;
 386
 387         assert(path);
 388
 389         if (!label_hnd)
 390                 return 0;
 391
 392         r = path_make_absolute_cwd(path, &abspath);
 393         if (r < 0)
 394                 return r;
 395
 396         r = selinux_create_file_prepare_abspath(abspath, mode);
 397 #endif
 398         return r;
 399 }
 400
 401 void mac_selinux_create_file_clear(void) {
 402
 403 #if HAVE_SELINUX
 404         PROTECT_ERRNO;
 405
 406         if (!mac_selinux_use())
 407                 return;
 408
 409         setfscreatecon_raw(NULL);
 410 #endif
 411 }
 412
 413 int mac_selinux_create_socket_prepare(const char *label) {
 414
 415 #if HAVE_SELINUX
 416         if (!mac_selinux_use())
 417                 return 0;
 418
 419         assert(label);
 420
 421         if (setsockcreatecon(label) < 0) {
 422                 log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
 423
 424                 if (security_getenforce() == 1)
 425                         return -errno;
 426         }
 427 #endif
 428
 429         return 0;
 430 }
 431
 432 void mac_selinux_create_socket_clear(void) {
 433
 434 #if HAVE_SELINUX
 435         PROTECT_ERRNO;
 436
 437         if (!mac_selinux_use())
 438                 return;
 439
 440         setsockcreatecon_raw(NULL);
 441 #endif
 442 }
 443
 444 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
 445
 446         /* Binds a socket and label its file system object according to the SELinux policy */
 447
 448 #if HAVE_SELINUX
 449         _cleanup_freecon_ char *fcon = NULL;
 450         const struct sockaddr_un *un;
 451         bool context_changed = false;
 452         char *path;
 453         int r;
 454
 455         assert(fd >= 0);
 456         assert(addr);
 457         assert(addrlen >= sizeof(sa_family_t));
 458
 459         if (!label_hnd)
 460                 goto skipped;
 461
 462         /* Filter out non-local sockets */
 463         if (addr->sa_family != AF_UNIX)
 464                 goto skipped;
 465
 466         /* Filter out anonymous sockets */
 467         if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
 468                 goto skipped;
 469
 470         /* Filter out abstract namespace sockets */
 471         un = (const struct sockaddr_un*) addr;
 472         if (un->sun_path[0] == 0)
 473                 goto skipped;
 474
 475         path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
 476
 477         if (path_is_absolute(path))
 478                 r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
 479         else {
 480                 _cleanup_free_ char *newpath = NULL;
 481
 482                 r = path_make_absolute_cwd(path, &newpath);
 483                 if (r < 0)
 484                         return r;
 485
 486                 r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
 487         }
 488
 489         if (r < 0) {
 490                 /* No context specified by the policy? Proceed without setting it */
 491                 if (errno == ENOENT)
 492                         goto skipped;
 493
 494                 log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
 495                 if (security_getenforce() > 0)
 496                         return -errno;
 497
 498         } else {
 499                 if (setfscreatecon_raw(fcon) < 0) {
 500                         log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
 501                         if (security_getenforce() > 0)
 502                                 return -errno;
 503                 } else
 504                         context_changed = true;
 505         }
 506
 507         r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
 508
 509         if (context_changed)
 510                 setfscreatecon_raw(NULL);
 511
 512         return r;
 513
 514 skipped:
 515 #endif
 516         if (bind(fd, addr, addrlen) < 0)
 517                 return -errno;
 518
 519         return 0;
 520 }