Add SPDX license identifiers to source files under the LGPL
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2010 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include <errno.h>
22 #include <malloc.h>
23 #include <stddef.h>
24 #include <string.h>
25 #include <sys/stat.h>
26 #include <sys/time.h>
27 #include <sys/un.h>
28 #include <syslog.h>
29
30 #if HAVE_SELINUX
31 #include <selinux/context.h>
32 #include <selinux/label.h>
33 #include <selinux/selinux.h>
34 #endif
35
36 #include "alloc-util.h"
37 #include "log.h"
38 #include "macro.h"
39 #include "path-util.h"
40 #include "selinux-util.h"
41 #include "time-util.h"
42 #include "util.h"
43
#if HAVE_SELINUX
/* Cleanup helpers: the generated freeconp()/context_freep() are what the _cleanup_ attributes below
 * refer to, so context strings and context_t objects declared with them are released on scope exit. */
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);

#define _cleanup_freecon_ _cleanup_(freeconp)
#define _cleanup_context_free_ _cleanup_(context_freep)

/* Cached answer of is_selinux_enabled(); a negative value means "not probed yet"
 * (see mac_selinux_use() and mac_selinux_retest()). */
static int cached_use = -1;
/* Labeling handle for file contexts; NULL until mac_selinux_init() opens it and again after
 * mac_selinux_finish() closes it. Several functions below are no-ops while it is NULL. */
static struct selabel_handle *label_hnd = NULL;

/* Logs the current errno at LOG_ERR when security_getenforce() reports enforcing mode (1), and at
 * LOG_DEBUG otherwise (permissive, or the query itself failed).
 * NOTE(review): security_getenforce() is evaluated in the same expression that reads errno; if that
 * call modifies errno the logged error may not be the one from the failing operation — confirm. */
#define log_enforcing(...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, errno, __VA_ARGS__)
#endif
56
/* Reports whether SELinux is enabled on this system. The kernel is asked only once; the answer is
 * kept in cached_use until mac_selinux_retest() invalidates it. Always false when built without
 * SELinux support. */
bool mac_selinux_use(void) {
#if HAVE_SELINUX
        if (cached_use >= 0)
                return cached_use;

        /* First call (or first call after a retest): probe and remember the result. */
        cached_use = is_selinux_enabled() > 0;
        return cached_use;
#else
        return false;
#endif
}
67
/* Drops the cached "is SELinux enabled" answer so that the next mac_selinux_use() call probes the
 * kernel again. No-op when built without SELinux support. */
void mac_selinux_retest(void) {
#if HAVE_SELINUX
        /* Negative means "unknown", which forces a fresh is_selinux_enabled() query. */
        cached_use = -1;
#endif
}
73
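/* Opens the file-context labeling handle (label_hnd) used by the relabeling helpers in this file.
 *
 * Returns 0 if the handle is already open, if SELinux is not in use, on success, or if opening
 * failed while the system is not enforcing. Returns a negative errno-style value if opening failed
 * in enforcing mode. Always 0 when built without SELinux support. */
int mac_selinux_init(void) {
        int r = 0;

#if HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
        struct mallinfo before_mallinfo, after_mallinfo;

        if (label_hnd)
                return 0;

        if (!mac_selinux_use())
                return 0;

        /* Snapshot heap usage and time so the cost of loading the database can be logged. */
        before_mallinfo = mallinfo();
        before_timestamp = now(CLOCK_MONOTONIC);

        label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        if (!label_hnd) {
                /* Capture errno before logging and before querying the enforcing state: both run
                 * library code that may modify errno, and the caller must get selabel_open()'s error. */
                int saved_errno = errno;

                log_enforcing("Failed to initialize SELinux context: %m");
                r = security_getenforce() == 1 ? -saved_errno : 0;
        } else  {
                char timespan[FORMAT_TIMESPAN_MAX];
                int l;

                after_timestamp = now(CLOCK_MONOTONIC);
                after_mallinfo = mallinfo();

                /* Clamp to zero in case the allocator reports less memory in use than before. */
                l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
                          (l+1023)/1024);
        }
#endif

        return r;
}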
111
/* Closes the labeling handle opened by mac_selinux_init(), if there is one, and resets label_hnd to
 * NULL so a later mac_selinux_init() can open it again. No-op when built without SELinux support. */
void mac_selinux_finish(void) {

#if HAVE_SELINUX
        if (label_hnd) {
                selabel_close(label_hnd);
                /* Clear the pointer so nothing uses the closed handle afterwards. */
                label_hnd = NULL;
        }
#endif
}
122
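/* Sets the SELinux label of 'path' to the context the loaded labeling database assigns to that path
 * and file type.
 *
 * path:          file system object to relabel (not followed if it is a symlink: lstat() and
 *                lsetfilecon_raw() are used).
 * ignore_enoent: treat ENOENT from lstat()/lsetfilecon_raw() as success.
 * ignore_erofs:  treat EROFS as success.
 *
 * Returns 0 on success, when mac_selinux_init() was not called, when the database has no entry for
 * the path, when the file system does not support labels, or on any failure while not enforcing.
 * Returns a negative errno-style value on failure in enforcing mode.
 *
 * NOTE(review): the path is resolved separately by lstat() and lsetfilecon_raw(); if a less
 * privileged party can modify a parent directory, the object could change between the two calls.
 * Callers should only pass paths in locations they control — confirm against callers. */
int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {

#if HAVE_SELINUX
        struct stat st;
        int r;

        assert(path);

        /* if mac_selinux_init() wasn't called before we are a NOOP */
        if (!label_hnd)
                return 0;

        r = lstat(path, &st);
        if (r >= 0) {
                _cleanup_freecon_ char* fcon = NULL;

                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);

                /* If there's no label to set, then exit without warning */
                if (r < 0 && errno == ENOENT)
                        return 0;

                if (r >= 0) {
                        r = lsetfilecon_raw(path, fcon);

                        /* If the FS doesn't support labels, then exit without warning */
                        if (r < 0 && errno == EOPNOTSUPP)
                                return 0;
                }
        }

        if (r < 0) {
                /* Keep the failing call's errno: logging and security_getenforce() run before the
                 * return and may modify errno. */
                int saved_errno = errno;

                /* Ignore ENOENT in some cases */
                if (ignore_enoent && saved_errno == ENOENT)
                        return 0;

                if (ignore_erofs && saved_errno == EROFS)
                        return 0;

                log_enforcing("Unable to fix SELinux security context of %s: %m", path);
                if (security_getenforce() == 1)
                        return -saved_errno;
        }
#endif

        return 0;
}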
170
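/* Applies the explicitly given SELinux context 'label' to 'path'.
 *
 * Returns 0 when SELinux is not in use, on success, or on failure while not enforcing; returns a
 * negative errno-style value on failure in enforcing mode.
 *
 * Note that setfilecon() follows symbolic links (lsetfilecon() is the non-following variant), so
 * the label ends up on the link target. */
int mac_selinux_apply(const char *path, const char *label) {

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(path);
        assert(label);

        if (setfilecon(path, label) < 0) {
                /* Remember setfilecon()'s error before logging and before asking for the enforcing
                 * state, as both may modify errno. */
                int saved_errno = errno;

                log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
                if (security_getenforce() > 0)
                        return -saved_errno;
        }
#endif
        return 0;
}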
188
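/* Computes the context a new process would get when the current context executes 'exe', and stores
 * it in *label.
 *
 * Returns the non-negative result of security_compute_create_raw() on success. Returns -EOPNOTSUPP
 * when SELinux is not in use or not compiled in, -ENOSYS when the "process" security class cannot
 * be resolved, and a negative errno-style value when one of the libselinux queries fails. */
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
        int r = -EOPNOTSUPP;

#if HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
        security_class_t sclass;

        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        /* Source context: our own. */
        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        /* Target context: the label of the executable. */
        r = getfilecon_raw(exe, &fcon);
        if (r < 0)
                return -errno;

        /* string_to_security_class() returns 0 for a class it cannot resolve; do not feed that into
         * the create computation. */
        sclass = string_to_security_class("process");
        if (sclass == 0)
                return -ENOSYS;

        r = security_compute_create_raw(mycon, fcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}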
218
/* Stores the calling process's own SELinux context in *label.
 *
 * Returns the non-negative result of getcon_raw() on success, a negative errno-style value if that
 * call fails, and -EOPNOTSUPP when SELinux is not in use or not compiled in. */
int mac_selinux_get_our_label(char **label) {
        int ret = -EOPNOTSUPP;

        assert(label);

#if HAVE_SELINUX
        if (mac_selinux_use()) {
                ret = getcon_raw(label);
                if (ret < 0)
                        ret = -errno;
        }
#endif

        return ret;
}
235
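/* Computes the context for a child process serving the peer connected on 'socket_fd': our own
 * context with its range replaced by the range of the peer's context, combined with the label of
 * 'exe' through security_compute_create_raw(). The result is stored in *label.
 *
 * Returns the non-negative result of security_compute_create_raw() on success. Returns -EOPNOTSUPP
 * when SELinux is not in use or not compiled in, -ENOMEM on allocation failure, -ENOSYS when the
 * "process" security class cannot be resolved, and a negative errno-style value when a libselinux
 * query fails.
 *
 * NOTE(review): when exec_label is non-NULL, fcon stays NULL and is passed as the target context to
 * security_compute_create_raw(); exec_label itself is not otherwise used here — confirm intent. */
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
        int r = -EOPNOTSUPP;

#if HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
        security_class_t sclass;
        const char *range = NULL, *merged = NULL;
        char *copy;

        assert(socket_fd >= 0);
        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        r = getpeercon_raw(socket_fd, &peercon);
        if (r < 0)
                return -errno;

        if (!exec_label) {
                /* If there is no context set for next exec let's use context
                   of target executable */
                r = getfilecon_raw(exe, &fcon);
                if (r < 0)
                        return -errno;
        }

        bcon = context_new(mycon);
        if (!bcon)
                return -ENOMEM;

        pcon = context_new(peercon);
        if (!pcon)
                return -ENOMEM;

        /* Take the range (MLS/MCS part) from the peer and graft it onto our own context. */
        range = context_range_get(pcon);
        if (!range)
                return -errno;

        r = context_range_set(bcon, range);
        if (r)
                return -errno;

        /* context_str() can return NULL; check before handing the pointer to strdup(). */
        merged = context_str(bcon);
        if (!merged)
                return -ENOMEM;

        /* Duplicate first and swap afterwards, so mycon never refers to freed memory on an error path. */
        copy = strdup(merged);
        if (!copy)
                return -ENOMEM;

        freecon(mycon);
        mycon = copy;

        /* string_to_security_class() returns 0 for a class it cannot resolve. */
        sclass = string_to_security_class("process");
        if (sclass == 0)
                return -ENOSYS;

        r = security_compute_create_raw(mycon, fcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}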
297
/* Releases a context string with freecon() and always returns NULL, so callers can write
 * "label = mac_selinux_free(label);". Nothing is released when 'label' is NULL, when SELinux is not
 * in use, or when built without SELinux support. */
char* mac_selinux_free(char *label) {

#if HAVE_SELINUX
        /* mac_selinux_use() is only consulted when there is something to free. */
        if (label && mac_selinux_use())
                freecon(label);
#endif

        return NULL;
}
313
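/* Looks up the context the labeling database assigns to 'path' for file type 'mode' and installs it
 * with setfscreatecon_raw(), so that a file system object created next gets that label.
 * mac_selinux_create_file_clear() resets the creation context again.
 *
 * Relative paths are made absolute against the current working directory before the lookup.
 *
 * Returns 0 when mac_selinux_init() was not called, when the database has no entry for the path, on
 * success, or on failure while not enforcing. Returns a negative errno-style value on failure in
 * enforcing mode, or the error from path_make_absolute_cwd(). */
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {

#if HAVE_SELINUX
        _cleanup_freecon_ char *filecon = NULL;
        int r, saved_errno = 0;

        assert(path);

        if (!label_hnd)
                return 0;

        /* errno is captured right after each lookup: the cleanup of newpath, the logging and
         * security_getenforce() all run before the final return and may modify errno. */
        if (path_is_absolute(path)) {
                r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
                if (r < 0)
                        saved_errno = errno;
        } else {
                _cleanup_free_ char *newpath = NULL;

                r = path_make_absolute_cwd(path, &newpath);
                if (r < 0)
                        return r;

                r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
                if (r < 0)
                        saved_errno = errno;
        }

        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it. */
                if (saved_errno == ENOENT)
                        return 0;

                /* log_enforcing() formats %m from errno, so put the lookup error back first. */
                errno = saved_errno;
                log_enforcing("Failed to determine SELinux security context for %s: %m", path);
        } else {
                if (setfscreatecon_raw(filecon) >= 0)
                        return 0; /* Success! */

                saved_errno = errno;
                log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
        }

        /* Only fail hard when the policy is being enforced. */
        if (security_getenforce() > 0)
                return -saved_errno;

#endif
        return 0;
}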
356
/* Resets the file creation context by calling setfscreatecon_raw(NULL), undoing what
 * mac_selinux_create_file_prepare() installed. PROTECT_ERRNO is declared first so the caller's
 * errno is not disturbed by this cleanup. No-op when SELinux is not in use or not compiled in. */
void mac_selinux_create_file_clear(void) {

#if HAVE_SELINUX
        PROTECT_ERRNO;

        if (mac_selinux_use())
                setfscreatecon_raw(NULL);
#endif
}
368
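/* Installs 'label' as the socket creation context via setsockcreatecon(), so that a socket created
 * next gets that label. mac_selinux_create_socket_clear() resets it again.
 *
 * Returns 0 when SELinux is not in use, on success, or on failure while not enforcing; returns a
 * negative errno-style value on failure in enforcing mode. */
int mac_selinux_create_socket_prepare(const char *label) {

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(label);

        if (setsockcreatecon(label) < 0) {
                /* Keep setsockcreatecon()'s error: logging and security_getenforce() may modify
                 * errno before it is returned. */
                int saved_errno = errno;

                log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);

                if (security_getenforce() == 1)
                        return -saved_errno;
        }
#endif

        return 0;
}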
387
/* Resets the socket creation context by calling setsockcreatecon_raw(NULL), undoing what
 * mac_selinux_create_socket_prepare() installed. PROTECT_ERRNO is declared first so the caller's
 * errno is not disturbed by this cleanup. No-op when SELinux is not in use or not compiled in. */
void mac_selinux_create_socket_clear(void) {

#if HAVE_SELINUX
        PROTECT_ERRNO;

        if (mac_selinux_use())
                setsockcreatecon_raw(NULL);
#endif
}
399
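/* Binds a socket and labels its file system object according to the SELinux policy.
 *
 * For AF_UNIX sockets bound to a file system path, the context the labeling database assigns to
 * that path (as S_IFSOCK) is installed as file creation context around the bind() call and reset
 * afterwards. All other sockets (non-AF_UNIX, anonymous, abstract namespace), and every socket when
 * mac_selinux_init() was not called or SELinux support is compiled out, get a plain bind().
 *
 * Returns 0 on success and a negative errno-style value if bind() fails. If determining or
 * installing the context fails, the error is returned only in enforcing mode; otherwise the socket
 * is bound without the label.
 *
 * NOTE(review): addrlen is trusted to describe the object 'addr' points to; it bounds how many
 * bytes of sun_path are copied — confirm callers never pass a larger value. */
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

#if HAVE_SELINUX
        _cleanup_freecon_ char *fcon = NULL;
        const struct sockaddr_un *un;
        bool context_changed = false;
        char *path;
        int r, saved_errno = 0;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        if (!label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        /* sun_path need not be NUL-terminated, hence the length-bounded copy. */
        path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));

        /* errno is captured right after each lookup: the cleanup of newpath, the logging and
         * security_getenforce() all run before the error is returned and may modify errno. */
        if (path_is_absolute(path)) {
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
                if (r < 0)
                        saved_errno = errno;
        } else {
                _cleanup_free_ char *newpath = NULL;

                r = path_make_absolute_cwd(path, &newpath);
                if (r < 0)
                        return r;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
                if (r < 0)
                        saved_errno = errno;
        }

        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it */
                if (saved_errno == ENOENT)
                        goto skipped;

                /* log_enforcing() formats %m from errno, so put the lookup error back first. */
                errno = saved_errno;
                log_enforcing("Failed to determine SELinux security context for %s: %m", path);
                if (security_getenforce() > 0)
                        return -saved_errno;

        } else {
                if (setfscreatecon_raw(fcon) < 0) {
                        saved_errno = errno;

                        log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
                        if (security_getenforce() > 0)
                                return -saved_errno;
                } else
                        context_changed = true;
        }

        /* The bind() result is converted before the context is reset, so the reset cannot disturb it. */
        r = bind(fd, addr, addrlen) < 0 ? -errno : 0;

        /* Never leave the creation context set beyond this call. */
        if (context_changed)
                setfscreatecon_raw(NULL);

        return r;

skipped:
#endif
        if (bind(fd, addr, addrlen) < 0)
                return -errno;

        return 0;
}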