1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
32 #include <selinux/context.h>
33 #include <selinux/label.h>
34 #include <selinux/selinux.h>
37 #include "alloc-util.h"
40 #include "path-util.h"
41 #include "selinux-util.h"
42 #include "time-util.h"
46 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t
, freecon
);
47 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t
, context_free
);
49 #define _cleanup_security_context_free_ _cleanup_(freeconp)
50 #define _cleanup_context_free_ _cleanup_(context_freep)
52 static int cached_use
= -1;
53 static struct selabel_handle
*label_hnd
= NULL
;
55 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
58 bool mac_selinux_have(void) {
61 cached_use
= is_selinux_enabled() > 0;
69 bool mac_selinux_use(void) {
70 if (!mac_selinux_have())
73 /* Never try to configure SELinux features if we aren't
79 void mac_selinux_retest(void) {
85 int mac_selinux_init(const char *prefix
) {
89 usec_t before_timestamp
, after_timestamp
;
90 struct mallinfo before_mallinfo
, after_mallinfo
;
92 if (!mac_selinux_use())
98 before_mallinfo
= mallinfo();
99 before_timestamp
= now(CLOCK_MONOTONIC
);
102 struct selinux_opt options
[] = {
103 { .type
= SELABEL_OPT_SUBSET
, .value
= prefix
},
106 label_hnd
= selabel_open(SELABEL_CTX_FILE
, options
, ELEMENTSOF(options
));
108 label_hnd
= selabel_open(SELABEL_CTX_FILE
, NULL
, 0);
111 log_enforcing("Failed to initialize SELinux context: %m");
112 r
= security_getenforce() == 1 ? -errno
: 0;
114 char timespan
[FORMAT_TIMESPAN_MAX
];
117 after_timestamp
= now(CLOCK_MONOTONIC
);
118 after_mallinfo
= mallinfo();
120 l
= after_mallinfo
.uordblks
> before_mallinfo
.uordblks
? after_mallinfo
.uordblks
- before_mallinfo
.uordblks
: 0;
122 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
123 format_timespan(timespan
, sizeof(timespan
), after_timestamp
- before_timestamp
, 0),
131 void mac_selinux_finish(void) {
137 selabel_close(label_hnd
);
142 int mac_selinux_fix(const char *path
, bool ignore_enoent
, bool ignore_erofs
) {
150 /* if mac_selinux_init() wasn't called before we are a NOOP */
154 r
= lstat(path
, &st
);
156 _cleanup_security_context_free_ security_context_t fcon
= NULL
;
158 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, st
.st_mode
);
160 /* If there's no label to set, then exit without warning */
161 if (r
< 0 && errno
== ENOENT
)
165 r
= lsetfilecon(path
, fcon
);
167 /* If the FS doesn't support labels, then exit without warning */
168 if (r
< 0 && errno
== EOPNOTSUPP
)
174 /* Ignore ENOENT in some cases */
175 if (ignore_enoent
&& errno
== ENOENT
)
178 if (ignore_erofs
&& errno
== EROFS
)
181 log_enforcing("Unable to fix SELinux security context of %s: %m", path
);
182 if (security_getenforce() == 1)
190 int mac_selinux_apply(const char *path
, const char *label
) {
193 if (!mac_selinux_use())
199 if (setfilecon(path
, (security_context_t
) label
) < 0) {
200 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label
, path
);
201 if (security_getenforce() > 0)
208 int mac_selinux_get_create_label_from_exe(const char *exe
, char **label
) {
212 _cleanup_security_context_free_ security_context_t mycon
= NULL
, fcon
= NULL
;
213 security_class_t sclass
;
218 if (!mac_selinux_have())
221 r
= getcon_raw(&mycon
);
225 r
= getfilecon_raw(exe
, &fcon
);
229 sclass
= string_to_security_class("process");
230 r
= security_compute_create(mycon
, fcon
, sclass
, (security_context_t
*) label
);
238 int mac_selinux_get_our_label(char **label
) {
244 if (!mac_selinux_have())
247 r
= getcon_raw(label
);
255 int mac_selinux_get_child_mls_label(int socket_fd
, const char *exe
, const char *exec_label
, char **label
) {
259 _cleanup_security_context_free_ security_context_t mycon
= NULL
, peercon
= NULL
, fcon
= NULL
;
260 _cleanup_context_free_ context_t pcon
= NULL
, bcon
= NULL
;
261 security_class_t sclass
;
262 const char *range
= NULL
;
264 assert(socket_fd
>= 0);
268 if (!mac_selinux_have())
271 r
= getcon_raw(&mycon
);
275 r
= getpeercon(socket_fd
, &peercon
);
280 /* If there is no context set for next exec let's use context
281 of target executable */
282 r
= getfilecon_raw(exe
, &fcon
);
287 bcon
= context_new(mycon
);
291 pcon
= context_new(peercon
);
295 range
= context_range_get(pcon
);
299 r
= context_range_set(bcon
, range
);
304 mycon
= strdup(context_str(bcon
));
308 sclass
= string_to_security_class("process");
309 r
= security_compute_create(mycon
, fcon
, sclass
, (security_context_t
*) label
);
317 char* mac_selinux_free(char *label
) {
323 if (!mac_selinux_have())
327 freecon((security_context_t
) label
);
333 int mac_selinux_create_file_prepare(const char *path
, mode_t mode
) {
336 _cleanup_security_context_free_ security_context_t filecon
= NULL
;
344 if (path_is_absolute(path
))
345 r
= selabel_lookup_raw(label_hnd
, &filecon
, path
, mode
);
347 _cleanup_free_
char *newpath
= NULL
;
349 r
= path_make_absolute_cwd(path
, &newpath
);
353 r
= selabel_lookup_raw(label_hnd
, &filecon
, newpath
, mode
);
357 /* No context specified by the policy? Proceed without setting it. */
361 log_enforcing("Failed to determine SELinux security context for %s: %m", path
);
363 if (setfscreatecon(filecon
) >= 0)
364 return 0; /* Success! */
366 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon
, path
);
369 if (security_getenforce() > 0)
376 void mac_selinux_create_file_clear(void) {
381 if (!mac_selinux_use())
384 setfscreatecon(NULL
);
388 int mac_selinux_create_socket_prepare(const char *label
) {
391 if (!mac_selinux_use())
396 if (setsockcreatecon((security_context_t
) label
) < 0) {
397 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label
);
399 if (security_getenforce() == 1)
407 void mac_selinux_create_socket_clear(void) {
412 if (!mac_selinux_use())
415 setsockcreatecon(NULL
);
419 int mac_selinux_bind(int fd
, const struct sockaddr
*addr
, socklen_t addrlen
) {
421 /* Binds a socket and label its file system object according to the SELinux policy */
424 _cleanup_security_context_free_ security_context_t fcon
= NULL
;
425 const struct sockaddr_un
*un
;
426 bool context_changed
= false;
432 assert(addrlen
>= sizeof(sa_family_t
));
437 /* Filter out non-local sockets */
438 if (addr
->sa_family
!= AF_UNIX
)
441 /* Filter out anonymous sockets */
442 if (addrlen
< offsetof(struct sockaddr_un
, sun_path
) + 1)
445 /* Filter out abstract namespace sockets */
446 un
= (const struct sockaddr_un
*) addr
;
447 if (un
->sun_path
[0] == 0)
450 path
= strndupa(un
->sun_path
, addrlen
- offsetof(struct sockaddr_un
, sun_path
));
452 if (path_is_absolute(path
))
453 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, S_IFSOCK
);
455 _cleanup_free_
char *newpath
= NULL
;
457 r
= path_make_absolute_cwd(path
, &newpath
);
461 r
= selabel_lookup_raw(label_hnd
, &fcon
, newpath
, S_IFSOCK
);
465 /* No context specified by the policy? Proceed without setting it */
469 log_enforcing("Failed to determine SELinux security context for %s: %m", path
);
470 if (security_getenforce() > 0)
474 if (setfscreatecon(fcon
) < 0) {
475 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon
, path
);
476 if (security_getenforce() > 0)
479 context_changed
= true;
482 r
= bind(fd
, addr
, addrlen
) < 0 ? -errno
: 0;
485 setfscreatecon(NULL
);
491 if (bind(fd
, addr
, addrlen
) < 0)