1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <selinux/context.h>
32 #include "alloc-util.h"
34 #include "path-util.h"
35 #include "selinux-util.h"
/* Cleanup wrappers for libselinux allocations. DEFINE_TRIVIAL_CLEANUP_FUNC
 * presumably generates freeconp()/context_freep(), which release a
 * security_context_t / context_t when a _cleanup_-annotated local goes out
 * of scope, so every lookup result in this file is freed on all return paths. */
38 DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t
, freecon
);
39 DEFINE_TRIVIAL_CLEANUP_FUNC(context_t
, context_free
);
/* Attribute shorthands used on locals throughout this file. */
41 #define _cleanup_security_context_free_ _cleanup_(freeconp)
42 #define _cleanup_context_free_ _cleanup_(context_freep)
/* Cache for mac_selinux_use(): -1 = not yet determined, otherwise the
 * boolean result of is_selinux_enabled() > 0. */
44 static int cached_use
= -1;
/* File-context labeling handle from selabel_open(). Stays NULL until
 * mac_selinux_init() succeeds; the relabeling helpers treat a NULL handle
 * as "nothing to do" (see the comment at the top of mac_selinux_fix()). */
45 static struct selabel_handle
*label_hnd
= NULL
;
/* Log at LOG_ERR only while SELinux is enforcing; in permissive mode -- or
 * if security_getenforce() reports an error rather than 1 -- the same message
 * is demoted to LOG_DEBUG, so labeling failures are easy to miss there.
 * NOTE(review): the macro calls security_getenforce() before the message is
 * formatted, so a "%m" in the message reads errno after that call has run;
 * callers that also need errno afterwards should capture it first. */
47 #define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
/* Returns whether SELinux is enabled on this system, remembering the answer
 * in cached_use so the kernel is queried once.
 * NOTE(review): only the cache-refresh statement is on this page; the guard
 * (presumably "if (cached_use < 0)") and the return of cached_use are in
 * lines not shown -- confirm against the full file. */
50 bool mac_selinux_use(void) {
/* is_selinux_enabled() > 0 collapses its positive/zero/negative result to a bool. */
53 cached_use
= is_selinux_enabled() > 0;
/* Presumably invalidates cached_use so the next mac_selinux_use() re-queries
 * the kernel, e.g. after a state change. NOTE(review): the function body is
 * not on this page -- confirm it only resets the cache. */
61 void mac_selinux_retest(void) {
/* Loads the SELinux file-context database into label_hnd -- restricted to
 * entries under `prefix` via SELABEL_OPT_SUBSET when a prefix is supplied --
 * and logs how long the load took and how much heap it consumed.
 *
 * prefix - optional path prefix limiting the database subset (may be NULL,
 *          in which case the full database is opened).
 *
 * Returns 0 when SELinux is not in use, or when the database could not be
 * opened while in permissive mode (labeling then silently stays off because
 * label_hnd remains NULL); a negative errno when the open fails while
 * enforcing. Error returns of now()/mallinfo() are not relevant here.
 *
 * NOTE(review): several lines of this function are not on this page -- the
 * early return after mac_selinux_use(), the test on `prefix` that selects
 * between the two selabel_open() calls, the if/else around the failure and
 * success paths, and the final return. Read the claims below accordingly. */
67 int mac_selinux_init(const char *prefix
) {
71 usec_t before_timestamp
, after_timestamp
;
72 struct mallinfo before_mallinfo
, after_mallinfo
;
74 if (!mac_selinux_use())
/* Snapshot heap usage and a monotonic clock so the debug line below can
 * report the cost of loading the policy database. */
80 before_mallinfo
= mallinfo();
81 before_timestamp
= now(CLOCK_MONOTONIC
);
/* Restrict the database to entries under `prefix` (presumably only taken
 * when prefix is non-NULL; the condition is off-page). */
84 struct selinux_opt options
[] = {
85 { .type
= SELABEL_OPT_SUBSET
, .value
= prefix
},
88 label_hnd
= selabel_open(SELABEL_CTX_FILE
, options
, ELEMENTSOF(options
));
/* Otherwise load the complete file-context database. */
90 label_hnd
= selabel_open(SELABEL_CTX_FILE
, NULL
, 0);
/* Failure path (label_hnd == NULL). Fatal only when enforcing; in permissive
 * mode we carry on without a handle.
 * NOTE(review): errno from selabel_open() is consumed by "%m" and by the
 * `-errno` below only after security_getenforce() has been called twice
 * (inside log_enforcing and in the condition itself); that call may clobber
 * errno. Capturing `r = -errno;` immediately after selabel_open() and
 * deciding afterwards would make the returned code reliable. */
93 log_enforcing("Failed to initialize SELinux context: %m");
94 r
= security_getenforce() == 1 ? -errno
: 0;
/* Success path: report load time and heap growth. */
96 char timespan
[FORMAT_TIMESPAN_MAX
];
99 after_timestamp
= now(CLOCK_MONOTONIC
);
100 after_mallinfo
= mallinfo();
/* Heap growth attributable to the database, clamped at 0 because uordblks
 * can also shrink if memory was released during the load. `l` is declared
 * off-page; the "%iK" argument (presumably l scaled to KiB and cast to int)
 * is on the line following this call, also off-page. */
102 l
= after_mallinfo
.uordblks
> before_mallinfo
.uordblks
? after_mallinfo
.uordblks
- before_mallinfo
.uordblks
: 0;
104 log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
105 format_timespan(timespan
, sizeof(timespan
), after_timestamp
- before_timestamp
, 0),
/* Releases the labeling handle opened by mac_selinux_init().
 * NOTE(review): the NULL guard and the reset of label_hnd that presumably
 * surround selabel_close() are not on this page -- confirm that label_hnd is
 * set back to NULL so the helpers return to their "not initialised" no-op
 * behaviour instead of using a closed handle. */
113 void mac_selinux_finish(void) {
119 selabel_close(label_hnd
);
/* Relabels `path` to the context the loaded policy assigns it (a restorecon
 * for a single object).
 *
 * path          - the object to relabel; a symlink is relabeled itself, not
 *                 followed (lstat()/lsetfilecon()).
 * ignore_enoent - treat a path that vanished as success.
 * ignore_erofs  - treat a read-only filesystem as success.
 *
 * Returns 0 on success and in every "nothing to do" case: SELinux not in use
 * or label_hnd not initialised (early returns off-page), no matching policy
 * entry (ENOENT from the lookup), filesystem without label support
 * (EOPNOTSUPP), or one of the ignored errors. When relabeling fails and
 * SELinux is enforcing, a negative errno is returned (that return line is
 * off-page); in permissive mode the failure is only logged at debug level.
 *
 * NOTE(review): the path is resolved three separate times -- lstat(), the
 * lookup keyed on st.st_mode, and lsetfilecon(). If the object is replaced
 * in between, the label computed for one file type can be applied to another
 * object; an fd-based variant (O_PATH open + fstat()/fsetfilecon()) would
 * close that window. */
124 int mac_selinux_fix(const char *path
, bool ignore_enoent
, bool ignore_erofs
) {
132 /* if mac_selinux_init() wasn't called before we are a NOOP */
/* `st` is declared off-page; the error handling after lstat() is off-page too. */
136 r
= lstat(path
, &st
);
/* Ask the policy which label `path` should carry, given its type bits. */
138 _cleanup_security_context_free_ security_context_t fcon
= NULL
;
140 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, st
.st_mode
);
142 /* If there's no label to set, then exit without warning */
143 if (r
< 0 && errno
== ENOENT
)
/* Apply the label to the object itself (symlinks are not followed). */
147 r
= lsetfilecon(path
, fcon
);
149 /* If the FS doesn't support labels, then exit without warning */
150 if (r
< 0 && errno
== EOPNOTSUPP
)
156 /* Ignore ENOENT in some cases */
157 if (ignore_enoent
&& errno
== ENOENT
)
160 if (ignore_erofs
&& errno
== EROFS
)
/* Everything else is a real failure. Fatal only when enforcing.
 * NOTE(review): errno is consumed by "%m" and (presumably) by a `return
 * -errno` after the condition below, each time only after
 * security_getenforce() has run; capture errno right after lsetfilecon()
 * to be safe. */
163 log_enforcing("Unable to fix SELinux security context of %s: %m", path
);
164 if (security_getenforce() == 1)
/* Sets an explicit, caller-supplied context on `path`. Uses setfilecon(),
 * so -- unlike mac_selinux_fix(), which uses lsetfilecon() -- a symlink at
 * `path` is followed. The label string is handed to the kernel unchanged;
 * nothing here validates it, so rejection of a malformed or unknown context
 * is left to the kernel.
 *
 * path  - object to label.
 * label - context string to apply.
 *
 * Returns 0 when SELinux is not in use and, presumably, on success or when
 * the failure happens in permissive mode; a negative errno when enforcing
 * (the return statements are off-page).
 * NOTE(review): this tests `security_getenforce() > 0` whereas most of the
 * file tests `== 1`; equivalent for the 0/1 answers the kernel gives, but
 * worth unifying for readability. */
172 int mac_selinux_apply(const char *path
, const char *label
) {
175 if (!mac_selinux_use())
181 if (setfilecon(path
, (security_context_t
) label
) < 0) {
182 log_enforcing("Failed to set SELinux security context %s on path %s: %m", label
, path
);
183 if (security_getenforce() > 0)
/* Computes the label a process would run with if `exe` were executed from
 * our current context: getcon_raw() for the caller, getfilecon_raw() for the
 * executable, then security_compute_create() for the "process" class.
 *
 * exe   - path of the executable to be started.
 * label - on success receives a libselinux-allocated string; release it with
 *         mac_selinux_free() (which calls freecon()).
 *
 * Returns 0 when SELinux is not in use (presumably leaving *label untouched,
 * so callers should initialise it). The error handling after each libselinux
 * call and the final return are on lines not shown here. */
190 int mac_selinux_get_create_label_from_exe(const char *exe
, char **label
) {
194 _cleanup_security_context_free_ security_context_t mycon
= NULL
, fcon
= NULL
;
195 security_class_t sclass
;
200 if (!mac_selinux_use())
/* Source context: our own. */
203 r
= getcon_raw(&mycon
);
/* Target: the file context of the executable, which drives the transition. */
207 r
= getfilecon_raw(exe
, &fcon
);
/* Transition is computed for the "process" object class. */
211 sclass
= string_to_security_class("process");
212 r
= security_compute_create(mycon
, fcon
, sclass
, (security_context_t
*) label
);
/* Fetches the caller's own security context in raw form.
 *
 * label - receives a libselinux-allocated string; free with mac_selinux_free().
 *
 * Returns 0 when SELinux is not in use; the handling of a getcon_raw()
 * failure and the final return are on lines not shown here. */
220 int mac_selinux_get_our_label(char **label
) {
226 if (!mac_selinux_use())
229 r
= getcon_raw(label
);
/* Derives the label for a child process spawned to serve a connection: take
 * our own context, replace its MLS range with the range of the socket peer,
 * and compute the resulting process label for executing `exe`.
 *
 * socket_fd  - connected socket whose peer context (getpeercon()) supplies
 *              the sensitivity range.
 * exe        - executable to be run; its file context is obtained with
 *              getfilecon_raw() when no exec_label is configured (the
 *              `if (!exec_label)` test and its else branch are off-page).
 * exec_label - pre-configured exec context, used instead of the file
 *              context when non-NULL (handled off-page).
 * label      - result, libselinux-allocated; free with mac_selinux_free().
 *
 * Security note: this intentionally runs the child at the *peer's* MLS
 * sensitivity range, bounding it to the client's clearance. The peer context
 * is supplied by the kernel, not by anything the client transmits.
 *
 * Returns 0 when SELinux is not in use; all other returns are off-page.
 *
 * NOTE(review): the error checks between the libselinux calls, the NULL test
 * on `range` (context_range_get() may yield NULL for policies without MLS),
 * and the release of the original `mycon` are not on this page. The strdup()
 * that reassigns mycon below must be preceded by freecon(mycon) -- otherwise
 * the getcon_raw() allocation leaks -- confirm in the full file. */
237 int mac_selinux_get_child_mls_label(int socket_fd
, const char *exe
, const char *exec_label
, char **label
) {
241 _cleanup_security_context_free_ security_context_t mycon
= NULL
, peercon
= NULL
, fcon
= NULL
;
242 _cleanup_context_free_ context_t pcon
= NULL
, bcon
= NULL
;
243 security_class_t sclass
;
244 const char *range
= NULL
;
246 assert(socket_fd
>= 0);
250 if (!mac_selinux_use())
/* Our own context: the base the peer's range is grafted onto. */
253 r
= getcon_raw(&mycon
);
/* The peer's context, as reported by the kernel for the connected socket. */
257 r
= getpeercon(socket_fd
, &peercon
);
262 /* If there is no context set for next exec let's use context
263 of target executable */
264 r
= getfilecon_raw(exe
, &fcon
);
/* Parse both contexts so the range component can be moved across. */
269 bcon
= context_new(mycon
);
273 pcon
= context_new(peercon
);
277 range
= context_range_get(pcon
);
281 r
= context_range_set(bcon
, range
);
/* Serialise the modified context; ownership of the new string stays with
 * mycon and is released by the _cleanup_ attribute at scope exit. */
286 mycon
= strdup(context_str(bcon
));
/* Compute the process label for the transition from mycon via fcon. */
290 sclass
= string_to_security_class("process");
291 r
= security_compute_create(mycon
, fcon
, sclass
, (security_context_t
*) label
);
/* Releases a label returned by the getters above. Returns a char* (the return
 * statement is off-page; presumably NULL, allowing the idiom
 * `label = mac_selinux_free(label)`).
 * NOTE(review): when SELinux is not in use the label is *not* freed; that is
 * only safe because the getters visible in this file never allocate in that
 * mode -- keep it that way. */
299 char* mac_selinux_free(char *label
) {
305 if (!mac_selinux_use())
309 freecon((security_context_t
) label
);
/* Arms the file-creation context (setfscreatecon()) so that the next
 * filesystem object created at `path`, with type bits `mode`, receives the
 * label the policy assigns it. Pair with mac_selinux_create_file_clear().
 *
 * path - where the object will be created; a relative path is made absolute
 *        against the cwd first, because policy matching is on full paths.
 * mode - type bits of the object about to be created.
 *
 * Returns 0 on success, when the policy has no entry for the path (ENOENT,
 * handled on off-page lines after the comment below) and, presumably, when
 * SELinux is not in use or not initialised (early returns off-page). On a
 * lookup or setfscreatecon() failure, a negative errno only when enforcing
 * (those return lines are off-page); in permissive mode the failure is
 * logged at debug level and creation proceeds.
 * NOTE(review): as elsewhere in this file, errno is consumed by "%m" and by
 * the enforcing test only after security_getenforce() has run -- capture it
 * first for a reliable return code. */
315 int mac_selinux_create_file_prepare(const char *path
, mode_t mode
) {
318 _cleanup_security_context_free_ security_context_t filecon
= NULL
;
/* Absolute path: look it up directly. */
326 if (path_is_absolute(path
))
327 r
= selabel_lookup_raw(label_hnd
, &filecon
, path
, mode
);
/* Relative path: resolve against the cwd before the lookup (the enclosing
 * else block and its error check are off-page). */
329 _cleanup_free_
char *newpath
= NULL
;
331 r
= path_make_absolute_cwd(path
, &newpath
);
335 r
= selabel_lookup_raw(label_hnd
, &filecon
, newpath
, mode
);
339 /* No context specified by the policy? Proceed without setting it. */
343 log_enforcing("Failed to determine SELinux security context for %s: %m", path
);
/* Install the creation context for subsequently created objects. */
345 if (setfscreatecon(filecon
) >= 0)
346 return 0; /* Success! */
348 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon
, path
);
351 if (security_getenforce() > 0)
/* Resets the file-creation context installed by
 * mac_selinux_create_file_prepare(). No-op when SELinux is not in use.
 * NOTE(review): the return value of setfscreatecon(NULL) is discarded; if the
 * reset fails, objects created afterwards by this caller keep receiving the
 * previously armed label. At minimum this deserves a debug log. */
358 void mac_selinux_create_file_clear(void) {
363 if (!mac_selinux_use())
366 setfscreatecon(NULL
);
/* Arms the socket-creation context (setsockcreatecon()) with a caller-supplied
 * label so sockets created next carry it. Pair with
 * mac_selinux_create_socket_clear().
 *
 * label - context string to apply; passed to the kernel without validation.
 *
 * Returns 0 when SELinux is not in use and, presumably, on success or on a
 * failure in permissive mode; a negative errno when enforcing (return lines
 * off-page). The same errno-after-security_getenforce() caveat as the other
 * helpers applies to the "%m" and the enforcing test below. */
370 int mac_selinux_create_socket_prepare(const char *label
) {
373 if (!mac_selinux_use())
378 if (setsockcreatecon((security_context_t
) label
) < 0) {
379 log_enforcing("Failed to set SELinux security context %s for sockets: %m", label
);
381 if (security_getenforce() == 1)
/* Resets the socket-creation context installed by
 * mac_selinux_create_socket_prepare(). No-op when SELinux is not in use.
 * NOTE(review): like mac_selinux_create_file_clear(), the return value of
 * the reset is ignored; a failed reset leaves the armed label in effect for
 * sockets created afterwards. */
389 void mac_selinux_create_socket_clear(void) {
394 if (!mac_selinux_use())
397 setsockcreatecon(NULL
);
401 int mac_selinux_bind(int fd
, const struct sockaddr
*addr
, socklen_t addrlen
) {
403 /* Binds a socket and label its file system object according to the SELinux policy */
406 _cleanup_security_context_free_ security_context_t fcon
= NULL
;
407 const struct sockaddr_un
*un
;
408 bool context_changed
= false;
414 assert(addrlen
>= sizeof(sa_family_t
));
419 /* Filter out non-local sockets */
420 if (addr
->sa_family
!= AF_UNIX
)
423 /* Filter out anonymous sockets */
424 if (addrlen
< offsetof(struct sockaddr_un
, sun_path
) + 1)
427 /* Filter out abstract namespace sockets */
428 un
= (const struct sockaddr_un
*) addr
;
429 if (un
->sun_path
[0] == 0)
432 path
= strndupa(un
->sun_path
, addrlen
- offsetof(struct sockaddr_un
, sun_path
));
434 if (path_is_absolute(path
))
435 r
= selabel_lookup_raw(label_hnd
, &fcon
, path
, S_IFSOCK
);
437 _cleanup_free_
char *newpath
= NULL
;
439 r
= path_make_absolute_cwd(path
, &newpath
);
443 r
= selabel_lookup_raw(label_hnd
, &fcon
, newpath
, S_IFSOCK
);
447 /* No context specified by the policy? Proceed without setting it */
451 log_enforcing("Failed to determine SELinux security context for %s: %m", path
);
452 if (security_getenforce() > 0)
456 if (setfscreatecon(fcon
) < 0) {
457 log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon
, path
);
458 if (security_getenforce() > 0)
461 context_changed
= true;
464 r
= bind(fd
, addr
, addrlen
) < 0 ? -errno
: 0;
467 setfscreatecon(NULL
);
473 if (bind(fd
, addr
, addrlen
) < 0)