src/core/selinux-access.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2012 Dan Walsh
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU Lesser General Public License as published by
  10   the Free Software Foundation; either version 2.1 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   Lesser General Public License for more details.
  17
  18   You should have received a copy of the GNU Lesser General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include "selinux-access.h"
  23
  24 #ifdef HAVE_SELINUX
  25
  26 #include <stdio.h>
  27 #include <string.h>
  28 #include <errno.h>
  29 #include <limits.h>
  30 #include <selinux/selinux.h>
  31 #include <selinux/avc.h>
  32 #include <sys/socket.h>
  33 #ifdef HAVE_AUDIT
  34 #include <libaudit.h>
  35 #endif
  36
  37 #include "sd-bus.h"
  38 #include "bus-util.h"
  39 #include "util.h"
  40 #include "log.h"
  41 #include "audit.h"
  42 #include "selinux-util.h"
  43 #include "audit-fd.h"
  44 #include "strv.h"
  45
  46 static bool initialized = false;
  47
  48 struct audit_info {
  49         sd_bus_creds *creds;
  50         const char *path;
  51         const char *cmdline;
  52 };
  53
  54 /*
  55    Any time an access gets denied this callback will be called
  56    with the audit data.  We then need to just copy the audit data into the msgbuf.
  57 */
  58 static int audit_callback(
  59                 void *auditdata,
  60                 security_class_t cls,
  61                 char *msgbuf,
  62                 size_t msgbufsize) {
  63
  64         const struct audit_info *audit = auditdata;
  65         uid_t uid = 0, login_uid = 0;
  66         gid_t gid = 0;
  67         char login_uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
  68         char uid_buf[DECIMAL_STR_MAX(uid_t)] = "n/a";
  69         char gid_buf[DECIMAL_STR_MAX(gid_t)] = "n/a";
  70
  71         if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
  72                 snprintf(login_uid_buf, sizeof(login_uid_buf), UID_FMT, login_uid);
  73         if (sd_bus_creds_get_uid(audit->creds, &uid) >= 0)
  74                 snprintf(uid_buf, sizeof(uid_buf), UID_FMT, uid);
  75         if (sd_bus_creds_get_gid(audit->creds, &gid) >= 0)
  76                 snprintf(gid_buf, sizeof(gid_buf), GID_FMT, gid);
  77
  78         snprintf(msgbuf, msgbufsize,
  79                  "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
  80                  login_uid_buf, uid_buf, gid_buf,
  81                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
  82                  audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
  83
  84         msgbuf[msgbufsize-1] = 0;
  85
  86         return 0;
  87 }
  88
  89 /*
  90    Any time an access gets denied this callback will be called
  91    code copied from dbus. If audit is turned on the messages will go as
  92    user_avc's into the /var/log/audit/audit.log, otherwise they will be
  93    sent to syslog.
  94 */
  95 _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
  96         va_list ap;
  97
  98 #ifdef HAVE_AUDIT
  99         if (get_audit_fd() >= 0) {
 100                 _cleanup_free_ char *buf = NULL;
 101                 int r;
 102
 103                 va_start(ap, fmt);
 104                 r = vasprintf(&buf, fmt, ap);
 105                 va_end(ap);
 106
 107                 if (r >= 0) {
 108                         audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
 109                         return 0;
 110                 }
 111         }
 112 #endif
 113
 114         va_start(ap, fmt);
 115         log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
 116         va_end(ap);
 117
 118         return 0;
 119 }
 120
 121 /*
 122    Function must be called once to initialize the SELinux AVC environment.
 123    Sets up callbacks.
 124    If you want to cleanup memory you should need to call selinux_access_finish.
 125 */
 126 static int access_init(void) {
 127         int r = 0;
 128
 129         if (avc_open(NULL, 0)) {
 130                 log_error_errno(errno, "avc_open() failed: %m");
 131                 return -errno;
 132         }
 133
 134         selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
 135         selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
 136
 137         if (security_getenforce() < 0){
 138                 r = -errno;
 139                 avc_destroy();
 140         }
 141
 142         return r;
 143 }
 144
 145 static int mac_selinux_access_init(sd_bus_error *error) {
 146         int r;
 147
 148         if (initialized)
 149                 return 0;
 150
 151         if (!mac_selinux_use())
 152                 return 0;
 153
 154         r = access_init();
 155         if (r < 0)
 156                 return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
 157
 158         initialized = true;
 159         return 0;
 160 }
 161 #endif
 162
 163 void mac_selinux_access_free(void) {
 164
 165 #ifdef HAVE_SELINUX
 166         if (!initialized)
 167                 return;
 168
 169         avc_destroy();
 170         initialized = false;
 171 #endif
 172 }
 173
 174 /*
 175    This function communicates with the kernel to check whether or not it should
 176    allow the access.
 177    If the machine is in permissive mode it will return ok.  Audit messages will
 178    still be generated if the access would be denied in enforcing mode.
 179 */
 180 int mac_selinux_generic_access_check(
 181                 sd_bus_message *message,
 182                 const char *path,
 183                 const char *permission,
 184                 sd_bus_error *error) {
 185
 186 #ifdef HAVE_SELINUX
 187         _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
 188         const char *tclass = NULL, *scon = NULL;
 189         struct audit_info audit_info = {};
 190         _cleanup_free_ char *cl = NULL;
 191         security_context_t fcon = NULL;
 192         char **cmdline = NULL;
 193         int r = 0;
 194
 195         assert(message);
 196         assert(permission);
 197         assert(error);
 198
 199         if (!mac_selinux_use())
 200                 return 0;
 201
 202         r = mac_selinux_access_init(error);
 203         if (r < 0)
 204                 return r;
 205
 206         r = sd_bus_query_sender_creds(
 207                         message,
 208                         SD_BUS_CREDS_PID|SD_BUS_CREDS_UID|SD_BUS_CREDS_GID|
 209                         SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
 210                         SD_BUS_CREDS_SELINUX_CONTEXT|
 211                         SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
 212                         &creds);
 213         if (r < 0)
 214                 goto finish;
 215
 216         r = sd_bus_creds_get_selinux_context(creds, &scon);
 217         if (r < 0)
 218                 goto finish;
 219
 220         if (path) {
 221                 /* Get the file context of the unit file */
 222
 223                 r = getfilecon(path, &fcon);
 224                 if (r < 0) {
 225                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
 226                         goto finish;
 227                 }
 228
 229                 tclass = "service";
 230         } else {
 231                 r = getcon(&fcon);
 232                 if (r < 0) {
 233                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
 234                         goto finish;
 235                 }
 236
 237                 tclass = "system";
 238         }
 239
 240         sd_bus_creds_get_cmdline(creds, &cmdline);
 241         cl = strv_join(cmdline, " ");
 242
 243         audit_info.creds = creds;
 244         audit_info.path = path;
 245         audit_info.cmdline = cl;
 246
 247         r = selinux_check_access((security_context_t) scon, fcon, tclass, permission, &audit_info);
 248         if (r < 0)
 249                 r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
 250
 251         log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
 252
 253 finish:
 254         freecon(fcon);
 255
 256         if (r < 0 && security_getenforce() != 1) {
 257                 sd_bus_error_free(error);
 258                 r = 0;
 259         }
 260
 261         return r;
 262 #else
 263         return 0;
 264 #endif
 265 }
 266
 267 int mac_selinux_unit_access_check_strv(char **units,
 268                                 sd_bus_message *message,
 269                                 Manager *m,
 270                                 const char *permission,
 271                                 sd_bus_error *error) {
 272 #ifdef HAVE_SELINUX
 273         char **i;
 274         Unit *u;
 275         int r;
 276
 277         STRV_FOREACH(i, units) {
 278                 u = manager_get_unit(m, *i);
 279                 if (u) {
 280                         r = mac_selinux_unit_access_check(u, message, permission, error);
 281                         if (r < 0)
 282                                 return r;
 283                 }
 284         }
 285 #endif
 286         return 0;
 287 }