1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2012 Dan Walsh
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include "selinux-access.h"
26 #include <selinux/avc.h>
27 #include <selinux/selinux.h>
35 #include "alloc-util.h"
39 #include "path-util.h"
40 #include "selinux-util.h"
41 #include "stdio-util.h"
45 static bool initialized
= false;
54 Any time an access gets denied this callback will be called
55 with the audit data. We then need to just copy the audit data into the msgbuf.
57 static int audit_callback(
63 const struct audit_info
*audit
= auditdata
;
64 uid_t uid
= 0, login_uid
= 0;
66 char login_uid_buf
[DECIMAL_STR_MAX(uid_t
) + 1] = "n/a";
67 char uid_buf
[DECIMAL_STR_MAX(uid_t
) + 1] = "n/a";
68 char gid_buf
[DECIMAL_STR_MAX(gid_t
) + 1] = "n/a";
70 if (sd_bus_creds_get_audit_login_uid(audit
->creds
, &login_uid
) >= 0)
71 xsprintf(login_uid_buf
, UID_FMT
, login_uid
);
72 if (sd_bus_creds_get_euid(audit
->creds
, &uid
) >= 0)
73 xsprintf(uid_buf
, UID_FMT
, uid
);
74 if (sd_bus_creds_get_egid(audit
->creds
, &gid
) >= 0)
75 xsprintf(gid_buf
, GID_FMT
, gid
);
77 snprintf(msgbuf
, msgbufsize
,
78 "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
79 login_uid_buf
, uid_buf
, gid_buf
,
80 audit
->path
? " path=\"" : "", strempty(audit
->path
), audit
->path
? "\"" : "",
81 audit
->cmdline
? " cmdline=\"" : "", strempty(audit
->cmdline
), audit
->cmdline
? "\"" : "");
86 static int callback_type_to_priority(int type
) {
105 libselinux uses this callback when access gets denied or other
106 events happen. If audit is turned on, messages will be reported
107 using audit netlink, otherwise they will be logged using the usual
110 Code copied from dbus and modified.
112 _printf_(2, 3) static int log_callback(int type
, const char *fmt
, ...) {
122 _cleanup_free_
char *buf
= NULL
;
126 r
= vasprintf(&buf
, fmt
, ap
);
130 audit_log_user_avc_message(fd
, AUDIT_USER_AVC
, buf
, NULL
, NULL
, NULL
, 0);
136 fmt2
= strjoina("selinux: ", fmt
);
139 #pragma GCC diagnostic push
140 #pragma GCC diagnostic ignored "-Wformat-nonliteral"
141 log_internalv(LOG_AUTH
| callback_type_to_priority(type
),
142 0, __FILE__
, __LINE__
, __FUNCTION__
,
144 #pragma GCC diagnostic pop
150 static int access_init(sd_bus_error
*error
) {
152 if (!mac_selinux_use())
158 if (avc_open(NULL
, 0) != 0) {
159 int enforce
, saved_errno
= errno
;
161 enforce
= security_getenforce();
162 log_full_errno(enforce
!= 0 ? LOG_ERR
: LOG_WARNING
, saved_errno
, "Failed to open the SELinux AVC: %m");
164 /* If enforcement isn't on, then let's suppress this
165 * error, and just don't do any AVC checks. The
166 * warning we printed is hence all the admin will
171 /* Return an access denied error, if we couldn't load
172 * the AVC but enforcing mode was on, or we couldn't
173 * determine whether it is one. */
174 return sd_bus_error_setf(error
, SD_BUS_ERROR_ACCESS_DENIED
, "Failed to open the SELinux AVC: %s", strerror(saved_errno
));
177 selinux_set_callback(SELINUX_CB_AUDIT
, (union selinux_callback
) audit_callback
);
178 selinux_set_callback(SELINUX_CB_LOG
, (union selinux_callback
) log_callback
);
185 This function communicates with the kernel to check whether or not it should
187 If the machine is in permissive mode it will return ok. Audit messages will
188 still be generated if the access would be denied in enforcing mode.
190 int mac_selinux_generic_access_check(
191 sd_bus_message
*message
,
193 const char *permission
,
194 sd_bus_error
*error
) {
196 _cleanup_(sd_bus_creds_unrefp
) sd_bus_creds
*creds
= NULL
;
197 const char *tclass
= NULL
, *scon
= NULL
;
198 struct audit_info audit_info
= {};
199 _cleanup_free_
char *cl
= NULL
;
201 char **cmdline
= NULL
;
208 r
= access_init(error
);
212 r
= sd_bus_query_sender_creds(
214 SD_BUS_CREDS_PID
|SD_BUS_CREDS_EUID
|SD_BUS_CREDS_EGID
|
215 SD_BUS_CREDS_CMDLINE
|SD_BUS_CREDS_AUDIT_LOGIN_UID
|
216 SD_BUS_CREDS_SELINUX_CONTEXT
|
217 SD_BUS_CREDS_AUGMENT
/* get more bits from /proc */,
222 /* The SELinux context is something we really should have
223 * gotten directly from the message or sender, and not be an
224 * augmented field. If it was augmented we cannot use it for
225 * authorization, since this is racy and vulnerable. Let's add
226 * an extra check, just in case, even though this really
227 * shouldn't be possible. */
228 assert_return((sd_bus_creds_get_augmented_mask(creds
) & SD_BUS_CREDS_SELINUX_CONTEXT
) == 0, -EPERM
);
230 r
= sd_bus_creds_get_selinux_context(creds
, &scon
);
235 /* Get the file context of the unit file */
237 r
= getfilecon_raw(path
, &fcon
);
239 r
= sd_bus_error_setf(error
, SD_BUS_ERROR_ACCESS_DENIED
, "Failed to get file context on %s.", path
);
245 r
= getcon_raw(&fcon
);
247 r
= sd_bus_error_setf(error
, SD_BUS_ERROR_ACCESS_DENIED
, "Failed to get current context.");
254 sd_bus_creds_get_cmdline(creds
, &cmdline
);
255 cl
= strv_join(cmdline
, " ");
257 audit_info
.creds
= creds
;
258 audit_info
.path
= path
;
259 audit_info
.cmdline
= cl
;
261 r
= selinux_check_access(scon
, fcon
, tclass
, permission
, &audit_info
);
263 r
= sd_bus_error_setf(error
, SD_BUS_ERROR_ACCESS_DENIED
, "SELinux policy denies access.");
265 log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon
, fcon
, tclass
, permission
, path
, cl
, r
);
270 if (r
< 0 && security_getenforce() != 1) {
271 sd_bus_error_free(error
);
280 int mac_selinux_generic_access_check(
281 sd_bus_message
*message
,
283 const char *permission
,
284 sd_bus_error
*error
) {