src/core/selinux-access.c

   1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2012 Dan Walsh
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU Lesser General Public License as published by
  10   the Free Software Foundation; either version 2.1 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   Lesser General Public License for more details.
  17
  18   You should have received a copy of the GNU Lesser General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include "selinux-access.h"
  23
  24 #ifdef HAVE_SELINUX
  25
  26 #include <stdio.h>
  27 #include <errno.h>
  28 #include <selinux/selinux.h>
  29 #include <selinux/avc.h>
  30 #ifdef HAVE_AUDIT
  31 #include <libaudit.h>
  32 #endif
  33
  34 #include "sd-bus.h"
  35 #include "bus-util.h"
  36 #include "util.h"
  37 #include "log.h"
  38 #include "selinux-util.h"
  39 #include "audit-fd.h"
  40 #include "strv.h"
  41 #include "path-util.h"
  42
  43 static bool initialized = false;
  44
  45 struct audit_info {
  46         sd_bus_creds *creds;
  47         const char *path;
  48         const char *cmdline;
  49 };
  50
  51 /*
  52    Any time an access gets denied this callback will be called
  53    with the audit data.  We then need to just copy the audit data into the msgbuf.
  54 */
  55 static int audit_callback(
  56                 void *auditdata,
  57                 security_class_t cls,
  58                 char *msgbuf,
  59                 size_t msgbufsize) {
  60
  61         const struct audit_info *audit = auditdata;
  62         uid_t uid = 0, login_uid = 0;
  63         gid_t gid = 0;
  64         char login_uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
  65         char uid_buf[DECIMAL_STR_MAX(uid_t) + 1] = "n/a";
  66         char gid_buf[DECIMAL_STR_MAX(gid_t) + 1] = "n/a";
  67
  68         if (sd_bus_creds_get_audit_login_uid(audit->creds, &login_uid) >= 0)
  69                 xsprintf(login_uid_buf, UID_FMT, login_uid);
  70         if (sd_bus_creds_get_euid(audit->creds, &uid) >= 0)
  71                 xsprintf(uid_buf, UID_FMT, uid);
  72         if (sd_bus_creds_get_egid(audit->creds, &gid) >= 0)
  73                 xsprintf(gid_buf, GID_FMT, gid);
  74
  75         snprintf(msgbuf, msgbufsize,
  76                  "auid=%s uid=%s gid=%s%s%s%s%s%s%s",
  77                  login_uid_buf, uid_buf, gid_buf,
  78                  audit->path ? " path=\"" : "", strempty(audit->path), audit->path ? "\"" : "",
  79                  audit->cmdline ? " cmdline=\"" : "", strempty(audit->cmdline), audit->cmdline ? "\"" : "");
  80
  81         return 0;
  82 }
  83
  84 static int callback_type_to_priority(int type) {
  85         switch(type) {
  86
  87         case SELINUX_ERROR:
  88                 return LOG_ERR;
  89
  90         case SELINUX_WARNING:
  91                 return LOG_WARNING;
  92
  93         case SELINUX_INFO:
  94                 return LOG_INFO;
  95
  96         case SELINUX_AVC:
  97         default:
  98                 return LOG_NOTICE;
  99         }
 100 }
 101
 102 /*
 103    libselinux uses this callback when access gets denied or other
 104    events happen. If audit is turned on, messages will be reported
 105    using audit netlink, otherwise they will be logged using the usual
 106    channels.
 107
 108    Code copied from dbus and modified.
 109 */
 110 _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
 111         va_list ap;
 112
 113 #ifdef HAVE_AUDIT
 114         int fd;
 115
 116         fd = get_audit_fd();
 117
 118         if (fd >= 0) {
 119                 _cleanup_free_ char *buf = NULL;
 120                 int r;
 121
 122                 va_start(ap, fmt);
 123                 r = vasprintf(&buf, fmt, ap);
 124                 va_end(ap);
 125
 126                 if (r >= 0) {
 127                         audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
 128                         return 0;
 129                 }
 130         }
 131 #endif
 132
 133         va_start(ap, fmt);
 134         log_internalv(LOG_AUTH | callback_type_to_priority(type),
 135                       0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
 136         va_end(ap);
 137
 138         return 0;
 139 }
 140
 141 /*
 142    Function must be called once to initialize the SELinux AVC environment.
 143    Sets up callbacks.
 144    If you want to cleanup memory you should need to call selinux_access_finish.
 145 */
 146 static int access_init(void) {
 147         int r = 0;
 148
 149         if (avc_open(NULL, 0))
 150                 return log_error_errno(errno, "avc_open() failed: %m");
 151
 152         selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
 153         selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
 154
 155         if (security_getenforce() < 0){
 156                 r = -errno;
 157                 avc_destroy();
 158         }
 159
 160         return r;
 161 }
 162
 163 static int mac_selinux_access_init(sd_bus_error *error) {
 164         int r;
 165
 166         if (initialized)
 167                 return 0;
 168
 169         if (!mac_selinux_use())
 170                 return 0;
 171
 172         r = access_init();
 173         if (r < 0)
 174                 return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
 175
 176         initialized = true;
 177         return 0;
 178 }
 179 #endif
 180
 181 /*
 182    This function communicates with the kernel to check whether or not it should
 183    allow the access.
 184    If the machine is in permissive mode it will return ok.  Audit messages will
 185    still be generated if the access would be denied in enforcing mode.
 186 */
 187 int mac_selinux_generic_access_check(
 188                 sd_bus_message *message,
 189                 const char *path,
 190                 const char *permission,
 191                 sd_bus_error *error) {
 192
 193 #ifdef HAVE_SELINUX
 194         _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
 195         const char *tclass = NULL, *scon = NULL;
 196         struct audit_info audit_info = {};
 197         _cleanup_free_ char *cl = NULL;
 198         security_context_t fcon = NULL;
 199         char **cmdline = NULL;
 200         int r = 0;
 201
 202         assert(message);
 203         assert(permission);
 204         assert(error);
 205
 206         if (!mac_selinux_use())
 207                 return 0;
 208
 209         r = mac_selinux_access_init(error);
 210         if (r < 0)
 211                 return r;
 212
 213         r = sd_bus_query_sender_creds(
 214                         message,
 215                         SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
 216                         SD_BUS_CREDS_CMDLINE|SD_BUS_CREDS_AUDIT_LOGIN_UID|
 217                         SD_BUS_CREDS_SELINUX_CONTEXT|
 218                         SD_BUS_CREDS_AUGMENT /* get more bits from /proc */,
 219                         &creds);
 220         if (r < 0)
 221                 goto finish;
 222
 223         /* The SELinux context is something we really should have
 224          * gotten directly from the message or sender, and not be an
 225          * augmented field. If it was augmented we cannot use it for
 226          * authorization, since this is racy and vulnerable. Let's add
 227          * an extra check, just in case, even though this really
 228          * shouldn't be possible. */
 229         assert_return((sd_bus_creds_get_augmented_mask(creds) & SD_BUS_CREDS_SELINUX_CONTEXT) == 0, -EPERM);
 230
 231         r = sd_bus_creds_get_selinux_context(creds, &scon);
 232         if (r < 0)
 233                 goto finish;
 234
 235         if (path) {
 236                 /* Get the file context of the unit file */
 237
 238                 r = getfilecon_raw(path, &fcon);
 239                 if (r < 0) {
 240                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
 241                         goto finish;
 242                 }
 243
 244                 tclass = "service";
 245         } else {
 246                 r = getcon_raw(&fcon);
 247                 if (r < 0) {
 248                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
 249                         goto finish;
 250                 }
 251
 252                 tclass = "system";
 253         }
 254
 255         sd_bus_creds_get_cmdline(creds, &cmdline);
 256         cl = strv_join(cmdline, " ");
 257
 258         audit_info.creds = creds;
 259         audit_info.path = path;
 260         audit_info.cmdline = cl;
 261
 262         r = selinux_check_access(scon, fcon, tclass, permission, &audit_info);
 263         if (r < 0)
 264                 r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
 265
 266         log_debug("SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %i", scon, fcon, tclass, permission, path, cl, r);
 267
 268 finish:
 269         freecon(fcon);
 270
 271         if (r < 0 && security_getenforce() != 1) {
 272                 sd_bus_error_free(error);
 273                 r = 0;
 274         }
 275
 276         return r;
 277 #else
 278         return 0;
 279 #endif
 280 }