[thirdparty/util-linux.git] / lib / selinux-utils.c

/*
 * No copyright is claimed.  This code is in the public domain; do with
 * it what you wish.
 *
 * Written by Karel Zak <kzak@redhat.com> [January 2021]
 */
#include <selinux/context.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <errno.h>

#include "selinux-utils.h"

/* set the SELinux security context used for _creating_ a new file system object
 *
 * returns 0 on success,
 *     or <0 on error
 */
int ul_setfscreatecon_from_file(char *orig_file)
{
	if (is_selinux_enabled() > 0) {
		char *scontext = NULL;

		if (getfilecon(orig_file, &scontext) < 0)
			return -1;
		if (setfscreatecon(scontext) < 0) {
			freecon(scontext);
			return -1;
		}
		freecon(scontext);
	}
	return 0;
}

/* returns 1 if user has access to @class and @perm ("passwd", "chfn")
 *	or 0 on error,
 *	or 0 if has no access -- in this case sets @user_cxt to user-context
 */
int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt)
{
	char *user;
	int rc;

	if (user_cxt)
		*user_cxt = NULL;

	if (getprevcon(&user) != 0)
		return 0;

	rc = selinux_check_access(user, user, classstr, perm, NULL);
	if (rc != 0 && user_cxt)
		*user_cxt = user;
	else
		freecon(user);

	return rc == 0 ? 1 : 0;
}

/* Gets the default context for @path and @st_mode.
 *
 * returns 0 on success,
 *     or <0 on error
 */
int ul_selinux_get_default_context(const char *path, int st_mode, char **cxt)
{
	struct selabel_handle *hnd;
	struct selinux_opt options[SELABEL_NOPT] = {};
	int rc = 0;

	*cxt = NULL;

	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
	if (!hnd)
		return -errno;

	if (selabel_lookup(hnd, cxt, path, st_mode) != 0)
		rc = -errno
			;
	selabel_close(hnd);

	return rc;
}
Commit	Line	Data
b105446e KZ	1	/*
	2	* No copyright is claimed. This code is in the public domain; do with
	3	* it what you wish.
	4	*
	5	* Written by Karel Zak <kzak@redhat.com> [January 2021]
	6	*/
d03dd608	7	#include <selinux/context.h>
fd2940f5	8	#include <selinux/selinux.h>
b105446e	9	#include <selinux/label.h>
fd2940f5 SK	10	#include <stdio.h>
	11	#include <string.h>
	12	#include <sys/types.h>
b105446e	13	#include <errno.h>
fd2940f5	14
68f4aa2a	15	#include "selinux-utils.h"
d03dd608	16
0735d0ef KZ	17	/* set the SELinux security context used for _creating_ a new file system object
	18	*
	19	* returns 0 on success,
	20	* or <0 on error
	21	*/
b5debf71	22	int ul_setfscreatecon_from_file(char *orig_file)
fd2940f5 SK	23	{
fd2940f5 SK	24	if (is_selinux_enabled() > 0) {
ca27216a KZ	25	char *scontext = NULL;
ca27216a KZ	26
fd2940f5	27	if (getfilecon(orig_file, &scontext) < 0)
0735d0ef	28	return -1;
fd2940f5 SK	29	if (setfscreatecon(scontext) < 0) {
fd2940f5 SK	30	freecon(scontext);
0735d0ef	31	return -1;
fd2940f5 SK	32	}
	33	freecon(scontext);
	34	}
	35	return 0;
d03dd608	36	}
e1de70b3 KZ	37
	38	/* returns 1 if user has access to @class and @perm ("passwd", "chfn")
	39	* or 0 on error,
	40	* or 0 if has no access -- in this case sets @user_cxt to user-context
	41	*/
	42	int ul_selinux_has_access(const char classstr, const char perm, char **user_cxt)
	43	{
	44	char *user;
	45	int rc;
	46
	47	if (user_cxt)
	48	*user_cxt = NULL;
	49
	50	if (getprevcon(&user) != 0)
	51	return 0;
	52
	53	rc = selinux_check_access(user, user, classstr, perm, NULL);
	54	if (rc != 0 && user_cxt)
	55	*user_cxt = user;
	56	else
	57	freecon(user);
	58
	59	return rc == 0 ? 1 : 0;
	60	}
	61
0735d0ef KZ	62	/* Gets the default context for @path and @st_mode.
	63	*
	64	* returns 0 on success,
	65	* or <0 on error
b105446e KZ	66	*/
	67	int ul_selinux_get_default_context(const char path, int st_mode, char *cxt)
	68	{
	69	struct selabel_handle *hnd;
	70	struct selinux_opt options[SELABEL_NOPT] = {};
	71	int rc = 0;
	72
	73	*cxt = NULL;
	74
	75	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
	76	if (!hnd)
	77	return -errno;
	78
	79	if (selabel_lookup(hnd, cxt, path, st_mode) != 0)
	80	rc = -errno
	81	;
	82	selabel_close(hnd);
	83
	84	return rc;
	85	}