08c849815c
This reworks the SELinux and SMACK label fixing calls in a number of ways: 1. The two separate boolean arguments of these functions are converted into a flags type LabelFixFlags. 2. The operations are now implemented based on O_PATH. This should resolve TTOCTTOU races between determining the label for the file system object and applying it, as it it allows to pin the object while we are operating on it. 3. When changing a label fails we'll query the label previously set, and if matches what we want to set anyway we'll suppress the error. Also, all calls to label_fix() are now (void)ified, when we ignore the return values. Fixes: #8566
501 lines
13 KiB
C
501 lines
13 KiB
C
/* SPDX-License-Identifier: LGPL-2.1+ */
|
|
/***
|
|
This file is part of systemd.
|
|
|
|
Copyright 2010 Lennart Poettering
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
(at your option) any later version.
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
***/
|
|
|
|
#include <errno.h>
|
|
#include <malloc.h>
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/time.h>
|
|
#include <sys/un.h>
|
|
#include <syslog.h>
|
|
|
|
#if HAVE_SELINUX
|
|
#include <selinux/context.h>
|
|
#include <selinux/label.h>
|
|
#include <selinux/selinux.h>
|
|
#endif
|
|
|
|
#include "alloc-util.h"
|
|
#include "fd-util.h"
|
|
#include "log.h"
|
|
#include "macro.h"
|
|
#include "path-util.h"
|
|
#include "selinux-util.h"
|
|
#include "stdio-util.h"
|
|
#include "time-util.h"
|
|
#include "util.h"
|
|
|
|
#if HAVE_SELINUX
|
|
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
|
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
|
|
|
#define _cleanup_freecon_ _cleanup_(freeconp)
|
|
#define _cleanup_context_free_ _cleanup_(context_freep)
|
|
|
|
static int cached_use = -1;
|
|
static struct selabel_handle *label_hnd = NULL;
|
|
|
|
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
|
|
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
|
|
#endif
|
|
|
|
bool mac_selinux_use(void) {
|
|
#if HAVE_SELINUX
|
|
if (cached_use < 0)
|
|
cached_use = is_selinux_enabled() > 0;
|
|
|
|
return cached_use;
|
|
#else
|
|
return false;
|
|
#endif
|
|
}
|
|
|
|
void mac_selinux_retest(void) {
|
|
#if HAVE_SELINUX
|
|
cached_use = -1;
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_init(void) {
|
|
int r = 0;
|
|
|
|
#if HAVE_SELINUX
|
|
usec_t before_timestamp, after_timestamp;
|
|
struct mallinfo before_mallinfo, after_mallinfo;
|
|
|
|
if (label_hnd)
|
|
return 0;
|
|
|
|
if (!mac_selinux_use())
|
|
return 0;
|
|
|
|
before_mallinfo = mallinfo();
|
|
before_timestamp = now(CLOCK_MONOTONIC);
|
|
|
|
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
|
if (!label_hnd) {
|
|
log_enforcing("Failed to initialize SELinux context: %m");
|
|
r = security_getenforce() == 1 ? -errno : 0;
|
|
} else {
|
|
char timespan[FORMAT_TIMESPAN_MAX];
|
|
int l;
|
|
|
|
after_timestamp = now(CLOCK_MONOTONIC);
|
|
after_mallinfo = mallinfo();
|
|
|
|
l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
|
|
|
|
log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
|
|
format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
|
|
(l+1023)/1024);
|
|
}
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
void mac_selinux_finish(void) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!label_hnd)
|
|
return;
|
|
|
|
selabel_close(label_hnd);
|
|
label_hnd = NULL;
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
|
|
|
#if HAVE_SELINUX
|
|
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
|
|
_cleanup_freecon_ char* fcon = NULL;
|
|
_cleanup_close_ int fd = -1;
|
|
struct stat st;
|
|
int r;
|
|
|
|
assert(path);
|
|
|
|
/* if mac_selinux_init() wasn't called before we are a NOOP */
|
|
if (!label_hnd)
|
|
return 0;
|
|
|
|
/* Open the file as O_PATH, to pin it while we determine and adjust the label */
|
|
fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
|
|
if (fd < 0) {
|
|
if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
|
|
return 0;
|
|
|
|
return -errno;
|
|
}
|
|
|
|
if (fstat(fd, &st) < 0)
|
|
return -errno;
|
|
|
|
if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
|
|
r = -errno;
|
|
|
|
/* If there's no label to set, then exit without warning */
|
|
if (r == -ENOENT)
|
|
return 0;
|
|
|
|
goto fail;
|
|
}
|
|
|
|
xsprintf(procfs_path, "/proc/self/fd/%i", fd);
|
|
if (setfilecon_raw(procfs_path, fcon) < 0) {
|
|
_cleanup_freecon_ char *oldcon = NULL;
|
|
|
|
r = -errno;
|
|
|
|
/* If the FS doesn't support labels, then exit without warning */
|
|
if (r == -EOPNOTSUPP)
|
|
return 0;
|
|
|
|
/* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
|
|
if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
|
|
return 0;
|
|
|
|
/* If the old label is identical to the new one, suppress any kind of error */
|
|
if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
|
|
return 0;
|
|
|
|
goto fail;
|
|
}
|
|
|
|
return 0;
|
|
|
|
fail:
|
|
log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
|
|
if (security_getenforce() == 1)
|
|
return r;
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
int mac_selinux_apply(const char *path, const char *label) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!mac_selinux_use())
|
|
return 0;
|
|
|
|
assert(path);
|
|
assert(label);
|
|
|
|
if (setfilecon(path, label) < 0) {
|
|
log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
}
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
|
|
int r = -EOPNOTSUPP;
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
|
|
security_class_t sclass;
|
|
|
|
assert(exe);
|
|
assert(label);
|
|
|
|
if (!mac_selinux_use())
|
|
return -EOPNOTSUPP;
|
|
|
|
r = getcon_raw(&mycon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
r = getfilecon_raw(exe, &fcon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
sclass = string_to_security_class("process");
|
|
r = security_compute_create_raw(mycon, fcon, sclass, label);
|
|
if (r < 0)
|
|
return -errno;
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
int mac_selinux_get_our_label(char **label) {
|
|
int r = -EOPNOTSUPP;
|
|
|
|
assert(label);
|
|
|
|
#if HAVE_SELINUX
|
|
if (!mac_selinux_use())
|
|
return -EOPNOTSUPP;
|
|
|
|
r = getcon_raw(label);
|
|
if (r < 0)
|
|
return -errno;
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
|
|
int r = -EOPNOTSUPP;
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
|
|
_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
|
|
security_class_t sclass;
|
|
const char *range = NULL;
|
|
|
|
assert(socket_fd >= 0);
|
|
assert(exe);
|
|
assert(label);
|
|
|
|
if (!mac_selinux_use())
|
|
return -EOPNOTSUPP;
|
|
|
|
r = getcon_raw(&mycon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
r = getpeercon_raw(socket_fd, &peercon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
if (!exec_label) {
|
|
/* If there is no context set for next exec let's use context
|
|
of target executable */
|
|
r = getfilecon_raw(exe, &fcon);
|
|
if (r < 0)
|
|
return -errno;
|
|
}
|
|
|
|
bcon = context_new(mycon);
|
|
if (!bcon)
|
|
return -ENOMEM;
|
|
|
|
pcon = context_new(peercon);
|
|
if (!pcon)
|
|
return -ENOMEM;
|
|
|
|
range = context_range_get(pcon);
|
|
if (!range)
|
|
return -errno;
|
|
|
|
r = context_range_set(bcon, range);
|
|
if (r)
|
|
return -errno;
|
|
|
|
freecon(mycon);
|
|
mycon = strdup(context_str(bcon));
|
|
if (!mycon)
|
|
return -ENOMEM;
|
|
|
|
sclass = string_to_security_class("process");
|
|
r = security_compute_create_raw(mycon, fcon, sclass, label);
|
|
if (r < 0)
|
|
return -errno;
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
char* mac_selinux_free(char *label) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!label)
|
|
return NULL;
|
|
|
|
if (!mac_selinux_use())
|
|
return NULL;
|
|
|
|
|
|
freecon(label);
|
|
#endif
|
|
|
|
return NULL;
|
|
}
|
|
|
|
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *filecon = NULL;
|
|
int r;
|
|
|
|
assert(path);
|
|
|
|
if (!label_hnd)
|
|
return 0;
|
|
|
|
if (path_is_absolute(path))
|
|
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
|
|
else {
|
|
_cleanup_free_ char *newpath = NULL;
|
|
|
|
r = path_make_absolute_cwd(path, &newpath);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
|
|
}
|
|
|
|
if (r < 0) {
|
|
/* No context specified by the policy? Proceed without setting it. */
|
|
if (errno == ENOENT)
|
|
return 0;
|
|
|
|
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
|
|
} else {
|
|
if (setfscreatecon_raw(filecon) >= 0)
|
|
return 0; /* Success! */
|
|
|
|
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
|
|
}
|
|
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
void mac_selinux_create_file_clear(void) {
|
|
|
|
#if HAVE_SELINUX
|
|
PROTECT_ERRNO;
|
|
|
|
if (!mac_selinux_use())
|
|
return;
|
|
|
|
setfscreatecon_raw(NULL);
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_create_socket_prepare(const char *label) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!mac_selinux_use())
|
|
return 0;
|
|
|
|
assert(label);
|
|
|
|
if (setsockcreatecon(label) < 0) {
|
|
log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
|
|
|
|
if (security_getenforce() == 1)
|
|
return -errno;
|
|
}
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
void mac_selinux_create_socket_clear(void) {
|
|
|
|
#if HAVE_SELINUX
|
|
PROTECT_ERRNO;
|
|
|
|
if (!mac_selinux_use())
|
|
return;
|
|
|
|
setsockcreatecon_raw(NULL);
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
|
|
|
|
/* Binds a socket and label its file system object according to the SELinux policy */
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *fcon = NULL;
|
|
const struct sockaddr_un *un;
|
|
bool context_changed = false;
|
|
char *path;
|
|
int r;
|
|
|
|
assert(fd >= 0);
|
|
assert(addr);
|
|
assert(addrlen >= sizeof(sa_family_t));
|
|
|
|
if (!label_hnd)
|
|
goto skipped;
|
|
|
|
/* Filter out non-local sockets */
|
|
if (addr->sa_family != AF_UNIX)
|
|
goto skipped;
|
|
|
|
/* Filter out anonymous sockets */
|
|
if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
|
|
goto skipped;
|
|
|
|
/* Filter out abstract namespace sockets */
|
|
un = (const struct sockaddr_un*) addr;
|
|
if (un->sun_path[0] == 0)
|
|
goto skipped;
|
|
|
|
path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
|
|
|
|
if (path_is_absolute(path))
|
|
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
|
|
else {
|
|
_cleanup_free_ char *newpath = NULL;
|
|
|
|
r = path_make_absolute_cwd(path, &newpath);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
|
|
}
|
|
|
|
if (r < 0) {
|
|
/* No context specified by the policy? Proceed without setting it */
|
|
if (errno == ENOENT)
|
|
goto skipped;
|
|
|
|
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
|
|
} else {
|
|
if (setfscreatecon_raw(fcon) < 0) {
|
|
log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
} else
|
|
context_changed = true;
|
|
}
|
|
|
|
r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
|
|
|
|
if (context_changed)
|
|
setfscreatecon_raw(NULL);
|
|
|
|
return r;
|
|
|
|
skipped:
|
|
#endif
|
|
if (bind(fd, addr, addrlen) < 0)
|
|
return -errno;
|
|
|
|
return 0;
|
|
}
|