picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/basic/selinux-util.c
Lennart Poettering 08c849815c label: rework label_fix() implementations (#8583) 
This reworks the SELinux and SMACK label fixing calls in a number of
ways:

1. The two separate boolean arguments of these functions are converted
   into a flags type LabelFixFlags.

2. The operations are now implemented based on O_PATH. This should
   resolve TTOCTTOU races between determining the label for the file
   system object and applying it, as it it allows to pin the object
   while we are operating on it.

3. When changing a label fails we'll query the label previously set, and
   if matches what we want to set anyway we'll suppress the error.

Also, all calls to label_fix() are now (void)ified, when we ignore the
return values.

Fixes: #8566
2018-03-27 07:38:26 +02:00

501 lines
13 KiB
C
Raw Blame History

/* SPDX-License-Identifier: LGPL-2.1+ */
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <errno.h>
#include <malloc.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/un.h>
#include <syslog.h>
#if HAVE_SELINUX
#include <selinux/context.h>
#include <selinux/label.h>
#include <selinux/selinux.h>
#endif
#include "alloc-util.h"
#include "fd-util.h"
#include "log.h"
#include "macro.h"
#include "path-util.h"
#include "selinux-util.h"
#include "stdio-util.h"
#include "time-util.h"
#include "util.h"
#if HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
#define _cleanup_freecon_ _cleanup_(freeconp)
#define _cleanup_context_free_ _cleanup_(context_freep)
static int cached_use = -1;
static struct selabel_handle *label_hnd = NULL;
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
#endif
bool mac_selinux_use(void) {
#if HAVE_SELINUX
if (cached_use < 0)
cached_use = is_selinux_enabled() > 0;
return cached_use;
#else
return false;
#endif
}
void mac_selinux_retest(void) {
#if HAVE_SELINUX
cached_use = -1;
#endif
}
int mac_selinux_init(void) {
int r = 0;
#if HAVE_SELINUX
usec_t before_timestamp, after_timestamp;
struct mallinfo before_mallinfo, after_mallinfo;
if (label_hnd)
return 0;
if (!mac_selinux_use())
return 0;
before_mallinfo = mallinfo();
before_timestamp = now(CLOCK_MONOTONIC);
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
if (!label_hnd) {
log_enforcing("Failed to initialize SELinux context: %m");
r = security_getenforce() == 1 ? -errno : 0;
} else {
char timespan[FORMAT_TIMESPAN_MAX];
int l;
after_timestamp = now(CLOCK_MONOTONIC);
after_mallinfo = mallinfo();
l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
(l+1023)/1024);
}
#endif
return r;
}
void mac_selinux_finish(void) {
#if HAVE_SELINUX
if (!label_hnd)
return;
selabel_close(label_hnd);
label_hnd = NULL;
#endif
}
int mac_selinux_fix(const char *path, LabelFixFlags flags) {
#if HAVE_SELINUX
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
_cleanup_freecon_ char* fcon = NULL;
_cleanup_close_ int fd = -1;
struct stat st;
int r;
assert(path);
/* if mac_selinux_init() wasn't called before we are a NOOP */
if (!label_hnd)
return 0;
/* Open the file as O_PATH, to pin it while we determine and adjust the label */
fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
if (fd < 0) {
if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
return 0;
return -errno;
}
if (fstat(fd, &st) < 0)
return -errno;
if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
r = -errno;
/* If there's no label to set, then exit without warning */
if (r == -ENOENT)
return 0;
goto fail;
}
xsprintf(procfs_path, "/proc/self/fd/%i", fd);
if (setfilecon_raw(procfs_path, fcon) < 0) {
_cleanup_freecon_ char *oldcon = NULL;
r = -errno;
/* If the FS doesn't support labels, then exit without warning */
if (r == -EOPNOTSUPP)
return 0;
/* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
return 0;
/* If the old label is identical to the new one, suppress any kind of error */
if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
return 0;
goto fail;
}
return 0;
fail:
log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
if (security_getenforce() == 1)
return r;
#endif
return 0;
}
int mac_selinux_apply(const char *path, const char *label) {
#if HAVE_SELINUX
if (!mac_selinux_use())
return 0;
assert(path);
assert(label);
if (setfilecon(path, label) < 0) {
log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
if (security_getenforce() > 0)
return -errno;
}
#endif
return 0;
}
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
int r = -EOPNOTSUPP;
#if HAVE_SELINUX
_cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
security_class_t sclass;
assert(exe);
assert(label);
if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
if (r < 0)
return -errno;
r = getfilecon_raw(exe, &fcon);
if (r < 0)
return -errno;
sclass = string_to_security_class("process");
r = security_compute_create_raw(mycon, fcon, sclass, label);
if (r < 0)
return -errno;
#endif
return r;
}
int mac_selinux_get_our_label(char **label) {
int r = -EOPNOTSUPP;
assert(label);
#if HAVE_SELINUX
if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(label);
if (r < 0)
return -errno;
#endif
return r;
}
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
int r = -EOPNOTSUPP;
#if HAVE_SELINUX
_cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
security_class_t sclass;
const char *range = NULL;
assert(socket_fd >= 0);
assert(exe);
assert(label);
if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
if (r < 0)
return -errno;
r = getpeercon_raw(socket_fd, &peercon);
if (r < 0)
return -errno;
if (!exec_label) {
/* If there is no context set for next exec let's use context
of target executable */
r = getfilecon_raw(exe, &fcon);
if (r < 0)
return -errno;
}
bcon = context_new(mycon);
if (!bcon)
return -ENOMEM;
pcon = context_new(peercon);
if (!pcon)
return -ENOMEM;
range = context_range_get(pcon);
if (!range)
return -errno;
r = context_range_set(bcon, range);
if (r)
return -errno;
freecon(mycon);
mycon = strdup(context_str(bcon));
if (!mycon)
return -ENOMEM;
sclass = string_to_security_class("process");
r = security_compute_create_raw(mycon, fcon, sclass, label);
if (r < 0)
return -errno;
#endif
return r;
}
char* mac_selinux_free(char *label) {
#if HAVE_SELINUX
if (!label)
return NULL;
if (!mac_selinux_use())
return NULL;
freecon(label);
#endif
return NULL;
}
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
#if HAVE_SELINUX
_cleanup_freecon_ char *filecon = NULL;
int r;
assert(path);
if (!label_hnd)
return 0;
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
else {
_cleanup_free_ char *newpath = NULL;
r = path_make_absolute_cwd(path, &newpath);
if (r < 0)
return r;
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
}
if (r < 0) {
/* No context specified by the policy? Proceed without setting it. */
if (errno == ENOENT)
return 0;
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
} else {
if (setfscreatecon_raw(filecon) >= 0)
return 0; /* Success! */
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
}
if (security_getenforce() > 0)
return -errno;
#endif
return 0;
}
void mac_selinux_create_file_clear(void) {
#if HAVE_SELINUX
PROTECT_ERRNO;
if (!mac_selinux_use())
return;
setfscreatecon_raw(NULL);
#endif
}
int mac_selinux_create_socket_prepare(const char *label) {
#if HAVE_SELINUX
if (!mac_selinux_use())
return 0;
assert(label);
if (setsockcreatecon(label) < 0) {
log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
if (security_getenforce() == 1)
return -errno;
}
#endif
return 0;
}
void mac_selinux_create_socket_clear(void) {
#if HAVE_SELINUX
PROTECT_ERRNO;
if (!mac_selinux_use())
return;
setsockcreatecon_raw(NULL);
#endif
}
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
/* Binds a socket and label its file system object according to the SELinux policy */
#if HAVE_SELINUX
_cleanup_freecon_ char *fcon = NULL;
const struct sockaddr_un *un;
bool context_changed = false;
char *path;
int r;
assert(fd >= 0);
assert(addr);
assert(addrlen >= sizeof(sa_family_t));
if (!label_hnd)
goto skipped;
/* Filter out non-local sockets */
if (addr->sa_family != AF_UNIX)
goto skipped;
/* Filter out anonymous sockets */
if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
goto skipped;
/* Filter out abstract namespace sockets */
un = (const struct sockaddr_un*) addr;
if (un->sun_path[0] == 0)
goto skipped;
path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
if (path_is_absolute(path))
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
else {
_cleanup_free_ char *newpath = NULL;
r = path_make_absolute_cwd(path, &newpath);
if (r < 0)
return r;
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
}
if (r < 0) {
/* No context specified by the policy? Proceed without setting it */
if (errno == ENOENT)
goto skipped;
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
if (security_getenforce() > 0)
return -errno;
} else {
if (setfscreatecon_raw(fcon) < 0) {
log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
if (security_getenforce() > 0)
return -errno;
} else
context_changed = true;
}
r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
if (context_changed)
setfscreatecon_raw(NULL);
return r;
skipped:
#endif
if (bind(fd, addr, addrlen) < 0)
return -errno;
return 0;
}
Reference in a new issue View git blame Copy permalink