5d13a15b1d
Double newlines (i.e. one empty lines) are great to structure code. But let's avoid triple newlines (i.e. two empty lines), quadruple newlines, quintuple newlines, …, that's just spurious whitespace. It's an easy way to drop 121 lines of code, and keeps the coding style of our sources a bit tigther.
487 lines
12 KiB
C
487 lines
12 KiB
C
/* SPDX-License-Identifier: LGPL-2.1+ */
|
|
/***
|
|
This file is part of systemd.
|
|
|
|
Copyright 2010 Lennart Poettering
|
|
***/
|
|
|
|
#include <errno.h>
|
|
#include <malloc.h>
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
#include <sys/stat.h>
|
|
#include <sys/time.h>
|
|
#include <sys/un.h>
|
|
#include <syslog.h>
|
|
|
|
#if HAVE_SELINUX
|
|
#include <selinux/context.h>
|
|
#include <selinux/label.h>
|
|
#include <selinux/selinux.h>
|
|
#endif
|
|
|
|
#include "alloc-util.h"
|
|
#include "fd-util.h"
|
|
#include "log.h"
|
|
#include "macro.h"
|
|
#include "path-util.h"
|
|
#include "selinux-util.h"
|
|
#include "stdio-util.h"
|
|
#include "time-util.h"
|
|
#include "util.h"
|
|
|
|
#if HAVE_SELINUX
|
|
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
|
|
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
|
|
|
#define _cleanup_freecon_ _cleanup_(freeconp)
|
|
#define _cleanup_context_free_ _cleanup_(context_freep)
|
|
|
|
static int cached_use = -1;
|
|
static struct selabel_handle *label_hnd = NULL;
|
|
|
|
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
|
|
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
|
|
#endif
|
|
|
|
bool mac_selinux_use(void) {
|
|
#if HAVE_SELINUX
|
|
if (cached_use < 0)
|
|
cached_use = is_selinux_enabled() > 0;
|
|
|
|
return cached_use;
|
|
#else
|
|
return false;
|
|
#endif
|
|
}
|
|
|
|
void mac_selinux_retest(void) {
|
|
#if HAVE_SELINUX
|
|
cached_use = -1;
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_init(void) {
|
|
int r = 0;
|
|
|
|
#if HAVE_SELINUX
|
|
usec_t before_timestamp, after_timestamp;
|
|
struct mallinfo before_mallinfo, after_mallinfo;
|
|
|
|
if (label_hnd)
|
|
return 0;
|
|
|
|
if (!mac_selinux_use())
|
|
return 0;
|
|
|
|
before_mallinfo = mallinfo();
|
|
before_timestamp = now(CLOCK_MONOTONIC);
|
|
|
|
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
|
if (!label_hnd) {
|
|
log_enforcing("Failed to initialize SELinux context: %m");
|
|
r = security_getenforce() == 1 ? -errno : 0;
|
|
} else {
|
|
char timespan[FORMAT_TIMESPAN_MAX];
|
|
int l;
|
|
|
|
after_timestamp = now(CLOCK_MONOTONIC);
|
|
after_mallinfo = mallinfo();
|
|
|
|
l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
|
|
|
|
log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
|
|
format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
|
|
(l+1023)/1024);
|
|
}
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
void mac_selinux_finish(void) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!label_hnd)
|
|
return;
|
|
|
|
selabel_close(label_hnd);
|
|
label_hnd = NULL;
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_fix(const char *path, LabelFixFlags flags) {
|
|
|
|
#if HAVE_SELINUX
|
|
char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
|
|
_cleanup_freecon_ char* fcon = NULL;
|
|
_cleanup_close_ int fd = -1;
|
|
struct stat st;
|
|
int r;
|
|
|
|
assert(path);
|
|
|
|
/* if mac_selinux_init() wasn't called before we are a NOOP */
|
|
if (!label_hnd)
|
|
return 0;
|
|
|
|
/* Open the file as O_PATH, to pin it while we determine and adjust the label */
|
|
fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
|
|
if (fd < 0) {
|
|
if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
|
|
return 0;
|
|
|
|
return -errno;
|
|
}
|
|
|
|
if (fstat(fd, &st) < 0)
|
|
return -errno;
|
|
|
|
if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
|
|
r = -errno;
|
|
|
|
/* If there's no label to set, then exit without warning */
|
|
if (r == -ENOENT)
|
|
return 0;
|
|
|
|
goto fail;
|
|
}
|
|
|
|
xsprintf(procfs_path, "/proc/self/fd/%i", fd);
|
|
if (setfilecon_raw(procfs_path, fcon) < 0) {
|
|
_cleanup_freecon_ char *oldcon = NULL;
|
|
|
|
r = -errno;
|
|
|
|
/* If the FS doesn't support labels, then exit without warning */
|
|
if (r == -EOPNOTSUPP)
|
|
return 0;
|
|
|
|
/* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
|
|
if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
|
|
return 0;
|
|
|
|
/* If the old label is identical to the new one, suppress any kind of error */
|
|
if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
|
|
return 0;
|
|
|
|
goto fail;
|
|
}
|
|
|
|
return 0;
|
|
|
|
fail:
|
|
log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
|
|
if (security_getenforce() == 1)
|
|
return r;
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
int mac_selinux_apply(const char *path, const char *label) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!mac_selinux_use())
|
|
return 0;
|
|
|
|
assert(path);
|
|
assert(label);
|
|
|
|
if (setfilecon(path, label) < 0) {
|
|
log_enforcing("Failed to set SELinux security context %s on path %s: %m", label, path);
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
}
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
|
|
int r = -EOPNOTSUPP;
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
|
|
security_class_t sclass;
|
|
|
|
assert(exe);
|
|
assert(label);
|
|
|
|
if (!mac_selinux_use())
|
|
return -EOPNOTSUPP;
|
|
|
|
r = getcon_raw(&mycon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
r = getfilecon_raw(exe, &fcon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
sclass = string_to_security_class("process");
|
|
r = security_compute_create_raw(mycon, fcon, sclass, label);
|
|
if (r < 0)
|
|
return -errno;
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
int mac_selinux_get_our_label(char **label) {
|
|
int r = -EOPNOTSUPP;
|
|
|
|
assert(label);
|
|
|
|
#if HAVE_SELINUX
|
|
if (!mac_selinux_use())
|
|
return -EOPNOTSUPP;
|
|
|
|
r = getcon_raw(label);
|
|
if (r < 0)
|
|
return -errno;
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
|
|
int r = -EOPNOTSUPP;
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
|
|
_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
|
|
security_class_t sclass;
|
|
const char *range = NULL;
|
|
|
|
assert(socket_fd >= 0);
|
|
assert(exe);
|
|
assert(label);
|
|
|
|
if (!mac_selinux_use())
|
|
return -EOPNOTSUPP;
|
|
|
|
r = getcon_raw(&mycon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
r = getpeercon_raw(socket_fd, &peercon);
|
|
if (r < 0)
|
|
return -errno;
|
|
|
|
if (!exec_label) {
|
|
/* If there is no context set for next exec let's use context
|
|
of target executable */
|
|
r = getfilecon_raw(exe, &fcon);
|
|
if (r < 0)
|
|
return -errno;
|
|
}
|
|
|
|
bcon = context_new(mycon);
|
|
if (!bcon)
|
|
return -ENOMEM;
|
|
|
|
pcon = context_new(peercon);
|
|
if (!pcon)
|
|
return -ENOMEM;
|
|
|
|
range = context_range_get(pcon);
|
|
if (!range)
|
|
return -errno;
|
|
|
|
r = context_range_set(bcon, range);
|
|
if (r)
|
|
return -errno;
|
|
|
|
freecon(mycon);
|
|
mycon = strdup(context_str(bcon));
|
|
if (!mycon)
|
|
return -ENOMEM;
|
|
|
|
sclass = string_to_security_class("process");
|
|
r = security_compute_create_raw(mycon, fcon, sclass, label);
|
|
if (r < 0)
|
|
return -errno;
|
|
#endif
|
|
|
|
return r;
|
|
}
|
|
|
|
char* mac_selinux_free(char *label) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!label)
|
|
return NULL;
|
|
|
|
if (!mac_selinux_use())
|
|
return NULL;
|
|
|
|
freecon(label);
|
|
#endif
|
|
|
|
return NULL;
|
|
}
|
|
|
|
int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *filecon = NULL;
|
|
int r;
|
|
|
|
assert(path);
|
|
|
|
if (!label_hnd)
|
|
return 0;
|
|
|
|
if (path_is_absolute(path))
|
|
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
|
|
else {
|
|
_cleanup_free_ char *newpath = NULL;
|
|
|
|
r = path_make_absolute_cwd(path, &newpath);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
|
|
}
|
|
|
|
if (r < 0) {
|
|
/* No context specified by the policy? Proceed without setting it. */
|
|
if (errno == ENOENT)
|
|
return 0;
|
|
|
|
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
|
|
} else {
|
|
if (setfscreatecon_raw(filecon) >= 0)
|
|
return 0; /* Success! */
|
|
|
|
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
|
|
}
|
|
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
void mac_selinux_create_file_clear(void) {
|
|
|
|
#if HAVE_SELINUX
|
|
PROTECT_ERRNO;
|
|
|
|
if (!mac_selinux_use())
|
|
return;
|
|
|
|
setfscreatecon_raw(NULL);
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_create_socket_prepare(const char *label) {
|
|
|
|
#if HAVE_SELINUX
|
|
if (!mac_selinux_use())
|
|
return 0;
|
|
|
|
assert(label);
|
|
|
|
if (setsockcreatecon(label) < 0) {
|
|
log_enforcing("Failed to set SELinux security context %s for sockets: %m", label);
|
|
|
|
if (security_getenforce() == 1)
|
|
return -errno;
|
|
}
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
void mac_selinux_create_socket_clear(void) {
|
|
|
|
#if HAVE_SELINUX
|
|
PROTECT_ERRNO;
|
|
|
|
if (!mac_selinux_use())
|
|
return;
|
|
|
|
setsockcreatecon_raw(NULL);
|
|
#endif
|
|
}
|
|
|
|
int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
|
|
|
|
/* Binds a socket and label its file system object according to the SELinux policy */
|
|
|
|
#if HAVE_SELINUX
|
|
_cleanup_freecon_ char *fcon = NULL;
|
|
const struct sockaddr_un *un;
|
|
bool context_changed = false;
|
|
char *path;
|
|
int r;
|
|
|
|
assert(fd >= 0);
|
|
assert(addr);
|
|
assert(addrlen >= sizeof(sa_family_t));
|
|
|
|
if (!label_hnd)
|
|
goto skipped;
|
|
|
|
/* Filter out non-local sockets */
|
|
if (addr->sa_family != AF_UNIX)
|
|
goto skipped;
|
|
|
|
/* Filter out anonymous sockets */
|
|
if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
|
|
goto skipped;
|
|
|
|
/* Filter out abstract namespace sockets */
|
|
un = (const struct sockaddr_un*) addr;
|
|
if (un->sun_path[0] == 0)
|
|
goto skipped;
|
|
|
|
path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
|
|
|
|
if (path_is_absolute(path))
|
|
r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
|
|
else {
|
|
_cleanup_free_ char *newpath = NULL;
|
|
|
|
r = path_make_absolute_cwd(path, &newpath);
|
|
if (r < 0)
|
|
return r;
|
|
|
|
r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
|
|
}
|
|
|
|
if (r < 0) {
|
|
/* No context specified by the policy? Proceed without setting it */
|
|
if (errno == ENOENT)
|
|
goto skipped;
|
|
|
|
log_enforcing("Failed to determine SELinux security context for %s: %m", path);
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
|
|
} else {
|
|
if (setfscreatecon_raw(fcon) < 0) {
|
|
log_enforcing("Failed to set SELinux security context %s for %s: %m", fcon, path);
|
|
if (security_getenforce() > 0)
|
|
return -errno;
|
|
} else
|
|
context_changed = true;
|
|
}
|
|
|
|
r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
|
|
|
|
if (context_changed)
|
|
setfscreatecon_raw(NULL);
|
|
|
|
return r;
|
|
|
|
skipped:
|
|
#endif
|
|
if (bind(fd, addr, addrlen) < 0)
|
|
return -errno;
|
|
|
|
return 0;
|
|
}
|