[dpkg] / src / selinux.c

/*
 * dpkg - main program for package management
 * selinux.c - SE Linux support
 *
 * Copyright © 2007-2015 Guillem Jover <guillem@debian.org>
 *
 * This is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */

#include <config.h>
#include <compat.h>

#include <sys/types.h>
#include <sys/stat.h>

#include <errno.h>
#include <unistd.h>

#include <dpkg/i18n.h>
#include <dpkg/dpkg.h>
#include <dpkg/dpkg-db.h>

#ifdef WITH_LIBSELINUX
#include <selinux/selinux.h>
#include <selinux/avc.h>
#include <selinux/label.h>
#endif

#include "main.h"

#ifdef WITH_LIBSELINUX
static struct selabel_handle *sehandle;
#endif

void
dpkg_selabel_load(void)
{
#ifdef WITH_LIBSELINUX
	static int selinux_enabled = -1;

	if (selinux_enabled < 0) {
		int rc;

		/* Set selinux_enabled if it is not already set (singleton). */
		selinux_enabled = (is_selinux_enabled() > 0);
		if (!selinux_enabled)
			return;

		/* Open the SELinux status notification channel, with fallback
		 * enabled for older kernels. */
		rc = selinux_status_open(1);
		if (rc < 0)
			ohshit(_("cannot open security status notification channel"));

		/* XXX: We could use selinux_set_callback() to redirect the
		 * errors from the other SELinux calls, but that does not seem
		 * worth it right now. */
	} else if (selinux_enabled && selinux_status_updated()) {
		/* The SELinux policy got updated in the kernel, usually after
		 * upgrading the package shipping it, we need to reload. */
		selabel_close(sehandle);
	} else {
		/* SELinux is either disabled or it does not need a reload. */
		return;
	}

	sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
	if (sehandle == NULL && security_getenforce() == 1)
		ohshite(_("cannot get security labeling handle"));
#endif
}

void
dpkg_selabel_set_context(const char *matchpath, const char *path, mode_t mode)
{
#ifdef WITH_LIBSELINUX
	security_context_t scontext = NULL;
	int ret;

	/* If SELinux is not enabled just do nothing. */
	if (sehandle == NULL)
		return;

	/*
	 * We use the _raw function variants here so that no translation
	 * happens from computer to human readable forms, to avoid issues
	 * when mcstransd has disappeared during the unpack process.
	 */

	/* Do nothing if we can't figure out what the context is, or if it has
	 * no context; in which case the default context shall be applied. */
	ret = selabel_lookup_raw(sehandle, &scontext, matchpath, mode & S_IFMT);
	if (ret == -1 || (ret == 0 && scontext == NULL))
		return;

	ret = lsetfilecon_raw(path, scontext);
	if (ret < 0 && errno != ENOTSUP)
		ohshite(_("cannot set security context for file object '%s'"),
		        path);

	freecon(scontext);
#endif /* WITH_LIBSELINUX */
}

void
dpkg_selabel_close(void)
{
#ifdef WITH_LIBSELINUX
	if (sehandle == NULL)
		return;

	selinux_status_close();
	selabel_close(sehandle);
	sehandle = NULL;
#endif
}
Commit	Line	Data
1479465f GJ	1	/*
	2	* dpkg - main program for package management
	3	* selinux.c - SE Linux support
	4	*
	5	* Copyright © 2007-2015 Guillem Jover <guillem@debian.org>
	6	*
	7	* This is free software; you can redistribute it and/or modify
	8	* it under the terms of the GNU General Public License as published by
	9	* the Free Software Foundation; either version 2 of the License, or
	10	* (at your option) any later version.
	11	*
	12	* This is distributed in the hope that it will be useful,
	13	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	* GNU General Public License for more details.
	16	*
	17	* You should have received a copy of the GNU General Public License
	18	* along with this program. If not, see <https://www.gnu.org/licenses/>.
	19	*/
	20
	21	#include <config.h>
	22	#include <compat.h>
	23
	24	#include <sys/types.h>
	25	#include <sys/stat.h>
	26
	27	#include <errno.h>
	28	#include <unistd.h>
	29
	30	#include <dpkg/i18n.h>
	31	#include <dpkg/dpkg.h>
	32	#include <dpkg/dpkg-db.h>
	33
	34	#ifdef WITH_LIBSELINUX
	35	#include <selinux/selinux.h>
	36	#include <selinux/avc.h>
	37	#include <selinux/label.h>
	38	#endif
	39
	40	#include "main.h"
	41
	42	#ifdef WITH_LIBSELINUX
	43	static struct selabel_handle *sehandle;
	44	#endif
	45
	46	void
	47	dpkg_selabel_load(void)
	48	{
	49	#ifdef WITH_LIBSELINUX
	50	static int selinux_enabled = -1;
	51
	52	if (selinux_enabled < 0) {
	53	int rc;
	54
	55	/* Set selinux_enabled if it is not already set (singleton). */
	56	selinux_enabled = (is_selinux_enabled() > 0);
	57	if (!selinux_enabled)
	58	return;
	59
	60	/* Open the SELinux status notification channel, with fallback
	61	* enabled for older kernels. */
	62	rc = selinux_status_open(1);
	63	if (rc < 0)
	64	ohshit(_("cannot open security status notification channel"));
65
66	/* XXX: We could use selinux_set_callback() to redirect the
67	* errors from the other SELinux calls, but that does not seem
68	* worth it right now. */
69	} else if (selinux_enabled && selinux_status_updated()) {
70	/* The SELinux policy got updated in the kernel, usually after
71	* upgrading the package shipping it, we need to reload. */
72	selabel_close(sehandle);
73	} else {
74	/* SELinux is either disabled or it does not need a reload. */
75	return;
76	}
77
78	sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
79	if (sehandle == NULL && security_getenforce() == 1)
80	ohshite(_("cannot get security labeling handle"));
81	#endif
82	}
83
84	void
85	dpkg_selabel_set_context(const char matchpath, const char path, mode_t mode)
86	{
87	#ifdef WITH_LIBSELINUX
88	security_context_t scontext = NULL;
89	int ret;
90
91	/* If SELinux is not enabled just do nothing. */
92	if (sehandle == NULL)
93	return;
94
95	/*
96	* We use the _raw function variants here so that no translation
97	* happens from computer to human readable forms, to avoid issues
98	* when mcstransd has disappeared during the unpack process.
99	*/
100
101	/* Do nothing if we can't figure out what the context is, or if it has
102	* no context; in which case the default context shall be applied. */
103	ret = selabel_lookup_raw(sehandle, &scontext, matchpath, mode & S_IFMT);
104	if (ret == -1 \|\| (ret == 0 && scontext == NULL))
105	return;
106
107	ret = lsetfilecon_raw(path, scontext);
108	if (ret < 0 && errno != ENOTSUP)
109	ohshite(_("cannot set security context for file object '%s'"),
110	path);
111
112	freecon(scontext);
113	#endif /* WITH_LIBSELINUX */
114	}
115
116	void
117	dpkg_selabel_close(void)
118	{
119	#ifdef WITH_LIBSELINUX
120	if (sehandle == NULL)
121	return;
122
123	selinux_status_close();
124	selabel_close(sehandle);
125	sehandle = NULL;
126	#endif
127	}