Commit | Line | Data |
---|---|---|
1479465f GJ |
1 | /* |
2 | * dpkg - main program for package management | |
3 | * selinux.c - SE Linux support | |
4 | * | |
5 | * Copyright © 2007-2015 Guillem Jover <guillem@debian.org> | |
6 | * | |
7 | * This is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * along with this program. If not, see <https://www.gnu.org/licenses/>. | |
19 | */ | |
20 | ||
21 | #include <config.h> | |
22 | #include <compat.h> | |
23 | ||
24 | #include <sys/types.h> | |
25 | #include <sys/stat.h> | |
26 | ||
27 | #include <errno.h> | |
28 | #include <unistd.h> | |
29 | ||
30 | #include <dpkg/i18n.h> | |
31 | #include <dpkg/dpkg.h> | |
32 | #include <dpkg/dpkg-db.h> | |
33 | ||
34 | #ifdef WITH_LIBSELINUX | |
35 | #include <selinux/selinux.h> | |
36 | #include <selinux/avc.h> | |
37 | #include <selinux/label.h> | |
38 | #endif | |
39 | ||
40 | #include "main.h" | |
41 | ||
42 | #ifdef WITH_LIBSELINUX | |
43 | static struct selabel_handle *sehandle; | |
44 | #endif | |
45 | ||
46 | void | |
47 | dpkg_selabel_load(void) | |
48 | { | |
49 | #ifdef WITH_LIBSELINUX | |
50 | static int selinux_enabled = -1; | |
51 | ||
52 | if (selinux_enabled < 0) { | |
53 | int rc; | |
54 | ||
55 | /* Set selinux_enabled if it is not already set (singleton). */ | |
56 | selinux_enabled = (is_selinux_enabled() > 0); | |
57 | if (!selinux_enabled) | |
58 | return; | |
59 | ||
60 | /* Open the SELinux status notification channel, with fallback | |
61 | * enabled for older kernels. */ | |
62 | rc = selinux_status_open(1); | |
63 | if (rc < 0) | |
64 | ohshit(_("cannot open security status notification channel")); | |
65 | ||
66 | /* XXX: We could use selinux_set_callback() to redirect the | |
67 | * errors from the other SELinux calls, but that does not seem | |
68 | * worth it right now. */ | |
69 | } else if (selinux_enabled && selinux_status_updated()) { | |
70 | /* The SELinux policy got updated in the kernel, usually after | |
71 | * upgrading the package shipping it, we need to reload. */ | |
72 | selabel_close(sehandle); | |
73 | } else { | |
74 | /* SELinux is either disabled or it does not need a reload. */ | |
75 | return; | |
76 | } | |
77 | ||
78 | sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0); | |
79 | if (sehandle == NULL && security_getenforce() == 1) | |
80 | ohshite(_("cannot get security labeling handle")); | |
81 | #endif | |
82 | } | |
83 | ||
84 | void | |
85 | dpkg_selabel_set_context(const char *matchpath, const char *path, mode_t mode) | |
86 | { | |
87 | #ifdef WITH_LIBSELINUX | |
88 | security_context_t scontext = NULL; | |
89 | int ret; | |
90 | ||
91 | /* If SELinux is not enabled just do nothing. */ | |
92 | if (sehandle == NULL) | |
93 | return; | |
94 | ||
95 | /* | |
96 | * We use the _raw function variants here so that no translation | |
97 | * happens from computer to human readable forms, to avoid issues | |
98 | * when mcstransd has disappeared during the unpack process. | |
99 | */ | |
100 | ||
101 | /* Do nothing if we can't figure out what the context is, or if it has | |
102 | * no context; in which case the default context shall be applied. */ | |
103 | ret = selabel_lookup_raw(sehandle, &scontext, matchpath, mode & S_IFMT); | |
104 | if (ret == -1 || (ret == 0 && scontext == NULL)) | |
105 | return; | |
106 | ||
107 | ret = lsetfilecon_raw(path, scontext); | |
108 | if (ret < 0 && errno != ENOTSUP) | |
109 | ohshite(_("cannot set security context for file object '%s'"), | |
110 | path); | |
111 | ||
112 | freecon(scontext); | |
113 | #endif /* WITH_LIBSELINUX */ | |
114 | } | |
115 | ||
116 | void | |
117 | dpkg_selabel_close(void) | |
118 | { | |
119 | #ifdef WITH_LIBSELINUX | |
120 | if (sehandle == NULL) | |
121 | return; | |
122 | ||
123 | selinux_status_close(); | |
124 | selabel_close(sehandle); | |
125 | sehandle = NULL; | |
126 | #endif | |
127 | } |