Attachment #380736 for bug #516956

Lines 6-8 PKG_PREFIX?= /usr Link Here

(-)a/mk/os-Linux.mk (+6 lines)
6		6
7	CPPFLAGS+= -D_BSD_SOURCE -D_XOPEN_SOURCE=700	7	CPPFLAGS+= -D_BSD_SOURCE -D_XOPEN_SOURCE=700
8	LIBDL= -Wl,-Bdynamic -ldl	8	LIBDL= -Wl,-Bdynamic -ldl
		9
		10	ifeq (${MKSELINUX},yes)
		11	CPPFLAGS+= -DHAVE_SELINUX
		12	LIBSELINUX= -lselinux
		13	LDADD += $(LIBSELINUX)
		14	endif

Lines 4-9 SRCS= checkpath.c fstabinfo.c mountinfo.c start-stop-daemon.c \ Link Here

(-)a/src/rc/Makefile (+4 lines)
4	rc-misc.c rc-plugin.c rc-service.c rc-status.c rc-update.c \	4	rc-misc.c rc-plugin.c rc-service.c rc-status.c rc-update.c \
5	runscript.c rc.c swclock.c	5	runscript.c rc.c swclock.c
6		6
		7	ifeq (${MKSELINUX},yes)
		8	SRCS+= rc-selinux-util.c
		9	endif
		10
7	CLEANFILES= version.h	11	CLEANFILES= version.h
8		12
9	BINDIR= ${PREFIX}/bin	13	BINDIR= ${PREFIX}/bin

Lines 46-51 Link Here

(-)a/src/rc/checkpath.c (-6 / +22 lines)
46	#include "einfo.h"	46	#include "einfo.h"
47	#include "rc-misc.h"	47	#include "rc-misc.h"
48		48
		49	#ifdef HAVE_SELINUX
		50	#include "rc-selinux-util.h"
		51	#endif
		52
49	typedef enum {	53	typedef enum {
50	inode_unknown = 0,	54	inode_unknown = 0,
51	inode_file = 1,	55	inode_file = 1,
Lines 55-67 typedef enum { Link Here
55		59
56	extern const char *applet;	60	extern const char *applet;
57		61
58	/* TODO: SELinux
59	* This needs a LOT of SELinux loving
60	* See systemd's src/label.c:label_mkdir
61	*/
62	static int	62	static int
63	do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type,	63	do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type,
64	bool trunc, bool chowner)	64	bool trunc, bool chowner, bool selinux_on)
65	{	65	{
66	struct stat st;	66	struct stat st;
67	int fd, flags;	67	int fd, flags;
Lines 149-154 do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type, Link Here
149	}	149	}
150	}	150	}
151		151
		152	#ifdef HAVE_SELINUX
		153	if (selinux_on)
		154	selinux_util_label(path);
		155	#endif
		156
152	return 0;	157	return 0;
153	}	158	}
154		159
Lines 226-231 checkpath(int argc, char **argv) Link Here
226	bool trunc = false;	231	bool trunc = false;
227	bool chowner = false;	232	bool chowner = false;
228	bool writable = false;	233	bool writable = false;
		234	bool selinux_on = false;
229		235
230	while ((opt = getopt_long(argc, argv, getoptstring,	236	while ((opt = getopt_long(argc, argv, getoptstring,
231	longopts, (int *) 0)) != -1)	237	longopts, (int *) 0)) != -1)
Lines 276-288 checkpath(int argc, char **argv) Link Here
276	if (gr)	282	if (gr)
277	gid = gr->gr_gid;	283	gid = gr->gr_gid;
278		284
		285	#ifdef HAVE_SELINUX
		286	if (1 == selinux_util_open())
		287	selinux_on = true;
		288	#endif
		289
279	while (optind < argc) {	290	while (optind < argc) {
280	if (writable)	291	if (writable)
281	exit(!is_writable(argv[optind]));	292	exit(!is_writable(argv[optind]));
282	if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner))	293	if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, selinux_on))
283	retval = EXIT_FAILURE;	294	retval = EXIT_FAILURE;
284	optind++;	295	optind++;
285	}	296	}
286		297
		298	#ifdef HAVE_SELINUX
		299	if (selinux_on)
		300	selinux_util_close();
		301	#endif
		302
287	return retval;	303	return retval;
288	}	304	}




/*
  rc-selinux.c
  SELinux helpers to get and set contexts.
*/

/*
 * Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

// TODO: take out the printf's
#include <stdio.h>

#include <errno.h>
#include <sys/stat.h>

#include <selinux/selinux.h>
#include <selinux/label.h>

#include "rc-selinux-util.h"

static struct selabel_handle *hnd = NULL;

int
selinux_util_label(const char *path)
{
	int retval = 0;
	int enforce;
	struct stat st;
	security_context_t con;

	printf("Labelling file: %s\n", path);

	enforce = security_getenforce();
	if (retval < 0)
		return retval;

	if (NULL == hnd)
		return (enforce) ? -1 : 0;

	retval = lstat(path, &st);
	if (retval < 0) {
		if (ENOENT == errno)
			return 0;
		return (enforce) ? -1 : 0;
	}

	/* lookup the context */
	retval = selabel_lookup_raw(hnd, &con, path, st.st_mode);
	if (retval < 0) {
		if (ENOENT == errno)
			return 0;
		return (enforce) ? -1 : 0;
	}

	/* apply the context */
	retval = lsetfilecon(path, con);
	freecon(con);
	if (retval < 0) {
		if (ENOENT == errno)
			return 0;
		if (ENOTSUP == errno)
			return 0;
		return (enforce) ? -1 : 0;
	}

	return 0;
}

/*
 * Open the label handle
 * returns 1 on success, 0 if no selinux, negative on error
 */
int
selinux_util_open(void)
{
	int retval = 0;

	printf("Opening selinux handle\n");

	retval = is_selinux_enabled();
	if (retval <= 0)
		return retval;

	hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
	if (NULL == hnd)
		return -2;

	printf("Opened selinux handle\n");
	return 1;
}

/*
 * Close the label handle
 * returns 1 on success, 0 if no selinux, negative on error
 */
int
selinux_util_close(void)
{
	int retval = 0;

	printf("Closing selinux handle\n");

	retval = is_selinux_enabled();
	if (retval <= 0)
		return retval;

	if (hnd) {
		selabel_close(hnd);
		hnd = NULL;
	}

	return 0;
}





/*
 * Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef RC_SELINUX_UTIL_H
#define RC_SELINUX_UTIL_H

int selinux_util_open(void);
int selinux_util_label(const char *path);
int selinux_util_close(void);

#endif

Return to bug 516956

Line 0 Link Here

(-)a/src/rc/rc-selinux-util.c (+135 lines)
		1	/*
		2	rc-selinux.c
		3	SELinux helpers to get and set contexts.
		4	*/
		5
		6	/*
		7	* Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
		8	*
		9	* Redistribution and use in source and binary forms, with or without
		10	* modification, are permitted provided that the following conditions
		11	* are met:
		12	* 1. Redistributions of source code must retain the above copyright
		13	* notice, this list of conditions and the following disclaimer.
		14	* 2. Redistributions in binary form must reproduce the above copyright
		15	* notice, this list of conditions and the following disclaimer in the
		16	* documentation and/or other materials provided with the distribution.
		17	*
		18	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
		19	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		20	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
		21	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
		22	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
		23	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
		24	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		25	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
		26	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
		27	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
		28	* SUCH DAMAGE.
		29	*/
		30
		31	// TODO: take out the printf's
		32	#include <stdio.h>
		33
		34	#include <errno.h>
		35	#include <sys/stat.h>
		36
		37	#include <selinux/selinux.h>
		38	#include <selinux/label.h>
		39
		40	#include "rc-selinux-util.h"
		41
		42	static struct selabel_handle *hnd = NULL;
		43
		44	int
		45	selinux_util_label(const char *path)
		46	{
		47	int retval = 0;
		48	int enforce;
		49	struct stat st;
		50	security_context_t con;
		51
		52	printf("Labelling file: %s\n", path);
		53
		54	enforce = security_getenforce();
		55	if (retval < 0)
		56	return retval;
		57
		58	if (NULL == hnd)
		59	return (enforce) ? -1 : 0;
		60
		61	retval = lstat(path, &st);
		62	if (retval < 0) {
		63	if (ENOENT == errno)
		64	return 0;
65	return (enforce) ? -1 : 0;
66	}
67
68	/* lookup the context */
69	retval = selabel_lookup_raw(hnd, &con, path, st.st_mode);
70	if (retval < 0) {
71	if (ENOENT == errno)
72	return 0;
73	return (enforce) ? -1 : 0;
74	}
75
76	/* apply the context */
77	retval = lsetfilecon(path, con);
78	freecon(con);
79	if (retval < 0) {
80	if (ENOENT == errno)
81	return 0;
82	if (ENOTSUP == errno)
83	return 0;
84	return (enforce) ? -1 : 0;
85	}
86
87	return 0;
88	}
89
90	/*
91	* Open the label handle
92	* returns 1 on success, 0 if no selinux, negative on error
93	*/
94	int
95	selinux_util_open(void)
96	{
97	int retval = 0;
98
99	printf("Opening selinux handle\n");
100
101	retval = is_selinux_enabled();
102	if (retval <= 0)
103	return retval;
104
105	hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
106	if (NULL == hnd)
107	return -2;
108
109	printf("Opened selinux handle\n");
110	return 1;
111	}
112
113	/*
114	* Close the label handle
115	* returns 1 on success, 0 if no selinux, negative on error
116	*/
117	int
118	selinux_util_close(void)
119	{
120	int retval = 0;
121
122	printf("Closing selinux handle\n");
123
124	retval = is_selinux_enabled();
125	if (retval <= 0)
126	return retval;
127
128	if (hnd) {
129	selabel_close(hnd);
130	hnd = NULL;
131	}
132
133	return 0;
134	}
135

Line 0 Link Here

(-)a/src/rc/rc-selinux-util.h (-1 / +33 lines)
0	-	1	/*
		2	* Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
		3	*
		4	* Redistribution and use in source and binary forms, with or without
		5	* modification, are permitted provided that the following conditions
		6	* are met:
		7	* 1. Redistributions of source code must retain the above copyright
		8	* notice, this list of conditions and the following disclaimer.
		9	* 2. Redistributions in binary form must reproduce the above copyright
		10	* notice, this list of conditions and the following disclaimer in the
		11	* documentation and/or other materials provided with the distribution.
		12	*
		13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
		14	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
		15	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
		16	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
		17	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
		18	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
		19	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
		20	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
		21	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
		22	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
		23	* SUCH DAMAGE.
		24	*/
		25
		26	#ifndef RC_SELINUX_UTIL_H
		27	#define RC_SELINUX_UTIL_H
		28
		29	int selinux_util_open(void);
		30	int selinux_util_label(const char *path);
		31	int selinux_util_close(void);
		32
		33	#endif