/src/systemd/src/basic/selinux-util.c

Source (jump to first uncovered line)
/* SPDX-License-Identifier: LGPL-2.1+ */

#include <errno.h>
#include <fcntl.h>
#include <malloc.h>
#include <stddef.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/un.h>
#include <syslog.h>

#if HAVE_SELINUX
#include <selinux/context.h>
#include <selinux/label.h>
#include <selinux/selinux.h>
#endif

#include "alloc-util.h"
#include "errno-util.h"
#include "fd-util.h"
#include "log.h"
#include "macro.h"
#include "path-util.h"
#include "selinux-util.h"
#include "stdio-util.h"
#include "time-util.h"

#if HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);

#define _cleanup_freecon_ _cleanup_(freeconp)
#define _cleanup_context_free_ _cleanup_(context_freep)

static int cached_use = -1;
static struct selabel_handle *label_hnd = NULL;

#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
#endif

bool mac_selinux_use(void) {
#if HAVE_SELINUX
        if (cached_use < 0)
                cached_use = is_selinux_enabled() > 0;

        return cached_use;
#else
        return false;
#endif
}

void mac_selinux_retest(void) {
#if HAVE_SELINUX
        cached_use = -1;
#endif
}

int mac_selinux_init(void) {
        int r = 0;

#if HAVE_SELINUX
        usec_t before_timestamp, after_timestamp;
        struct mallinfo before_mallinfo, after_mallinfo;

        if (label_hnd)
                return 0;

        if (!mac_selinux_use())
                return 0;

        before_mallinfo = mallinfo();
        before_timestamp = now(CLOCK_MONOTONIC);

        label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
        if (!label_hnd) {
                log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
                r = security_getenforce() == 1 ? -errno : 0;
        } else  {
                char timespan[FORMAT_TIMESPAN_MAX];
                int l;

                after_timestamp = now(CLOCK_MONOTONIC);
                after_mallinfo = mallinfo();

                l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;

                log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
                          format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
                          (l+1023)/1024);
        }
#endif

        return r;
}

void mac_selinux_finish(void) {

#if HAVE_SELINUX
        if (!label_hnd)
                return;

        selabel_close(label_hnd);
        label_hnd = NULL;
#endif
}

int mac_selinux_fix(const char *path, LabelFixFlags flags) {

#if HAVE_SELINUX
        char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
        _cleanup_freecon_ char* fcon = NULL;
        _cleanup_close_ int fd = -1;
        struct stat st;
        int r;

        assert(path);

        /* if mac_selinux_init() wasn't called before we are a NOOP */
        if (!label_hnd)
                return 0;

        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
        if (fd < 0) {
                if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
                        return 0;

                return -errno;
        }

        if (fstat(fd, &st) < 0)
                return -errno;

        if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
                r = -errno;

                /* If there's no label to set, then exit without warning */
                if (r == -ENOENT)
                        return 0;

                goto fail;
        }

        xsprintf(procfs_path, "/proc/self/fd/%i", fd);
        if (setfilecon_raw(procfs_path, fcon) < 0) {
                _cleanup_freecon_ char *oldcon = NULL;

                r = -errno;

                /* If the FS doesn't support labels, then exit without warning */
                if (r == -EOPNOTSUPP)
                        return 0;

                /* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
                if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
                        return 0;

                /* If the old label is identical to the new one, suppress any kind of error */
                if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
                        return 0;

                goto fail;
        }

        return 0;

fail:
        log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
        if (security_getenforce() == 1)
                return r;
#endif

        return 0;
}

int mac_selinux_apply(const char *path, const char *label) {

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(path);
        assert(label);

        if (setfilecon(path, label) < 0) {
                log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
                if (security_getenforce() > 0)
                        return -errno;
        }
#endif
        return 0;
}

int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
        int r = -EOPNOTSUPP;

#if HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *fcon = NULL;
        security_class_t sclass;

        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        r = getfilecon_raw(exe, &fcon);
        if (r < 0)
                return -errno;

        sclass = string_to_security_class("process");
        r = security_compute_create_raw(mycon, fcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

int mac_selinux_get_our_label(char **label) {
        int r = -EOPNOTSUPP;

        assert(label);

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
        int r = -EOPNOTSUPP;

#if HAVE_SELINUX
        _cleanup_freecon_ char *mycon = NULL, *peercon = NULL, *fcon = NULL;
        _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
        security_class_t sclass;
        const char *range = NULL;

        assert(socket_fd >= 0);
        assert(exe);
        assert(label);

        if (!mac_selinux_use())
                return -EOPNOTSUPP;

        r = getcon_raw(&mycon);
        if (r < 0)
                return -errno;

        r = getpeercon_raw(socket_fd, &peercon);
        if (r < 0)
                return -errno;

        if (!exec_label) {
                /* If there is no context set for next exec let's use context
                   of target executable */
                r = getfilecon_raw(exe, &fcon);
                if (r < 0)
                        return -errno;
        }

        bcon = context_new(mycon);
        if (!bcon)
                return -ENOMEM;

        pcon = context_new(peercon);
        if (!pcon)
                return -ENOMEM;

        range = context_range_get(pcon);
        if (!range)
                return -errno;

        r = context_range_set(bcon, range);
        if (r)
                return -errno;

        freecon(mycon);
        mycon = strdup(context_str(bcon));
        if (!mycon)
                return -ENOMEM;

        sclass = string_to_security_class("process");
        r = security_compute_create_raw(mycon, fcon, sclass, label);
        if (r < 0)
                return -errno;
#endif

        return r;
}

char* mac_selinux_free(char *label) {

#if HAVE_SELINUX
        if (!label)
                return NULL;

        if (!mac_selinux_use())
                return NULL;

        freecon(label);
#endif

        return NULL;
}

#if HAVE_SELINUX
static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
        _cleanup_freecon_ char *filecon = NULL;
        int r;

        assert(abspath);
        assert(path_is_absolute(abspath));

        r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it. */
                if (errno == ENOENT)
                        return 0;

                log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
        } else {
                if (setfscreatecon_raw(filecon) >= 0)
                        return 0; /* Success! */

                log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
        }

        if (security_getenforce() > 0)
                return -errno;

        return 0;
}
#endif

int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
        int r = 0;

#if HAVE_SELINUX
        _cleanup_free_ char *abspath = NULL;

        assert(path);

        if (!label_hnd)
                return 0;

        if (!path_is_absolute(path)) {
                _cleanup_free_ char *p = NULL;

                if (dirfd == AT_FDCWD)
                        r = safe_getcwd(&p);
                else
                        r = fd_get_path(dirfd, &p);
                if (r < 0)
                        return r;

                path = abspath = path_join(p, path);
                if (!path)
                        return -ENOMEM;
        }

        r = selinux_create_file_prepare_abspath(path, mode);
#endif
        return r;
}

int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
        int r = 0;

#if HAVE_SELINUX
        _cleanup_free_ char *abspath = NULL;

        assert(path);

        if (!label_hnd)
                return 0;

        r = path_make_absolute_cwd(path, &abspath);
        if (r < 0)
                return r;

        r = selinux_create_file_prepare_abspath(abspath, mode);
#endif
        return r;
}

void mac_selinux_create_file_clear(void) {

#if HAVE_SELINUX
        PROTECT_ERRNO;

        if (!mac_selinux_use())
                return;

        setfscreatecon_raw(NULL);
#endif
}

int mac_selinux_create_socket_prepare(const char *label) {

#if HAVE_SELINUX
        if (!mac_selinux_use())
                return 0;

        assert(label);

        if (setsockcreatecon(label) < 0) {
                log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);

                if (security_getenforce() == 1)
                        return -errno;
        }
#endif

        return 0;
}

void mac_selinux_create_socket_clear(void) {

#if HAVE_SELINUX
        PROTECT_ERRNO;

        if (!mac_selinux_use())
                return;

        setsockcreatecon_raw(NULL);
#endif
}

int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {

        /* Binds a socket and label its file system object according to the SELinux policy */

#if HAVE_SELINUX
        _cleanup_freecon_ char *fcon = NULL;
        const struct sockaddr_un *un;
        bool context_changed = false;
        char *path;
        int r;

        assert(fd >= 0);
        assert(addr);
        assert(addrlen >= sizeof(sa_family_t));

        if (!label_hnd)
                goto skipped;

        /* Filter out non-local sockets */
        if (addr->sa_family != AF_UNIX)
                goto skipped;

        /* Filter out anonymous sockets */
        if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
                goto skipped;

        /* Filter out abstract namespace sockets */
        un = (const struct sockaddr_un*) addr;
        if (un->sun_path[0] == 0)
                goto skipped;

        path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));

        if (path_is_absolute(path))
                r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
        else {
                _cleanup_free_ char *newpath = NULL;

                r = path_make_absolute_cwd(path, &newpath);
                if (r < 0)
                        return r;

                r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
        }

        if (r < 0) {
                /* No context specified by the policy? Proceed without setting it */
                if (errno == ENOENT)
                        goto skipped;

                log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
                if (security_getenforce() > 0)
                        return -errno;

        } else {
                if (setfscreatecon_raw(fcon) < 0) {
                        log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
                        if (security_getenforce() > 0)
                                return -errno;
                } else
                        context_changed = true;
        }

        r = bind(fd, addr, addrlen) < 0 ? -errno : 0;

        if (context_changed)
                setfscreatecon_raw(NULL);

        return r;

skipped:
#endif
        if (bind(fd, addr, addrlen) < 0)
                return -errno;

        return 0;
}

Coverage Report

Created: 2019-06-19 13:33

Line	Count	Source (jump to first uncovered line)
1		/* SPDX-License-Identifier: LGPL-2.1+ */
2
3		#include <errno.h>
4		#include <fcntl.h>
5		#include <malloc.h>
6		#include <stddef.h>
7		#include <string.h>
8		#include <sys/stat.h>
9		#include <sys/time.h>
10		#include <sys/types.h>
11		#include <sys/un.h>
12		#include <syslog.h>
13
14		#if HAVE_SELINUX
15		#include <selinux/context.h>
16		#include <selinux/label.h>
17		#include <selinux/selinux.h>
18		#endif
19
20		#include "alloc-util.h"
21		#include "errno-util.h"
22		#include "fd-util.h"
23		#include "log.h"
24		#include "macro.h"
25		#include "path-util.h"
26		#include "selinux-util.h"
27		#include "stdio-util.h"
28		#include "time-util.h"
29
30		#if HAVE_SELINUX
31		DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
32		DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
33
34		#define _cleanup_freecon_ _cleanup_(freeconp)
35		#define _cleanup_context_free_ _cleanup_(context_freep)
36
37		static int cached_use = -1;
38		static struct selabel_handle *label_hnd = NULL;
39
40		#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
41		#define log_enforcing_errno(r, ...) log_full_errno(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, r, __VA_ARGS__)
42		#endif
43
44	1.10k	bool mac_selinux_use(void) {
45		#if HAVE_SELINUX
46		if (cached_use < 0)
47		cached_use = is_selinux_enabled() > 0;
48
49		return cached_use;
50		#else
51		return false;
52	1.10k	#endif
53	1.10k	}
54
55	0	void mac_selinux_retest(void) {
56		#if HAVE_SELINUX
57		cached_use = -1;
58		#endif
59		}
60
61	0	int mac_selinux_init(void) {
62	0	int r = 0;
63	0
64		#if HAVE_SELINUX
65		usec_t before_timestamp, after_timestamp;
66		struct mallinfo before_mallinfo, after_mallinfo;
67
68		if (label_hnd)
69		return 0;
70
71		if (!mac_selinux_use())
72		return 0;
73
74		before_mallinfo = mallinfo();
75		before_timestamp = now(CLOCK_MONOTONIC);
76
77		label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
78		if (!label_hnd) {
79		log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
80		r = security_getenforce() == 1 ? -errno : 0;
81		} else {
82		char timespan[FORMAT_TIMESPAN_MAX];
83		int l;
84
85		after_timestamp = now(CLOCK_MONOTONIC);
86		after_mallinfo = mallinfo();
87
88		l = after_mallinfo.uordblks > before_mallinfo.uordblks ? after_mallinfo.uordblks - before_mallinfo.uordblks : 0;
89
90		log_debug("Successfully loaded SELinux database in %s, size on heap is %iK.",
91		format_timespan(timespan, sizeof(timespan), after_timestamp - before_timestamp, 0),
92		(l+1023)/1024);
93		}
94		#endif
95
96	0	return r;
97	0	}
98
99	0	void mac_selinux_finish(void) {
100	0
101		#if HAVE_SELINUX
102		if (!label_hnd)
103		return;
104
105		selabel_close(label_hnd);
106		label_hnd = NULL;
107		#endif
108		}
109
110	0	int mac_selinux_fix(const char *path, LabelFixFlags flags) {
111	0
112		#if HAVE_SELINUX
113		char procfs_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)];
114		_cleanup_freecon_ char* fcon = NULL;
115		_cleanup_close_ int fd = -1;
116		struct stat st;
117		int r;
118
119		assert(path);
120
121		/* if mac_selinux_init() wasn't called before we are a NOOP */
122		if (!label_hnd)
123		return 0;
124
125		/* Open the file as O_PATH, to pin it while we determine and adjust the label */
126		fd = open(path, O_NOFOLLOW\|O_CLOEXEC\|O_PATH);
127		if (fd < 0) {
128		if ((flags & LABEL_IGNORE_ENOENT) && errno == ENOENT)
129		return 0;
130
131		return -errno;
132		}
133
134		if (fstat(fd, &st) < 0)
135		return -errno;
136
137		if (selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode) < 0) {
138		r = -errno;
139
140		/* If there's no label to set, then exit without warning */
141		if (r == -ENOENT)
142		return 0;
143
144		goto fail;
145		}
146
147		xsprintf(procfs_path, "/proc/self/fd/%i", fd);
148		if (setfilecon_raw(procfs_path, fcon) < 0) {
149		_cleanup_freecon_ char *oldcon = NULL;
150
151		r = -errno;
152
153		/* If the FS doesn't support labels, then exit without warning */
154		if (r == -EOPNOTSUPP)
155		return 0;
156
157		/* It the FS is read-only and we were told to ignore failures caused by that, suppress error */
158		if (r == -EROFS && (flags & LABEL_IGNORE_EROFS))
159		return 0;
160
161		/* If the old label is identical to the new one, suppress any kind of error */
162		if (getfilecon_raw(procfs_path, &oldcon) >= 0 && streq(fcon, oldcon))
163		return 0;
164
165		goto fail;
166		}
167
168		return 0;
169
170		fail:
171		log_enforcing_errno(r, "Unable to fix SELinux security context of %s: %m", path);
172		if (security_getenforce() == 1)
173		return r;
174		#endif
175
176	0	return 0;
177	0	}
178
179	0	int mac_selinux_apply(const char path, const char label) {
180	0
181		#if HAVE_SELINUX
182		if (!mac_selinux_use())
183		return 0;
184
185		assert(path);
186		assert(label);
187
188		if (setfilecon(path, label) < 0) {
189		log_enforcing_errno(errno, "Failed to set SELinux security context %s on path %s: %m", label, path);
190		if (security_getenforce() > 0)
191		return -errno;
192		}
193		#endif
194		return 0;
195	0	}
196
197	0	int mac_selinux_get_create_label_from_exe(const char exe, char *label) {
198	0	int r = -EOPNOTSUPP;
199	0
200		#if HAVE_SELINUX
201		_cleanup_freecon_ char mycon = NULL, fcon = NULL;
202		security_class_t sclass;
203
204		assert(exe);
205		assert(label);
206
207		if (!mac_selinux_use())
208		return -EOPNOTSUPP;
209
210		r = getcon_raw(&mycon);
211		if (r < 0)
212		return -errno;
213
214		r = getfilecon_raw(exe, &fcon);
215		if (r < 0)
216		return -errno;
217
218		sclass = string_to_security_class("process");
219		r = security_compute_create_raw(mycon, fcon, sclass, label);
220		if (r < 0)
221		return -errno;
222		#endif
223
224	0	return r;
225	0	}
226
227	0	int mac_selinux_get_our_label(char **label) {
228	0	int r = -EOPNOTSUPP;
229	0
230	0	assert(label);
231	0
232		#if HAVE_SELINUX
233		if (!mac_selinux_use())
234		return -EOPNOTSUPP;
235
236		r = getcon_raw(label);
237		if (r < 0)
238		return -errno;
239		#endif
240
241	0	return r;
242	0	}
243
244	0	int mac_selinux_get_child_mls_label(int socket_fd, const char exe, const char exec_label, char **label) {
245	0	int r = -EOPNOTSUPP;
246	0
247		#if HAVE_SELINUX
248		_cleanup_freecon_ char mycon = NULL, peercon = NULL, *fcon = NULL;
249		_cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
250		security_class_t sclass;
251		const char *range = NULL;
252
253		assert(socket_fd >= 0);
254		assert(exe);
255		assert(label);
256
257		if (!mac_selinux_use())
258		return -EOPNOTSUPP;
259
260		r = getcon_raw(&mycon);
261		if (r < 0)
262		return -errno;
263
264		r = getpeercon_raw(socket_fd, &peercon);
265		if (r < 0)
266		return -errno;
267
268		if (!exec_label) {
269		/* If there is no context set for next exec let's use context
270		of target executable */
271		r = getfilecon_raw(exe, &fcon);
272		if (r < 0)
273		return -errno;
274		}
275
276		bcon = context_new(mycon);
277		if (!bcon)
278		return -ENOMEM;
279
280		pcon = context_new(peercon);
281		if (!pcon)
282		return -ENOMEM;
283
284		range = context_range_get(pcon);
285		if (!range)
286		return -errno;
287
288		r = context_range_set(bcon, range);
289		if (r)
290		return -errno;
291
292		freecon(mycon);
293		mycon = strdup(context_str(bcon));
294		if (!mycon)
295		return -ENOMEM;
296
297		sclass = string_to_security_class("process");
298		r = security_compute_create_raw(mycon, fcon, sclass, label);
299		if (r < 0)
300		return -errno;
301		#endif
302
303	0	return r;
304	0	}
305
306	0	char* mac_selinux_free(char *label) {
307	0
308		#if HAVE_SELINUX
309		if (!label)
310		return NULL;
311
312		if (!mac_selinux_use())
313		return NULL;
314
315		freecon(label);
316		#endif
317
318	0	return NULL;
319	0	}
320
321		#if HAVE_SELINUX
322		static int selinux_create_file_prepare_abspath(const char *abspath, mode_t mode) {
323		_cleanup_freecon_ char *filecon = NULL;
324		int r;
325
326		assert(abspath);
327		assert(path_is_absolute(abspath));
328
329		r = selabel_lookup_raw(label_hnd, &filecon, abspath, mode);
330		if (r < 0) {
331		/* No context specified by the policy? Proceed without setting it. */
332		if (errno == ENOENT)
333		return 0;
334
335		log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", abspath);
336		} else {
337		if (setfscreatecon_raw(filecon) >= 0)
338		return 0; /* Success! */
339
340		log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", filecon, abspath);
341		}
342
343		if (security_getenforce() > 0)
344		return -errno;
345
346		return 0;
347		}
348		#endif
349
350	0	int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode) {
351	0	int r = 0;
352	0
353		#if HAVE_SELINUX
354		_cleanup_free_ char *abspath = NULL;
355
356		assert(path);
357
358		if (!label_hnd)
359		return 0;
360
361		if (!path_is_absolute(path)) {
362		_cleanup_free_ char *p = NULL;
363
364		if (dirfd == AT_FDCWD)
365		r = safe_getcwd(&p);
366		else
367		r = fd_get_path(dirfd, &p);
368		if (r < 0)
369		return r;
370
371		path = abspath = path_join(p, path);
372		if (!path)
373		return -ENOMEM;
374		}
375
376		r = selinux_create_file_prepare_abspath(path, mode);
377		#endif
378		return r;
379	0	}
380
381	0	int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
382	0	int r = 0;
383	0
384		#if HAVE_SELINUX
385		_cleanup_free_ char *abspath = NULL;
386
387		assert(path);
388
389		if (!label_hnd)
390		return 0;
391
392		r = path_make_absolute_cwd(path, &abspath);
393		if (r < 0)
394		return r;
395
396		r = selinux_create_file_prepare_abspath(abspath, mode);
397		#endif
398		return r;
399	0	}
400
401	0	void mac_selinux_create_file_clear(void) {
402	0
403		#if HAVE_SELINUX
404		PROTECT_ERRNO;
405
406		if (!mac_selinux_use())
407		return;
408
409		setfscreatecon_raw(NULL);
410		#endif
411		}
412
413	0	int mac_selinux_create_socket_prepare(const char *label) {
414	0
415		#if HAVE_SELINUX
416		if (!mac_selinux_use())
417		return 0;
418
419		assert(label);
420
421		if (setsockcreatecon(label) < 0) {
422		log_enforcing_errno(errno, "Failed to set SELinux security context %s for sockets: %m", label);
423
424		if (security_getenforce() == 1)
425		return -errno;
426		}
427		#endif
428
429	0	return 0;
430	0	}
431
432	0	void mac_selinux_create_socket_clear(void) {
433	0
434		#if HAVE_SELINUX
435		PROTECT_ERRNO;
436
437		if (!mac_selinux_use())
438		return;
439
440		setsockcreatecon_raw(NULL);
441		#endif
442		}
443
444	0	int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
445	0
446	0	/* Binds a socket and label its file system object according to the SELinux policy */
447	0
448		#if HAVE_SELINUX
449		_cleanup_freecon_ char *fcon = NULL;
450		const struct sockaddr_un *un;
451		bool context_changed = false;
452		char *path;
453		int r;
454
455		assert(fd >= 0);
456		assert(addr);
457		assert(addrlen >= sizeof(sa_family_t));
458
459		if (!label_hnd)
460		goto skipped;
461
462		/* Filter out non-local sockets */
463		if (addr->sa_family != AF_UNIX)
464		goto skipped;
465
466		/* Filter out anonymous sockets */
467		if (addrlen < offsetof(struct sockaddr_un, sun_path) + 1)
468		goto skipped;
469
470		/* Filter out abstract namespace sockets */
471		un = (const struct sockaddr_un*) addr;
472		if (un->sun_path[0] == 0)
473		goto skipped;
474
475		path = strndupa(un->sun_path, addrlen - offsetof(struct sockaddr_un, sun_path));
476
477		if (path_is_absolute(path))
478		r = selabel_lookup_raw(label_hnd, &fcon, path, S_IFSOCK);
479		else {
480		_cleanup_free_ char *newpath = NULL;
481
482		r = path_make_absolute_cwd(path, &newpath);
483		if (r < 0)
484		return r;
485
486		r = selabel_lookup_raw(label_hnd, &fcon, newpath, S_IFSOCK);
487		}
488
489		if (r < 0) {
490		/* No context specified by the policy? Proceed without setting it */
491		if (errno == ENOENT)
492		goto skipped;
493
494		log_enforcing_errno(errno, "Failed to determine SELinux security context for %s: %m", path);
495		if (security_getenforce() > 0)
496		return -errno;
497
498		} else {
499		if (setfscreatecon_raw(fcon) < 0) {
500		log_enforcing_errno(errno, "Failed to set SELinux security context %s for %s: %m", fcon, path);
501		if (security_getenforce() > 0)
502		return -errno;
503		} else
504		context_changed = true;
505		}
506
507		r = bind(fd, addr, addrlen) < 0 ? -errno : 0;
508
509		if (context_changed)
510		setfscreatecon_raw(NULL);
511
512		return r;
513
514		skipped:
515		#endif
516	0	if (bind(fd, addr, addrlen) < 0)
517	0	return -errno;
518	0
519	0	return 0;
520	0	}