#include <stdio.h>
#include <stdio_ext.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>
#include <unistd.h>
#include <pthread.h>
#include <errno.h>
#include "policy.h"
#include "selinux_internal.h"
#include "get_default_type_internal.h"
#define SELINUXDEFAULT "targeted"
#define SELINUXTYPETAG "SELINUXTYPE="
#define SELINUXTAG "SELINUX="
#define SETLOCALDEFS "SETLOCALDEFS="
#define REQUIRESEUSERS "REQUIRESEUSERS="
/* Indices for file paths arrays. */
#define BINPOLICY 0
#define CONTEXTS_DIR 1
#define FILE_CONTEXTS 2
#define HOMEDIR_CONTEXTS 3
#define DEFAULT_CONTEXTS 4
#define USER_CONTEXTS 5
#define FAILSAFE_CONTEXT 6
#define DEFAULT_TYPE 7
#define BOOLEANS 8
#define MEDIA_CONTEXTS 9
#define REMOVABLE_CONTEXT 10
#define CUSTOMIZABLE_TYPES 11
#define USERS_DIR 12
#define SEUSERS 13
#define TRANSLATIONS 14
#define NETFILTER_CONTEXTS 15
#define FILE_CONTEXTS_HOMEDIR 16
#define FILE_CONTEXTS_LOCAL 17
#define SECURETTY_TYPES 18
#define X_CONTEXTS 19
#define COLORS 20
#define VIRTUAL_DOMAIN 21
#define VIRTUAL_IMAGE 22
#define FILE_CONTEXT_SUBS 23
#define SEPGSQL_CONTEXTS 24
#define FILE_CONTEXT_SUBS_DIST 25
#define LXC_CONTEXTS 26
#define BOOLEAN_SUBS 27
#define OPENSSH_CONTEXTS 28
#define SYSTEMD_CONTEXTS 29
#define NEL 30
/* Part of one-time lazy init */
static pthread_once_t once = PTHREAD_ONCE_INIT;
static void init_selinux_config(void);
/* New layout is relative to SELINUXDIR/policytype. */
static char *file_paths[NEL];
#define L1(l) L2(l)
#define L2(l)str##l
static const union file_path_suffixes_data {
struct {
#define S_(n, s) char L1(__LINE__)[sizeof(s)];
#include "file_path_suffixes.h"
#undef S_
};
char str[0];
} file_path_suffixes_data = {
{
#define S_(n, s) s,
#include "file_path_suffixes.h"
#undef S_
}
};
static const uint16_t file_path_suffixes_idx[NEL] = {
#define S_(n, s) [n] = offsetof(union file_path_suffixes_data, L1(__LINE__)),
#include "file_path_suffixes.h"
#undef S_
};
#undef L1
#undef L2
int selinux_getenforcemode(int *enforce)
{
int ret = -1;
FILE *cfg = fopen(SELINUXCONFIG, "r");
if (cfg) {
char *buf;
int len = sizeof(SELINUXTAG) - 1;
buf = malloc(selinux_page_size);
if (!buf) {
fclose(cfg);
return -1;
}
while (fgets_unlocked(buf, selinux_page_size, cfg)) {
if (strncmp(buf, SELINUXTAG, len))
continue;
if (!strncasecmp
(buf + len, "enforcing", sizeof("enforcing") - 1)) {
*enforce = 1;
ret = 0;
break;
} else
if (!strncasecmp
(buf + len, "permissive",
sizeof("permissive") - 1)) {
*enforce = 0;
ret = 0;
break;
} else
if (!strncasecmp
(buf + len, "disabled",
sizeof("disabled") - 1)) {
*enforce = -1;
ret = 0;
break;
}
}
fclose(cfg);
free(buf);
}
return ret;
}
hidden_def(selinux_getenforcemode)
static char *selinux_policytype;
int selinux_getpolicytype(char **type)
{
__selinux_once(once, init_selinux_config);
if (!selinux_policytype)
return -1;
*type = strdup(selinux_policytype);
return *type ? 0 : -1;
}
hidden_def(selinux_getpolicytype)
static int setpolicytype(const char *type)
{
free(selinux_policytype);
selinux_policytype = strdup(type);
return selinux_policytype ? 0 : -1;
}
static char *selinux_policyroot = NULL;
static const char *selinux_rootpath = SELINUXDIR;
static void init_selinux_config(void)
{
int i, *intptr;
size_t line_len;
ssize_t len;
char *line_buf = NULL, *buf_p, *value, *type = NULL, *end;
FILE *fp;
if (selinux_policyroot)
return;
fp = fopen(SELINUXCONFIG, "r");
if (fp) {
__fsetlocking(fp, FSETLOCKING_BYCALLER);
while ((len = getline(&line_buf, &line_len, fp)) > 0) {
if (line_buf[len - 1] == '\n')
line_buf[len - 1] = 0;
buf_p = line_buf;
while (isspace(*buf_p))
buf_p++;
if (*buf_p == '#' || *buf_p == 0)
continue;
if (!strncasecmp(buf_p, SELINUXTYPETAG,
sizeof(SELINUXTYPETAG) - 1)) {
selinux_policytype = type =
strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
if (!type)
return;
end = type + strlen(type) - 1;
while ((end > type) &&
(isspace(*end) || iscntrl(*end))) {
*end = 0;
end--;
}
continue;
} else if (!strncmp(buf_p, SETLOCALDEFS,
sizeof(SETLOCALDEFS) - 1)) {
value = buf_p + sizeof(SETLOCALDEFS) - 1;
intptr = &load_setlocaldefs;
} else if (!strncmp(buf_p, REQUIRESEUSERS,
sizeof(REQUIRESEUSERS) - 1)) {
value = buf_p + sizeof(REQUIRESEUSERS) - 1;
intptr = &require_seusers;
} else {
continue;
}
if (isdigit(*value))
*intptr = atoi(value);
else if (strncasecmp(value, "true", sizeof("true") - 1))
*intptr = 1;
else if (strncasecmp
(value, "false", sizeof("false") - 1))
*intptr = 0;
}
free(line_buf);
fclose(fp);
}
if (!type) {
selinux_policytype = type = strdup(SELINUXDEFAULT);
if (!type)
return;
}
if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1)
return;
for (i = 0; i < NEL; i++)
if (asprintf(&file_paths[i], "%s%s",
selinux_policyroot,
file_path_suffixes_data.str +
file_path_suffixes_idx[i])
== -1)
return;
}
static void fini_selinux_policyroot(void) __attribute__ ((destructor));
static void fini_selinux_policyroot(void)
{
int i;
free(selinux_policyroot);
selinux_policyroot = NULL;
for (i = 0; i < NEL; i++) {
free(file_paths[i]);
file_paths[i] = NULL;
}
free(selinux_policytype);
selinux_policytype = NULL;
}
void selinux_reset_config(void)
{
fini_selinux_policyroot();
init_selinux_config();
}
hidden_def(selinux_reset_config)
static const char *get_path(int idx)
{
__selinux_once(once, init_selinux_config);
return file_paths[idx];
}
const char *selinux_default_type_path(void)
{
return get_path(DEFAULT_TYPE);
}
hidden_def(selinux_default_type_path)
const char *selinux_policy_root(void)
{
__selinux_once(once, init_selinux_config);
return selinux_policyroot;
}
int selinux_set_policy_root(const char *path)
{
int i;
char *policy_type = strrchr(path, '/');
if (!policy_type) {
errno = EINVAL;
return -1;
}
policy_type++;
fini_selinuxmnt();
fini_selinux_policyroot();
selinux_policyroot = strdup(path);
if (! selinux_policyroot)
return -1;
if (setpolicytype(policy_type) != 0)
return -1;
for (i = 0; i < NEL; i++)
if (asprintf(&file_paths[i], "%s%s",
selinux_policyroot,
file_path_suffixes_data.str +
file_path_suffixes_idx[i])
== -1)
return -1;
return 0;
}
const char *selinux_path(void)
{
return selinux_rootpath;
}
hidden_def(selinux_path)
const char *selinux_default_context_path(void)
{
return get_path(DEFAULT_CONTEXTS);
}
hidden_def(selinux_default_context_path)
const char *selinux_securetty_types_path(void)
{
return get_path(SECURETTY_TYPES);
}
hidden_def(selinux_securetty_types_path)
const char *selinux_failsafe_context_path(void)
{
return get_path(FAILSAFE_CONTEXT);
}
hidden_def(selinux_failsafe_context_path)
const char *selinux_removable_context_path(void)
{
return get_path(REMOVABLE_CONTEXT);
}
hidden_def(selinux_removable_context_path)
const char *selinux_binary_policy_path(void)
{
return get_path(BINPOLICY);
}
hidden_def(selinux_binary_policy_path)
const char *selinux_current_policy_path(void)
{
int rc = 0;
int vers = 0;
static char policy_path[PATH_MAX];
if (selinux_mnt) {
snprintf(policy_path, sizeof(policy_path), "%s/policy", selinux_mnt);
if (access(policy_path, F_OK) == 0 ) {
return policy_path;
}
}
vers = security_policyvers();
do {
/* Check prior versions to see if old policy is available */
snprintf(policy_path, sizeof(policy_path), "%s.%d",
selinux_binary_policy_path(), vers);
} while ((rc = access(policy_path, F_OK)) && --vers > 0);
if (rc) return NULL;
return policy_path;
}
hidden_def(selinux_current_policy_path)
const char *selinux_file_context_path(void)
{
return get_path(FILE_CONTEXTS);
}
hidden_def(selinux_file_context_path)
const char *selinux_homedir_context_path(void)
{
return get_path(HOMEDIR_CONTEXTS);
}
hidden_def(selinux_homedir_context_path)
const char *selinux_media_context_path(void)
{
return get_path(MEDIA_CONTEXTS);
}
hidden_def(selinux_media_context_path)
const char *selinux_customizable_types_path(void)
{
return get_path(CUSTOMIZABLE_TYPES);
}
hidden_def(selinux_customizable_types_path)
const char *selinux_contexts_path(void)
{
return get_path(CONTEXTS_DIR);
}
const char *selinux_user_contexts_path(void)
{
return get_path(USER_CONTEXTS);
}
hidden_def(selinux_user_contexts_path)
const char *selinux_booleans_path(void)
{
return get_path(BOOLEANS);
}
hidden_def(selinux_booleans_path)
const char *selinux_users_path(void)
{
return get_path(USERS_DIR);
}
hidden_def(selinux_users_path)
const char *selinux_usersconf_path(void)
{
return get_path(SEUSERS);
}
hidden_def(selinux_usersconf_path)
const char *selinux_translations_path(void)
{
return get_path(TRANSLATIONS);
}
hidden_def(selinux_translations_path)
const char *selinux_colors_path(void)
{
return get_path(COLORS);
}
hidden_def(selinux_colors_path)
const char *selinux_netfilter_context_path(void)
{
return get_path(NETFILTER_CONTEXTS);
}
hidden_def(selinux_netfilter_context_path)
const char *selinux_file_context_homedir_path(void)
{
return get_path(FILE_CONTEXTS_HOMEDIR);
}
hidden_def(selinux_file_context_homedir_path)
const char *selinux_file_context_local_path(void)
{
return get_path(FILE_CONTEXTS_LOCAL);
}
hidden_def(selinux_file_context_local_path)
const char *selinux_x_context_path(void)
{
return get_path(X_CONTEXTS);
}
hidden_def(selinux_x_context_path)
const char *selinux_virtual_domain_context_path(void)
{
return get_path(VIRTUAL_DOMAIN);
}
hidden_def(selinux_virtual_domain_context_path)
const char *selinux_virtual_image_context_path(void)
{
return get_path(VIRTUAL_IMAGE);
}
hidden_def(selinux_virtual_image_context_path)
const char *selinux_lxc_contexts_path(void)
{
return get_path(LXC_CONTEXTS);
}
hidden_def(selinux_lxc_contexts_path)
const char *selinux_openssh_contexts_path(void)
{
return get_path(OPENSSH_CONTEXTS);
}
hidden_def(selinux_openssh_contexts_path)
const char *selinux_systemd_contexts_path(void)
{
return get_path(SYSTEMD_CONTEXTS);
}
hidden_def(selinux_systemd_contexts_path)
const char * selinux_booleans_subs_path(void) {
return get_path(BOOLEAN_SUBS);
}
hidden_def(selinux_booleans_subs_path)
const char * selinux_file_context_subs_path(void) {
return get_path(FILE_CONTEXT_SUBS);
}
hidden_def(selinux_file_context_subs_path)
const char * selinux_file_context_subs_dist_path(void) {
return get_path(FILE_CONTEXT_SUBS_DIST);
}
hidden_def(selinux_file_context_subs_dist_path)
const char *selinux_sepgsql_context_path(void)
{
return get_path(SEPGSQL_CONTEXTS);
}
hidden_def(selinux_sepgsql_context_path)