1f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <unistd.h>
2f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <fcntl.h>
3f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <string.h>
4f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include "selinux_internal.h"
5f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <stdlib.h>
6f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <errno.h>
7f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <limits.h>
8f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include <stdio.h>
9f074036424618c130dacb3464465a8b40bffef5Stephen Smalley#include "policy.h"
10f074036424618c130dacb3464465a8b40bffef5Stephen Smalley
/*
 * Report whether SELinux is active on the running system.
 *
 * Returns 1 when SELinux is enabled, 0 when it is disabled, and -1 when
 * the fallback probe cannot open /proc/filesystems.  The error value is
 * non-zero, so a caller gating a security decision on this result should
 * test for < 0 explicitly instead of treating the return as a boolean.
 */
int is_selinux_enabled(void)
{
	char line[BUFSIZ];
	FILE *fs_list = NULL;
	int found = 0;
	int result;
	security_context_t ctx;

	/* selinux_mnt is expected to have been set up by init_selinuxmnt()
	 * before this function runs.  Only when no mount point is known do
	 * we probe the slow way, by looking for selinuxfs in the list of
	 * filesystem types in /proc/filesystems. */
	if (!selinux_mnt) {
		fs_list = fopen("/proc/filesystems", "r");
		if (fs_list == NULL)
			return -1;

		while (!found &&
		       fgets(line, sizeof line - 1, fs_list) != NULL)
			found = (strstr(line, "selinuxfs") != NULL);

		if (!found) {
			fclose(fs_list);
			return 0;
		}
	}

	/* A selinux file system is mounted or available, so SELinux counts
	 * as enabled even when getcon() fails.  The only thing that turns
	 * the answer back to "disabled" is a current context of "kernel",
	 * which is taken to mean that no policy is loaded. */
	result = 1;
	if (getcon(&ctx) == 0) {
		if (strcmp(ctx, "kernel") == 0)
			result = 0;
		freecon(ctx);
	}

	/* The stream is open only on the fallback path. */
	if (fs_list != NULL)
		fclose(fs_list);
	return result;
}

hidden_def(is_selinux_enabled)
66f074036424618c130dacb3464465a8b40bffef5Stephen Smalley
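/*
 * Function: is_selinux_mls_enabled()
 * Return:   1 if <selinux_mnt>/mls reads back exactly "1"
 *	     0 otherwise: no selinuxfs mount point known, path too
 *	       long for PATH_MAX, open or read failure, or any other
 *	       file content
 *
 * An error is reported the same way as "MLS not enabled"; callers
 * cannot tell the two apart from the return value.
 */
int is_selinux_mls_enabled(void)
{
	char buf[20], path[PATH_MAX];
	int fd, len, enabled = 0;
	ssize_t ret;

	if (!selinux_mnt)
		return enabled;

	/* Reject a truncated path instead of opening whatever prefix of
	 * it happened to fit in the buffer. */
	len = snprintf(path, sizeof path, "%s/mls", selinux_mnt);
	if (len < 0 || (size_t)len >= sizeof path)
		return enabled;

	/* NOTE(review): the descriptor is opened without a close-on-exec
	 * flag.  It is closed right after the read below, so it could only
	 * be inherited by a fork/exec racing in another thread. */
	fd = open(path, O_RDONLY);
	if (fd < 0)
		return enabled;

	/* Zero-fill so that the at most sizeof buf - 1 bytes read below
	 * are always NUL-terminated for strcmp(). */
	memset(buf, 0, sizeof buf);

	/* Retry only when the read was interrupted by a signal. */
	do {
		ret = read(fd, buf, sizeof buf - 1);
	} while (ret < 0 && errno == EINTR);
	close(fd);
	if (ret < 0)
		return enabled;

	/* Exact match: anything other than the bare string "1" (including
	 * an empty read) leaves the result at 0. */
	if (!strcmp(buf, "1"))
		enabled = 1;

	return enabled;
}

hidden_def(is_selinux_mls_enabled)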