SELinux.java revision 66d5369e79182dbe65306b27a4da7f4a7e25c723 
1554cb0c290406f5bba34908489db5382a69d0a9arpcraig/*
2554cb0c290406f5bba34908489db5382a69d0a9arpcraig * Copyright (C) 2012 The Android Open Source Project
3554cb0c290406f5bba34908489db5382a69d0a9arpcraig *
4554cb0c290406f5bba34908489db5382a69d0a9arpcraig * Licensed under the Apache License, Version 2.0 (the "License");
5554cb0c290406f5bba34908489db5382a69d0a9arpcraig * you may not use this file except in compliance with the License.
6554cb0c290406f5bba34908489db5382a69d0a9arpcraig * You may obtain a copy of the License at
7554cb0c290406f5bba34908489db5382a69d0a9arpcraig *
8554cb0c290406f5bba34908489db5382a69d0a9arpcraig *      http://www.apache.org/licenses/LICENSE-2.0
9554cb0c290406f5bba34908489db5382a69d0a9arpcraig *
10554cb0c290406f5bba34908489db5382a69d0a9arpcraig * Unless required by applicable law or agreed to in writing, software
11554cb0c290406f5bba34908489db5382a69d0a9arpcraig * distributed under the License is distributed on an "AS IS" BASIS,
12554cb0c290406f5bba34908489db5382a69d0a9arpcraig * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13554cb0c290406f5bba34908489db5382a69d0a9arpcraig * See the License for the specific language governing permissions and
14554cb0c290406f5bba34908489db5382a69d0a9arpcraig * limitations under the License.
15554cb0c290406f5bba34908489db5382a69d0a9arpcraig */
16554cb0c290406f5bba34908489db5382a69d0a9arpcraig
17c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalleypackage android.os;
18c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
19554cb0c290406f5bba34908489db5382a69d0a9arpcraigimport android.util.Slog;
20554cb0c290406f5bba34908489db5382a69d0a9arpcraig
21554cb0c290406f5bba34908489db5382a69d0a9arpcraigimport java.io.IOException;
22554cb0c290406f5bba34908489db5382a69d0a9arpcraigimport java.io.File;
23c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalleyimport java.io.FileDescriptor;
24c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
25c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley/**
26c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley * This class provides access to the centralized jni bindings for
27c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley * SELinux interaction.
28c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley * {@hide}
29c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley */
30c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalleypublic class SELinux {
31c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
32554cb0c290406f5bba34908489db5382a69d0a9arpcraig    private static final String TAG = "SELinux";
33554cb0c290406f5bba34908489db5382a69d0a9arpcraig
34c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
35c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Determine whether SELinux is disabled or enabled.
36c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether SELinux is enabled.
37c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
38c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean isSELinuxEnabled();
39c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
40c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
41c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Determine whether SELinux is permissive or enforcing.
42c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether SELinux is enforcing.
43c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
44c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean isSELinuxEnforced();
45c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
46c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
47c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Set whether SELinux is permissive or enforcing.
4866d5369e79182dbe65306b27a4da7f4a7e25c723Richard Haines     * @param value representing whether to set SELinux to enforcing
49c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean representing whether the desired mode was set
50c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
51c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setSELinuxEnforce(boolean value);
52c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
53c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
54c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Sets the security context for newly created file objects.
55c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param context a security context given as a String.
56c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether the operation succeeded.
57c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
58c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setFSCreateContext(String context);
59c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
60c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
61c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Change the security context of an existing file object.
62c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param path representing the path of file object to relabel.
6366d5369e79182dbe65306b27a4da7f4a7e25c723Richard Haines     * @param context new security context given as a String.
64c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether the operation succeeded.
65c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
66c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setFileContext(String path, String context);
67c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
68c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
69c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Get the security context of a file object.
70c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param path the pathname of the file object.
71c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a security context given as a String.
72c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
73c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getFileContext(String path);
74c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
75c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
76c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Get the security context of a peer socket.
77c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param fd FileDescriptor class of the peer socket.
78c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a String representing the peer socket security context.
79c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
80c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getPeerContext(FileDescriptor fd);
81c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
82c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
83c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets the security context of the current process.
84c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a String representing the security context of the current process.
85c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
86c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getContext();
87c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
88c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
89c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets the security context of a given process id.
90c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param pid an int representing the process id to check.
91c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a String representing the security context of the given pid.
92c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
93c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getPidContext(int pid);
94c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
95c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
96c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets a list of the SELinux boolean names.
97c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return an array of strings containing the SELinux boolean names.
98c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
99c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String[] getBooleanNames();
100c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
101c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
102c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets the value for the given SELinux boolean name.
10366d5369e79182dbe65306b27a4da7f4a7e25c723Richard Haines     * @param name The name of the SELinux boolean.
104c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether the SELinux boolean is set.
105c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
106c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean getBooleanValue(String name);
107c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
108c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
109c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Sets the value for the given SELinux boolean name.
11066d5369e79182dbe65306b27a4da7f4a7e25c723Richard Haines     * @param name The name of the SELinux boolean.
11166d5369e79182dbe65306b27a4da7f4a7e25c723Richard Haines     * @param value The new value of the SELinux boolean.
112c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether or not the operation succeeded.
113c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
114c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setBooleanValue(String name, boolean value);
115c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
116c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
117c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Check permissions between two security contexts.
118c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param scon The source or subject security context.
119c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param tcon The target or object security context.
120c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param tclass The object security class name.
121c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param perm The permission name.
122c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether permission was granted.
123c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
124c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);
125554cb0c290406f5bba34908489db5382a69d0a9arpcraig
126554cb0c290406f5bba34908489db5382a69d0a9arpcraig    /**
127554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * Restores a file to its default SELinux security context.
128554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If the system is not compiled with SELinux, then {@code true}
129554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * is automatically returned.
130554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If SELinux is compiled in, but disabled, then {@code true} is
131554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * returned.
132554cb0c290406f5bba34908489db5382a69d0a9arpcraig     *
133554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @param pathname The pathname of the file to be relabeled.
134554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @return a boolean indicating whether the relabeling succeeded.
135554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @exception NullPointerException if the pathname is a null object.
136554cb0c290406f5bba34908489db5382a69d0a9arpcraig     */
137554cb0c290406f5bba34908489db5382a69d0a9arpcraig    public static boolean restorecon(String pathname) throws NullPointerException {
138554cb0c290406f5bba34908489db5382a69d0a9arpcraig        if (pathname == null) { throw new NullPointerException(); }
139554cb0c290406f5bba34908489db5382a69d0a9arpcraig        return native_restorecon(pathname);
140554cb0c290406f5bba34908489db5382a69d0a9arpcraig    }
141554cb0c290406f5bba34908489db5382a69d0a9arpcraig
142554cb0c290406f5bba34908489db5382a69d0a9arpcraig    /**
143554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * Restores a file to its default SELinux security context.
144554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If the system is not compiled with SELinux, then {@code true}
145554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * is automatically returned.
146554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If SELinux is compiled in, but disabled, then {@code true} is
147554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * returned.
148554cb0c290406f5bba34908489db5382a69d0a9arpcraig     *
149554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @param pathname The pathname of the file to be relabeled.
150554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @return a boolean indicating whether the relabeling succeeded.
151554cb0c290406f5bba34908489db5382a69d0a9arpcraig     */
152554cb0c290406f5bba34908489db5382a69d0a9arpcraig    private static native boolean native_restorecon(String pathname);
153554cb0c290406f5bba34908489db5382a69d0a9arpcraig
154554cb0c290406f5bba34908489db5382a69d0a9arpcraig    /**
155554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * Restores a file to its default SELinux security context.
156554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If the system is not compiled with SELinux, then {@code true}
157554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * is automatically returned.
158554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If SELinux is compiled in, but disabled, then {@code true} is
159554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * returned.
160554cb0c290406f5bba34908489db5382a69d0a9arpcraig     *
161554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @param file The File object representing the path to be relabeled.
162554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @return a boolean indicating whether the relabeling succeeded.
163554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @exception NullPointerException if the file is a null object.
164554cb0c290406f5bba34908489db5382a69d0a9arpcraig     */
165554cb0c290406f5bba34908489db5382a69d0a9arpcraig    public static boolean restorecon(File file) throws NullPointerException {
166554cb0c290406f5bba34908489db5382a69d0a9arpcraig        try {
167554cb0c290406f5bba34908489db5382a69d0a9arpcraig            return native_restorecon(file.getCanonicalPath());
168554cb0c290406f5bba34908489db5382a69d0a9arpcraig        } catch (IOException e) {
169554cb0c290406f5bba34908489db5382a69d0a9arpcraig            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
170554cb0c290406f5bba34908489db5382a69d0a9arpcraig                   file.getPath(), e);
171554cb0c290406f5bba34908489db5382a69d0a9arpcraig            return false;
172554cb0c290406f5bba34908489db5382a69d0a9arpcraig        }
173554cb0c290406f5bba34908489db5382a69d0a9arpcraig    }
174c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley}
175