SELinux.java revision 66d5369e79182dbe65306b27a4da7f4a7e25c723
/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.os;

import android.util.Slog;

import java.io.File;
import java.io.FileDescriptor;
import java.io.IOException;

/**
 * Central entry point to the JNI bindings used for SELinux interaction.
 *
 * <p>Apart from the two {@code restorecon} overloads, every method here is a
 * {@code native} declaration; this class performs no caller or permission check of
 * its own before delegating.
 * NOTE(review): presumably access is constrained by the native layer and the loaded
 * policy; confirm before exposing any of these calls to less-trusted code.
 *
 * {@hide}
 */
public class SELinux {

    // Log tag used when canonicalisation fails in restorecon(File).
    private static final String TAG = "SELinux";

    /**
     * Reports whether SELinux is enabled or disabled.
     *
     * @return {@code true} if SELinux is enabled.
     */
    public static final native boolean isSELinuxEnabled();

    /**
     * Reports whether SELinux is enforcing or permissive.
     *
     * <p>NOTE(review): the value returned on an error or when SELinux is disabled is
     * not documented here; confirm before treating {@code false} as "permissive".
     *
     * @return {@code true} if SELinux is enforcing.
     */
    public static final native boolean isSELinuxEnforced();

    /**
     * Switches SELinux between enforcing and permissive mode.
     *
     * <p>Callers should check the result: {@code false} means the requested mode was
     * not set, so the previous mode may still be in effect.
     *
     * @param value whether SELinux should be set to enforcing.
     * @return {@code true} if the desired mode was set.
     */
    public static final native boolean setSELinuxEnforce(boolean value);

    /**
     * Sets the security context applied to newly created file objects.
     *
     * <p>NOTE(review): the scope (thread or process) and lifetime of this setting are
     * not documented here; confirm how callers are expected to reset it after use.
     *
     * @param context the security context, given as a String.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setFSCreateContext(String context);

    /**
     * Changes the security context of an existing file object.
     *
     * @param path the path of the file object to relabel.
     * @param context the new security context, given as a String.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setFileContext(String path, String context);

    /**
     * Reads the security context of a file object.
     *
     * <p>NOTE(review): the value returned on failure (possibly {@code null}) is not
     * documented here; confirm before using the result in an access decision.
     *
     * @param path the pathname of the file object.
     * @return the security context, given as a String.
     */
    public static final native String getFileContext(String path);

    /**
     * Reads the security context of a peer socket.
     *
     * <p>NOTE(review): the value returned on failure (possibly {@code null}) is not
     * documented here; a caller that authorises a peer on this value should treat a
     * missing context as a denial.
     *
     * @param fd the FileDescriptor of the peer socket.
     * @return the security context of the peer socket.
     */
    public static final native String getPeerContext(FileDescriptor fd);

    /**
     * Reads the security context of the current process.
     *
     * @return the security context of the current process.
     */
    public static final native String getContext();

    /**
     * Reads the security context of the process with the given id.
     *
     * <p>A process id only identifies a process while that process is alive; the
     * context returned describes whichever process holds the id at lookup time.
     *
     * @param pid the process id to check.
     * @return the security context of the given pid.
     */
    public static final native String getPidContext(int pid);

    /**
     * Lists the names of the SELinux booleans.
     *
     * @return an array of strings containing the SELinux boolean names.
     */
    public static final native String[] getBooleanNames();

    /**
     * Reads the value of the named SELinux boolean.
     *
     * <p>NOTE(review): how an unknown name is reported is not documented here; confirm
     * that {@code false} cannot be mistaken for "boolean exists and is unset".
     *
     * @param name the name of the SELinux boolean.
     * @return {@code true} if the SELinux boolean is set.
     */
    public static final native boolean getBooleanValue(String name);

    /**
     * Sets the value of the named SELinux boolean.
     *
     * @param name the name of the SELinux boolean.
     * @param value the new value of the SELinux boolean.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setBooleanValue(String name, boolean value);

    /**
     * Checks a permission between two security contexts.
     *
     * <p>NOTE(review): the result returned when SELinux is disabled or permissive, or
     * when the class or permission name is unknown, is not documented here; confirm
     * before relying on {@code true} as proof that policy allows the access.
     *
     * @param scon the source or subject security context.
     * @param tcon the target or object security context.
     * @param tclass the object security class name.
     * @param perm the permission name.
     * @return {@code true} if permission was granted.
     */
    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);

    /**
     * Restores a file to its default SELinux security context.
     *
     * <p>{@code true} is also returned when the system is not compiled with SELinux,
     * and when SELinux is compiled in but disabled, so {@code true} alone does not
     * show that a label was applied.
     *
     * <p>The pathname is handed to the native call unchanged; unlike
     * {@link #restorecon(File)}, no canonicalisation happens here.
     *
     * @param pathname the pathname of the file to be relabeled.
     * @return {@code true} if the relabeling succeeded.
     * @exception NullPointerException if the pathname is a null object.
     */
    public static boolean restorecon(String pathname) throws NullPointerException {
        if (pathname != null) {
            return native_restorecon(pathname);
        }
        throw new NullPointerException();
    }

    /**
     * Native implementation behind both {@code restorecon} overloads.
     *
     * <p>{@code true} is also returned when the system is not compiled with SELinux,
     * and when SELinux is compiled in but disabled.
     *
     * @param pathname the pathname of the file to be relabeled.
     * @return {@code true} if the relabeling succeeded.
     */
    private static native boolean native_restorecon(String pathname);

    /**
     * Restores a file to its default SELinux security context.
     *
     * <p>{@code true} is also returned when the system is not compiled with SELinux,
     * and when SELinux is compiled in but disabled, so {@code true} alone does not
     * show that a label was applied.
     *
     * <p>The path is canonicalised with {@link File#getCanonicalPath()} (which
     * typically resolves symbolic links and names such as "..") and the canonical
     * form is what gets relabeled. If canonicalisation fails, the error is logged and
     * {@code false} is returned without attempting the relabel.
     * NOTE(review): the path is resolved here and used again by the native call;
     * confirm how the native side treats a path that changes in between.
     *
     * @param file the File object representing the path to be relabeled.
     * @return {@code true} if the relabeling succeeded.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restorecon(File file) throws NullPointerException {
        try {
            // Dereferencing a null file here is what raises the documented NPE.
            final String canonicalPath = file.getCanonicalPath();
            return native_restorecon(canonicalPath);
        } catch (IOException e) {
            final String message =
                    "Error getting canonical path. Restorecon failed for " + file.getPath();
            Slog.e(TAG, message, e);
            return false;
        }
    }
}