matchpathcon.c revision 7bfaa63839955b2f743f84f2d873fc13298f5777 
1#include <sys/stat.h>
2#include <string.h>
3#include <errno.h>
4#include <stdio.h>
5#include "selinux_internal.h"
6#include "label_internal.h"
7#include "callbacks.h"
8#include <limits.h>
9
10static __thread struct selabel_handle *hnd;
11
12/*
13 * An array for mapping integers to contexts
14 */
15static __thread char **con_array;
16static __thread int con_array_size;
17static __thread int con_array_used;
18
19static pthread_once_t once = PTHREAD_ONCE_INIT;
20static pthread_key_t destructor_key;
21static int destructor_key_initialized = 0;
22
23static int add_array_elt(char *con)
24{
25	if (con_array_size) {
26		while (con_array_used >= con_array_size) {
27			con_array_size *= 2;
28			con_array = (char **)realloc(con_array, sizeof(char*) *
29						     con_array_size);
30			if (!con_array) {
31				con_array_size = con_array_used = 0;
32				return -1;
33			}
34		}
35	} else {
36		con_array_size = 1000;
37		con_array = (char **)malloc(sizeof(char*) * con_array_size);
38		if (!con_array) {
39			con_array_size = con_array_used = 0;
40			return -1;
41		}
42	}
43
44	con_array[con_array_used] = strdup(con);
45	if (!con_array[con_array_used])
46		return -1;
47	return con_array_used++;
48}
49
50static void free_array_elts(void)
51{
52	con_array_size = con_array_used = 0;
53	free(con_array);
54	con_array = NULL;
55}
56
57static void
58#ifdef __GNUC__
59    __attribute__ ((format(printf, 1, 2)))
60#endif
61    default_printf(const char *fmt, ...)
62{
63	va_list ap;
64	va_start(ap, fmt);
65	vfprintf(stderr, fmt, ap);
66	va_end(ap);
67}
68
69void
70#ifdef __GNUC__
71    __attribute__ ((format(printf, 1, 2)))
72#endif
73    (*myprintf) (const char *fmt,...) = &default_printf;
74int myprintf_compat = 0;
75
76void set_matchpathcon_printf(void (*f) (const char *fmt, ...))
77{
78	myprintf = f ? f : &default_printf;
79	myprintf_compat = 1;
80}
81
82static int (*myinvalidcon) (const char *p, unsigned l, char *c) = NULL;
83
84void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c))
85{
86	myinvalidcon = f;
87}
88
89static int default_canoncon(const char *path, unsigned lineno, char **context)
90{
91	char *tmpcon;
92	if (security_canonicalize_context_raw(*context, &tmpcon) < 0) {
93		if (errno == ENOENT)
94			return 0;
95		if (lineno)
96			myprintf("%s:  line %u has invalid context %s\n", path,
97				 lineno, *context);
98		else
99			myprintf("%s:  invalid context %s\n", path, *context);
100		return 1;
101	}
102	free(*context);
103	*context = tmpcon;
104	return 0;
105}
106
107static int (*mycanoncon) (const char *p, unsigned l, char **c) =
108    NULL;
109
110void set_matchpathcon_canoncon(int (*f) (const char *p, unsigned l, char **c))
111{
112	if (f)
113		mycanoncon = f;
114	else
115		mycanoncon = &default_canoncon;
116}
117
118static __thread struct selinux_opt options[SELABEL_NOPT];
119static __thread int notrans;
120
121void set_matchpathcon_flags(unsigned int flags)
122{
123	int i;
124	memset(options, 0, sizeof(options));
125	i = SELABEL_OPT_BASEONLY;
126	options[i].type = i;
127	options[i].value = (flags & MATCHPATHCON_BASEONLY) ? (char*)1 : NULL;
128	i = SELABEL_OPT_VALIDATE;
129	options[i].type = i;
130	options[i].value = (flags & MATCHPATHCON_VALIDATE) ? (char*)1 : NULL;
131	notrans = flags & MATCHPATHCON_NOTRANS;
132}
133
134/*
135 * An association between an inode and a
136 * specification.
137 */
138typedef struct file_spec {
139	ino_t ino;		/* inode number */
140	int specind;		/* index of specification in spec */
141	char *file;		/* full pathname for diagnostic messages about conflicts */
142	struct file_spec *next;	/* next association in hash bucket chain */
143} file_spec_t;
144
145/*
146 * The hash table of associations, hashed by inode number.
147 * Chaining is used for collisions, with elements ordered
148 * by inode number in each bucket.  Each hash bucket has a dummy
149 * header.
150 */
151#define HASH_BITS 16
152#define HASH_BUCKETS (1 << HASH_BITS)
153#define HASH_MASK (HASH_BUCKETS-1)
154static file_spec_t *fl_head;
155
156/*
157 * Try to add an association between an inode and
158 * a specification.  If there is already an association
159 * for the inode and it conflicts with this specification,
160 * then use the specification that occurs later in the
161 * specification array.
162 */
163int matchpathcon_filespec_add(ino_t ino, int specind, const char *file)
164{
165	file_spec_t *prevfl, *fl;
166	int h, ret;
167	struct stat sb;
168
169	if (!fl_head) {
170		fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS);
171		if (!fl_head)
172			goto oom;
173		memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS);
174	}
175
176	h = (ino + (ino >> HASH_BITS)) & HASH_MASK;
177	for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
178	     prevfl = fl, fl = fl->next) {
179		if (ino == fl->ino) {
180			ret = lstat(fl->file, &sb);
181			if (ret < 0 || sb.st_ino != ino) {
182				fl->specind = specind;
183				free(fl->file);
184				fl->file = malloc(strlen(file) + 1);
185				if (!fl->file)
186					goto oom;
187				strcpy(fl->file, file);
188				return fl->specind;
189
190			}
191
192			if (!strcmp(con_array[fl->specind],
193				    con_array[specind]))
194				return fl->specind;
195
196			myprintf
197			    ("%s:  conflicting specifications for %s and %s, using %s.\n",
198			     __FUNCTION__, file, fl->file,
199			     con_array[fl->specind]);
200			free(fl->file);
201			fl->file = malloc(strlen(file) + 1);
202			if (!fl->file)
203				goto oom;
204			strcpy(fl->file, file);
205			return fl->specind;
206		}
207
208		if (ino > fl->ino)
209			break;
210	}
211
212	fl = malloc(sizeof(file_spec_t));
213	if (!fl)
214		goto oom;
215	fl->ino = ino;
216	fl->specind = specind;
217	fl->file = malloc(strlen(file) + 1);
218	if (!fl->file)
219		goto oom_freefl;
220	strcpy(fl->file, file);
221	fl->next = prevfl->next;
222	prevfl->next = fl;
223	return fl->specind;
224      oom_freefl:
225	free(fl);
226      oom:
227	myprintf("%s:  insufficient memory for file label entry for %s\n",
228		 __FUNCTION__, file);
229	return -1;
230}
231
232/*
233 * Evaluate the association hash table distribution.
234 */
235void matchpathcon_filespec_eval(void)
236{
237	file_spec_t *fl;
238	int h, used, nel, len, longest;
239
240	if (!fl_head)
241		return;
242
243	used = 0;
244	longest = 0;
245	nel = 0;
246	for (h = 0; h < HASH_BUCKETS; h++) {
247		len = 0;
248		for (fl = fl_head[h].next; fl; fl = fl->next) {
249			len++;
250		}
251		if (len)
252			used++;
253		if (len > longest)
254			longest = len;
255		nel += len;
256	}
257
258	myprintf
259	    ("%s:  hash table stats: %d elements, %d/%d buckets used, longest chain length %d\n",
260	     __FUNCTION__, nel, used, HASH_BUCKETS, longest);
261}
262
263/*
264 * Destroy the association hash table.
265 */
266void matchpathcon_filespec_destroy(void)
267{
268	file_spec_t *fl, *tmp;
269	int h;
270
271	free_array_elts();
272
273	if (!fl_head)
274		return;
275
276	for (h = 0; h < HASH_BUCKETS; h++) {
277		fl = fl_head[h].next;
278		while (fl) {
279			tmp = fl;
280			fl = fl->next;
281			free(tmp->file);
282			free(tmp);
283		}
284		fl_head[h].next = NULL;
285	}
286	free(fl_head);
287	fl_head = NULL;
288}
289
290static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
291{
292	matchpathcon_fini();
293}
294
295void __attribute__((destructor)) matchpathcon_lib_destructor(void)
296{
297	if (destructor_key_initialized)
298		__selinux_key_delete(destructor_key);
299}
300
301static void matchpathcon_init_once(void)
302{
303	if (__selinux_key_create(&destructor_key, matchpathcon_thread_destructor) == 0)
304		destructor_key_initialized = 1;
305}
306
307int matchpathcon_init_prefix(const char *path, const char *subset)
308{
309	if (!mycanoncon)
310		mycanoncon = default_canoncon;
311
312	__selinux_once(once, matchpathcon_init_once);
313	__selinux_setspecific(destructor_key, (void *)1);
314
315	options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
316	options[SELABEL_OPT_SUBSET].value = subset;
317	options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
318	options[SELABEL_OPT_PATH].value = path;
319
320	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
321	return hnd ? 0 : -1;
322}
323
324hidden_def(matchpathcon_init_prefix)
325
326int matchpathcon_init(const char *path)
327{
328	return matchpathcon_init_prefix(path, NULL);
329}
330
331void matchpathcon_fini(void)
332{
333	free_array_elts();
334
335	if (hnd) {
336		selabel_close(hnd);
337		hnd = NULL;
338	}
339}
340
341/*
342 * We do not want to resolve a symlink to a real path if it is the final
343 * component of the name.  Thus we split the pathname on the last "/" and
344 * determine a real path component of the first portion.  We then have to
345 * copy the last part back on to get the final real path.  Wheww.
346 */
347static int symlink_realpath(const char *name, char *resolved_path)
348{
349	char *last_component;
350	char *tmp_path, *p;
351	size_t len = 0;
352	int rc = 0;
353
354	tmp_path = strdup(name);
355	if (!tmp_path) {
356		myprintf("symlink_realpath(%s) strdup() failed: %s\n",
357			name, strerror(errno));
358		rc = -1;
359		goto out;
360	}
361
362	last_component = strrchr(tmp_path, '/');
363
364	if (last_component == tmp_path) {
365		last_component++;
366		p = strcpy(resolved_path, "/");
367	} else if (last_component) {
368		*last_component = '\0';
369		last_component++;
370		p = realpath(tmp_path, resolved_path);
371	} else {
372		last_component = tmp_path;
373		p = realpath("./", resolved_path);
374	}
375
376	if (!p) {
377		myprintf("symlink_realpath(%s) realpath() failed: %s\n",
378			name, strerror(errno));
379		rc = -1;
380		goto out;
381	}
382
383	len = strlen(p);
384	if (len + strlen(last_component) + 2 > PATH_MAX) {
385		myprintf("symlink_realpath(%s) failed: Filename too long \n",
386			name);
387		errno=ENAMETOOLONG;
388		rc = -1;
389		goto out;
390	}
391
392	resolved_path += len;
393	strcpy(resolved_path, "/");
394	resolved_path += 1;
395	strcpy(resolved_path, last_component);
396out:
397	free(tmp_path);
398	return rc;
399}
400
401int matchpathcon(const char *path, mode_t mode, security_context_t * con)
402{
403	char stackpath[PATH_MAX + 1];
404	char *p = NULL;
405	if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
406			return -1;
407
408	if (S_ISLNK(mode)) {
409		if (!symlink_realpath(path, stackpath))
410			path = stackpath;
411	} else {
412		p = realpath(path, stackpath);
413		if (p)
414			path = p;
415	}
416
417	return notrans ?
418		selabel_lookup_raw(hnd, con, path, mode) :
419		selabel_lookup(hnd, con, path, mode);
420}
421
422int matchpathcon_index(const char *name, mode_t mode, security_context_t * con)
423{
424	int i = matchpathcon(name, mode, con);
425
426	if (i < 0)
427		return -1;
428
429	return add_array_elt(*con);
430}
431
432void matchpathcon_checkmatches(char *str __attribute__((unused)))
433{
434	selabel_stats(hnd);
435}
436
437/* Compare two contexts to see if their differences are "significant",
438 * or whether the only difference is in the user. */
439int selinux_file_context_cmp(const security_context_t a,
440			     const security_context_t b)
441{
442	char *rest_a, *rest_b;	/* Rest of the context after the user */
443	if (!a && !b)
444		return 0;
445	if (!a)
446		return -1;
447	if (!b)
448		return 1;
449	rest_a = strchr((char *)a, ':');
450	rest_b = strchr((char *)b, ':');
451	if (!rest_a && !rest_b)
452		return 0;
453	if (!rest_a)
454		return -1;
455	if (!rest_b)
456		return 1;
457	return strcmp(rest_a, rest_b);
458}
459
460int selinux_file_context_verify(const char *path, mode_t mode)
461{
462	security_context_t con = NULL;
463	security_context_t fcontext = NULL;
464	int rc = 0;
465
466	rc = lgetfilecon_raw(path, &con);
467	if (rc == -1) {
468		if (errno != ENOTSUP)
469			return -1;
470		else
471			return 0;
472	}
473
474	if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
475			return -1;
476
477	if (selabel_lookup_raw(hnd, &fcontext, path, mode) != 0) {
478		if (errno != ENOENT)
479			rc = -1;
480		else
481			rc = 0;
482	} else {
483		/*
484		 * Need to set errno to 0 as it can be set to ENOENT if the
485		 * file_contexts.subs file does not exist (see selabel_open in
486		 * label.c), thus causing confusion if errno is checked on return.
487		 */
488		errno = 0;
489		rc = (selinux_file_context_cmp(fcontext, con) == 0);
490	}
491
492	freecon(con);
493	freecon(fcontext);
494	return rc;
495}
496
497int selinux_lsetfilecon_default(const char *path)
498{
499	struct stat st;
500	int rc = -1;
501	security_context_t scontext = NULL;
502	if (lstat(path, &st) != 0)
503		return rc;
504
505	if (!hnd && (matchpathcon_init_prefix(NULL, NULL) < 0))
506			return -1;
507
508	/* If there's an error determining the context, or it has none,
509	   return to allow default context */
510	if (selabel_lookup_raw(hnd, &scontext, path, st.st_mode)) {
511		if (errno == ENOENT)
512			rc = 0;
513	} else {
514		rc = lsetfilecon_raw(path, scontext);
515		freecon(scontext);
516	}
517	return rc;
518}
519
520int compat_validate(struct selabel_handle *rec,
521		    struct selabel_lookup_rec *contexts,
522		    const char *path, unsigned lineno)
523{
524	int rc;
525	char **ctx = &contexts->ctx_raw;
526
527	if (myinvalidcon)
528		rc = myinvalidcon(path, lineno, *ctx);
529	else if (mycanoncon)
530		rc = mycanoncon(path, lineno, ctx);
531	else {
532		rc = selabel_validate(rec, contexts);
533		if (rc < 0) {
534			COMPAT_LOG(SELINUX_WARNING,
535				    "%s:  line %d has invalid context %s\n",
536				    path, lineno, *ctx);
537		}
538	}
539
540	return rc ? -1 : 0;
541}
542