SELinux.java revision 66d5369e79182dbe65306b27a4da7f4a7e25c723 
1/*
2 * Copyright (C) 2012 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.os;
18
19import android.util.Slog;
20
21import java.io.IOException;
22import java.io.File;
23import java.io.FileDescriptor;
24
25/**
26 * This class provides access to the centralized jni bindings for
27 * SELinux interaction.
28 * {@hide}
29 */
30public class SELinux {
31
32    private static final String TAG = "SELinux";
33
34    /**
35     * Determine whether SELinux is disabled or enabled.
36     * @return a boolean indicating whether SELinux is enabled.
37     */
38    public static final native boolean isSELinuxEnabled();
39
40    /**
41     * Determine whether SELinux is permissive or enforcing.
42     * @return a boolean indicating whether SELinux is enforcing.
43     */
44    public static final native boolean isSELinuxEnforced();
45
46    /**
47     * Set whether SELinux is permissive or enforcing.
48     * @param value representing whether to set SELinux to enforcing
49     * @return a boolean representing whether the desired mode was set
50     */
51    public static final native boolean setSELinuxEnforce(boolean value);
52
53    /**
54     * Sets the security context for newly created file objects.
55     * @param context a security context given as a String.
56     * @return a boolean indicating whether the operation succeeded.
57     */
58    public static final native boolean setFSCreateContext(String context);
59
60    /**
61     * Change the security context of an existing file object.
62     * @param path representing the path of file object to relabel.
63     * @param context new security context given as a String.
64     * @return a boolean indicating whether the operation succeeded.
65     */
66    public static final native boolean setFileContext(String path, String context);
67
68    /**
69     * Get the security context of a file object.
70     * @param path the pathname of the file object.
71     * @return a security context given as a String.
72     */
73    public static final native String getFileContext(String path);
74
75    /**
76     * Get the security context of a peer socket.
77     * @param fd FileDescriptor class of the peer socket.
78     * @return a String representing the peer socket security context.
79     */
80    public static final native String getPeerContext(FileDescriptor fd);
81
82    /**
83     * Gets the security context of the current process.
84     * @return a String representing the security context of the current process.
85     */
86    public static final native String getContext();
87
88    /**
89     * Gets the security context of a given process id.
90     * @param pid an int representing the process id to check.
91     * @return a String representing the security context of the given pid.
92     */
93    public static final native String getPidContext(int pid);
94
95    /**
96     * Gets a list of the SELinux boolean names.
97     * @return an array of strings containing the SELinux boolean names.
98     */
99    public static final native String[] getBooleanNames();
100
101    /**
102     * Gets the value for the given SELinux boolean name.
103     * @param name The name of the SELinux boolean.
104     * @return a boolean indicating whether the SELinux boolean is set.
105     */
106    public static final native boolean getBooleanValue(String name);
107
108    /**
109     * Sets the value for the given SELinux boolean name.
110     * @param name The name of the SELinux boolean.
111     * @param value The new value of the SELinux boolean.
112     * @return a boolean indicating whether or not the operation succeeded.
113     */
114    public static final native boolean setBooleanValue(String name, boolean value);
115
116    /**
117     * Check permissions between two security contexts.
118     * @param scon The source or subject security context.
119     * @param tcon The target or object security context.
120     * @param tclass The object security class name.
121     * @param perm The permission name.
122     * @return a boolean indicating whether permission was granted.
123     */
124    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);
125
126    /**
127     * Restores a file to its default SELinux security context.
128     * If the system is not compiled with SELinux, then {@code true}
129     * is automatically returned.
130     * If SELinux is compiled in, but disabled, then {@code true} is
131     * returned.
132     *
133     * @param pathname The pathname of the file to be relabeled.
134     * @return a boolean indicating whether the relabeling succeeded.
135     * @exception NullPointerException if the pathname is a null object.
136     */
137    public static boolean restorecon(String pathname) throws NullPointerException {
138        if (pathname == null) { throw new NullPointerException(); }
139        return native_restorecon(pathname);
140    }
141
142    /**
143     * Restores a file to its default SELinux security context.
144     * If the system is not compiled with SELinux, then {@code true}
145     * is automatically returned.
146     * If SELinux is compiled in, but disabled, then {@code true} is
147     * returned.
148     *
149     * @param pathname The pathname of the file to be relabeled.
150     * @return a boolean indicating whether the relabeling succeeded.
151     */
152    private static native boolean native_restorecon(String pathname);
153
154    /**
155     * Restores a file to its default SELinux security context.
156     * If the system is not compiled with SELinux, then {@code true}
157     * is automatically returned.
158     * If SELinux is compiled in, but disabled, then {@code true} is
159     * returned.
160     *
161     * @param file The File object representing the path to be relabeled.
162     * @return a boolean indicating whether the relabeling succeeded.
163     * @exception NullPointerException if the file is a null object.
164     */
165    public static boolean restorecon(File file) throws NullPointerException {
166        try {
167            return native_restorecon(file.getCanonicalPath());
168        } catch (IOException e) {
169            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
170                   file.getPath(), e);
171            return false;
172        }
173    }
174}
175