/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
16
17package android.os;
18
19import android.util.Slog;
20
21import java.io.IOException;
22import java.io.File;
23import java.io.FileDescriptor;
24
/**
 * Static Java entry points for the centralized JNI bindings used to query
 * and change SELinux state: enforcing mode, policy booleans, the contexts of
 * files, processes and socket peers, and relabeling ({@code restorecon}).
 * The Java layer performs no caller authorization of its own and forwards
 * each request straight to native code; whether an operation is permitted is
 * decided below this layer, so callers must not rely on this class to reject
 * unauthorized use.
 * {@hide}
 */
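public class SELinux {
    private static final String TAG = "SELinux";

    /**
     * Flag bits for the {@code flags} argument of
     * {@link #native_restorecon(String, int)}.
     * Keep in sync with ./external/libselinux/include/selinux/android.h.
     * Only RECURSE is used by this class; the others are listed so the Java
     * view of the flag word stays aligned with the native header.
     */
    private static final int SELINUX_ANDROID_RESTORECON_NOCHANGE = 1;
    private static final int SELINUX_ANDROID_RESTORECON_VERBOSE = 2;
    private static final int SELINUX_ANDROID_RESTORECON_RECURSE = 4;
    private static final int SELINUX_ANDROID_RESTORECON_FORCE = 8;
    private static final int SELINUX_ANDROID_RESTORECON_DATADATA = 16;

    /**
     * Determine whether SELinux is disabled or enabled.
     * "Enabled" says nothing about whether the policy is being enforced;
     * see {@link #isSELinuxEnforced()} for that.
     * @return {@code true} if SELinux is enabled.
     */
    public static final native boolean isSELinuxEnabled();

    /**
     * Determine whether SELinux is permissive or enforcing.
     * In permissive mode the policy only logs denials, so a {@code false}
     * result means the policy is not blocking anything at the time of the call.
     * @return {@code true} if SELinux is enforcing.
     */
    public static final native boolean isSELinuxEnforced();

    /**
     * Set whether SELinux is permissive or enforcing.
     * Switching to permissive turns off policy enforcement system-wide. This
     * wrapper performs no authorization of its own; whether the change is
     * allowed is decided below the Java layer, so callers must check the
     * return value rather than assume the mode changed.
     * @param value {@code true} to set enforcing, {@code false} for permissive.
     * @return {@code true} if the desired mode was set.
     */
    public static final native boolean setSELinuxEnforce(boolean value);

    /**
     * Sets the security context for newly created file objects.
     * The context string is handed to native code exactly as given; nothing
     * in this class validates its syntax.
     * @param context a security context given as a String.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setFSCreateContext(String context);

    /**
     * Change the security context of an existing file object.
     * The object is addressed by path. If the path passes through a location
     * an untrusted process can rewrite, the object that ends up relabeled may
     * not be the one the caller inspected earlier; NOTE(review): pass only
     * paths the caller controls.
     * @param path representing the path of file object to relabel.
     * @param context new security context given as a String.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setFileContext(String path, String context);

    /**
     * Get the security context of a file object.
     * @param path the pathname of the file object.
     * @return the file's security context as a String. What is returned when
     *         the lookup fails is decided on the native side and not visible
     *         here; callers should be prepared for {@code null}.
     */
    public static final native String getFileContext(String path);

    /**
     * Get the security context of a peer socket.
     * This is the building block for authorizing the process on the other end
     * of a local socket by its SELinux label rather than by uid alone.
     * @param fd FileDescriptor class of the peer socket.
     * @return a String representing the peer socket security context.
     */
    public static final native String getPeerContext(FileDescriptor fd);

    /**
     * Gets the security context of the current process.
     * @return a String representing the security context of the current process.
     */
    public static final native String getContext();

    /**
     * Gets the security context of a given process id.
     * NOTE(review): pids are recycled once a process exits, so a context
     * looked up by pid describes that process only while the caller knows it
     * is still alive; do not cache the result across process lifetimes.
     * @param pid an int representing the process id to check.
     * @return a String representing the security context of the given pid.
     */
    public static final native String getPidContext(int pid);

    /**
     * Gets a list of the SELinux boolean names.
     * @return an array of strings containing the SELinux boolean names.
     */
    public static final native String[] getBooleanNames();

    /**
     * Gets the value for the given SELinux boolean name.
     * @param name The name of the SELinux boolean.
     * @return {@code true} if the SELinux boolean is set.
     */
    public static final native boolean getBooleanValue(String name);

    /**
     * Sets the value for the given SELinux boolean name.
     * Changing a boolean alters the running policy; like
     * {@link #setSELinuxEnforce(boolean)}, this wrapper performs no
     * authorization of its own and callers must check the return value.
     * @param name The name of the SELinux boolean.
     * @param value The new value of the SELinux boolean.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setBooleanValue(String name, boolean value);

    /**
     * Check permissions between two security contexts.
     * Asks the policy whether a subject labeled {@code scon} may perform
     * {@code perm} on an object of class {@code tclass} labeled {@code tcon}.
     * The wrapper adds no caching and no validation of the argument strings.
     * @param scon The source or subject security context.
     * @param tcon The target or object security context.
     * @param tclass The object security class name.
     * @param perm The permission name.
     * @return {@code true} if the permission is granted.
     */
    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     * The pathname is handed to native code exactly as given, without
     * canonicalization (contrast {@link #restorecon(File)}).
     *
     * @param pathname The pathname of the file to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     * @exception NullPointerException if the pathname is a null object.
     */
    public static boolean restorecon(String pathname) throws NullPointerException {
        if (pathname == null) { throw new NullPointerException(); }
        return native_restorecon(pathname, 0);
    }

    /**
     * Native entry point behind the {@code restorecon*} methods.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * @param pathname The pathname of the file to be relabeled.
     * @param flags bitwise OR of the {@code SELINUX_ANDROID_RESTORECON_*}
     *              constants above; 0 relabels just the one path.
     * @return a boolean indicating whether the relabeling succeeded.
     */
    private static native boolean native_restorecon(String pathname, int flags);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     * The path is canonicalized first: {@link File#getCanonicalPath()}
     * resolves symbolic links, so when {@code file} is a symlink it is the
     * link target that gets relabeled, not the link itself. The canonical
     * path is computed here and only then passed to native code, so an
     * untrusted process able to rewrite the path in between can redirect the
     * relabel; NOTE(review): pass only paths the caller controls.
     *
     * @param file The File object representing the path to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded;
     *         {@code false} if the canonical path could not be computed.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restorecon(File file) throws NullPointerException {
        // Explicit check, consistent with restorecon(String), instead of
        // relying on file.getCanonicalPath() to dereference null.
        if (file == null) { throw new NullPointerException(); }
        return restoreconCanonical(file, 0);
    }

    /**
     * Recursively restores all files under the given path to their default
     * SELinux security context. If the system is not compiled with SELinux,
     * then {@code true} is automatically returned. If SELinux is compiled in,
     * but disabled, then {@code true} is returned.
     * The root path is canonicalized exactly as in {@link #restorecon(File)},
     * with the same symlink caveat; how the native walk treats symlinks met
     * below the root is decided in libselinux and is not visible here.
     *
     * @param file The File object representing the directory (or file) whose
     *             subtree is to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded;
     *         {@code false} if the canonical path could not be computed.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restoreconRecursive(File file) throws NullPointerException {
        if (file == null) { throw new NullPointerException(); }
        return restoreconCanonical(file, SELINUX_ANDROID_RESTORECON_RECURSE);
    }

    /**
     * Canonicalizes {@code file} and invokes the native relabel with the given
     * flags, logging and returning {@code false} if canonicalization throws.
     * @param file a non-null File to relabel.
     * @param flags bitwise OR of the SELINUX_ANDROID_RESTORECON_* constants.
     * @return whether the native relabel reported success.
     */
    private static boolean restoreconCanonical(File file, int flags) {
        try {
            return native_restorecon(file.getCanonicalPath(), flags);
        } catch (IOException e) {
            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
                    file.getPath(), e);
            return false;
        }
    }
}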
199