/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
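 */

package android.os;

import android.util.Slog;

import java.io.File;
import java.io.FileDescriptor;
import java.io.IOException;

/**
 * This class provides access to the centralized jni bindings for
 * SELinux interaction.
 *
 * <p>All members are static. The {@code native} methods are thin wrappers over
 * the platform's libselinux; the flag constants below are passed straight
 * through to the native side and must match the header they are copied from.
 *
 * <p>Return values from these bindings describe the security policy, not the
 * caller's authority: a {@code true} from {@link #checkSELinuxAccess} or a
 * successful relabel does not by itself mean the caller was authorized to ask.
 * Callers that take security decisions based on these results should confirm
 * SELinux is actually enforcing ({@link #isSELinuxEnforced()}).
 * {@hide}
 */
public class SELinux {
    private static final String TAG = "SELinux";

    /**
     * Keep in sync with ./external/libselinux/include/selinux/android.h
     *
     * Only {@link #SELINUX_ANDROID_RESTORECON_RECURSE} is used from Java in
     * this file; the others are kept so the bit values stay documented
     * alongside the native contract.
     */
    private static final int SELINUX_ANDROID_RESTORECON_NOCHANGE = 1;
    private static final int SELINUX_ANDROID_RESTORECON_VERBOSE = 2;
    private static final int SELINUX_ANDROID_RESTORECON_RECURSE = 4;
    private static final int SELINUX_ANDROID_RESTORECON_FORCE = 8;
    private static final int SELINUX_ANDROID_RESTORECON_DATADATA = 16;

    /**
     * Determine whether SELinux is disabled or enabled.
     * @return a boolean indicating whether SELinux is enabled.
     */
    public static final native boolean isSELinuxEnabled();

    /**
     * Determine whether SELinux is permissive or enforcing.
     *
     * <p>In permissive mode the policy is consulted and denials are logged but
     * not applied, so callers relying on SELinux as a security boundary should
     * check this rather than only {@link #isSELinuxEnabled()}.
     * @return a boolean indicating whether SELinux is enforcing.
     */
    public static final native boolean isSELinuxEnforced();

    /**
     * Sets the security context for newly created file objects.
     *
     * <p>NOTE(review): whether this setting is per-thread or per-process is
     * decided by the native binding and is not visible here; confirm before
     * relying on it from a thread other than the one that set it.
     * @param context a security context given as a String.
     * @return a boolean indicating whether the operation succeeded.
     */
    public static final native boolean setFSCreateContext(String context);

    /**
     * Change the security context of an existing file object.
     * @param path representing the path of file object to relabel.
     * @param context new security context given as a String.
     * @return a boolean indicating whether the operation succeeded.
     */
    public static final native boolean setFileContext(String path, String context);

    /**
     * Get the security context of a file object.
     * @param path the pathname of the file object.
     * @return a security context given as a String.
     */
    public static final native String getFileContext(String path);

    /**
     * Get the security context of a peer socket.
     *
     * <p>This is the kernel-reported label of the remote end and is suitable
     * for authenticating a peer, unlike anything the peer sends in-band.
     * @param fd FileDescriptor class of the peer socket.
     * @return a String representing the peer socket security context.
     */
    public static final native String getPeerContext(FileDescriptor fd);

    /**
     * Gets the security context of the current process.
     * @return a String representing the security context of the current process.
     */
    public static final native String getContext();

    /**
     * Gets the security context of a given process id.
     *
     * <p>A pid can be recycled between lookup and use; callers should not treat
     * the result as a stable identity for the process.
     * @param pid an int representing the process id to check.
     * @return a String representing the security context of the given pid.
     */
    public static final native String getPidContext(int pid);

    /**
     * Check permissions between two security contexts.
     *
     * <p>This queries the loaded policy for the access vector; it does not say
     * whether a denial would actually be applied, which depends on
     * {@link #isSELinuxEnforced()}.
     * @param scon The source or subject security context.
     * @param tcon The target or object security context.
     * @param tclass The object security class name.
     * @param perm The permission name.
     * @return a boolean indicating whether permission was granted.
     */
    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * <p>The path is handed to the native side as given, without
     * canonicalization (compare {@link #restorecon(File)}).
     *
     * @param pathname The pathname of the file to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     * @exception NullPointerException if the pathname is a null object.
     */
    public static boolean restorecon(String pathname) throws NullPointerException {
        if (pathname == null) {
            throw new NullPointerException("pathname == null");
        }
        return native_restorecon(pathname, 0);
    }

    /**
     * Native implementation behind the {@code restorecon} family.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * @param pathname The pathname of the file to be relabeled.
     * @param flags bitwise OR of the {@code SELINUX_ANDROID_RESTORECON_*}
     *        constants above, or {@code 0} for a plain single-file relabel.
     * @return a boolean indicating whether the relabeling succeeded.
     */
    private static native boolean native_restorecon(String pathname, int flags);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * <p>The path is canonicalized with {@link File#getCanonicalPath()} before
     * the relabel. That resolves symlinks at the moment of the call only; the
     * relabel runs afterwards, so this is not a defense against a path whose
     * components are controlled by a less-privileged party (time-of-check /
     * time-of-use). Callers relabeling such paths must restrict what they pass
     * here rather than rely on canonicalization.
     *
     * @param file The File object representing the path to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded;
     *         {@code false} (after logging) if the canonical path could not
     *         be computed.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restorecon(File file) throws NullPointerException {
        return restoreconCanonical(file, 0);
    }

    /**
     * Recursively restores all files under the given path to their default
     * SELinux security context. If the system is not compiled with SELinux,
     * then {@code true} is automatically returned. If SELinux is compiled in,
     * but disabled, then {@code true} is returned.
     *
     * <p>Same canonicalization caveat as {@link #restorecon(File)}: the tree is
     * walked by the native side after the top-level path has been resolved.
     *
     * @param file The File object representing the root of the tree to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded;
     *         {@code false} (after logging) if the canonical path could not
     *         be computed.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restoreconRecursive(File file) {
        return restoreconCanonical(file, SELINUX_ANDROID_RESTORECON_RECURSE);
    }

    /**
     * Shared body of the {@link File}-based relabel entry points: canonicalize
     * the path, then call the native binding with the given flags.
     *
     * @param file the path to relabel; must not be null.
     * @param flags flags for {@link #native_restorecon(String, int)}.
     * @return the native result, or {@code false} if canonicalization failed.
     * @throws NullPointerException if {@code file} is null.
     */
    private static boolean restoreconCanonical(File file, int flags) {
        if (file == null) {
            throw new NullPointerException("file == null");
        }
        try {
            return native_restorecon(file.getCanonicalPath(), flags);
        } catch (IOException e) {
            // Canonicalization can fail on I/O error or an unresolvable path;
            // report the original (un-canonicalized) path so the log is useful.
            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
                    file.getPath(), e);
            return false;
        }
    }
}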