SELinux.java revision 554cb0c290406f5bba34908489db5382a69d0a9a 
1554cb0c290406f5bba34908489db5382a69d0a9arpcraig/*
2554cb0c290406f5bba34908489db5382a69d0a9arpcraig * Copyright (C) 2012 The Android Open Source Project
3554cb0c290406f5bba34908489db5382a69d0a9arpcraig *
4554cb0c290406f5bba34908489db5382a69d0a9arpcraig * Licensed under the Apache License, Version 2.0 (the "License");
5554cb0c290406f5bba34908489db5382a69d0a9arpcraig * you may not use this file except in compliance with the License.
6554cb0c290406f5bba34908489db5382a69d0a9arpcraig * You may obtain a copy of the License at
7554cb0c290406f5bba34908489db5382a69d0a9arpcraig *
8554cb0c290406f5bba34908489db5382a69d0a9arpcraig *      http://www.apache.org/licenses/LICENSE-2.0
9554cb0c290406f5bba34908489db5382a69d0a9arpcraig *
10554cb0c290406f5bba34908489db5382a69d0a9arpcraig * Unless required by applicable law or agreed to in writing, software
11554cb0c290406f5bba34908489db5382a69d0a9arpcraig * distributed under the License is distributed on an "AS IS" BASIS,
12554cb0c290406f5bba34908489db5382a69d0a9arpcraig * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13554cb0c290406f5bba34908489db5382a69d0a9arpcraig * See the License for the specific language governing permissions and
14554cb0c290406f5bba34908489db5382a69d0a9arpcraig * limitations under the License.
15554cb0c290406f5bba34908489db5382a69d0a9arpcraig */
16554cb0c290406f5bba34908489db5382a69d0a9arpcraig
17c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalleypackage android.os;
18c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
19554cb0c290406f5bba34908489db5382a69d0a9arpcraigimport android.util.Slog;
20554cb0c290406f5bba34908489db5382a69d0a9arpcraig
21554cb0c290406f5bba34908489db5382a69d0a9arpcraigimport java.io.IOException;
22554cb0c290406f5bba34908489db5382a69d0a9arpcraigimport java.io.File;
23c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalleyimport java.io.FileDescriptor;
24c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
25c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley/**
26c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley * This class provides access to the centralized jni bindings for
27c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley * SELinux interaction.
28c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley * {@hide}
29c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley */
30c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalleypublic class SELinux {
31c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
32554cb0c290406f5bba34908489db5382a69d0a9arpcraig    private static final String TAG = "SELinux";
33554cb0c290406f5bba34908489db5382a69d0a9arpcraig
34c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
35c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Determine whether SELinux is disabled or enabled.
36c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether SELinux is enabled.
37c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
38c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean isSELinuxEnabled();
39c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
40c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
41c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Determine whether SELinux is permissive or enforcing.
42c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether SELinux is enforcing.
43c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
44c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean isSELinuxEnforced();
45c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
46c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
47c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Set whether SELinux is permissive or enforcing.
48c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param boolean representing whether to set SELinux to enforcing
49c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean representing whether the desired mode was set
50c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
51c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setSELinuxEnforce(boolean value);
52c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
53c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
54c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Sets the security context for newly created file objects.
55c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param context a security context given as a String.
56c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether the operation succeeded.
57c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
58c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setFSCreateContext(String context);
59c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
60c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
61c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Change the security context of an existing file object.
62c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param path representing the path of file object to relabel.
63c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param con new security context given as a String.
64c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether the operation succeeded.
65c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
66c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setFileContext(String path, String context);
67c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
68c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
69c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Get the security context of a file object.
70c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param path the pathname of the file object.
71c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a security context given as a String.
72c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
73c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getFileContext(String path);
74c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
75c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
76c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Get the security context of a peer socket.
77c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param fd FileDescriptor class of the peer socket.
78c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a String representing the peer socket security context.
79c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
80c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getPeerContext(FileDescriptor fd);
81c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
82c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
83c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets the security context of the current process.
84c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a String representing the security context of the current process.
85c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
86c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getContext();
87c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
88c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
89c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets the security context of a given process id.
90c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Use of this function is discouraged for Binder transactions.
91c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Use Binder.getCallingSecctx() instead.
92c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param pid an int representing the process id to check.
93c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a String representing the security context of the given pid.
94c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
95c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String getPidContext(int pid);
96c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
97c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
98c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets a list of the SELinux boolean names.
99c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return an array of strings containing the SELinux boolean names.
100c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
101c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native String[] getBooleanNames();
102c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
103c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
104c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Gets the value for the given SELinux boolean name.
105c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param String The name of the SELinux boolean.
106c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether the SELinux boolean is set.
107c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
108c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean getBooleanValue(String name);
109c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
110c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
111c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Sets the value for the given SELinux boolean name.
112c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param String The name of the SELinux boolean.
113c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param Boolean The new value of the SELinux boolean.
114c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether or not the operation succeeded.
115c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
116c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean setBooleanValue(String name, boolean value);
117c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley
118c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    /**
119c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * Check permissions between two security contexts.
120c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param scon The source or subject security context.
121c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param tcon The target or object security context.
122c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param tclass The object security class name.
123c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @param perm The permission name.
124c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     * @return a boolean indicating whether permission was granted.
125c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley     */
126c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);
127554cb0c290406f5bba34908489db5382a69d0a9arpcraig
128554cb0c290406f5bba34908489db5382a69d0a9arpcraig    /**
129554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * Restores a file to its default SELinux security context.
130554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If the system is not compiled with SELinux, then {@code true}
131554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * is automatically returned.
132554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If SELinux is compiled in, but disabled, then {@code true} is
133554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * returned.
134554cb0c290406f5bba34908489db5382a69d0a9arpcraig     *
135554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @param pathname The pathname of the file to be relabeled.
136554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @return a boolean indicating whether the relabeling succeeded.
137554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @exception NullPointerException if the pathname is a null object.
138554cb0c290406f5bba34908489db5382a69d0a9arpcraig     */
139554cb0c290406f5bba34908489db5382a69d0a9arpcraig    public static boolean restorecon(String pathname) throws NullPointerException {
140554cb0c290406f5bba34908489db5382a69d0a9arpcraig        if (pathname == null) { throw new NullPointerException(); }
141554cb0c290406f5bba34908489db5382a69d0a9arpcraig        return native_restorecon(pathname);
142554cb0c290406f5bba34908489db5382a69d0a9arpcraig    }
143554cb0c290406f5bba34908489db5382a69d0a9arpcraig
144554cb0c290406f5bba34908489db5382a69d0a9arpcraig    /**
145554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * Restores a file to its default SELinux security context.
146554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If the system is not compiled with SELinux, then {@code true}
147554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * is automatically returned.
148554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If SELinux is compiled in, but disabled, then {@code true} is
149554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * returned.
150554cb0c290406f5bba34908489db5382a69d0a9arpcraig     *
151554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @param pathname The pathname of the file to be relabeled.
152554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @return a boolean indicating whether the relabeling succeeded.
153554cb0c290406f5bba34908489db5382a69d0a9arpcraig     */
154554cb0c290406f5bba34908489db5382a69d0a9arpcraig    private static native boolean native_restorecon(String pathname);
155554cb0c290406f5bba34908489db5382a69d0a9arpcraig
156554cb0c290406f5bba34908489db5382a69d0a9arpcraig    /**
157554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * Restores a file to its default SELinux security context.
158554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If the system is not compiled with SELinux, then {@code true}
159554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * is automatically returned.
160554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * If SELinux is compiled in, but disabled, then {@code true} is
161554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * returned.
162554cb0c290406f5bba34908489db5382a69d0a9arpcraig     *
163554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @param file The File object representing the path to be relabeled.
164554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @return a boolean indicating whether the relabeling succeeded.
165554cb0c290406f5bba34908489db5382a69d0a9arpcraig     * @exception NullPointerException if the file is a null object.
166554cb0c290406f5bba34908489db5382a69d0a9arpcraig     */
167554cb0c290406f5bba34908489db5382a69d0a9arpcraig    public static boolean restorecon(File file) throws NullPointerException {
168554cb0c290406f5bba34908489db5382a69d0a9arpcraig        try {
169554cb0c290406f5bba34908489db5382a69d0a9arpcraig            return native_restorecon(file.getCanonicalPath());
170554cb0c290406f5bba34908489db5382a69d0a9arpcraig        } catch (IOException e) {
171554cb0c290406f5bba34908489db5382a69d0a9arpcraig            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
172554cb0c290406f5bba34908489db5382a69d0a9arpcraig                   file.getPath(), e);
173554cb0c290406f5bba34908489db5382a69d0a9arpcraig            return false;
174554cb0c290406f5bba34908489db5382a69d0a9arpcraig        }
175554cb0c290406f5bba34908489db5382a69d0a9arpcraig    }
176c07fca3831baf4d812dd724f506b4ed23dcc39e0Stephen Smalley}
177