SELinux.java revision 554cb0c290406f5bba34908489db5382a69d0a9a
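/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.os;

import android.util.Slog;

import java.io.File;
import java.io.FileDescriptor;
import java.io.IOException;
import java.util.Objects;

/**
 * This class provides access to the centralized jni bindings for
 * SELinux interaction.
 *
 * <p>Every method here is a thin wrapper: the work (and the policy
 * decision, where there is one) happens on the native side. The Java
 * layer only validates arguments and, for the {@link File} overload of
 * {@link #restorecon(File)}, resolves the path before handing it down.
 * {@hide}
 */
public class SELinux {

    /** Log tag used by the Java-side wrappers in this class. */
    private static final String TAG = "SELinux";

    /**
     * Determine whether SELinux is disabled or enabled.
     * @return a boolean indicating whether SELinux is enabled.
     */
    public static final native boolean isSELinuxEnabled();

    /**
     * Determine whether SELinux is permissive or enforcing.
     * @return a boolean indicating whether SELinux is enforcing.
     */
    public static final native boolean isSELinuxEnforced();

    /**
     * Set whether SELinux is permissive or enforcing.
     * @param value {@code true} to set SELinux to enforcing,
     *              {@code false} to set it to permissive.
     * @return a boolean representing whether the desired mode was set
     */
    public static final native boolean setSELinuxEnforce(boolean value);

    /**
     * Sets the security context for newly created file objects.
     * @param context a security context given as a String.
     * @return a boolean indicating whether the operation succeeded.
     */
    public static final native boolean setFSCreateContext(String context);

    /**
     * Change the security context of an existing file object.
     * @param path representing the path of file object to relabel.
     * @param context new security context given as a String.
     * @return a boolean indicating whether the operation succeeded.
     */
    public static final native boolean setFileContext(String path, String context);

    /**
     * Get the security context of a file object.
     * @param path the pathname of the file object.
     * @return a security context given as a String.
     */
    public static final native String getFileContext(String path);

    /**
     * Get the security context of a peer socket.
     * @param fd FileDescriptor class of the peer socket.
     * @return a String representing the peer socket security context.
     */
    public static final native String getPeerContext(FileDescriptor fd);

    /**
     * Gets the security context of the current process.
     * @return a String representing the security context of the current process.
     */
    public static final native String getContext();

    /**
     * Gets the security context of a given process id.
     * Use of this function is discouraged for Binder transactions.
     * Use Binder.getCallingSecctx() instead.
     * @param pid an int representing the process id to check.
     * @return a String representing the security context of the given pid.
     */
    public static final native String getPidContext(int pid);

    /**
     * Gets a list of the SELinux boolean names.
     * @return an array of strings containing the SELinux boolean names.
     */
    public static final native String[] getBooleanNames();

    /**
     * Gets the value for the given SELinux boolean name.
     * @param name The name of the SELinux boolean.
     * @return a boolean indicating whether the SELinux boolean is set.
     */
    public static final native boolean getBooleanValue(String name);

    /**
     * Sets the value for the given SELinux boolean name.
     * @param name The name of the SELinux boolean.
     * @param value The new value of the SELinux boolean.
     * @return a boolean indicating whether or not the operation succeeded.
     */
    public static final native boolean setBooleanValue(String name, boolean value);

    /**
     * Check permissions between two security contexts.
     * @param scon The source or subject security context.
     * @param tcon The target or object security context.
     * @param tclass The object security class name.
     * @param perm The permission name.
     * @return a boolean indicating whether permission was granted.
     */
    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * @param pathname The pathname of the file to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     * @throws NullPointerException if the pathname is a null object.
     */
    public static boolean restorecon(String pathname) throws NullPointerException {
        // Fail loudly on a null path rather than letting it reach JNI.
        Objects.requireNonNull(pathname, "pathname");
        return native_restorecon(pathname);
    }

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * @param pathname The pathname of the file to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     */
    private static native boolean native_restorecon(String pathname);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * <p>The path passed to the native layer is the canonical path of
     * {@code file}. Per {@link File#getCanonicalPath()}, that resolves
     * symbolic links, so the relabel is applied to the resolved target
     * rather than to a link itself. Callers that need to relabel a link
     * as such should use {@link #restorecon(String)} with the literal path.
     *
     * @param file The File object representing the path to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded;
     *         {@code false} (after logging) if the canonical path could
     *         not be determined.
     * @throws NullPointerException if the file is a null object.
     */
    public static boolean restorecon(File file) throws NullPointerException {
        Objects.requireNonNull(file, "file");
        try {
            return native_restorecon(file.getCanonicalPath());
        } catch (IOException e) {
            // Best effort: report the failure and let the caller decide.
            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
                    file.getPath(), e);
            return false;
        }
    }
}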