1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.os; 18 19 import android.util.Slog; 20 21 import java.io.IOException; 22 import java.io.File; 23 import java.io.FileDescriptor; 24 25 /** 26 * This class provides access to the centralized jni bindings for 27 * SELinux interaction. 28 * {@hide} 29 */ 30 public class SELinux { 31 private static final String TAG = "SELinux"; 32 33 /** Keep in sync with ./external/libselinux/include/selinux/android.h */ 34 private static final int SELINUX_ANDROID_RESTORECON_NOCHANGE = 1; 35 private static final int SELINUX_ANDROID_RESTORECON_VERBOSE = 2; 36 private static final int SELINUX_ANDROID_RESTORECON_RECURSE = 4; 37 private static final int SELINUX_ANDROID_RESTORECON_FORCE = 8; 38 private static final int SELINUX_ANDROID_RESTORECON_DATADATA = 16; 39 40 /** 41 * Determine whether SELinux is disabled or enabled. 42 * @return a boolean indicating whether SELinux is enabled. 43 */ isSELinuxEnabled()44 public static final native boolean isSELinuxEnabled(); 45 46 /** 47 * Determine whether SELinux is permissive or enforcing. 48 * @return a boolean indicating whether SELinux is enforcing. 49 */ isSELinuxEnforced()50 public static final native boolean isSELinuxEnforced(); 51 52 /** 53 * Set whether SELinux is permissive or enforcing. 54 * @param value representing whether to set SELinux to enforcing 55 * @return a boolean representing whether the desired mode was set 56 */ setSELinuxEnforce(boolean value)57 public static final native boolean setSELinuxEnforce(boolean value); 58 59 /** 60 * Sets the security context for newly created file objects. 61 * @param context a security context given as a String. 62 * @return a boolean indicating whether the operation succeeded. 63 */ setFSCreateContext(String context)64 public static final native boolean setFSCreateContext(String context); 65 66 /** 67 * Change the security context of an existing file object. 68 * @param path representing the path of file object to relabel. 69 * @param context new security context given as a String. 70 * @return a boolean indicating whether the operation succeeded. 71 */ setFileContext(String path, String context)72 public static final native boolean setFileContext(String path, String context); 73 74 /** 75 * Get the security context of a file object. 76 * @param path the pathname of the file object. 77 * @return a security context given as a String. 78 */ getFileContext(String path)79 public static final native String getFileContext(String path); 80 81 /** 82 * Get the security context of a peer socket. 83 * @param fd FileDescriptor class of the peer socket. 84 * @return a String representing the peer socket security context. 85 */ getPeerContext(FileDescriptor fd)86 public static final native String getPeerContext(FileDescriptor fd); 87 88 /** 89 * Gets the security context of the current process. 90 * @return a String representing the security context of the current process. 91 */ getContext()92 public static final native String getContext(); 93 94 /** 95 * Gets the security context of a given process id. 96 * @param pid an int representing the process id to check. 97 * @return a String representing the security context of the given pid. 98 */ getPidContext(int pid)99 public static final native String getPidContext(int pid); 100 101 /** 102 * Gets a list of the SELinux boolean names. 103 * @return an array of strings containing the SELinux boolean names. 104 */ getBooleanNames()105 public static final native String[] getBooleanNames(); 106 107 /** 108 * Gets the value for the given SELinux boolean name. 109 * @param name The name of the SELinux boolean. 110 * @return a boolean indicating whether the SELinux boolean is set. 111 */ getBooleanValue(String name)112 public static final native boolean getBooleanValue(String name); 113 114 /** 115 * Sets the value for the given SELinux boolean name. 116 * @param name The name of the SELinux boolean. 117 * @param value The new value of the SELinux boolean. 118 * @return a boolean indicating whether or not the operation succeeded. 119 */ setBooleanValue(String name, boolean value)120 public static final native boolean setBooleanValue(String name, boolean value); 121 122 /** 123 * Check permissions between two security contexts. 124 * @param scon The source or subject security context. 125 * @param tcon The target or object security context. 126 * @param tclass The object security class name. 127 * @param perm The permission name. 128 * @return a boolean indicating whether permission was granted. 129 */ checkSELinuxAccess(String scon, String tcon, String tclass, String perm)130 public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm); 131 132 /** 133 * Restores a file to its default SELinux security context. 134 * If the system is not compiled with SELinux, then {@code true} 135 * is automatically returned. 136 * If SELinux is compiled in, but disabled, then {@code true} is 137 * returned. 138 * 139 * @param pathname The pathname of the file to be relabeled. 140 * @return a boolean indicating whether the relabeling succeeded. 141 * @exception NullPointerException if the pathname is a null object. 142 */ restorecon(String pathname)143 public static boolean restorecon(String pathname) throws NullPointerException { 144 if (pathname == null) { throw new NullPointerException(); } 145 return native_restorecon(pathname, 0); 146 } 147 148 /** 149 * Restores a file to its default SELinux security context. 150 * If the system is not compiled with SELinux, then {@code true} 151 * is automatically returned. 152 * If SELinux is compiled in, but disabled, then {@code true} is 153 * returned. 154 * 155 * @param pathname The pathname of the file to be relabeled. 156 * @return a boolean indicating whether the relabeling succeeded. 157 */ native_restorecon(String pathname, int flags)158 private static native boolean native_restorecon(String pathname, int flags); 159 160 /** 161 * Restores a file to its default SELinux security context. 162 * If the system is not compiled with SELinux, then {@code true} 163 * is automatically returned. 164 * If SELinux is compiled in, but disabled, then {@code true} is 165 * returned. 166 * 167 * @param file The File object representing the path to be relabeled. 168 * @return a boolean indicating whether the relabeling succeeded. 169 * @exception NullPointerException if the file is a null object. 170 */ restorecon(File file)171 public static boolean restorecon(File file) throws NullPointerException { 172 try { 173 return native_restorecon(file.getCanonicalPath(), 0); 174 } catch (IOException e) { 175 Slog.e(TAG, "Error getting canonical path. Restorecon failed for " + 176 file.getPath(), e); 177 return false; 178 } 179 } 180 181 /** 182 * Recursively restores all files under the given path to their default 183 * SELinux security context. If the system is not compiled with SELinux, 184 * then {@code true} is automatically returned. If SELinux is compiled in, 185 * but disabled, then {@code true} is returned. 186 * 187 * @return a boolean indicating whether the relabeling succeeded. 188 */ restoreconRecursive(File file)189 public static boolean restoreconRecursive(File file) { 190 try { 191 return native_restorecon(file.getCanonicalPath(), SELINUX_ANDROID_RESTORECON_RECURSE); 192 } catch (IOException e) { 193 Slog.e(TAG, "Error getting canonical path. Restorecon failed for " + 194 file.getPath(), e); 195 return false; 196 } 197 } 198 } 199