1 /*
2 * Author: Karl MacMillan <kmacmillan@tresys.com>
3 *
4 * Modified:
5 * Dan Walsh <dwalsh@redhat.com> - Added security_load_booleans().
6 */
7
8 #ifndef DISABLE_BOOL
9
10 #include <assert.h>
11 #include <sys/types.h>
12 #include <sys/stat.h>
13 #include <fcntl.h>
14 #include <stdlib.h>
15 #include <dirent.h>
16 #include <string.h>
17 #include <stdio.h>
18 #include <stdio_ext.h>
19 #include <unistd.h>
20 #include <fnmatch.h>
21 #include <limits.h>
22 #include <ctype.h>
23 #include <errno.h>
24
25 #include "selinux_internal.h"
26 #include "policy.h"
27
28 #define SELINUX_BOOL_DIR "/booleans/"
29
filename_select(const struct dirent * d)30 static int filename_select(const struct dirent *d)
31 {
32 if (d->d_name[0] == '.'
33 && (d->d_name[1] == '\0'
34 || (d->d_name[1] == '.' && d->d_name[2] == '\0')))
35 return 0;
36 return 1;
37 }
38
security_get_boolean_names(char *** names,int * len)39 int security_get_boolean_names(char ***names, int *len)
40 {
41 char path[PATH_MAX];
42 int i, rc;
43 struct dirent **namelist;
44 char **n;
45
46 if (!len || names == NULL) {
47 errno = EINVAL;
48 return -1;
49 }
50 if (!selinux_mnt) {
51 errno = ENOENT;
52 return -1;
53 }
54
55 snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
56 *len = scandir(path, &namelist, &filename_select, alphasort);
57 if (*len <= 0) {
58 return -1;
59 }
60
61 n = (char **)malloc(sizeof(char *) * *len);
62 if (!n) {
63 rc = -1;
64 goto bad;
65 }
66
67 for (i = 0; i < *len; i++) {
68 n[i] = strdup(namelist[i]->d_name);
69 if (!n[i]) {
70 rc = -1;
71 goto bad_freen;
72 }
73 }
74 rc = 0;
75 *names = n;
76 out:
77 for (i = 0; i < *len; i++) {
78 free(namelist[i]);
79 }
80 free(namelist);
81 return rc;
82 bad_freen:
83 for (--i; i >= 0; --i)
84 free(n[i]);
85 free(n);
86 bad:
87 goto out;
88 }
89
selinux_boolean_sub(const char * name)90 char *selinux_boolean_sub(const char *name)
91 {
92 char *sub = NULL;
93 char *line_buf = NULL;
94 size_t line_len;
95 FILE *cfg;
96
97 if (!name)
98 return NULL;
99
100 cfg = fopen(selinux_booleans_subs_path(), "r");
101 if (!cfg)
102 goto out;
103
104 while (getline(&line_buf, &line_len, cfg) != -1) {
105 char *ptr;
106 char *src = line_buf;
107 char *dst;
108 while (*src && isspace(*src))
109 src++;
110 if (!*src)
111 continue;
112 if (src[0] == '#')
113 continue;
114
115 ptr = src;
116 while (*ptr && !isspace(*ptr))
117 ptr++;
118 *ptr++ = '\0';
119 if (strcmp(src, name) != 0)
120 continue;
121
122 dst = ptr;
123 while (*dst && isspace(*dst))
124 dst++;
125 if (!*dst)
126 continue;
127 ptr=dst;
128 while (*ptr && !isspace(*ptr))
129 ptr++;
130 *ptr='\0';
131
132 sub = strdup(dst);
133
134 break;
135 }
136 free(line_buf);
137 fclose(cfg);
138 out:
139 if (!sub)
140 sub = strdup(name);
141 return sub;
142 }
143
bool_open(const char * name,int flag)144 static int bool_open(const char *name, int flag) {
145 char *fname = NULL;
146 char *alt_name = NULL;
147 int len;
148 int fd = -1;
149 int ret;
150 char *ptr;
151
152 if (!name) {
153 errno = EINVAL;
154 return -1;
155 }
156
157 /* note the 'sizeof' gets us enough room for the '\0' */
158 len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR);
159 fname = malloc(sizeof(char) * len);
160 if (!fname)
161 return -1;
162
163 ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name);
164 if (ret < 0)
165 goto out;
166 assert(ret < len);
167
168 fd = open(fname, flag);
169 if (fd >= 0 || errno != ENOENT)
170 goto out;
171
172 alt_name = selinux_boolean_sub(name);
173 if (!alt_name)
174 goto out;
175
176 /* note the 'sizeof' gets us enough room for the '\0' */
177 len = strlen(alt_name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR);
178 ptr = realloc(fname, len);
179 if (!ptr)
180 goto out;
181 fname = ptr;
182
183 ret = snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, alt_name);
184 if (ret < 0)
185 goto out;
186 assert(ret < len);
187
188 fd = open(fname, flag);
189 out:
190 free(fname);
191 free(alt_name);
192
193 return fd;
194 }
195
196 #define STRBUF_SIZE 3
get_bool_value(const char * name,char ** buf)197 static int get_bool_value(const char *name, char **buf)
198 {
199 int fd, len;
200 int errno_tmp;
201
202 if (!selinux_mnt) {
203 errno = ENOENT;
204 return -1;
205 }
206
207 *buf = malloc(sizeof(char) * (STRBUF_SIZE + 1));
208 if (!*buf)
209 return -1;
210
211 (*buf)[STRBUF_SIZE] = 0;
212
213 fd = bool_open(name, O_RDONLY);
214 if (fd < 0)
215 goto out_err;
216
217 len = read(fd, *buf, STRBUF_SIZE);
218 errno_tmp = errno;
219 close(fd);
220 errno = errno_tmp;
221 if (len != STRBUF_SIZE)
222 goto out_err;
223
224 return 0;
225 out_err:
226 free(*buf);
227 return -1;
228 }
229
security_get_boolean_pending(const char * name)230 int security_get_boolean_pending(const char *name)
231 {
232 char *buf;
233 int val;
234
235 if (get_bool_value(name, &buf))
236 return -1;
237
238 if (atoi(&buf[1]))
239 val = 1;
240 else
241 val = 0;
242 free(buf);
243 return val;
244 }
245
security_get_boolean_active(const char * name)246 int security_get_boolean_active(const char *name)
247 {
248 char *buf;
249 int val;
250
251 if (get_bool_value(name, &buf))
252 return -1;
253
254 buf[1] = '\0';
255 if (atoi(buf))
256 val = 1;
257 else
258 val = 0;
259 free(buf);
260 return val;
261 }
262
security_set_boolean(const char * name,int value)263 int security_set_boolean(const char *name, int value)
264 {
265 int fd, ret;
266 char buf[2];
267
268 if (!selinux_mnt) {
269 errno = ENOENT;
270 return -1;
271 }
272 if (value < 0 || value > 1) {
273 errno = EINVAL;
274 return -1;
275 }
276
277 fd = bool_open(name, O_WRONLY);
278 if (fd < 0)
279 return -1;
280
281 if (value)
282 buf[0] = '1';
283 else
284 buf[0] = '0';
285 buf[1] = '\0';
286
287 ret = write(fd, buf, 2);
288 close(fd);
289
290 if (ret > 0)
291 return 0;
292 else
293 return -1;
294 }
295
security_commit_booleans(void)296 int security_commit_booleans(void)
297 {
298 int fd, ret;
299 char buf[2];
300 char path[PATH_MAX];
301
302 if (!selinux_mnt) {
303 errno = ENOENT;
304 return -1;
305 }
306
307 snprintf(path, sizeof path, "%s/commit_pending_bools", selinux_mnt);
308 fd = open(path, O_WRONLY);
309 if (fd < 0)
310 return -1;
311
312 buf[0] = '1';
313 buf[1] = '\0';
314
315 ret = write(fd, buf, 2);
316 close(fd);
317
318 if (ret > 0)
319 return 0;
320 else
321 return -1;
322 }
323
strtrim(char * dest,char * source,int size)324 static char *strtrim(char *dest, char *source, int size)
325 {
326 int i = 0;
327 char *ptr = source;
328 i = 0;
329 while (isspace(*ptr) && i < size) {
330 ptr++;
331 i++;
332 }
333 strncpy(dest, ptr, size);
334 for (i = strlen(dest) - 1; i > 0; i--) {
335 if (!isspace(dest[i]))
336 break;
337 }
338 dest[i + 1] = '\0';
339 return dest;
340 }
process_boolean(char * buffer,char * name,int namesize,int * val)341 static int process_boolean(char *buffer, char *name, int namesize, int *val)
342 {
343 char name1[BUFSIZ];
344 char *ptr = NULL;
345 char *tok = strtok_r(buffer, "=", &ptr);
346 if (tok) {
347 strncpy(name1, tok, BUFSIZ - 1);
348 strtrim(name, name1, namesize - 1);
349 if (name[0] == '#')
350 return 0;
351 tok = strtok_r(NULL, "\0", &ptr);
352 if (tok) {
353 while (isspace(*tok))
354 tok++;
355 *val = -1;
356 if (isdigit(tok[0]))
357 *val = atoi(tok);
358 else if (!strncasecmp(tok, "true", sizeof("true") - 1))
359 *val = 1;
360 else if (!strncasecmp
361 (tok, "false", sizeof("false") - 1))
362 *val = 0;
363 if (*val != 0 && *val != 1) {
364 errno = EINVAL;
365 return -1;
366 }
367
368 }
369 }
370 return 1;
371 }
save_booleans(size_t boolcnt,SELboolean * boollist)372 static int save_booleans(size_t boolcnt, SELboolean * boollist)
373 {
374 ssize_t len;
375 size_t i;
376 char outbuf[BUFSIZ];
377 char *inbuf = NULL;
378
379 /* Open file */
380 const char *bool_file = selinux_booleans_path();
381 char local_bool_file[PATH_MAX];
382 char tmp_bool_file[PATH_MAX];
383 FILE *boolf;
384 int fd;
385 int *used = (int *)malloc(sizeof(int) * boolcnt);
386 if (!used) {
387 return -1;
388 }
389 /* zero out used field */
390 for (i = 0; i < boolcnt; i++)
391 used[i] = 0;
392
393 snprintf(tmp_bool_file, sizeof(tmp_bool_file), "%s.XXXXXX", bool_file);
394 fd = mkstemp(tmp_bool_file);
395 if (fd < 0) {
396 free(used);
397 return -1;
398 }
399
400 snprintf(local_bool_file, sizeof(local_bool_file), "%s.local",
401 bool_file);
402 boolf = fopen(local_bool_file, "r");
403 if (boolf != NULL) {
404 ssize_t ret;
405 size_t size = 0;
406 int val;
407 char boolname[BUFSIZ];
408 char *buffer;
409 inbuf = NULL;
410 __fsetlocking(boolf, FSETLOCKING_BYCALLER);
411 while ((len = getline(&inbuf, &size, boolf)) > 0) {
412 buffer = strdup(inbuf);
413 if (!buffer)
414 goto close_remove_fail;
415 ret =
416 process_boolean(inbuf, boolname, sizeof(boolname),
417 &val);
418 if (ret != 1) {
419 ret = write(fd, buffer, len);
420 free(buffer);
421 if (ret != len)
422 goto close_remove_fail;
423 } else {
424 free(buffer);
425 for (i = 0; i < boolcnt; i++) {
426 if (strcmp(boollist[i].name, boolname)
427 == 0) {
428 snprintf(outbuf, sizeof(outbuf),
429 "%s=%d\n", boolname,
430 boollist[i].value);
431 len = strlen(outbuf);
432 used[i] = 1;
433 if (write(fd, outbuf, len) !=
434 len)
435 goto close_remove_fail;
436 else
437 break;
438 }
439 }
440 if (i == boolcnt) {
441 snprintf(outbuf, sizeof(outbuf),
442 "%s=%d\n", boolname, val);
443 len = strlen(outbuf);
444 if (write(fd, outbuf, len) != len)
445 goto close_remove_fail;
446 }
447 }
448 free(inbuf);
449 inbuf = NULL;
450 }
451 fclose(boolf);
452 }
453
454 for (i = 0; i < boolcnt; i++) {
455 if (used[i] == 0) {
456 snprintf(outbuf, sizeof(outbuf), "%s=%d\n",
457 boollist[i].name, boollist[i].value);
458 len = strlen(outbuf);
459 if (write(fd, outbuf, len) != len) {
460 close_remove_fail:
461 free(inbuf);
462 close(fd);
463 remove_fail:
464 unlink(tmp_bool_file);
465 free(used);
466 return -1;
467 }
468 }
469
470 }
471 if (fchmod(fd, S_IRUSR | S_IWUSR) != 0)
472 goto close_remove_fail;
473 close(fd);
474 if (rename(tmp_bool_file, local_bool_file) != 0)
475 goto remove_fail;
476
477 free(used);
478 return 0;
479 }
rollback(SELboolean * boollist,int end)480 static void rollback(SELboolean * boollist, int end)
481 {
482 int i;
483
484 for (i = 0; i < end; i++)
485 security_set_boolean(boollist[i].name,
486 security_get_boolean_active(boollist[i].
487 name));
488 }
489
security_set_boolean_list(size_t boolcnt,SELboolean * boollist,int permanent)490 int security_set_boolean_list(size_t boolcnt, SELboolean * boollist,
491 int permanent)
492 {
493
494 size_t i;
495 for (i = 0; i < boolcnt; i++) {
496 if (security_set_boolean(boollist[i].name, boollist[i].value)) {
497 rollback(boollist, i);
498 return -1;
499 }
500 }
501
502 /* OK, let's do the commit */
503 if (security_commit_booleans()) {
504 return -1;
505 }
506
507 if (permanent)
508 return save_booleans(boolcnt, boollist);
509
510 return 0;
511 }
security_load_booleans(char * path)512 int security_load_booleans(char *path)
513 {
514 FILE *boolf;
515 char *inbuf;
516 char localbools[BUFSIZ];
517 size_t len = 0, errors = 0;
518 int val;
519 char name[BUFSIZ];
520
521 boolf = fopen(path ? path : selinux_booleans_path(), "r");
522 if (boolf == NULL)
523 goto localbool;
524
525 __fsetlocking(boolf, FSETLOCKING_BYCALLER);
526 while (getline(&inbuf, &len, boolf) > 0) {
527 int ret = process_boolean(inbuf, name, sizeof(name), &val);
528 if (ret == -1)
529 errors++;
530 if (ret == 1)
531 if (security_set_boolean(name, val) < 0) {
532 errors++;
533 }
534 }
535 fclose(boolf);
536 localbool:
537 snprintf(localbools, sizeof(localbools), "%s.local",
538 (path ? path : selinux_booleans_path()));
539 boolf = fopen(localbools, "r");
540
541 if (boolf != NULL) {
542 int ret;
543 __fsetlocking(boolf, FSETLOCKING_BYCALLER);
544 while (getline(&inbuf, &len, boolf) > 0) {
545 ret = process_boolean(inbuf, name, sizeof(name), &val);
546 if (ret == -1)
547 errors++;
548 if (ret == 1)
549 if (security_set_boolean(name, val) < 0) {
550 errors++;
551 }
552 }
553 fclose(boolf);
554 }
555 if (security_commit_booleans() < 0)
556 return -1;
557
558 if (errors)
559 errno = EINVAL;
560 return errors ? -1 : 0;
561 }
562
563 #else
564
565 #include <stdlib.h>
566 #include "selinux_internal.h"
567
security_set_boolean_list(size_t boolcnt,SELboolean * boollist,int permanent)568 int security_set_boolean_list(size_t boolcnt __attribute__((unused)),
569 SELboolean * boollist __attribute__((unused)),
570 int permanent __attribute__((unused)))
571 {
572 return -1;
573 }
574
security_load_booleans(char * path)575 int security_load_booleans(char *path __attribute__((unused)))
576 {
577 return -1;
578 }
579
security_get_boolean_names(char *** names,int * len)580 int security_get_boolean_names(char ***names __attribute__((unused)),
581 int *len __attribute__((unused)))
582 {
583 return -1;
584 }
585
security_get_boolean_pending(const char * name)586 int security_get_boolean_pending(const char *name __attribute__((unused)))
587 {
588 return -1;
589 }
590
security_get_boolean_active(const char * name)591 int security_get_boolean_active(const char *name __attribute__((unused)))
592 {
593 return -1;
594 }
595
security_set_boolean(const char * name,int value)596 int security_set_boolean(const char *name __attribute__((unused)),
597 int value __attribute__((unused)))
598 {
599 return -1;
600 }
601
security_commit_booleans(void)602 int security_commit_booleans(void)
603 {
604 return -1;
605 }
606
selinux_boolean_sub(const char * name)607 char *selinux_boolean_sub(const char *name __attribute__((unused)))
608 {
609 return NULL;
610 }
611 #endif
612
613 hidden_def(security_get_boolean_names)
614 hidden_def(selinux_boolean_sub)
615 hidden_def(security_get_boolean_active)
616 hidden_def(security_set_boolean)
617 hidden_def(security_commit_booleans)
618