[gentoo-commits] proj/openrc:master commit in: src/rc/

["William Hubbs" <williamh@gentoo.org>]

commit:     9c689542c3246e793310db938374bc97600435e6
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 15 18:27:34 2014 +0000
Commit:     William Hubbs <williamh <AT> gentoo <DOT> org>
CommitDate: Wed Jul 16 18:09:38 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/openrc.git;a=commit;h=9c689542

checkpath: restore the SELinux context

X-Gentoo-Bug: 516956
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=516956

---
 src/rc/Makefile          |   6 ++-
 src/rc/checkpath.c       |  28 ++++++++---
 src/rc/rc-selinux-util.c | 126 +++++++++++++++++++++++++++++++++++++++++++++++
 src/rc/rc-selinux-util.h |  33 +++++++++++++
 4 files changed, 186 insertions(+), 7 deletions(-)

diff --git a/src/rc/Makefile b/src/rc/Makefile
index 5f5aa63..fb5265c 100644
--- a/src/rc/Makefile
+++ b/src/rc/Makefile
@@ -4,7 +4,11 @@ SRCS=		checkpath.c fstabinfo.c mountinfo.c start-stop-daemon.c \
 		rc-misc.c rc-plugin.c rc-service.c rc-status.c rc-update.c \
 		runscript.c rc.c swclock.c
 
-CLEANFILES=	version.h
+ifeq (${MKSELINUX},yes)
+SRCS+=		rc-selinux-util.c
+endif
+
+CLEANFILES=	version.h rc-selinux-util.o
 
 BINDIR=		${PREFIX}/bin
 SBINDIR=	${PREFIX}/sbin

diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
index 6a0f893..6945b67 100644
--- a/src/rc/checkpath.c
+++ b/src/rc/checkpath.c
@@ -46,6 +46,10 @@
 #include "einfo.h"
 #include "rc-misc.h"
 
+#ifdef HAVE_SELINUX
+#include "rc-selinux-util.h"
+#endif
+
 typedef enum {
 	inode_unknown = 0,
 	inode_file = 1,
@@ -55,13 +59,9 @@ typedef enum {
 
 extern const char *applet;
 
-/* TODO: SELinux
- * This needs a LOT of SELinux loving
- * See systemd's src/label.c:label_mkdir
- */
 static int
 do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type,
-		bool trunc, bool chowner)
+		bool trunc, bool chowner, bool selinux_on)
 {
 	struct stat st;
 	int fd, flags;
@@ -149,6 +149,11 @@ do_check(char *path, uid_t uid, gid_t gid, mode_t mode, inode_t type,
 		}
 	}
 
+#ifdef HAVE_SELINUX
+	if (selinux_on)
+		selinux_util_label(path);
+#endif
+
 	return 0;
 }
 
@@ -226,6 +231,7 @@ checkpath(int argc, char **argv)
 	bool trunc = false;
 	bool chowner = false;
 	bool writable = false;
+	bool selinux_on = false;
 
 	while ((opt = getopt_long(argc, argv, getoptstring,
 		    longopts, (int *) 0)) != -1)
@@ -276,13 +282,23 @@ checkpath(int argc, char **argv)
 	if (gr)
 		gid = gr->gr_gid;
 
+#ifdef HAVE_SELINUX
+	if (1 == selinux_util_open())
+		selinux_on = true;
+#endif
+
 	while (optind < argc) {
 		if (writable)
 			exit(!is_writable(argv[optind]));
-		if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner))
+		if (do_check(argv[optind], uid, gid, mode, type, trunc, chowner, selinux_on))
 			retval = EXIT_FAILURE;
 		optind++;
 	}
 
+#ifdef HAVE_SELINUX
+	if (selinux_on)
+		selinux_util_close();
+#endif
+
 	return retval;
 }

diff --git a/src/rc/rc-selinux-util.c b/src/rc/rc-selinux-util.c
new file mode 100644
index 0000000..6cbb5db
--- /dev/null
+++ b/src/rc/rc-selinux-util.c
@@ -0,0 +1,126 @@
+/*
+  rc-selinux.c
+  SELinux helpers to get and set contexts.
+*/
+
+/*
+ * Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stddef.h>
+#include <errno.h>
+
+#include <sys/stat.h>
+
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+#include "rc-selinux-util.h"
+
+static struct selabel_handle *hnd = NULL;
+
+int
+selinux_util_label(const char *path)
+{
+	int retval = 0;
+	int enforce;
+	struct stat st;
+	security_context_t con;
+
+	enforce = security_getenforce();
+	if (retval < 0)
+		return retval;
+
+	if (NULL == hnd)
+		return (enforce) ? -1 : 0;
+
+	retval = lstat(path, &st);
+	if (retval < 0) {
+		if (ENOENT == errno)
+			return 0;
+		return (enforce) ? -1 : 0;
+	}
+
+	/* lookup the context */
+	retval = selabel_lookup_raw(hnd, &con, path, st.st_mode);
+	if (retval < 0) {
+		if (ENOENT == errno)
+			return 0;
+		return (enforce) ? -1 : 0;
+	}
+
+	/* apply the context */
+	retval = lsetfilecon(path, con);
+	freecon(con);
+	if (retval < 0) {
+		if (ENOENT == errno)
+			return 0;
+		if (ENOTSUP == errno)
+			return 0;
+		return (enforce) ? -1 : 0;
+	}
+
+	return 0;
+}
+
+/*
+ * Open the label handle
+ * returns 1 on success, 0 if no selinux, negative on error
+ */
+int
+selinux_util_open(void)
+{
+	int retval = 0;
+
+	retval = is_selinux_enabled();
+	if (retval <= 0)
+		return retval;
+
+	hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+	if (NULL == hnd)
+		return -2;
+
+	return 1;
+}
+
+/*
+ * Close the label handle
+ * returns 1 on success, 0 if no selinux, negative on error
+ */
+int
+selinux_util_close(void)
+{
+	int retval = 0;
+
+	retval = is_selinux_enabled();
+	if (retval <= 0)
+		return retval;
+
+	if (hnd) {
+		selabel_close(hnd);
+		hnd = NULL;
+	}
+
+	return 0;
+}

diff --git a/src/rc/rc-selinux-util.h b/src/rc/rc-selinux-util.h
new file mode 100644
index 0000000..69624b3
--- /dev/null
+++ b/src/rc/rc-selinux-util.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef RC_SELINUX_UTIL_H
+#define RC_SELINUX_UTIL_H
+
+int selinux_util_open(void);
+int selinux_util_label(const char *path);
+int selinux_util_close(void);
+
+#endif