int security_compute_create_name(const char * scon,
const char * tcon,
security_class_t tclass,
const char *objname,
char ** newcon)
{
int ret;
char * rscon;
char * rtcon;
char * rnewcon;
if (selinux_trans_to_raw_context(scon, &rscon))
return -1;
if (selinux_trans_to_raw_context(tcon, &rtcon)) {
freecon(rscon);
return -1;
}
ret = security_compute_create_name_raw(rscon, rtcon, tclass,
objname, &rnewcon);
freecon(rscon);
freecon(rtcon);
if (!ret) {
ret = selinux_raw_to_trans_context(rnewcon, newcon);
freecon(rnewcon);
}
return ret;
}
Datum
sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
{
text *label = PG_GETARG_TEXT_P(0);
char *qual_label;
char *result;
if (!sepgsql_is_enabled())
ereport(ERROR,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
errmsg("sepgsql is not currently enabled")));
if (selinux_raw_to_trans_context(text_to_cstring(label),
&qual_label) < 0)
ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux: could not translate security label: %m")));
PG_TRY();
{
result = pstrdup(qual_label);
}
PG_CATCH();
{
freecon(qual_label);
PG_RE_THROW();
}
PG_END_TRY();
freecon(qual_label);
PG_RETURN_TEXT_P(cstring_to_text(result));
}
int security_compute_member(const char * scon,
const char * tcon,
security_class_t tclass,
char ** newcon)
{
int ret;
char * rscon;
char * rtcon;
char * rnewcon;
if (selinux_trans_to_raw_context(scon, &rscon))
return -1;
if (selinux_trans_to_raw_context(tcon, &rtcon)) {
freecon(rscon);
return -1;
}
ret = security_compute_member_raw(rscon, rtcon, tclass, &rnewcon);
freecon(rscon);
freecon(rtcon);
if (!ret) {
if (selinux_raw_to_trans_context(rnewcon, newcon)) {
*newcon = NULL;
ret = -1;
}
freecon(rnewcon);
}
return ret;
}
int security_get_initial_context(const char * name, char ** con)
{
int ret;
char * rcon;
ret = security_get_initial_context_raw(name, &rcon);
if (!ret) {
ret = selinux_raw_to_trans_context(rcon, con);
freecon(rcon);
}
return ret;
}
static int selabel_fini(struct selabel_handle *rec,
struct selabel_lookup_rec *lr,
int translating)
{
if (compat_validate(rec, lr, rec->spec_file, 0))
return -1;
if (translating && !lr->ctx_trans &&
selinux_raw_to_trans_context(lr->ctx_raw, &lr->ctx_trans))
return -1;
return 0;
}
int lgetfilecon(const char *path, char ** context)
{
int ret;
char * rcontext;
*context = NULL;
ret = lgetfilecon_raw(path, &rcontext);
if (ret > 0) {
ret = selinux_raw_to_trans_context(rcontext, context);
freecon(rcontext);
}
if (ret >= 0 && *context)
return strlen(*context) + 1;
return ret;
}
int fgetfilecon(int fd, security_context_t * context)
{
security_context_t rcontext;
int ret;
*context = NULL;
ret = fgetfilecon_raw(fd, &rcontext);
if (ret > 0) {
ret = selinux_raw_to_trans_context(rcontext, context);
freecon(rcontext);
}
if (ret >= 0 && *context)
return strlen(*context) + 1;
return ret;
}
int security_canonicalize_context(const char * con,
char ** canoncon)
{
int ret;
char * rcon;
char * rcanoncon;
if (selinux_trans_to_raw_context(con, &rcon))
return -1;
ret = security_canonicalize_context_raw(rcon, &rcanoncon);
freecon(rcon);
if (!ret) {
ret = selinux_raw_to_trans_context(rcanoncon, canoncon);
freecon(rcanoncon);
}
return ret;
}
static struct selabel_lookup_rec *
selabel_lookup_common(struct selabel_handle *rec, int translating,
const char *key, int type)
{
struct selabel_lookup_rec *lr;
char *ptr = NULL;
char *dptr = NULL;
if (key == NULL) {
errno = EINVAL;
return NULL;
}
ptr = selabel_sub(rec->subs, key);
if (ptr) {
dptr = selabel_sub(rec->dist_subs, ptr);
if (dptr) {
free(ptr);
ptr = dptr;
}
} else {
ptr = selabel_sub(rec->dist_subs, key);
}
if (ptr) {
lr = rec->func_lookup(rec, ptr, type);
free(ptr);
} else {
lr = rec->func_lookup(rec, key, type);
}
if (!lr)
return NULL;
if (compat_validate(rec, lr, rec->spec_file, 0))
return NULL;
if (translating && !lr->ctx_trans &&
selinux_raw_to_trans_context(lr->ctx_raw, &lr->ctx_trans))
return NULL;
return lr;
}
static security_context_t get_scon(void)
{
static char dummy_NIL[1] = "";
security_context_t con = NULL;
int ret = -1;
int raw = TRUE;
switch (opts->from_type) {
case OPTS_FROM_ARG:
if (!(con = strdup(opts->f.arg)))
err(EXIT_FAILURE,
" Couldn't allocate security context");
raw = !opts->disp_raw; /* always do conversion */
break;
case OPTS_FROM_STDIN:
{
char buf[4096] = "";
char *ptr = buf;
while (!*ptr) {
if (!(ptr = fgets(buf, sizeof(buf), stdin)))
err(EXIT_FAILURE,
" Couldn't read security context");
ptr += strspn(ptr, " \n\t");
ptr[strcspn(ptr, " \n\t")] = 0;
}
if (!(con = strdup(ptr)))
err(EXIT_FAILURE,
" Couldn't allocate security context");
raw = !opts->disp_raw; /* always do conversion */
break;
}
case OPTS_FROM_CUR:
ret = getcon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current security context");
break;
case OPTS_FROM_CUREXE:
ret = getexeccon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current exec security context");
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_CURFS:
ret = getfscreatecon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current fs security context");
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_CURKEY:
ret = getkeycreatecon_raw(&con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get current key security context");
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_PROC:
ret = getpidcon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
break;
case OPTS_FROM_PROCEXE:
ret = my_getpidexeccon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_PROCFS:
ret = my_getpidfscreatecon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
if (!con)
con = strdup(dummy_NIL);
/* disabled -- override with normal context ...
{
opts->from_type = OPTS_FROM_PROC;
return (get_scon());
} */
break;
case OPTS_FROM_PROCKEY:
ret = my_getpidkeycreatecon_raw(opts->f.pid, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for pid %lu",
(unsigned long)opts->f.pid);
if (!con)
con = strdup(dummy_NIL);
break;
case OPTS_FROM_FILE:
ret = getfilecon_raw(opts->f.file, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for file %s",
opts->f.file);
break;
case OPTS_FROM_LINK:
ret = lgetfilecon_raw(opts->f.link, &con);
if (ret == -1)
err(EXIT_FAILURE,
" Couldn't get security context for symlink %s",
opts->f.link);
break;
default:
assert(FALSE);
}
if (opts->disp_raw != raw) {
security_context_t ncon = NULL;
if (opts->disp_raw)
selinux_trans_to_raw_context(con, &ncon);
else
selinux_raw_to_trans_context(con, &ncon);
freecon(con);
con = ncon;
}
return (con);
}
