/*
 * selinux_process_label_get: Get SELinux context of a process
 *
 * @pid : the pid to get, or 0 for self
 *
 * Returns a freshly allocated copy of the raw context of the given pid, or
 * NULL when the context cannot be read (logged via SYSERROR) or when the
 * copy cannot be allocated. The caller must free() the returned string.
 *
 * Note that this relies on /proc being available.
 */
static char *selinux_process_label_get(pid_t pid)
{
	security_context_t ctx = NULL;
	char *copy = NULL;

	if (getpidcon_raw(pid, &ctx) >= 0) {
		/* Hand back our own allocation so the caller can plain free() it. */
		copy = strdup((char *)ctx);
		freecon(ctx);
	} else {
		SYSERROR("failed to get SELinux context for pid %d", pid);
	}

	return copy;
}
/*
 * selinux_get_label: read and validate the SELinux context of a task.
 *
 * @pid:    task whose raw context is read with getpidcon_raw()
 * @output: always set to NULL; the label itself is not handed back, this
 *          function only validates it
 *
 * Since SELinux attributes can be finer grained than the task level and
 * none of those finer-grained bits are dumped, only unconfined profiles
 * are accepted. Those look something like:
 *
 *   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
 *
 * Only the first three colon-separated fields (user, role, type) are
 * inspected; the MLS/MCS range that may follow is not checked here.
 *
 * Returns 0 when all three fields start with "unconfined_", -1 when the
 * context cannot be read, is malformed, or is not unconfined.
 */
static int selinux_get_label(pid_t pid, char **output)
{
	security_context_t ctx;
	char *field;
	int n;

	if (getpidcon_raw(pid, &ctx) < 0) {
		pr_perror("getting selinux profile failed");
		return -1;
	}

	*output = NULL;

	/* Walk user, role and type; each must end in ':' and be unconfined_*. */
	field = (char *)ctx;
	for (n = 0; n < 3; n++) {
		char *sep = strchr(field, ':');

		if (!sep) {
			pr_err("Invalid selinux context %s\n", (char *)ctx);
			freecon(ctx);
			return -1;
		}
		/* Terminate the field in place so it can be printed/compared alone. */
		*sep = 0;
		if (!strstartswith(field, "unconfined_")) {
			pr_err("Non unconfined selinux contexts not supported %s\n", field);
			freecon(ctx);
			return -1;
		}
		field = sep + 1;
	}

	freecon(ctx);
	return 0;
}
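/*
 * empty_con_if_null: substitute an empty context for a missing one.
 *
 * Several kernel attributes (exec, fscreate, keycreate) are legitimately
 * unset, in which case the getter hands back NULL. Callers of get_scon()
 * expect a string, so return an allocated "" in that case. Exits via err()
 * if the allocation fails, matching the other allocation paths here.
 */
static security_context_t empty_con_if_null(security_context_t con)
{
	if (con)
		return con;
	con = strdup("");
	if (!con)
		err(EXIT_FAILURE, " Couldn't allocate security context");
	return con;
}

/*
 * get_scon: obtain the security context selected by the global opts.
 *
 * The source is chosen by opts->from_type: a literal argument, a line read
 * from stdin, the calling process (current / exec / fscreate / keycreate),
 * another pid (getpidcon_raw and the my_getpid*_raw helpers), or a file
 * or symlink. Sources that may have no context yield "" instead of NULL.
 *
 * The fetched context is raw except for the argument and stdin sources,
 * which are tagged with the opposite of opts->disp_raw so that they are
 * always run through the translation step. When the fetched form differs
 * from opts->disp_raw the context is converted with
 * selinux_trans_to_raw_context() / selinux_raw_to_trans_context().
 *
 * Every failure is fatal: the function exits with EXIT_FAILURE via
 * err()/errx(). Returns a context the caller must release with freecon();
 * never returns NULL.
 */
static security_context_t get_scon(void)
{
	security_context_t con = NULL;
	int ret = -1;
	/* Form of the context we fetched; the *_raw getters return raw. */
	int raw = TRUE;

	switch (opts->from_type) {
	case OPTS_FROM_ARG:
		if (!(con = strdup(opts->f.arg)))
			err(EXIT_FAILURE, " Couldn't allocate security context");
		raw = !opts->disp_raw;	/* always do conversion */
		break;
	case OPTS_FROM_STDIN: {
		char buf[4096] = "";
		char *ptr = buf;

		/* Skip blank lines; keep the first whitespace-delimited token. */
		while (!*ptr) {
			if (!(ptr = fgets(buf, sizeof(buf), stdin)))
				err(EXIT_FAILURE, " Couldn't read security context");
			ptr += strspn(ptr, " \n\t");
			ptr[strcspn(ptr, " \n\t")] = 0;
		}
		if (!(con = strdup(ptr)))
			err(EXIT_FAILURE, " Couldn't allocate security context");
		raw = !opts->disp_raw;	/* always do conversion */
		break;
	}
	case OPTS_FROM_CUR:
		ret = getcon_raw(&con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get current security context");
		break;
	case OPTS_FROM_CUREXE:
		ret = getexeccon_raw(&con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get current exec security context");
		con = empty_con_if_null(con);
		break;
	case OPTS_FROM_CURFS:
		ret = getfscreatecon_raw(&con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get current fs security context");
		con = empty_con_if_null(con);
		break;
	case OPTS_FROM_CURKEY:
		ret = getkeycreatecon_raw(&con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get current key security context");
		con = empty_con_if_null(con);
		break;
	case OPTS_FROM_PROC:
		ret = getpidcon_raw(opts->f.pid, &con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get security context for pid %lu",
			    (unsigned long)opts->f.pid);
		break;
	case OPTS_FROM_PROCEXE:
		ret = my_getpidexeccon_raw(opts->f.pid, &con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get security context for pid %lu",
			    (unsigned long)opts->f.pid);
		con = empty_con_if_null(con);
		break;
	case OPTS_FROM_PROCFS:
		ret = my_getpidfscreatecon_raw(opts->f.pid, &con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get security context for pid %lu",
			    (unsigned long)opts->f.pid);
		/*
		 * An unset fscreate context is reported as "" rather than
		 * falling back to the process context (that fallback was
		 * considered and deliberately left disabled).
		 */
		con = empty_con_if_null(con);
		break;
	case OPTS_FROM_PROCKEY:
		ret = my_getpidkeycreatecon_raw(opts->f.pid, &con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get security context for pid %lu",
			    (unsigned long)opts->f.pid);
		con = empty_con_if_null(con);
		break;
	case OPTS_FROM_FILE:
		ret = getfilecon_raw(opts->f.file, &con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get security context for file %s",
			    opts->f.file);
		break;
	case OPTS_FROM_LINK:
		ret = lgetfilecon_raw(opts->f.link, &con);
		if (ret == -1)
			err(EXIT_FAILURE, " Couldn't get security context for symlink %s",
			    opts->f.link);
		break;
	default:
		assert(FALSE);
		/* Keep NDEBUG builds from continuing with con == NULL. */
		errx(EXIT_FAILURE, " Unknown security context source");
	}

	if (opts->disp_raw != raw) {
		security_context_t ncon = NULL;

		if (opts->disp_raw)
			ret = selinux_trans_to_raw_context(con, &ncon);
		else
			ret = selinux_raw_to_trans_context(con, &ncon);
		/*
		 * A failed translation used to leave con NULL for the caller;
		 * treat it like every other failure here and exit instead.
		 */
		if (ret == -1 || !ncon)
			err(EXIT_FAILURE, " Couldn't translate security context");
		freecon(con);
		con = ncon;
	}

	return (con);
}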
/*
 * getpidcon: fetch the SELinux context of @pid into *@context.
 *
 * This definition forwards directly to getpidcon_raw(), so no
 * raw-to-translated conversion is performed here; the caller receives the
 * raw form and must release it with freecon(). The return value is that of
 * getpidcon_raw().
 */
int getpidcon(pid_t pid, security_context_t *context)
{
	int rc;

	rc = getpidcon_raw(pid, context);
	return rc;
}