int do_setsebool(int nargs, char **args) {
#ifdef HAVE_SELINUX
SELboolean *b = alloca(nargs * sizeof(SELboolean));
char *v;
int i;
if (is_selinux_enabled() <= 0)
return 0;
for (i = 1; i < nargs; i++) {
char *name = args[i];
v = strchr(name, '=');
if (!v) {
ERROR("setsebool: argument %s had no =\n", name);
return -EINVAL;
}
*v++ = 0;
b[i-1].name = name;
if (!strcmp(v, "1") || !strcasecmp(v, "true") || !strcasecmp(v, "on"))
b[i-1].value = 1;
else if (!strcmp(v, "0") || !strcasecmp(v, "false") || !strcasecmp(v, "off"))
b[i-1].value = 0;
else {
ERROR("setsebool: invalid value %s\n", v);
return -EINVAL;
}
}
if (security_set_boolean_list(nargs - 1, b, 0) < 0)
return -errno;
#endif
return 0;
}
int setenforce_main(int argc, char **argv)
{
int rc = 0;
if (argc != 2) {
bb_show_usage();
}
if (is_selinux_enabled() <= 0) {
bb_error_msg("SELinux is disabled");
return 1;
}
if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) {
rc = security_setenforce(atoi(argv[1]));
} else {
if (strcasecmp(argv[1], "enforcing") == 0) {
rc = security_setenforce(1);
} else if (strcasecmp(argv[1], "permissive") == 0) {
rc = security_setenforce(0);
} else
bb_show_usage();
}
if (rc < 0) {
bb_error_msg("setenforce() failed");
return 2;
}
return 0;
}
int main(int argc __attribute__ ((unused)), char **argv)
{
int rc;
rc = is_selinux_enabled();
if (rc < 0) {
fputs("getenforce: is_selinux_enabled() failed", stderr);
return 2;
}
if (rc == 1) {
rc = security_getenforce();
if (rc < 0) {
fputs("getenforce: getenforce() failed", stderr);
return 2;
}
if (rc)
puts("Enforcing");
else
puts("Permissive");
} else {
puts("Disabled");
}
return 0;
}
static int check_mac_perms(const char *name, char *sctx, struct ucred *cr)
{
if (is_selinux_enabled() <= 0)
return 1;
char *tctx = NULL;
int result = 0;
property_audit_data audit_data;
if (!sctx)
goto err;
if (!sehandle_prop)
goto err;
if (selabel_lookup(sehandle_prop, &tctx, name, 1) != 0)
goto err;
audit_data.name = name;
audit_data.cr = cr;
if (selinux_check_access(sctx, tctx, "property_service", "set", reinterpret_cast<void*>(&audit_data)) == 0)
result = 1;
freecon(tctx);
err:
return result;
}
int main(int argc, char** argv) {
union selinux_callback cb;
if (argc == 1) {
selinux_enabled = is_selinux_enabled();
cb.func_log = selinux_log_callback;
selinux_set_callback(SELINUX_CB_LOG, cb);
return do_server();
}
bool dump_backtrace = false;
bool have_tid = false;
pid_t tid = 0;
for (int i = 1; i < argc; i++) {
if (!strcmp(argv[i], "-b")) {
dump_backtrace = true;
} else if (!have_tid) {
tid = atoi(argv[i]);
have_tid = true;
} else {
usage();
return 1;
}
}
if (!have_tid) {
usage();
return 1;
}
return do_explicit_dump(tid, dump_backtrace);
}
int output_security_context(const char *from_file)
{
#ifdef WITH_SELINUX
security_context_t scontext;
if (selinux_enabled == -1)
selinux_enabled = (is_selinux_enabled() > 0);
if (!selinux_enabled)
return 0;
if (getfilecon(from_file, &scontext) < 0) {
/*
* If the filesystem doesn't support extended
* attributes, the original had no special security
* context and the target cannot have one either.
*/
if (errno == EOPNOTSUPP)
return 0;
error(0, errno,joe_gettext(_("Could not get security context for %s")),
from_file);
return 1;
}
error(0, 0, joe_gettext(_("%s Security Context %s")), from_file, scontext);
freecon(scontext);
#endif
return 0;
}
static void setdefaultfilecon(const char *path)
{
struct stat s;
security_context_t scontext = NULL;
if (!is_selinux_enabled()) {
return;
}
if (lstat(path, &s) != 0) {
return;
}
if (matchpathcon(path, s.st_mode, &scontext) < 0) {
goto out;
}
if (strcmp(scontext, "<<none>>") == 0) {
goto out;
}
if (lsetfilecon(path, scontext) < 0) {
if (errno != ENOTSUP) {
bb_perror_msg("warning: can't change context"
" of %s to %s", path, scontext);
}
}
out:
freecon(scontext);
}
static int check_mac_perms(const char *name, char *sctx)
{
if (is_selinux_enabled() <= 0)
return 1;
char *tctx = NULL;
const char *class = "property_service";
const char *perm = "set";
int result = 0;
if (!sctx)
goto err;
if (!sehandle_prop)
goto err;
if (selabel_lookup(sehandle_prop, &tctx, name, 1) != 0)
goto err;
if (selinux_check_access(sctx, tctx, class, perm, (void*) name) == 0)
result = 1;
freecon(tctx);
err:
return result;
}
/* translates SELinux context from human to raw format and
* appends it to the mount extra options.
*
* returns -1 on error and 0 on success
*/
static int
append_context(const char *optname, char *optdata, char **extra_opts)
{
security_context_t raw = NULL;
char *data = NULL;
if (is_selinux_enabled() != 1)
/* ignore the option if we running without selinux */
return 0;
if (optdata == NULL || *optdata == '\0' || optname == NULL)
return -1;
/* TODO: use strip_quotes() for all mount options? */
data = *optdata == '"' ? strip_quotes(optdata) : optdata;
if (selinux_trans_to_raw_context(
(security_context_t) data, &raw) == -1 ||
raw == NULL)
return -1;
if (verbose)
printf(_("%s: translated %s '%s' to '%s'\n"),
progname, optname, data, (char *) raw);
*extra_opts = append_opt(*extra_opts, optname, NULL);
*extra_opts = xstrconcat4(*extra_opts, "\"", (char *) raw, "\"");
freecon(raw);
return 0;
}
bool use_selinux(void) {
if (use_selinux_cached < 0)
use_selinux_cached = is_selinux_enabled() > 0;
return use_selinux_cached;
}
static void
pw_unlock(void) {
char tmp[FILENAMELEN+4];
sprintf(tmp, "%s%s", orig_file, ".OLD");
unlink(tmp);
link(orig_file, tmp);
#ifdef HAVE_LIBSELINUX
if (is_selinux_enabled()) {
security_context_t passwd_context=NULL;
int ret=0;
if (getfilecon(orig_file,&passwd_context) < 0) {
(void) fprintf(stderr,_("%s: Can't get context for %s"),progname,orig_file);
pw_error(orig_file, 1, 1);
}
ret=setfilecon(tmp_file,passwd_context);
freecon(passwd_context);
if (ret!=0) {
(void) fprintf(stderr,_("%s: Can't set context for %s"),progname,tmp_file);
pw_error(tmp_file, 1, 1);
}
}
#endif
if (rename(tmp_file, orig_file) == -1) {
int errsv = errno;
fprintf(stderr,
_("%s: can't unlock %s: %s (your changes are still in %s)\n"),
progname, orig_file, strerror(errsv), tmp_file);
exit(1);
}
unlink(tmp_file);
}
int getenforce_main(int argc, char **argv)
{
int rc;
rc = is_selinux_enabled();
if (rc < 0) {
bb_error_msg("is_selinux_enabled() failed");
return 2;
}
if (rc == 1) {
rc = security_getenforce();
if (rc < 0) {
bb_error_msg("getenforce() failed");
return 2;
}
if (rc)
puts("Enforcing");
else
puts("Permissive");
} else {
puts("Disabled");
}
return 0;
}
void
setup_selinux_pty(const char *name, const char *tty)
{
if (is_selinux_enabled() > 0) {
security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
user_context=selinux_get_user_context(name);
if (getfilecon(tty, &old_tty_context) < 0) {
error("getfilecon(%.100s) failed: %.100s",
tty, strerror(errno));
} else {
if (security_compute_relabel(user_context,old_tty_context,
SECCLASS_CHR_FILE, &new_tty_context) != 0) {
error("security_compute_relabel(%.100s) failed: "
"%.100s", tty, strerror(errno));
} else {
if (setfilecon (tty, new_tty_context) != 0)
error("setfilecon(%.100s, %s) failed: %.100s",
tty, new_tty_context, strerror(errno));
freecon(new_tty_context);
}
freecon(old_tty_context);
}
if (user_context) {
freecon(user_context);
}
}
}
/*
* selinux_file_context - Set the security context before any file or
* directory creation.
*
* selinux_file_context () should be called before any creation of file,
* symlink, directory, ...
*
* Callers may have to Reset SELinux to create files with default
* contexts:
* setfscreatecon (NULL);
*/
int selinux_file_context (const char *dst_name)
{
static bool selinux_checked = false;
static bool selinux_enabled;
security_context_t scontext = NULL;
if (!selinux_checked) {
selinux_enabled = is_selinux_enabled () > 0;
selinux_checked = true;
}
if (selinux_enabled) {
/* Get the default security context for this file */
if (matchpathcon (dst_name, 0, &scontext) < 0) {
if (security_getenforce () != 0) {
return 1;
}
}
/* Set the security context for the next created file */
if (setfscreatecon (scontext) < 0) {
if (security_getenforce () != 0) {
return 1;
}
}
freecon (scontext);
}
return 0;
}
int do_setsebool(int nargs, char **args) {
const char *name = args[1];
const char *value = args[2];
SELboolean b;
int ret;
if (is_selinux_enabled() <= 0)
return 0;
b.name = name;
if (!strcmp(value, "1") || !strcasecmp(value, "true") || !strcasecmp(value, "on"))
b.value = 1;
else if (!strcmp(value, "0") || !strcasecmp(value, "false") || !strcasecmp(value, "off"))
b.value = 0;
else {
ERROR("setsebool: invalid value %s\n", value);
return -EINVAL;
}
if (security_set_boolean_list(1, &b, 0) < 0) {
ret = -errno;
ERROR("setsebool: could not set %s to %s\n", name, value);
return ret;
}
return 0;
}
int main(int argc, char **argv)
{
int rc = 0;
if (argc != 2) {
usage(argv[0]);
}
if (is_selinux_enabled() <= 0) {
fprintf(stderr, "%s: SELinux is disabled\n", argv[0]);
return 1;
}
if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) {
rc = security_setenforce(atoi(argv[1]));
} else {
if (strcasecmp(argv[1], "enforcing") == 0) {
rc = security_setenforce(1);
} else if (strcasecmp(argv[1], "permissive") == 0) {
rc = security_setenforce(0);
} else
usage(argv[0]);
}
if (rc < 0) {
fprintf(stderr, "%s: setenforce() failed\n", argv[0]);
return 2;
}
return 0;
}
void
SELinuxExtensionInit(INITARGS)
{
ExtensionEntry *extEntry;
/* Check SELinux mode on system, configuration file, and boolean */
if (!is_selinux_enabled()) {
LogMessage(X_INFO, "SELinux: Disabled on system\n");
return;
}
if (selinuxEnforcingState == SELINUX_MODE_DISABLED) {
LogMessage(X_INFO, "SELinux: Disabled in configuration file\n");
return;
}
if (!security_get_boolean_active("xserver_object_manager")) {
LogMessage(X_INFO, "SELinux: Disabled by boolean\n");
return;
}
/* Set up XACE hooks */
SELinuxLabelInit();
SELinuxFlaskInit();
/* Add extension to server */
extEntry = AddExtension(SELINUX_EXTENSION_NAME,
SELinuxNumberEvents, SELinuxNumberErrors,
ProcSELinuxDispatch, SProcSELinuxDispatch,
SELinuxResetProc, StandardMinorOpcode);
AddExtensionAlias("Flask", extEntry);
}
/*
* Verify expected failures, and then let the test to continue.
*
* Return 0 when a problem errno is found.
* Return 1 when a known issue is found.
*
*/
static int found_errno(const char *syscall, const char *obj, int tmperr)
{
int i;
/* Should not see any error for certain entries if a LSM is enabled. */
#ifdef HAVE_LIBSELINUX_DEVEL
if (is_selinux_enabled()) {
for (i = 0; lsm_should_work[i][0] != '\0'; i++) {
if (!strcmp(obj, lsm_should_work[i]) ||
!fnmatch(lsm_should_work[i], obj, FNM_PATHNAME)) {
return 0;
}
}
}
#endif
for (i = 0; known_issues[i].err != 0; i++) {
if (tmperr == known_issues[i].err &&
(!strcmp(obj, known_issues[i].file) ||
!fnmatch(known_issues[i].file, obj, FNM_PATHNAME)) &&
!strcmp(syscall, known_issues[i].func)) {
/* Using strcmp / fnmatch could have messed up the
* errno value. */
errno = tmperr;
tst_resm(TINFO | TERRNO, "%s: known issue", obj);
return 1;
}
}
return 0;
}
static inline bool use_selinux(void) {
static int use_selinux_ind = -1;
if (use_selinux_ind < 0)
use_selinux_ind = is_selinux_enabled() > 0;
return use_selinux_ind;
}
int setcon_raw(security_context_t context)
{
if (!is_selinux_enabled()) {
errno = EINVAL;
return -1;
}
return setenv("FAKE_SELINUX_CONTEXT", context, 1);
}
int do_setenforce(int nargs, char **args) {
if (is_selinux_enabled() <= 0)
return 0;
if (security_setenforce(atoi(args[1])) < 0) {
return -errno;
}
return 0;
}
int do_setcon(int nargs, char **args) {
if (is_selinux_enabled() <= 0)
return 0;
if (setcon(args[1]) < 0) {
return -errno;
}
return 0;
}
int sestatus_main(int argc, char **argv)
{
unsigned opts;
const char *pol_path;
int rc;
opt_complementary = "?0"; /* no arguments are required. */
opts = getopt32(argv, "vb");
/* SELinux status: line */
rc = is_selinux_enabled();
if (rc < 0)
goto error;
printf(COL_FMT "%s\n", "SELinux status:",
rc == 1 ? "enabled" : "disabled");
/* SELinuxfs mount: line */
if (!selinux_mnt)
goto error;
printf(COL_FMT "%s\n", "SELinuxfs mount:",
selinux_mnt);
/* Current mode: line */
rc = security_getenforce();
if (rc < 0)
goto error;
printf(COL_FMT "%s\n", "Current mode:",
rc == 0 ? "permissive" : "enforcing");
/* Mode from config file: line */
if (selinux_getenforcemode(&rc) != 0)
goto error;
printf(COL_FMT "%s\n", "Mode from config file:",
rc < 0 ? "disabled" : (rc == 0 ? "permissive" : "enforcing"));
/* Policy version: line */
rc = security_policyvers();
if (rc < 0)
goto error;
printf(COL_FMT "%u\n", "Policy version:", rc);
/* Policy from config file: line */
pol_path = selinux_policy_root();
if (!pol_path)
goto error;
printf(COL_FMT "%s\n", "Policy from config file:",
bb_basename(pol_path));
if (opts & OPT_BOOLEAN)
display_boolean();
if (opts & OPT_VERBOSE)
display_verbose();
return 0;
error:
bb_perror_msg_and_die("libselinux returns unknown state");
}
UINT32 aerofgt_state::screen_update_turbofrc(screen_device &screen, bitmap_ind16 &bitmap, const rectangle &cliprect)
{
int i, scrolly;
m_bg1_tilemap->set_scroll_rows(512);
scrolly = m_bg1scrolly + 2;
for (i = 0; i < 256; i++)
// m_bg1_tilemap->set_scrollx((i + scrolly) & 0x1ff, m_rasterram[i] - 11);
m_bg1_tilemap->set_scrollx((i + scrolly) & 0x1ff, m_rasterram[7] - 11);
int register_android_os_SELinux(JNIEnv *env) {
union selinux_callback cb;
cb.func_log = log_callback;
selinux_set_callback(SELINUX_CB_LOG, cb);
isSELinuxDisabled = (is_selinux_enabled() != 1) ? true : false;
return RegisterMethodsOrDie(env, "android/os/SELinux", method_table, NELEM(method_table));
}
int
label_create_file (const char *file_label)
{
#ifdef HAVE_SELINUX
if (is_selinux_enabled () > 0 && file_label)
return setfscreatecon ((security_context_t) file_label);
#endif
return 0;
}
int security_disable(void)
{
if (!is_selinux_enabled()) {
errno = ENOENT;
return -1;
}
return setenv("FAKE_SELINUX_DISABLED", "1", 1);
}
/**
* virIdentityGetSystem:
*
* Returns an identity that represents the system itself.
* This is the identity that the process is running as
*
* Returns a reference to the system identity, or NULL
*/
virIdentityPtr virIdentityGetSystem(void)
{
VIR_AUTOFREE(char *) username = NULL;
VIR_AUTOFREE(char *) groupname = NULL;
unsigned long long startTime;
virIdentityPtr ret = NULL;
#if WITH_SELINUX
security_context_t con;
#endif
if (!(ret = virIdentityNew()))
goto error;
if (virIdentitySetUNIXProcessID(ret, getpid()) < 0)
goto error;
if (virProcessGetStartTime(getpid(), &startTime) < 0)
goto error;
if (startTime != 0 &&
virIdentitySetUNIXProcessTime(ret, startTime) < 0)
goto error;
if (!(username = virGetUserName(geteuid())))
return ret;
if (virIdentitySetUNIXUserName(ret, username) < 0)
goto error;
if (virIdentitySetUNIXUserID(ret, getuid()) < 0)
goto error;
if (!(groupname = virGetGroupName(getegid())))
return ret;
if (virIdentitySetUNIXGroupName(ret, groupname) < 0)
goto error;
if (virIdentitySetUNIXGroupID(ret, getgid()) < 0)
goto error;
#if WITH_SELINUX
if (is_selinux_enabled() > 0) {
if (getcon(&con) < 0) {
virReportSystemError(errno, "%s",
_("Unable to lookup SELinux process context"));
return ret;
}
if (virIdentitySetSELinuxContext(ret, con) < 0) {
freecon(con);
goto error;
}
freecon(con);
}
#endif
return ret;
error:
virObjectUnref(ret);
return NULL;
}
int
label_exec (const char *exec_label)
{
#ifdef HAVE_SELINUX
if (is_selinux_enabled () > 0 && exec_label)
return setexeccon ((security_context_t) exec_label);
#endif
return 0;
}
int do_setenforce(int nargs, char **args) {
#ifdef HAVE_SELINUX
if (is_selinux_enabled() <= 0)
return 0;
if (security_setenforce(atoi(args[1])) < 0) {
return -errno;
}
#endif
return 0;
}