static void display_boolean(void) { char **bools; int i, active, pending, nbool; if (security_get_boolean_names(&bools, &nbool) < 0) return; puts("\nPolicy booleans:"); for (i = 0; i < nbool; i++) { active = security_get_boolean_active(bools[i]); if (active < 0) goto skip; pending = security_get_boolean_pending(bools[i]); if (pending < 0) goto skip; printf(COL_FMT "%s", bools[i], active == 0 ? "off" : "on"); if (active != pending) printf(" (%sactivate pending)", pending == 0 ? "in" : ""); bb_putchar('\n'); skip: if (ENABLE_FEATURE_CLEAN_UP) free(bools[i]); } if (ENABLE_FEATURE_CLEAN_UP) free(bools); }
int getsebool_main(int argc, char **argv) { int i, rc = 0, active, pending, len = 0; char **names; unsigned opt; selinux_or_die(); opt = getopt32(argv, "a"); if (opt) { /* -a */ if (argc > 2) bb_show_usage(); rc = security_get_boolean_names(&names, &len); if (rc) bb_perror_msg_and_die("can't get boolean names"); if (!len) { puts("No booleans"); return 0; } } if (!len) { if (argc < 2) bb_show_usage(); len = argc - 1; names = xmalloc(sizeof(char *) * len); for (i = 0; i < len; i++) names[i] = xstrdup(argv[i + 1]); } for (i = 0; i < len; i++) { active = security_get_boolean_active(names[i]); if (active < 0) { bb_error_msg_and_die("error getting active value for %s", names[i]); } pending = security_get_boolean_pending(names[i]); if (pending < 0) { bb_error_msg_and_die("error getting pending value for %s", names[i]); } printf("%s --> %s", names[i], (active ? "on" : "off")); if (pending != active) printf(" pending: %s", (pending ? "on" : "off")); bb_putchar('\n'); } if (ENABLE_FEATURE_CLEAN_UP) { for (i = 0; i < len; i++) free(names[i]); free(names); } return rc; }
static int init_map(void) { #ifdef MESA_SELINUX if (is_selinux_enabled()) { if (!security_get_boolean_active("allow_execmem") || !security_get_boolean_pending("allow_execmem")) return 0; } #endif if (!exec_mem) exec_mem = mmap(NULL, EXEC_MAP_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); return (exec_mem != MAP_FAILED); }
static int init_heap(void) { #ifdef MESA_SELINUX if (is_selinux_enabled()) { if (!security_get_boolean_active("allow_execmem") || !security_get_boolean_pending("allow_execmem")) return 0; } #endif if (!exec_heap) exec_heap = mmInit( 0, EXEC_HEAP_SIZE ); if (!exec_mem) exec_mem = (unsigned char *) mmap(0, EXEC_HEAP_SIZE, PROT_EXEC | PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); return (exec_mem != NULL); }
static int get_selinuxboolean(SEXP_t *ut_ent, probe_ctx *ctx) { int err = 1, active, pending, len, i; SEXP_t *boolean, *item; char **booleans; if ( ! is_selinux_enabled()) { probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); return 0; } if (security_get_boolean_names(&booleans, &len) == -1) { probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR); return err; } for (i = 0; i < len; i++) { boolean = SEXP_string_new(booleans[i], strlen(booleans[i])); if (probe_entobj_cmp(ut_ent, boolean) == OVAL_RESULT_TRUE) { active = security_get_boolean_active(booleans[i]); pending = security_get_boolean_pending(booleans[i]); item = probe_item_create( OVAL_LINUX_SELINUXBOOLEAN, NULL, "name", OVAL_DATATYPE_SEXP, boolean, "current_status", OVAL_DATATYPE_BOOLEAN, active, "pending_status", OVAL_DATATYPE_BOOLEAN, pending, NULL); probe_item_collect(ctx, item); } SEXP_free(boolean); } for (i = 0; i < len; i++) free(booleans[i]); free(booleans); return 0; }
int main(int argc, char **argv) { /* these vars are reused several times */ int rc, opt, i, c; char *context, *root_path; /* files that need context checks */ char *fc[MAX_CHECK]; char *cterm = ttyname(0); int nfc = 0; struct stat m; /* processes that need context checks */ char *pc[MAX_CHECK]; int npc = 0; /* booleans */ char **bools; int nbool; int verbose = 0; int show_bools = 0; /* policy */ const char *pol_name, *root_dir; char *pol_path; while (1) { opt = getopt(argc, argv, "vb"); if (opt == -1) break; switch (opt) { case 'v': verbose = 1; break; case 'b': show_bools = 1; break; default: /* invalid option */ printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); printf(" -v Verbose check of process and file contexts.\n"); printf(" -b Display current state of booleans.\n"); printf("\nWithout options, show SELinux status.\n"); return -1; } } printf_tab("SELinux status:"); rc = is_selinux_enabled(); switch (rc) { case 1: printf("enabled\n"); break; case 0: printf("disabled\n"); return 0; break; default: printf("unknown (%s)\n", strerror(errno)); return 0; break; } printf_tab("SELinuxfs mount:"); if (selinux_mnt != NULL) { printf("%s\n", selinux_mnt); } else { printf("not mounted\n\n"); printf("Please mount selinuxfs for proper results.\n"); return -1; } printf_tab("SELinux root directory:"); root_dir = selinux_path(); if (root_dir == NULL) { printf("error (%s)\n", strerror(errno)); return -1; } /* The path has a trailing '/' so duplicate to edit */ root_path = strdup(root_dir); if (!root_path) { printf("malloc error (%s)\n", strerror(errno)); return -1; } /* actually blank the '/' */ root_path[strlen(root_path) - 1] = '\0'; printf("%s\n", root_path); free(root_path); /* Dump all the path information */ printf_tab("Loaded policy name:"); pol_path = strdup(selinux_policy_root()); if (pol_path) { pol_name = basename(pol_path); puts(pol_name); free(pol_path); } else { printf("error (%s)\n", strerror(errno)); } printf_tab("Current mode:"); rc = security_getenforce(); switch (rc) { case 1: printf("enforcing\n"); break; case 0: printf("permissive\n"); break; default: printf("unknown (%s)\n", strerror(errno)); break; } printf_tab("Mode from config file:"); if (selinux_getenforcemode(&rc) == 0) { switch (rc) { case 1: printf("enforcing\n"); break; case 0: printf("permissive\n"); break; case -1: printf("disabled\n"); break; } } else { printf("error (%s)\n", strerror(errno)); } printf_tab("Policy MLS status:"); rc = is_selinux_mls_enabled(); switch (rc) { case 0: printf("disabled\n"); break; case 1: printf("enabled\n"); break; default: printf("error (%s)\n", strerror(errno)); break; } printf_tab("Policy deny_unknown status:"); rc = security_deny_unknown(); switch (rc) { case 0: printf("allowed\n"); break; case 1: printf("denied\n"); break; default: printf("error (%s)\n", strerror(errno)); break; } rc = security_policyvers(); printf_tab("Max kernel policy version:"); if (rc < 0) printf("unknown (%s)\n", strerror(errno)); else printf("%d\n", rc); if (show_bools) { /* show booleans */ if (security_get_boolean_names(&bools, &nbool) >= 0) { printf("\nPolicy booleans:\n"); for (i = 0; i < nbool; i++) { if (strlen(bools[i]) + 1 > COL) COL = strlen(bools[i]) + 1; } for (i = 0; i < nbool; i++) { printf_tab(bools[i]); rc = security_get_boolean_active(bools[i]); switch (rc) { case 1: printf("on"); break; case 0: printf("off"); break; default: printf("unknown (%s)", strerror(errno)); break; } c = security_get_boolean_pending(bools[i]); if (c != rc) switch (c) { case 1: printf(" (activate pending)"); break; case 0: printf(" (inactivate pending)"); break; default: printf(" (pending error: %s)", strerror(errno)); break; } printf("\n"); /* free up the booleans */ free(bools[i]); } free(bools); } } /* only show contexts if -v is given */ if (!verbose) return 0; load_checks(pc, &npc, fc, &nfc); printf("\nProcess contexts:\n"); printf_tab("Current context:"); if (getcon(&context) >= 0) { printf("%s\n", context); freecon(context); } else printf("unknown (%s)\n", strerror(errno)); printf_tab("Init context:"); if (getpidcon(1, &context) >= 0) { printf("%s\n", context); freecon(context); } else printf("unknown (%s)\n", strerror(errno)); for (i = 0; i < npc; i++) { rc = pidof(pc[i]); if (rc > 0) { if (getpidcon(rc, &context) < 0) continue; printf_tab(pc[i]); printf("%s\n", context); freecon(context); } } printf("\nFile contexts:\n"); /* controlling term */ printf_tab("Controlling terminal:"); if (lgetfilecon(cterm, &context) >= 0) { printf("%s\n", context); freecon(context); } else { printf("unknown (%s)\n", strerror(errno)); } for (i = 0; i < nfc; i++) { if (lgetfilecon(fc[i], &context) >= 0) { printf_tab(fc[i]); /* check if this is a symlink */ if (lstat(fc[i], &m)) { printf ("%s (could not check link status (%s)!)\n", context, strerror(errno)); freecon(context); continue; } if (S_ISLNK(m.st_mode)) { /* print link target context */ printf("%s -> ", context); freecon(context); if (getfilecon(fc[i], &context) >= 0) { printf("%s\n", context); freecon(context); } else { printf("unknown (%s)\n", strerror(errno)); } } else { printf("%s\n", context); freecon(context); } } } return 0; }