/*
* Function: getBooleanNames
* Purpose: Gets a list of the SELinux boolean names.
* Parameters: None
* Returns: an array of strings containing the SELinux boolean names.
* returns NULL string on error
* Exceptions: None
*/
static jobjectArray getBooleanNames(JNIEnv *env, JNIEnv clazz) {
jclass stringClass = env->FindClass("java/lang/String");
jobjectArray stringArray = env->NewObjectArray(0, stringClass, NULL);
#ifdef HAVE_SELINUX
char **list;
int i, len, ret;
if (isSELinuxDisabled)
return stringArray;
if (security_get_boolean_names(&list, &len) == -1)
return stringArray;
env->DeleteLocalRef(stringArray);
stringArray = env->NewObjectArray(len, stringClass, env->NewStringUTF(""));
for (i = 0; i < len; i++) {
jstring obj;
obj = env->NewStringUTF(list[i]);
env->SetObjectArrayElement(stringArray, i, obj);
env->DeleteLocalRef(obj);
free(list[i]);
}
free(list);
#endif
return stringArray;
}
static void display_boolean(void)
{
char **bools;
int i, active, pending, nbool;
if (security_get_boolean_names(&bools, &nbool) < 0)
return;
puts("\nPolicy booleans:");
for (i = 0; i < nbool; i++) {
active = security_get_boolean_active(bools[i]);
if (active < 0)
goto skip;
pending = security_get_boolean_pending(bools[i]);
if (pending < 0)
goto skip;
printf(COL_FMT "%s",
bools[i], active == 0 ? "off" : "on");
if (active != pending)
printf(" (%sactivate pending)", pending == 0 ? "in" : "");
bb_putchar('\n');
skip:
if (ENABLE_FEATURE_CLEAN_UP)
free(bools[i]);
}
if (ENABLE_FEATURE_CLEAN_UP)
free(bools);
}
int getsebool_main(int argc, char **argv)
{
int i, rc = 0, active, pending, len = 0;
char **names;
unsigned opt;
selinux_or_die();
opt = getopt32(argv, "a");
if (opt) { /* -a */
if (argc > 2)
bb_show_usage();
rc = security_get_boolean_names(&names, &len);
if (rc)
bb_perror_msg_and_die("can't get boolean names");
if (!len) {
puts("No booleans");
return 0;
}
}
if (!len) {
if (argc < 2)
bb_show_usage();
len = argc - 1;
names = xmalloc(sizeof(char *) * len);
for (i = 0; i < len; i++)
names[i] = xstrdup(argv[i + 1]);
}
for (i = 0; i < len; i++) {
active = security_get_boolean_active(names[i]);
if (active < 0) {
bb_error_msg_and_die("error getting active value for %s", names[i]);
}
pending = security_get_boolean_pending(names[i]);
if (pending < 0) {
bb_error_msg_and_die("error getting pending value for %s", names[i]);
}
printf("%s --> %s", names[i], (active ? "on" : "off"));
if (pending != active)
printf(" pending: %s", (pending ? "on" : "off"));
bb_putchar('\n');
}
if (ENABLE_FEATURE_CLEAN_UP) {
for (i = 0; i < len; i++)
free(names[i]);
free(names);
}
return rc;
}
/*
* Function: getBooleanNames
* Purpose: Gets a list of the SELinux boolean names.
* Parameters: None
* Returns: an array of strings containing the SELinux boolean names.
* returns NULL string on error
* Exceptions: None
*/
static jobjectArray getBooleanNames(JNIEnv *env, JNIEnv) {
if (isSELinuxDisabled) {
return NULL;
}
char **list;
int len;
if (security_get_boolean_names(&list, &len) == -1) {
return NULL;
}
jclass stringClass = env->FindClass("java/lang/String");
jobjectArray stringArray = env->NewObjectArray(len, stringClass, NULL);
for (int i = 0; i < len; i++) {
ScopedLocalRef<jstring> obj(env, env->NewStringUTF(list[i]));
env->SetObjectArrayElement(stringArray, i, obj.get());
free(list[i]);
}
free(list);
return stringArray;
}
static int get_selinuxboolean(SEXP_t *ut_ent, probe_ctx *ctx)
{
int err = 1, active, pending, len, i;
SEXP_t *boolean, *item;
char **booleans;
if ( ! is_selinux_enabled()) {
probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE);
return 0;
}
if (security_get_boolean_names(&booleans, &len) == -1) {
probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR);
return err;
}
for (i = 0; i < len; i++) {
boolean = SEXP_string_new(booleans[i], strlen(booleans[i]));
if (probe_entobj_cmp(ut_ent, boolean) == OVAL_RESULT_TRUE) {
active = security_get_boolean_active(booleans[i]);
pending = security_get_boolean_pending(booleans[i]);
item = probe_item_create(
OVAL_LINUX_SELINUXBOOLEAN, NULL,
"name", OVAL_DATATYPE_SEXP, boolean,
"current_status", OVAL_DATATYPE_BOOLEAN, active,
"pending_status", OVAL_DATATYPE_BOOLEAN, pending,
NULL);
probe_item_collect(ctx, item);
}
SEXP_free(boolean);
}
for (i = 0; i < len; i++)
free(booleans[i]);
free(booleans);
return 0;
}
int main(int argc, char **argv)
{
/* these vars are reused several times */
int rc, opt, i, c;
char *context, *root_path;
/* files that need context checks */
char *fc[MAX_CHECK];
char *cterm = ttyname(0);
int nfc = 0;
struct stat m;
/* processes that need context checks */
char *pc[MAX_CHECK];
int npc = 0;
/* booleans */
char **bools;
int nbool;
int verbose = 0;
int show_bools = 0;
/* policy */
const char *pol_name, *root_dir;
char *pol_path;
while (1) {
opt = getopt(argc, argv, "vb");
if (opt == -1)
break;
switch (opt) {
case 'v':
verbose = 1;
break;
case 'b':
show_bools = 1;
break;
default:
/* invalid option */
printf("\nUsage: %s [OPTION]\n\n", basename(argv[0]));
printf(" -v Verbose check of process and file contexts.\n");
printf(" -b Display current state of booleans.\n");
printf("\nWithout options, show SELinux status.\n");
return -1;
}
}
printf_tab("SELinux status:");
rc = is_selinux_enabled();
switch (rc) {
case 1:
printf("enabled\n");
break;
case 0:
printf("disabled\n");
return 0;
break;
default:
printf("unknown (%s)\n", strerror(errno));
return 0;
break;
}
printf_tab("SELinuxfs mount:");
if (selinux_mnt != NULL) {
printf("%s\n", selinux_mnt);
} else {
printf("not mounted\n\n");
printf("Please mount selinuxfs for proper results.\n");
return -1;
}
printf_tab("SELinux root directory:");
root_dir = selinux_path();
if (root_dir == NULL) {
printf("error (%s)\n", strerror(errno));
return -1;
}
/* The path has a trailing '/' so duplicate to edit */
root_path = strdup(root_dir);
if (!root_path) {
printf("malloc error (%s)\n", strerror(errno));
return -1;
}
/* actually blank the '/' */
root_path[strlen(root_path) - 1] = '\0';
printf("%s\n", root_path);
free(root_path);
/* Dump all the path information */
printf_tab("Loaded policy name:");
pol_path = strdup(selinux_policy_root());
if (pol_path) {
pol_name = basename(pol_path);
puts(pol_name);
free(pol_path);
} else {
printf("error (%s)\n", strerror(errno));
}
printf_tab("Current mode:");
rc = security_getenforce();
switch (rc) {
case 1:
printf("enforcing\n");
break;
case 0:
printf("permissive\n");
break;
default:
printf("unknown (%s)\n", strerror(errno));
break;
}
printf_tab("Mode from config file:");
if (selinux_getenforcemode(&rc) == 0) {
switch (rc) {
case 1:
printf("enforcing\n");
break;
case 0:
printf("permissive\n");
break;
case -1:
printf("disabled\n");
break;
}
} else {
printf("error (%s)\n", strerror(errno));
}
printf_tab("Policy MLS status:");
rc = is_selinux_mls_enabled();
switch (rc) {
case 0:
printf("disabled\n");
break;
case 1:
printf("enabled\n");
break;
default:
printf("error (%s)\n", strerror(errno));
break;
}
printf_tab("Policy deny_unknown status:");
rc = security_deny_unknown();
switch (rc) {
case 0:
printf("allowed\n");
break;
case 1:
printf("denied\n");
break;
default:
printf("error (%s)\n", strerror(errno));
break;
}
rc = security_policyvers();
printf_tab("Max kernel policy version:");
if (rc < 0)
printf("unknown (%s)\n", strerror(errno));
else
printf("%d\n", rc);
if (show_bools) {
/* show booleans */
if (security_get_boolean_names(&bools, &nbool) >= 0) {
printf("\nPolicy booleans:\n");
for (i = 0; i < nbool; i++) {
if (strlen(bools[i]) + 1 > COL)
COL = strlen(bools[i]) + 1;
}
for (i = 0; i < nbool; i++) {
printf_tab(bools[i]);
rc = security_get_boolean_active(bools[i]);
switch (rc) {
case 1:
printf("on");
break;
case 0:
printf("off");
break;
default:
printf("unknown (%s)", strerror(errno));
break;
}
c = security_get_boolean_pending(bools[i]);
if (c != rc)
switch (c) {
case 1:
printf(" (activate pending)");
break;
case 0:
printf(" (inactivate pending)");
break;
default:
printf(" (pending error: %s)",
strerror(errno));
break;
}
printf("\n");
/* free up the booleans */
free(bools[i]);
}
free(bools);
}
}
/* only show contexts if -v is given */
if (!verbose)
return 0;
load_checks(pc, &npc, fc, &nfc);
printf("\nProcess contexts:\n");
printf_tab("Current context:");
if (getcon(&context) >= 0) {
printf("%s\n", context);
freecon(context);
} else
printf("unknown (%s)\n", strerror(errno));
printf_tab("Init context:");
if (getpidcon(1, &context) >= 0) {
printf("%s\n", context);
freecon(context);
} else
printf("unknown (%s)\n", strerror(errno));
for (i = 0; i < npc; i++) {
rc = pidof(pc[i]);
if (rc > 0) {
if (getpidcon(rc, &context) < 0)
continue;
printf_tab(pc[i]);
printf("%s\n", context);
freecon(context);
}
}
printf("\nFile contexts:\n");
/* controlling term */
printf_tab("Controlling terminal:");
if (lgetfilecon(cterm, &context) >= 0) {
printf("%s\n", context);
freecon(context);
} else {
printf("unknown (%s)\n", strerror(errno));
}
for (i = 0; i < nfc; i++) {
if (lgetfilecon(fc[i], &context) >= 0) {
printf_tab(fc[i]);
/* check if this is a symlink */
if (lstat(fc[i], &m)) {
printf
("%s (could not check link status (%s)!)\n",
context, strerror(errno));
freecon(context);
continue;
}
if (S_ISLNK(m.st_mode)) {
/* print link target context */
printf("%s -> ", context);
freecon(context);
if (getfilecon(fc[i], &context) >= 0) {
printf("%s\n", context);
freecon(context);
} else {
printf("unknown (%s)\n",
strerror(errno));
}
} else {
printf("%s\n", context);
freecon(context);
}
}
}
return 0;
}
int selinux_mkload_policy(int preservebools)
{
int kernvers = security_policyvers();
int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers;
int setlocaldefs = load_setlocaldefs;
char path[PATH_MAX];
struct stat sb;
struct utsname uts;
size_t size;
void *map, *data;
int fd, rc = -1, prot;
sepol_policydb_t *policydb;
sepol_policy_file_t *pf;
int usesepol = 0;
int (*vers_max)(void) = NULL;
int (*vers_min)(void) = NULL;
int (*policy_file_create)(sepol_policy_file_t **) = NULL;
void (*policy_file_free)(sepol_policy_file_t *) = NULL;
void (*policy_file_set_mem)(sepol_policy_file_t *, char*, size_t) = NULL;
int (*policydb_create)(sepol_policydb_t **) = NULL;
void (*policydb_free)(sepol_policydb_t *) = NULL;
int (*policydb_read)(sepol_policydb_t *, sepol_policy_file_t *) = NULL;
int (*policydb_set_vers)(sepol_policydb_t *, unsigned int) = NULL;
int (*policydb_to_image)(sepol_handle_t *, sepol_policydb_t *, void **, size_t *) = NULL;
int (*genbools_array)(void *data, size_t len, char **names, int *values, int nel) = NULL;
int (*genusers)(void *data, size_t len, const char *usersdir, void **newdata, size_t * newlen) = NULL;
int (*genbools)(void *data, size_t len, char *boolpath) = NULL;
#ifdef SHARED
char *errormsg = NULL;
void *libsepolh = NULL;
libsepolh = dlopen("libsepol.so.1", RTLD_NOW);
if (libsepolh) {
usesepol = 1;
dlerror();
#define DLERR() if ((errormsg = dlerror())) goto dlclose;
vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max");
DLERR();
vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min");
DLERR();
policy_file_create = dlsym(libsepolh, "sepol_policy_file_create");
DLERR();
policy_file_free = dlsym(libsepolh, "sepol_policy_file_free");
DLERR();
policy_file_set_mem = dlsym(libsepolh, "sepol_policy_file_set_mem");
DLERR();
policydb_create = dlsym(libsepolh, "sepol_policydb_create");
DLERR();
policydb_free = dlsym(libsepolh, "sepol_policydb_free");
DLERR();
policydb_read = dlsym(libsepolh, "sepol_policydb_read");
DLERR();
policydb_set_vers = dlsym(libsepolh, "sepol_policydb_set_vers");
DLERR();
policydb_to_image = dlsym(libsepolh, "sepol_policydb_to_image");
DLERR();
genbools_array = dlsym(libsepolh, "sepol_genbools_array");
DLERR();
genusers = dlsym(libsepolh, "sepol_genusers");
DLERR();
genbools = dlsym(libsepolh, "sepol_genbools");
DLERR();
#undef DLERR
}
#else
usesepol = 1;
vers_max = sepol_policy_kern_vers_max;
vers_min = sepol_policy_kern_vers_min;
policy_file_create = sepol_policy_file_create;
policy_file_free = sepol_policy_file_free;
policy_file_set_mem = sepol_policy_file_set_mem;
policydb_create = sepol_policydb_create;
policydb_free = sepol_policydb_free;
policydb_read = sepol_policydb_read;
policydb_set_vers = sepol_policydb_set_vers;
policydb_to_image = sepol_policydb_to_image;
genbools_array = sepol_genbools_array;
genusers = sepol_genusers;
genbools = sepol_genbools;
#endif
/*
* Check whether we need to support local boolean and user definitions.
*/
if (setlocaldefs) {
if (access(selinux_booleans_path(), F_OK) == 0)
goto checkbool;
snprintf(path, sizeof path, "%s.local", selinux_booleans_path());
if (access(path, F_OK) == 0)
goto checkbool;
snprintf(path, sizeof path, "%s/local.users", selinux_users_path());
if (access(path, F_OK) == 0)
goto checkbool;
/* No local definition files, so disable setlocaldefs. */
setlocaldefs = 0;
}
checkbool:
/*
* As of Linux 2.6.22, the kernel preserves boolean
* values across a reload, so we do not need to
* preserve them in userspace.
*/
if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0)
preservebools = 0;
if (usesepol) {
maxvers = vers_max();
minvers = vers_min();
if (!setlocaldefs && !preservebools)
maxvers = max(kernvers, maxvers);
}
vers = maxvers;
search:
snprintf(path, sizeof(path), "%s.%d",
selinux_binary_policy_path(), vers);
fd = open(path, O_RDONLY);
while (fd < 0 && errno == ENOENT
&& --vers >= minvers) {
/* Check prior versions to see if old policy is available */
snprintf(path, sizeof(path), "%s.%d",
selinux_binary_policy_path(), vers);
fd = open(path, O_RDONLY);
}
if (fd < 0) {
fprintf(stderr,
"SELinux: Could not open policy file <= %s.%d: %s\n",
selinux_binary_policy_path(), maxvers, strerror(errno));
goto dlclose;
}
if (fstat(fd, &sb) < 0) {
fprintf(stderr,
"SELinux: Could not stat policy file %s: %s\n",
path, strerror(errno));
goto close;
}
prot = PROT_READ;
if (setlocaldefs || preservebools)
prot |= PROT_WRITE;
size = sb.st_size;
data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
fprintf(stderr,
"SELinux: Could not map policy file %s: %s\n",
path, strerror(errno));
goto close;
}
if (vers > kernvers && usesepol) {
/* Need to downgrade to kernel-supported version. */
if (policy_file_create(&pf))
goto unmap;
if (policydb_create(&policydb)) {
policy_file_free(pf);
goto unmap;
}
policy_file_set_mem(pf, data, size);
if (policydb_read(policydb, pf)) {
policy_file_free(pf);
policydb_free(policydb);
goto unmap;
}
if (policydb_set_vers(policydb, kernvers) ||
policydb_to_image(NULL, policydb, &data, &size)) {
/* Downgrade failed, keep searching. */
fprintf(stderr,
"SELinux: Could not downgrade policy file %s, searching for an older version.\n",
path);
policy_file_free(pf);
policydb_free(policydb);
munmap(map, sb.st_size);
close(fd);
vers--;
goto search;
}
policy_file_free(pf);
policydb_free(policydb);
}
if (usesepol) {
if (setlocaldefs) {
void *olddata = data;
size_t oldsize = size;
rc = genusers(olddata, oldsize, selinux_users_path(),
&data, &size);
if (rc < 0) {
/* Fall back to the prior image if genusers failed. */
data = olddata;
size = oldsize;
rc = 0;
} else {
if (olddata != map)
free(olddata);
}
}
#ifndef DISABLE_BOOL
if (preservebools) {
int *values, len, i;
char **names;
rc = security_get_boolean_names(&names, &len);
if (!rc) {
values = malloc(sizeof(int) * len);
if (!values)
goto unmap;
for (i = 0; i < len; i++)
values[i] =
security_get_boolean_active(names[i]);
(void)genbools_array(data, size, names, values,
len);
free(values);
for (i = 0; i < len; i++)
free(names[i]);
free(names);
}
} else if (setlocaldefs) {
(void)genbools(data, size,
(char *)selinux_booleans_path());
}
#endif
}
rc = security_load_policy(data, size);
if (rc)
fprintf(stderr,
"SELinux: Could not load policy file %s: %s\n",
path, strerror(errno));
unmap:
if (data != map)
free(data);
munmap(map, sb.st_size);
close:
close(fd);
dlclose:
#ifdef SHARED
if (errormsg)
fprintf(stderr, "libselinux: %s\n", errormsg);
if (libsepolh)
dlclose(libsepolh);
#endif
return rc;
}
