/* * Function: getBooleanNames * Purpose: Gets a list of the SELinux boolean names. * Parameters: None * Returns: an array of strings containing the SELinux boolean names. * returns NULL string on error * Exceptions: None */ static jobjectArray getBooleanNames(JNIEnv *env, JNIEnv clazz) { jclass stringClass = env->FindClass("java/lang/String"); jobjectArray stringArray = env->NewObjectArray(0, stringClass, NULL); #ifdef HAVE_SELINUX char **list; int i, len, ret; if (isSELinuxDisabled) return stringArray; if (security_get_boolean_names(&list, &len) == -1) return stringArray; env->DeleteLocalRef(stringArray); stringArray = env->NewObjectArray(len, stringClass, env->NewStringUTF("")); for (i = 0; i < len; i++) { jstring obj; obj = env->NewStringUTF(list[i]); env->SetObjectArrayElement(stringArray, i, obj); env->DeleteLocalRef(obj); free(list[i]); } free(list); #endif return stringArray; }
static void display_boolean(void) { char **bools; int i, active, pending, nbool; if (security_get_boolean_names(&bools, &nbool) < 0) return; puts("\nPolicy booleans:"); for (i = 0; i < nbool; i++) { active = security_get_boolean_active(bools[i]); if (active < 0) goto skip; pending = security_get_boolean_pending(bools[i]); if (pending < 0) goto skip; printf(COL_FMT "%s", bools[i], active == 0 ? "off" : "on"); if (active != pending) printf(" (%sactivate pending)", pending == 0 ? "in" : ""); bb_putchar('\n'); skip: if (ENABLE_FEATURE_CLEAN_UP) free(bools[i]); } if (ENABLE_FEATURE_CLEAN_UP) free(bools); }
int getsebool_main(int argc, char **argv) { int i, rc = 0, active, pending, len = 0; char **names; unsigned opt; selinux_or_die(); opt = getopt32(argv, "a"); if (opt) { /* -a */ if (argc > 2) bb_show_usage(); rc = security_get_boolean_names(&names, &len); if (rc) bb_perror_msg_and_die("can't get boolean names"); if (!len) { puts("No booleans"); return 0; } } if (!len) { if (argc < 2) bb_show_usage(); len = argc - 1; names = xmalloc(sizeof(char *) * len); for (i = 0; i < len; i++) names[i] = xstrdup(argv[i + 1]); } for (i = 0; i < len; i++) { active = security_get_boolean_active(names[i]); if (active < 0) { bb_error_msg_and_die("error getting active value for %s", names[i]); } pending = security_get_boolean_pending(names[i]); if (pending < 0) { bb_error_msg_and_die("error getting pending value for %s", names[i]); } printf("%s --> %s", names[i], (active ? "on" : "off")); if (pending != active) printf(" pending: %s", (pending ? "on" : "off")); bb_putchar('\n'); } if (ENABLE_FEATURE_CLEAN_UP) { for (i = 0; i < len; i++) free(names[i]); free(names); } return rc; }
/* * Function: getBooleanNames * Purpose: Gets a list of the SELinux boolean names. * Parameters: None * Returns: an array of strings containing the SELinux boolean names. * returns NULL string on error * Exceptions: None */ static jobjectArray getBooleanNames(JNIEnv *env, JNIEnv) { if (isSELinuxDisabled) { return NULL; } char **list; int len; if (security_get_boolean_names(&list, &len) == -1) { return NULL; } jclass stringClass = env->FindClass("java/lang/String"); jobjectArray stringArray = env->NewObjectArray(len, stringClass, NULL); for (int i = 0; i < len; i++) { ScopedLocalRef<jstring> obj(env, env->NewStringUTF(list[i])); env->SetObjectArrayElement(stringArray, i, obj.get()); free(list[i]); } free(list); return stringArray; }
static int get_selinuxboolean(SEXP_t *ut_ent, probe_ctx *ctx) { int err = 1, active, pending, len, i; SEXP_t *boolean, *item; char **booleans; if ( ! is_selinux_enabled()) { probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_NOT_APPLICABLE); return 0; } if (security_get_boolean_names(&booleans, &len) == -1) { probe_cobj_set_flag(probe_ctx_getresult(ctx), SYSCHAR_FLAG_ERROR); return err; } for (i = 0; i < len; i++) { boolean = SEXP_string_new(booleans[i], strlen(booleans[i])); if (probe_entobj_cmp(ut_ent, boolean) == OVAL_RESULT_TRUE) { active = security_get_boolean_active(booleans[i]); pending = security_get_boolean_pending(booleans[i]); item = probe_item_create( OVAL_LINUX_SELINUXBOOLEAN, NULL, "name", OVAL_DATATYPE_SEXP, boolean, "current_status", OVAL_DATATYPE_BOOLEAN, active, "pending_status", OVAL_DATATYPE_BOOLEAN, pending, NULL); probe_item_collect(ctx, item); } SEXP_free(boolean); } for (i = 0; i < len; i++) free(booleans[i]); free(booleans); return 0; }
int main(int argc, char **argv) { /* these vars are reused several times */ int rc, opt, i, c; char *context, *root_path; /* files that need context checks */ char *fc[MAX_CHECK]; char *cterm = ttyname(0); int nfc = 0; struct stat m; /* processes that need context checks */ char *pc[MAX_CHECK]; int npc = 0; /* booleans */ char **bools; int nbool; int verbose = 0; int show_bools = 0; /* policy */ const char *pol_name, *root_dir; char *pol_path; while (1) { opt = getopt(argc, argv, "vb"); if (opt == -1) break; switch (opt) { case 'v': verbose = 1; break; case 'b': show_bools = 1; break; default: /* invalid option */ printf("\nUsage: %s [OPTION]\n\n", basename(argv[0])); printf(" -v Verbose check of process and file contexts.\n"); printf(" -b Display current state of booleans.\n"); printf("\nWithout options, show SELinux status.\n"); return -1; } } printf_tab("SELinux status:"); rc = is_selinux_enabled(); switch (rc) { case 1: printf("enabled\n"); break; case 0: printf("disabled\n"); return 0; break; default: printf("unknown (%s)\n", strerror(errno)); return 0; break; } printf_tab("SELinuxfs mount:"); if (selinux_mnt != NULL) { printf("%s\n", selinux_mnt); } else { printf("not mounted\n\n"); printf("Please mount selinuxfs for proper results.\n"); return -1; } printf_tab("SELinux root directory:"); root_dir = selinux_path(); if (root_dir == NULL) { printf("error (%s)\n", strerror(errno)); return -1; } /* The path has a trailing '/' so duplicate to edit */ root_path = strdup(root_dir); if (!root_path) { printf("malloc error (%s)\n", strerror(errno)); return -1; } /* actually blank the '/' */ root_path[strlen(root_path) - 1] = '\0'; printf("%s\n", root_path); free(root_path); /* Dump all the path information */ printf_tab("Loaded policy name:"); pol_path = strdup(selinux_policy_root()); if (pol_path) { pol_name = basename(pol_path); puts(pol_name); free(pol_path); } else { printf("error (%s)\n", strerror(errno)); } printf_tab("Current mode:"); rc = security_getenforce(); switch (rc) { case 1: printf("enforcing\n"); break; case 0: printf("permissive\n"); break; default: printf("unknown (%s)\n", strerror(errno)); break; } printf_tab("Mode from config file:"); if (selinux_getenforcemode(&rc) == 0) { switch (rc) { case 1: printf("enforcing\n"); break; case 0: printf("permissive\n"); break; case -1: printf("disabled\n"); break; } } else { printf("error (%s)\n", strerror(errno)); } printf_tab("Policy MLS status:"); rc = is_selinux_mls_enabled(); switch (rc) { case 0: printf("disabled\n"); break; case 1: printf("enabled\n"); break; default: printf("error (%s)\n", strerror(errno)); break; } printf_tab("Policy deny_unknown status:"); rc = security_deny_unknown(); switch (rc) { case 0: printf("allowed\n"); break; case 1: printf("denied\n"); break; default: printf("error (%s)\n", strerror(errno)); break; } rc = security_policyvers(); printf_tab("Max kernel policy version:"); if (rc < 0) printf("unknown (%s)\n", strerror(errno)); else printf("%d\n", rc); if (show_bools) { /* show booleans */ if (security_get_boolean_names(&bools, &nbool) >= 0) { printf("\nPolicy booleans:\n"); for (i = 0; i < nbool; i++) { if (strlen(bools[i]) + 1 > COL) COL = strlen(bools[i]) + 1; } for (i = 0; i < nbool; i++) { printf_tab(bools[i]); rc = security_get_boolean_active(bools[i]); switch (rc) { case 1: printf("on"); break; case 0: printf("off"); break; default: printf("unknown (%s)", strerror(errno)); break; } c = security_get_boolean_pending(bools[i]); if (c != rc) switch (c) { case 1: printf(" (activate pending)"); break; case 0: printf(" (inactivate pending)"); break; default: printf(" (pending error: %s)", strerror(errno)); break; } printf("\n"); /* free up the booleans */ free(bools[i]); } free(bools); } } /* only show contexts if -v is given */ if (!verbose) return 0; load_checks(pc, &npc, fc, &nfc); printf("\nProcess contexts:\n"); printf_tab("Current context:"); if (getcon(&context) >= 0) { printf("%s\n", context); freecon(context); } else printf("unknown (%s)\n", strerror(errno)); printf_tab("Init context:"); if (getpidcon(1, &context) >= 0) { printf("%s\n", context); freecon(context); } else printf("unknown (%s)\n", strerror(errno)); for (i = 0; i < npc; i++) { rc = pidof(pc[i]); if (rc > 0) { if (getpidcon(rc, &context) < 0) continue; printf_tab(pc[i]); printf("%s\n", context); freecon(context); } } printf("\nFile contexts:\n"); /* controlling term */ printf_tab("Controlling terminal:"); if (lgetfilecon(cterm, &context) >= 0) { printf("%s\n", context); freecon(context); } else { printf("unknown (%s)\n", strerror(errno)); } for (i = 0; i < nfc; i++) { if (lgetfilecon(fc[i], &context) >= 0) { printf_tab(fc[i]); /* check if this is a symlink */ if (lstat(fc[i], &m)) { printf ("%s (could not check link status (%s)!)\n", context, strerror(errno)); freecon(context); continue; } if (S_ISLNK(m.st_mode)) { /* print link target context */ printf("%s -> ", context); freecon(context); if (getfilecon(fc[i], &context) >= 0) { printf("%s\n", context); freecon(context); } else { printf("unknown (%s)\n", strerror(errno)); } } else { printf("%s\n", context); freecon(context); } } } return 0; }
int selinux_mkload_policy(int preservebools) { int kernvers = security_policyvers(); int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers; int setlocaldefs = load_setlocaldefs; char path[PATH_MAX]; struct stat sb; struct utsname uts; size_t size; void *map, *data; int fd, rc = -1, prot; sepol_policydb_t *policydb; sepol_policy_file_t *pf; int usesepol = 0; int (*vers_max)(void) = NULL; int (*vers_min)(void) = NULL; int (*policy_file_create)(sepol_policy_file_t **) = NULL; void (*policy_file_free)(sepol_policy_file_t *) = NULL; void (*policy_file_set_mem)(sepol_policy_file_t *, char*, size_t) = NULL; int (*policydb_create)(sepol_policydb_t **) = NULL; void (*policydb_free)(sepol_policydb_t *) = NULL; int (*policydb_read)(sepol_policydb_t *, sepol_policy_file_t *) = NULL; int (*policydb_set_vers)(sepol_policydb_t *, unsigned int) = NULL; int (*policydb_to_image)(sepol_handle_t *, sepol_policydb_t *, void **, size_t *) = NULL; int (*genbools_array)(void *data, size_t len, char **names, int *values, int nel) = NULL; int (*genusers)(void *data, size_t len, const char *usersdir, void **newdata, size_t * newlen) = NULL; int (*genbools)(void *data, size_t len, char *boolpath) = NULL; #ifdef SHARED char *errormsg = NULL; void *libsepolh = NULL; libsepolh = dlopen("libsepol.so.1", RTLD_NOW); if (libsepolh) { usesepol = 1; dlerror(); #define DLERR() if ((errormsg = dlerror())) goto dlclose; vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max"); DLERR(); vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min"); DLERR(); policy_file_create = dlsym(libsepolh, "sepol_policy_file_create"); DLERR(); policy_file_free = dlsym(libsepolh, "sepol_policy_file_free"); DLERR(); policy_file_set_mem = dlsym(libsepolh, "sepol_policy_file_set_mem"); DLERR(); policydb_create = dlsym(libsepolh, "sepol_policydb_create"); DLERR(); policydb_free = dlsym(libsepolh, "sepol_policydb_free"); DLERR(); policydb_read = dlsym(libsepolh, "sepol_policydb_read"); DLERR(); policydb_set_vers = dlsym(libsepolh, "sepol_policydb_set_vers"); DLERR(); policydb_to_image = dlsym(libsepolh, "sepol_policydb_to_image"); DLERR(); genbools_array = dlsym(libsepolh, "sepol_genbools_array"); DLERR(); genusers = dlsym(libsepolh, "sepol_genusers"); DLERR(); genbools = dlsym(libsepolh, "sepol_genbools"); DLERR(); #undef DLERR } #else usesepol = 1; vers_max = sepol_policy_kern_vers_max; vers_min = sepol_policy_kern_vers_min; policy_file_create = sepol_policy_file_create; policy_file_free = sepol_policy_file_free; policy_file_set_mem = sepol_policy_file_set_mem; policydb_create = sepol_policydb_create; policydb_free = sepol_policydb_free; policydb_read = sepol_policydb_read; policydb_set_vers = sepol_policydb_set_vers; policydb_to_image = sepol_policydb_to_image; genbools_array = sepol_genbools_array; genusers = sepol_genusers; genbools = sepol_genbools; #endif /* * Check whether we need to support local boolean and user definitions. */ if (setlocaldefs) { if (access(selinux_booleans_path(), F_OK) == 0) goto checkbool; snprintf(path, sizeof path, "%s.local", selinux_booleans_path()); if (access(path, F_OK) == 0) goto checkbool; snprintf(path, sizeof path, "%s/local.users", selinux_users_path()); if (access(path, F_OK) == 0) goto checkbool; /* No local definition files, so disable setlocaldefs. */ setlocaldefs = 0; } checkbool: /* * As of Linux 2.6.22, the kernel preserves boolean * values across a reload, so we do not need to * preserve them in userspace. */ if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0) preservebools = 0; if (usesepol) { maxvers = vers_max(); minvers = vers_min(); if (!setlocaldefs && !preservebools) maxvers = max(kernvers, maxvers); } vers = maxvers; search: snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); while (fd < 0 && errno == ENOENT && --vers >= minvers) { /* Check prior versions to see if old policy is available */ snprintf(path, sizeof(path), "%s.%d", selinux_binary_policy_path(), vers); fd = open(path, O_RDONLY); } if (fd < 0) { fprintf(stderr, "SELinux: Could not open policy file <= %s.%d: %s\n", selinux_binary_policy_path(), maxvers, strerror(errno)); goto dlclose; } if (fstat(fd, &sb) < 0) { fprintf(stderr, "SELinux: Could not stat policy file %s: %s\n", path, strerror(errno)); goto close; } prot = PROT_READ; if (setlocaldefs || preservebools) prot |= PROT_WRITE; size = sb.st_size; data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { fprintf(stderr, "SELinux: Could not map policy file %s: %s\n", path, strerror(errno)); goto close; } if (vers > kernvers && usesepol) { /* Need to downgrade to kernel-supported version. */ if (policy_file_create(&pf)) goto unmap; if (policydb_create(&policydb)) { policy_file_free(pf); goto unmap; } policy_file_set_mem(pf, data, size); if (policydb_read(policydb, pf)) { policy_file_free(pf); policydb_free(policydb); goto unmap; } if (policydb_set_vers(policydb, kernvers) || policydb_to_image(NULL, policydb, &data, &size)) { /* Downgrade failed, keep searching. */ fprintf(stderr, "SELinux: Could not downgrade policy file %s, searching for an older version.\n", path); policy_file_free(pf); policydb_free(policydb); munmap(map, sb.st_size); close(fd); vers--; goto search; } policy_file_free(pf); policydb_free(policydb); } if (usesepol) { if (setlocaldefs) { void *olddata = data; size_t oldsize = size; rc = genusers(olddata, oldsize, selinux_users_path(), &data, &size); if (rc < 0) { /* Fall back to the prior image if genusers failed. */ data = olddata; size = oldsize; rc = 0; } else { if (olddata != map) free(olddata); } } #ifndef DISABLE_BOOL if (preservebools) { int *values, len, i; char **names; rc = security_get_boolean_names(&names, &len); if (!rc) { values = malloc(sizeof(int) * len); if (!values) goto unmap; for (i = 0; i < len; i++) values[i] = security_get_boolean_active(names[i]); (void)genbools_array(data, size, names, values, len); free(values); for (i = 0; i < len; i++) free(names[i]); free(names); } } else if (setlocaldefs) { (void)genbools(data, size, (char *)selinux_booleans_path()); } #endif } rc = security_load_policy(data, size); if (rc) fprintf(stderr, "SELinux: Could not load policy file %s: %s\n", path, strerror(errno)); unmap: if (data != map) free(data); munmap(map, sb.st_size); close: close(fd); dlclose: #ifdef SHARED if (errormsg) fprintf(stderr, "libselinux: %s\n", errormsg); if (libsepolh) dlclose(libsepolh); #endif return rc; }