2
* Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
4
* Borrowed heavily from newrole source code
8
* Steve Grubb <sgrubb@redhat.com>
9
* Darrel Goeddel <DGoeddel@trustedcs.com>
10
* Michael Thompson <mcthomps@us.ibm.com>
11
* Dan Walsh <dwalsh@redhat.com>
13
* Permission to use, copy, modify, and distribute this software for any
14
* purpose with or without fee is hereby granted, provided that the above
15
* copyright notice and this permission notice appear in all copies.
17
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
18
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
19
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
20
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
21
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
22
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
23
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
28
#include <sys/types.h>
43
#include <selinux/flask.h> /* for SECCLASS_CHR_FILE */
44
#include <selinux/selinux.h> /* for is_selinux_enabled() */
45
#include <selinux/context.h> /* for context-mangling functions */
46
#include <selinux/get_default_type.h>
47
#include <selinux/get_context_list.h>
50
#include "pathnames.h"
53
__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.2.2.4 2008/02/22 20:33:10 millert Exp $";
57
* This function attempts to revert the relabeling done to the tty.
58
* fd - referencing the opened ttyn
59
* ttyn - name of tty to restore
60
* tty_context - original context of the tty
61
* new_tty_context - context tty was relabeled to
63
* Returns zero on success, non-zero otherwise
66
restore_tty_label(int fd, const char *ttyn, security_context_t tty_context,
67
security_context_t new_tty_context)
70
security_context_t chk_tty_context = NULL;
78
/* Verify that the tty still has the context set by sudo. */
79
if ((rc = fgetfilecon(fd, &chk_tty_context)) < 0) {
80
warn("unable to fgetfilecon %s", ttyn);
84
if ((rc = strcmp(chk_tty_context, new_tty_context))) {
85
warnx("%s changed labels.", ttyn);
89
if ((rc = fsetfilecon(fd, tty_context)) < 0)
90
warn("unable to restore context for %s", ttyn);
93
freecon(chk_tty_context);
98
* This function attempts to relabel the tty. If this function fails, then
99
* the fd is closed, the contexts are free'd and -1 is returned. On success,
100
* a valid fd is returned and tty_context and new_tty_context are set.
102
* This function will not fail if it can not relabel the tty when selinux is
103
* in permissive mode.
106
relabel_tty(const char *ttyn, security_context_t new_context,
107
security_context_t * tty_context, security_context_t * new_tty_context,
111
security_context_t tty_con = NULL;
112
security_context_t new_tty_con = NULL;
117
/* Re-open TTY descriptor */
118
fd = open(ttyn, O_RDWR | O_NONBLOCK);
120
warn("unable to open %s", ttyn);
123
(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
125
if (fgetfilecon(fd, &tty_con) < 0) {
126
warn("unable to get current context for %s, not relabeling tty",
132
if (tty_con && (security_compute_relabel(new_context, tty_con,
133
SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
134
warn("unable to get new context for %s, not relabeling tty", ttyn);
139
if (new_tty_con != NULL) {
140
if (fsetfilecon(fd, new_tty_con) < 0) {
141
warn("unable to set new context for %s", ttyn);
147
*tty_context = tty_con;
148
*new_tty_context = new_tty_con;
158
* Returns a new security context based on the old context and the
159
* specified role and type.
162
get_exec_context(security_context_t old_context, char *role, char *type)
164
security_context_t new_context = NULL;
165
context_t context = NULL;
166
char *typebuf = NULL;
168
/* We must have a role, the type is optional (we can use the default). */
170
warnx("you must specify a role.");
174
if (get_default_type(role, &typebuf)) {
175
warnx("unable to get default type");
182
* Expand old_context into a context_t so that we extract and modify
183
* its components easily.
185
context = context_new(old_context);
188
* Replace the role and type in "context" with the role and
189
* type we will be running the command as.
191
if (context_role_set(context, role)) {
192
warnx("failed to set new role %s", role);
195
if (context_type_set(context, type)) {
196
warnx("failed to set new type %s", type);
201
* Convert "context" back into a string and verify it.
203
new_context = estrdup(context_str(context));
204
if (security_check_context(new_context) < 0) {
205
warnx("%s is not a valid context", new_context);
210
warnx("Your new context is %s", new_context);
213
context_free(context);
218
context_free(context);
219
freecon(new_context);
224
* If the program is being run with a different security context we
225
* need to go through an intermediary process for the transition to
226
* be allowed by the policy. We use the "sesh" shell for this, which
227
* will simply execute the command pass to it on the command line.
230
selinux_exec(char *role, char *type, char **argv, char **envp, int login_shell)
232
security_context_t old_context = NULL;
233
security_context_t new_context = NULL;
234
security_context_t tty_context = NULL;
235
security_context_t new_tty_context = NULL;
237
int enforcing, ttyfd;
239
/* Must have a tty. */
240
if (user_ttypath == NULL || *user_ttypath == '\0')
241
err(EXIT_FAILURE, "unable to determine tty");
243
/* Store the caller's SID in old_context. */
244
if (getprevcon(&old_context))
245
err(EXIT_FAILURE, "failed to get old_context");
247
enforcing = security_getenforce();
249
err(EXIT_FAILURE, "unable to determine enforcing mode.");
253
warnx("your old context was %s", old_context);
255
new_context = get_exec_context(old_context, role, type);
259
ttyfd = relabel_tty(user_ttypath, new_context, &tty_context,
260
&new_tty_context, enforcing);
262
err(EXIT_FAILURE, "unable to setup tty context for %s", new_context);
265
warnx("your old tty context is %s", tty_context);
266
warnx("your new tty context is %s", new_tty_context);
271
/* fork failed, no child to worry about */
272
warn("unable to fork");
273
if (restore_tty_label(ttyfd, user_ttypath, tty_context, new_tty_context))
274
warnx("unable to restore tty label");
276
} else if (childPid) {
280
/* Parent, wait for child to finish. */
282
pid = waitpid(childPid, &status, 0);
283
} while (pid == -1 && errno == EINTR);
286
err(EXIT_FAILURE, "waitpid");
288
if (restore_tty_label(ttyfd, user_ttypath, tty_context, new_tty_context))
289
errx(EXIT_FAILURE, "unable to restore tty label");
291
/* Preserve child exit status. */
292
if (WIFEXITED(status))
293
exit(WEXITSTATUS(status));
297
/* Close the tty and reopen descriptors 0 through 2 */
298
if (close(ttyfd) || close(STDIN_FILENO) || close(STDOUT_FILENO) ||
299
close(STDERR_FILENO)) {
300
warn("could not close descriptors");
303
ttyfd = open(user_ttypath, O_RDONLY | O_NONBLOCK);
304
if (ttyfd != STDIN_FILENO)
306
fcntl(ttyfd, F_SETFL, fcntl(ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
307
ttyfd = open(user_ttypath, O_RDWR | O_NONBLOCK);
308
if (ttyfd != STDOUT_FILENO)
310
fcntl(ttyfd, F_SETFL, fcntl(ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
311
ttyfd = dup(STDOUT_FILENO);
312
if (ttyfd != STDERR_FILENO)
315
if (setexeccon(new_context)) {
316
warn("unable to set exec context to %s", new_context);
321
if (setkeycreatecon(new_context)) {
322
warn("unable to set key creation context to %s", new_context);
328
if (send_audit_message(1, old_context, new_context, user_ttypath))
332
/* We use the "spare" slot in argv to store sesh. */
334
argv[0] = login_shell ? "-sesh" : "sesh";
337
execve(_PATH_SUDO_SESH, argv, envp);
338
warn("%s", safe_cmnd);