2
* Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com>
3
* Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
5
* Borrowed heavily from newrole source code
9
* Steve Grubb <sgrubb@redhat.com>
10
* Darrel Goeddel <DGoeddel@trustedcs.com>
11
* Michael Thompson <mcthomps@us.ibm.com>
12
* Dan Walsh <dwalsh@redhat.com>
14
* Permission to use, copy, modify, and distribute this software for any
15
* purpose with or without fee is hereby granted, provided that the above
16
* copyright notice and this permission notice appear in all copies.
18
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
19
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
20
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
21
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
22
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
23
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
24
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
29
#include <sys/types.h>
39
#ifdef HAVE_LINUX_AUDIT
43
#include <selinux/flask.h> /* for SECCLASS_CHR_FILE */
44
#include <selinux/selinux.h> /* for is_selinux_enabled() */
45
#include <selinux/context.h> /* for context-mangling functions */
46
#include <selinux/get_default_type.h>
47
#include <selinux/get_context_list.h>
50
#include "linux_audit.h"
52
static struct selinux_state {
53
security_context_t old_context;
54
security_context_t new_context;
55
security_context_t tty_context;
56
security_context_t new_tty_context;
63
* This function attempts to revert the relabeling done to the tty.
64
* fd - referencing the opened ttyn
65
* ttyn - name of tty to restore
67
* Returns zero on success, non-zero otherwise
70
selinux_restore_tty(void)
73
security_context_t chk_tty_context = NULL;
75
if (se_state.ttyfd == -1 || se_state.new_tty_context == NULL)
78
/* Verify that the tty still has the context set by sudo. */
79
if ((retval = fgetfilecon(se_state.ttyfd, &chk_tty_context)) < 0) {
80
warning("unable to fgetfilecon %s", se_state.ttyn);
84
if ((retval = strcmp(chk_tty_context, se_state.new_tty_context))) {
85
warningx("%s changed labels.", se_state.ttyn);
89
if ((retval = fsetfilecon(se_state.ttyfd, se_state.tty_context)) < 0)
90
warning("unable to restore context for %s", se_state.ttyn);
93
if (se_state.ttyfd != -1) {
94
close(se_state.ttyfd);
97
if (chk_tty_context != NULL) {
98
freecon(chk_tty_context);
99
chk_tty_context = NULL;
105
* This function attempts to relabel the tty. If this function fails, then
106
* the contexts are free'd and -1 is returned. On success, 0 is returned
107
* and tty_context and new_tty_context are set.
109
* This function will not fail if it can not relabel the tty when selinux is
110
* in permissive mode.
113
relabel_tty(const char *ttyn, int ptyfd)
115
security_context_t tty_con = NULL;
116
security_context_t new_tty_con = NULL;
119
se_state.ttyfd = ptyfd;
121
/* It is perfectly legal to have no tty. */
122
if (ptyfd == -1 && ttyn == NULL)
125
/* If sudo is not allocating a pty for the command, open current tty. */
127
se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
128
if (se_state.ttyfd == -1) {
129
warning("unable to open %s, not relabeling tty", ttyn);
130
if (se_state.enforcing)
133
(void)fcntl(se_state.ttyfd, F_SETFL,
134
fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
137
if (fgetfilecon(se_state.ttyfd, &tty_con) < 0) {
138
warning("unable to get current tty context, not relabeling tty");
139
if (se_state.enforcing)
143
if (tty_con && (security_compute_relabel(se_state.new_context, tty_con,
144
SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
145
warning("unable to get new tty context, not relabeling tty");
146
if (se_state.enforcing)
150
if (new_tty_con != NULL) {
151
if (fsetfilecon(se_state.ttyfd, new_tty_con) < 0) {
152
warning("unable to set new tty context");
153
if (se_state.enforcing)
159
/* Reopen pty that was relabeled, std{in,out,err} are reset later. */
160
se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY, 0);
161
if (se_state.ttyfd == -1) {
162
warning("cannot open %s", ttyn);
163
if (se_state.enforcing)
166
if (dup2(se_state.ttyfd, ptyfd) == -1) {
171
/* Re-open tty to get new label and reset std{in,out,err} */
172
close(se_state.ttyfd);
173
se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
174
if (se_state.ttyfd == -1) {
175
warning("unable to open %s", ttyn);
178
(void)fcntl(se_state.ttyfd, F_SETFL,
179
fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
180
for (fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
181
if (isatty(fd) && dup2(se_state.ttyfd, fd) == -1) {
187
/* Retain se_state.ttyfd so we can restore label when command finishes. */
188
(void)fcntl(se_state.ttyfd, F_SETFD, FD_CLOEXEC);
190
se_state.ttyn = ttyn;
191
se_state.tty_context = tty_con;
192
se_state.new_tty_context = new_tty_con;
196
if (se_state.ttyfd != -1 && se_state.ttyfd != ptyfd) {
197
close(se_state.ttyfd);
205
* Returns a new security context based on the old context and the
206
* specified role and type.
209
get_exec_context(security_context_t old_context, const char *role, const char *type)
211
security_context_t new_context = NULL;
212
context_t context = NULL;
213
char *typebuf = NULL;
215
/* We must have a role, the type is optional (we can use the default). */
217
warningx("you must specify a role for type %s", type);
222
if (get_default_type(role, &typebuf)) {
223
warningx("unable to get default type for role %s", role);
231
* Expand old_context into a context_t so that we extract and modify
232
* its components easily.
234
context = context_new(old_context);
237
* Replace the role and type in "context" with the role and
238
* type we will be running the command as.
240
if (context_role_set(context, role)) {
241
warning("failed to set new role %s", role);
244
if (context_type_set(context, type)) {
245
warning("failed to set new type %s", type);
250
* Convert "context" back into a string and verify it.
252
new_context = estrdup(context_str(context));
253
if (security_check_context(new_context) < 0) {
254
warningx("%s is not a valid context", new_context);
260
warningx("Your new context is %s", new_context);
263
context_free(context);
268
context_free(context);
269
freecon(new_context);
274
* Set the exec and tty contexts in preparation for fork/exec.
275
* Must run as root, before the uid change.
276
* If ptyfd is not -1, it indicates we are running
277
* in a pty and do not need to reset std{in,out,err}.
278
* Returns 0 on success and -1 on failure.
281
selinux_setup(const char *role, const char *type, const char *ttyn,
286
/* Store the caller's SID in old_context. */
287
if (getprevcon(&se_state.old_context)) {
288
warning("failed to get old_context");
292
se_state.enforcing = security_getenforce();
293
if (se_state.enforcing < 0) {
294
warning("unable to determine enforcing mode.");
299
warningx("your old context was %s", se_state.old_context);
301
se_state.new_context = get_exec_context(se_state.old_context, role, type);
302
if (!se_state.new_context)
305
if (relabel_tty(ttyn, ptyfd) < 0) {
306
warning("unable to setup tty context for %s", se_state.new_context);
311
if (se_state.ttyfd != -1) {
312
warningx("your old tty context is %s", se_state.tty_context);
313
warningx("your new tty context is %s", se_state.new_tty_context);
317
#ifdef HAVE_LINUX_AUDIT
318
linux_audit_role_change(se_state.old_context, se_state.new_context,
329
selinux_execve(const char *path, char *argv[], char *envp[])
331
if (setexeccon(se_state.new_context)) {
332
warning("unable to set exec context to %s", se_state.new_context);
333
if (se_state.enforcing)
337
#ifdef HAVE_SETKEYCREATECON
338
if (setkeycreatecon(se_state.new_context)) {
339
warning("unable to set key creation context to %s", se_state.new_context);
340
if (se_state.enforcing)
343
#endif /* HAVE_SETKEYCREATECON */
345
/* We use the "spare" slot in argv to store sesh. */
347
argv[0] = *argv[1] == '-' ? "-sesh" : "sesh";
348
argv[1] = (char *)path;
350
execve(_PATH_SUDO_SESH, argv, envp);