]>
Commit | Line | Data |
---|---|---|
fe4de9a6 DE |
1 | /* |
2 | * lxc: linux Container library | |
3 | * | |
4 | * Authors: | |
5 | * Copyright © 2012 Serge Hallyn <serge.hallyn@ubuntu.com> | |
6 | * Copyright © 2012 Canonical Ltd. | |
7 | * Dwight Engen <dwight.engen@oracle.com> | |
8 | * | |
9 | * This library is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU Lesser General Public | |
11 | * License as published by the Free Software Foundation; either | |
12 | * version 2.1 of the License, or (at your option) any later version. | |
13 | * | |
14 | * This library is distributed in the hope that it will be useful, | |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
17 | * Lesser General Public License for more details. | |
18 | * | |
19 | * You should have received a copy of the GNU Lesser General Public | |
20 | * License along with this library; if not, write to the Free Software | |
21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA | |
22 | */ | |
23 | ||
9d465140 | 24 | #define _GNU_SOURCE |
fe4de9a6 DE |
25 | #include <errno.h> |
26 | #include <stdlib.h> | |
27 | #include <unistd.h> | |
28 | #include <sys/mount.h> | |
29 | #include <sys/param.h> | |
30 | ||
31 | #include "conf.h" | |
32 | #include "log.h" | |
1fb5e888 | 33 | #include "lsm.h" |
fe4de9a6 DE |
34 | |
35 | lxc_log_define(lxc_lsm, lxc); | |
36 | ||
37 | static struct lsm_drv *drv = NULL; | |
38 | ||
39 | extern struct lsm_drv *lsm_apparmor_drv_init(void); | |
40 | extern struct lsm_drv *lsm_selinux_drv_init(void); | |
41 | extern struct lsm_drv *lsm_nop_drv_init(void); | |
42 | ||
43 | __attribute__((constructor)) | |
44 | void lsm_init(void) | |
45 | { | |
46 | if (drv) { | |
47 | INFO("LSM security driver %s", drv->name); | |
48 | return; | |
49 | } | |
50 | ||
51 | #if HAVE_APPARMOR | |
52 | drv = lsm_apparmor_drv_init(); | |
53 | #endif | |
54 | #if HAVE_SELINUX | |
55 | if (!drv) | |
56 | drv = lsm_selinux_drv_init(); | |
57 | #endif | |
58 | ||
59 | if (!drv) | |
60 | drv = lsm_nop_drv_init(); | |
61 | INFO("Initialized LSM security driver %s", drv->name); | |
62 | } | |
63 | ||
41ca8908 | 64 | int lsm_enabled(void) |
9e4bf8b1 DE |
65 | { |
66 | if (drv) | |
67 | return drv->enabled(); | |
68 | return 0; | |
69 | } | |
70 | ||
41ca8908 DE |
71 | const char *lsm_name(void) |
72 | { | |
73 | if (drv) | |
74 | return drv->name; | |
75 | return "none"; | |
76 | } | |
77 | ||
fe4de9a6 DE |
78 | char *lsm_process_label_get(pid_t pid) |
79 | { | |
80 | if (!drv) { | |
81 | ERROR("LSM driver not inited"); | |
82 | return NULL; | |
83 | } | |
84 | return drv->process_label_get(pid); | |
85 | } | |
86 | ||
47ce2cb7 CB |
87 | int lsm_process_label_fd_get(pid_t pid, bool on_exec) |
88 | { | |
89 | int ret = -1; | |
90 | int labelfd = -1; | |
91 | const char *name; | |
92 | char path[LXC_LSMATTRLEN]; | |
93 | ||
94 | name = lsm_name(); | |
95 | ||
96 | if (strcmp(name, "nop") == 0) | |
97 | return 0; | |
98 | ||
99 | if (strcmp(name, "none") == 0) | |
100 | return 0; | |
101 | ||
102 | /* We don't support on-exec with AppArmor */ | |
103 | if (strcmp(name, "AppArmor") == 0) | |
104 | on_exec = 0; | |
105 | ||
106 | if (on_exec) | |
107 | ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/exec", pid); | |
108 | else | |
109 | ret = snprintf(path, LXC_LSMATTRLEN, "/proc/%d/attr/current", pid); | |
110 | if (ret < 0 || ret >= LXC_LSMATTRLEN) | |
111 | return -1; | |
112 | ||
113 | labelfd = open(path, O_RDWR); | |
114 | if (labelfd < 0) { | |
b5be6a7c | 115 | SYSERROR("Unable to %s LSM label file descriptor", name); |
47ce2cb7 CB |
116 | return -1; |
117 | } | |
118 | ||
119 | return labelfd; | |
120 | } | |
121 | ||
d3ba7c98 CB |
122 | int lsm_process_label_set_at(int label_fd, const char *label, bool on_exec) |
123 | { | |
124 | int ret = -1; | |
125 | const char *name; | |
126 | ||
127 | name = lsm_name(); | |
128 | ||
129 | if (strcmp(name, "nop") == 0) | |
130 | return 0; | |
131 | ||
132 | if (strcmp(name, "none") == 0) | |
133 | return 0; | |
134 | ||
135 | /* We don't support on-exec with AppArmor */ | |
136 | if (strcmp(name, "AppArmor") == 0) | |
137 | on_exec = false; | |
138 | ||
139 | if (strcmp(name, "AppArmor") == 0) { | |
140 | size_t len; | |
141 | char *command; | |
142 | ||
143 | if (on_exec) { | |
144 | ERROR("Changing AppArmor profile on exec not supported"); | |
145 | return -EINVAL; | |
146 | } | |
147 | ||
148 | len = strlen(label) + strlen("changeprofile ") + 1; | |
149 | command = malloc(len); | |
150 | if (!command) | |
151 | return -1; | |
152 | ||
153 | ret = snprintf(command, len, "changeprofile %s", label); | |
154 | if (ret < 0 || (size_t)ret >= len) { | |
155 | free(command); | |
156 | return -1; | |
157 | } | |
158 | ||
159 | ret = lxc_write_nointr(label_fd, command, len - 1); | |
160 | free(command); | |
161 | } else if (strcmp(name, "SELinux") == 0) { | |
162 | ret = lxc_write_nointr(label_fd, label, strlen(label)); | |
163 | } else { | |
164 | ret = -EINVAL; | |
165 | } | |
166 | if (ret < 0) { | |
167 | SYSERROR("Failed to set %s label \"%s\"", name, label); | |
168 | return -1; | |
169 | } | |
170 | ||
171 | INFO("Set %s label to \"%s\"", name, label); | |
172 | return 0; | |
173 | } | |
174 | ||
7aff4f43 | 175 | int lsm_process_label_set(const char *label, struct lxc_conf *conf, |
e6e89974 | 176 | bool use_default, bool on_exec) |
fe4de9a6 DE |
177 | { |
178 | if (!drv) { | |
179 | ERROR("LSM driver not inited"); | |
180 | return -1; | |
181 | } | |
7aff4f43 | 182 | return drv->process_label_set(label, conf, use_default, on_exec); |
fe4de9a6 | 183 | } |