1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15 #include "selinux_adp.h"
16
17 #include <errno.h>
18
19 #include "init_hook.h"
20 #include "init_module_engine.h"
21 #include "plugin_adapter.h"
22 #include "securec.h"
23
24 #include <policycoreutils.h>
25 #include <selinux/selinux.h>
26
27 enum {
28 CMD_LOAD_POLICY = 0,
29 CMD_SET_SERVICE_CONTEXTS = 1,
30 CMD_SET_SOCKET_CONTEXTS = 2,
31 CMD_RESTORE_INDEX = 3,
32 };
33
34 extern char *__progname;
35
LoadSelinuxPolicy(int id,const char * name,int argc,const char ** argv)36 static int LoadSelinuxPolicy(int id, const char *name, int argc, const char **argv)
37 {
38 int ret;
39 char processContext[MAX_SECON_LEN];
40
41 UNUSED(id);
42 UNUSED(name);
43 UNUSED(argc);
44 UNUSED(argv);
45 PLUGIN_LOGI("LoadSelinuxPolicy ");
46 // load selinux policy and context
47 if (LoadPolicy() < 0) {
48 PLUGIN_LOGE("main, load_policy failed.");
49 } else {
50 PLUGIN_LOGI("main, load_policy success.");
51 }
52
53 ret = snprintf_s(processContext, sizeof(processContext), sizeof(processContext) - 1, "u:r:%s:s0", __progname);
54 if (ret == -1) {
55 setcon("u:r:init:s0");
56 } else {
57 setcon(processContext);
58 }
59 (void)RestoreconRecurse("/dev");
60 return 0;
61 }
62
SetServiceContent(int id,const char * name,int argc,const char ** argv)63 static int SetServiceContent(int id, const char *name, int argc, const char **argv)
64 {
65 PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
66 ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
67 if (data != NULL) {
68 if (setexeccon((char *)data->data) < 0) {
69 PLUGIN_LOGE("failed to set service %s's secon (%s).", argv[0], (char *)data->data);
70 _exit(PROCESS_EXIT_CODE);
71 } else {
72 PLUGIN_LOGV("Set content %s to %s.", (char *)data->data, argv[0]);
73 }
74 } else {
75 PLUGIN_CHECK(!(setexeccon("u:r:limit_domain:s0") < 0), _exit(PROCESS_EXIT_CODE),
76 "failed to set service %s's secon (%s).", argv[0], "u:r:limit_domain:s0");
77 PLUGIN_LOGE("Please set secon field in service %s's cfg file, limit_domain will be blocked", argv[0]);
78 }
79 return 0;
80 }
81
SetSockCreateCon(int id,const char * name,int argc,const char ** argv)82 static int SetSockCreateCon(int id, const char *name, int argc, const char **argv)
83 {
84 PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
85 if (argv[0] == NULL) {
86 setsockcreatecon(NULL);
87 return 0;
88 }
89
90 ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
91 if (data != NULL) {
92 if (setsockcreatecon((char *)data->data) < 0) {
93 PLUGIN_LOGE("failed to set socket context %s's secon (%s).", argv[0], (char *)data->data);
94 _exit(PROCESS_EXIT_CODE);
95 }
96 }
97
98 return 0;
99 }
100
RestoreContentRecurse(int id,const char * name,int argc,const char ** argv)101 static int RestoreContentRecurse(int id, const char *name, int argc, const char **argv)
102 {
103 PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
104 PLUGIN_LOGV("RestoreContentRecurse path %s", argv[0]);
105 if (RestoreconRecurse(argv[0])) {
106 PLUGIN_LOGE("restoreContentRecurse failed for '%s', err %d.", argv[0], errno);
107 }
108 return 0;
109 }
110
111 static int32_t selinuxAdpCmdIds[CMD_RESTORE_INDEX + 1] = {0}; // 4 cmd count
SelinuxAdpInit(void)112 static void SelinuxAdpInit(void)
113 {
114 selinuxAdpCmdIds[CMD_LOAD_POLICY] = AddCmdExecutor("loadSelinuxPolicy", LoadSelinuxPolicy);
115 selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS] = AddCmdExecutor("setServiceContent", SetServiceContent);
116 selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS] = AddCmdExecutor("setSockCreateCon", SetSockCreateCon);
117 selinuxAdpCmdIds[CMD_RESTORE_INDEX] = AddCmdExecutor("restoreContentRecurse", RestoreContentRecurse);
118 }
119
SelinuxAdpExit(void)120 static void SelinuxAdpExit(void)
121 {
122 if (selinuxAdpCmdIds[CMD_LOAD_POLICY] != -1) {
123 RemoveCmdExecutor("loadSelinuxPolicy", selinuxAdpCmdIds[CMD_LOAD_POLICY]);
124 }
125 if (selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS] != -1) {
126 RemoveCmdExecutor("setServiceContent", selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS]);
127 }
128 if (selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS] != -1) {
129 RemoveCmdExecutor("setSockCreateCon", selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS]);
130 }
131 if (selinuxAdpCmdIds[CMD_RESTORE_INDEX] != -1) {
132 RemoveCmdExecutor("restoreContentRecurse", selinuxAdpCmdIds[CMD_RESTORE_INDEX]);
133 }
134 }
135
MODULE_CONSTRUCTOR(void)136 MODULE_CONSTRUCTOR(void)
137 {
138 PLUGIN_LOGI("Selinux adapter plug-in init now ...");
139 SelinuxAdpInit();
140 }
141
MODULE_DESTRUCTOR(void)142 MODULE_DESTRUCTOR(void)
143 {
144 PLUGIN_LOGI("Selinux adapter plug-in exit now ...");
145 SelinuxAdpExit();
146 }
147