1 #ifndef _RESTORECON_H_
2 #define _RESTORECON_H_
3 
4 #include <sys/types.h>
5 #include <stdarg.h>
6 
7 #ifdef __cplusplus
8 extern "C" {
9 #endif
10 
/**
 * selinux_restorecon - Relabel files.
 * @pathname: specifies file/directory to relabel.
 * @restorecon_flags: specifies the actions to be performed when relabeling;
 *		      a bitwise OR of the SELINUX_RESTORECON_* values defined
 *		      below (each occupies a distinct bit), or 0 for the
 *		      default behaviour.
 *
 * selinux_restorecon(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * first time through to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required see
 * selinux_restorecon_set_sehandle(3).
 *
 * NOTE(review): the return convention is not stated in this header; the
 * other int-returning entry points below document 0 on success and -1 with
 * @errno set. Confirm against selinux_restorecon(3) before relying on it.
 */
extern int selinux_restorecon(const char *pathname,
				    unsigned int restorecon_flags);
/*
 * restorecon_flags options
 *
 * Flags that only affect output (VERBOSE, PROGRESS, SYSLOG_CHANGES,
 * LOG_MATCHES) can be combined freely with the flags that change what
 * is checked or written; see the individual notes for precedence.
 */
/*
 * Force the checking of labels even if the stored SHA1 digest
 * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
 * A matching stored digest normally lets the directory be skipped; set
 * this when a matching digest must not be taken as proof that the labels
 * underneath are still correct.
 */
#define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
/*
 * Do not change file labels.
 * Check-only mode; what gets reported depends on the logging flags below.
 */
#define SELINUX_RESTORECON_NOCHANGE			0x00002
/*
 * If set, change file label to that in spec file.
 * If not, only change type component to that in spec file.
 * Without this flag the user and role components of an existing label
 * are therefore retained and only the type is replaced.
 */
#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x00004
/*
 * Recursively descend directories.
 * See SELINUX_RESTORECON_XDEV to keep the descent on one filesystem.
 */
#define SELINUX_RESTORECON_RECURSE			0x00008
/*
 * Log changes to selinux log. Note that if VERBOSE and
 * PROGRESS are set, then PROGRESS will take precedence.
 */
#define SELINUX_RESTORECON_VERBOSE			0x00010
/*
 * If SELINUX_RESTORECON_PROGRESS is true and
 * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
 * else output the number of files in 1k blocks processed to stdout.
 */
#define SELINUX_RESTORECON_PROGRESS			0x00020
/*
 * Convert passed-in pathname to canonical pathname.
 * NOTE(review): the name suggests realpath(3), which resolves symbolic
 * links and "."/".." components before the walk starts; confirm.
 */
#define SELINUX_RESTORECON_REALPATH			0x00040
/*
 * Prevent descending into directories that have a different
 * device number than the pathname from which the descent began,
 * i.e. do not cross mount points (compare find(1) -xdev).
 */
#define SELINUX_RESTORECON_XDEV				0x00080
/*
 * Attempt to add an association between an inode and a specification.
 * If there is already an association for the inode and it conflicts
 * with the specification, then use the last matching specification.
 * See SELINUX_RESTORECON_CONFLICT_ERROR to treat such conflicts as
 * errors instead.
 */
#define SELINUX_RESTORECON_ADD_ASSOC			0x00100
/*
 * Abort on errors during the file tree walk.
 * NOTE(review): presumably the walk otherwise continues past per-file
 * errors and reports them; confirm.
 */
#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x00200
/*
 * Log any label changes to syslog.
 */
#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x00400
/*
 * Log what spec matched each file.
 */
#define SELINUX_RESTORECON_LOG_MATCHES			0x00800
/*
 * Ignore files that do not exist.
 */
#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x01000
/*
 * Do not read /proc/mounts to obtain a list of non-seclabel
 * mounts to be excluded from relabeling checks.
 * When set, such mounts are no longer excluded automatically; use
 * selinux_restorecon_set_exclude_list(3) if they must still be skipped.
 */
#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x02000
/*
 * Set if there is a mass relabel required.
 * See SELINUX_RESTORECON_PROGRESS flag for details.
 */
#define SELINUX_RESTORECON_MASS_RELABEL			0x04000
/*
 * Set if no digest is to be read or written (as only processes
 * running with CAP_SYS_ADMIN can read/write digests).
 * Set this when the caller lacks CAP_SYS_ADMIN.
 */
#define SELINUX_RESTORECON_SKIP_DIGEST			0x08000

/*
 * Set to treat conflicting specifications as errors.
 * Relevant together with SELINUX_RESTORECON_ADD_ASSOC, whose default
 * on a conflict is to use the last matching specification.
 */
#define SELINUX_RESTORECON_CONFLICT_ERROR		0x10000
109 
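/*
 * Opaque labeling handle created by selabel_open(3). Declared here so that
 * the prototypes in this header name one file-scope type whether or not the
 * caller included <selinux/label.h> first: without it, the parameter of
 * selinux_restorecon_set_sehandle() gets a prototype-scope struct tag that
 * is a different (incompatible) type from the one
 * selinux_restorecon_default_handle() returns.
 */
struct selabel_handle;

/**
 * selinux_restorecon_set_sehandle - Set the global fc handle.
 * @hndl: specifies handle to set as the global fc handle.
 *
 * Called by a process that has already called selabel_open(3) with its
 * required parameters, or if selinux_restorecon_default_handle(3) has been
 * called to set the default selabel_open(3) parameters.
 *
 * NOTE(review): the pointer is presumably stored rather than copied, so
 * @hndl must stay valid for as long as selinux_restorecon(3) or
 * selinux_restorecon_xattr(3) may use it; whether a previously set handle
 * is closed, and what passing NULL does, is not stated here. Confirm.
 */
extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);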
119 
/**
 * selinux_restorecon_default_handle - Sets default selabel_open(3) parameters
 *				       to use the currently loaded policy and
 *				       file_contexts.
 *
 * Return value is the created handle on success or NULL with @errno set on
 * failure.
 *
 * NOTE(review): the header does not say who owns the returned handle once
 * it has been passed to selinux_restorecon_set_sehandle(3); confirm whether
 * the caller must release it with selabel_close(3) and when that is safe.
 */
extern struct selabel_handle *selinux_restorecon_default_handle(void);

/**
 * selinux_restorecon_set_exclude_list - Add a list of directories that are
 *					 to be excluded from relabeling.
 * @exclude_list: containing a NULL terminated list of one or more
 *		  directories not to be relabeled.
 *
 * Excluded directories are skipped by selinux_restorecon(3); this is the
 * caller's way of keeping a relabel away from trees that must not be
 * touched (for example non-seclabel mounts when
 * SELINUX_RESTORECON_IGNORE_MOUNTS is used).
 * NOTE(review): whether the array or its strings are copied, and how
 * repeated calls combine ("Add" suggests accumulation), is not stated
 * here; confirm before reusing or freeing @exclude_list.
 */
extern void selinux_restorecon_set_exclude_list(const char **exclude_list);

/**
 * selinux_restorecon_set_alt_rootpath - Use alternate rootpath.
 * @alt_rootpath: containing the alternate rootpath to be used.
 *
 * Return %0 on success, -%1 with @errno set on failure.
 *
 * NOTE(review): presumably @alt_rootpath is prefixed to the pathnames being
 * relabeled (e.g. when labeling a mounted image or chroot); confirm.
 */
extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);
145 
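/**
 * enum digest_result - Outcome recorded per directory by
 *		       selinux_restorecon_xattr(3).
 * @MATCH: a security.sehash digest was present and matched the computed
 *	   file_contexts digest.
 * @NOMATCH: a digest was present but did not match.
 * @DELETED_MATCH: a matching digest was removed from the directory.
 * @DELETED_NOMATCH: a non-matching digest was removed from the directory.
 * @ERROR: the directory could not be processed.
 *
 * NOTE(review): the meanings above follow from the names and from the
 * SELINUX_RESTORECON_XATTR_DELETE_* flags; confirm against the
 * implementation.
 */
enum digest_result {
	MATCH = 0,
	NOMATCH,
	DELETED_MATCH,
	DELETED_NOMATCH,
	ERROR
};

/**
 * struct dir_xattr - One node of the list produced by
 *		      selinux_restorecon_xattr(3).
 * @directory: path of the directory whose security.sehash entry was
 *	       examined.
 * @digest: the digest found there, as a hex encoded string that can be
 *	    printed.
 * @result: what was found or done for this directory; see enum digest_result.
 * @next: the following node; NULL on the last one.
 *
 * NOTE(review): this header does not say who frees the nodes and their
 * strings; confirm the release convention with the implementation before
 * the caller free()s anything.
 */
struct dir_xattr {
	char *directory;
	char *digest; /* A hex encoded string that can be printed. */
	enum digest_result result;
	struct dir_xattr *next;
};

/**
 * selinux_restorecon_xattr - Read/remove security.sehash xattr entries.
 * @pathname: specifies directory path to check.
 * @xattr_flags: specifies the actions to be performed; a bitwise OR of the
 *		 SELINUX_RESTORECON_XATTR_* values defined below.
 * @xattr_list: a linked list of struct dir_xattr structures containing
 *              the directory, digest and result of the action on the
 *              security.sehash entry. Callers pass the address of a
 *              struct dir_xattr ** (presumably filled in on return;
 *              confirm whether it must refer to NULL on entry).
 *
 * selinux_restorecon_xattr(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * first time through to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required see
 * selinux_restorecon_set_sehandle(3), however note that a file_contexts
 * computed digest is required for selinux_restorecon_xattr().
 *
 * NOTE(review): the return convention is not stated here; the other
 * int-returning entry points of this header use 0 on success and -1 with
 * @errno set. Confirm.
 */
extern int selinux_restorecon_xattr(const char *pathname,
				    unsigned int xattr_flags,
				    struct dir_xattr ***xattr_list);

/*
 * xattr_flags options
 */
/* Recursively descend directories. */
#define SELINUX_RESTORECON_XATTR_RECURSE			0x0001
/* Delete non-matching digests from each directory in pathname. */
#define SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS	0x0002
/*
 * Delete all digests found in pathname.
 * Afterwards the next selinux_restorecon(3) run cannot take the
 * digest-match shortcut for those directories and checks every label
 * (see SELINUX_RESTORECON_IGNORE_DIGEST).
 */
#define SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS		0x0004
/*
 * Do not read /proc/mounts.
 * Counterpart of SELINUX_RESTORECON_IGNORE_MOUNTS for this call; the two
 * flags have different values and are not interchangeable.
 */
#define SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS			0x0008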
193 
194 #ifdef __cplusplus
195 }
196 #endif
197 #endif
198