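#ifndef _RESTORECON_H_
#define _RESTORECON_H_

#include <sys/types.h>
#include <stddef.h>
#include <stdarg.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Opaque selabel handle, defined in full by the selabel_open(3) header.
 * Forward-declared here so the prototypes below name a single file-scope
 * tag; without this, a tag first seen inside a parameter list has
 * prototype scope only and does not match the caller's type.
 */
struct selabel_handle;

/**
 * selinux_restorecon - Relabel files.
 * @pathname: specifies the file/directory to relabel.
 * @restorecon_flags: specifies the actions to be performed when relabeling
 *                    (a bitwise OR of the SELINUX_RESTORECON_* flags below).
 *
 * selinux_restorecon(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * the first time through, to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required, see
 * selinux_restorecon_set_sehandle(3).
 */
extern int selinux_restorecon(const char *pathname,
			      unsigned int restorecon_flags);

/**
 * selinux_restorecon_parallel - Relabel files, optionally using more threads.
 * @pathname: specifies the file/directory to relabel.
 * @restorecon_flags: specifies the actions to be performed when relabeling.
 * @nthreads: specifies the number of threads to use (0 = use the number of
 *            CPUs currently online).
 *
 * Same as selinux_restorecon(3), but allows multiple threads to be used to
 * do the work.
 */
extern int selinux_restorecon_parallel(const char *pathname,
				       unsigned int restorecon_flags,
				       size_t nthreads);

/*
 * restorecon_flags options
 *
 * Each flag occupies a distinct bit and may be combined with the others
 * using bitwise OR.
 */

/*
 * Force the checking of labels even if the stored SHA1 digest
 * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
 */
#define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
/*
 * Do not change file labels.
 */
#define SELINUX_RESTORECON_NOCHANGE			0x00002
/*
 * If set, change the file label to that in the spec file.
 * If not, only change the type component to that in the spec file.
 */
#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x00004
/*
 * Recursively descend directories.
 */
#define SELINUX_RESTORECON_RECURSE			0x00008
/*
 * Log changes to the selinux log. Note that if VERBOSE and
 * PROGRESS are set, then PROGRESS will take precedence.
 */
#define SELINUX_RESTORECON_VERBOSE			0x00010
/*
 * If SELINUX_RESTORECON_PROGRESS is set and
 * SELINUX_RESTORECON_MASS_RELABEL is set, then output approx % complete,
 * else output the number of files processed in 1k blocks to stdout.
 */
#define SELINUX_RESTORECON_PROGRESS			0x00020
/*
 * Convert the passed-in pathname to a canonical pathname.
 */
#define SELINUX_RESTORECON_REALPATH			0x00040
/*
 * Prevent descending into directories that have a different
 * device number than the pathname from which the descent began.
 */
#define SELINUX_RESTORECON_XDEV				0x00080
/*
 * Attempt to add an association between an inode and a specification.
 * If there is already an association for the inode and it conflicts
 * with the specification, then use the last matching specification.
 */
#define SELINUX_RESTORECON_ADD_ASSOC			0x00100
/*
 * Abort on errors during the file tree walk.
 */
#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x00200
/*
 * Log any label changes to syslog.
 */
#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x00400
/*
 * Log which spec matched each file.
 */
#define SELINUX_RESTORECON_LOG_MATCHES			0x00800
/*
 * Ignore files that do not exist.
 */
#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x01000
/*
 * Do not read /proc/mounts to obtain a list of non-seclabel
 * mounts to be excluded from relabeling checks.
 */
#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x02000
/*
 * Set if a mass relabel is required.
 * See the SELINUX_RESTORECON_PROGRESS flag for details.
 */
#define SELINUX_RESTORECON_MASS_RELABEL			0x04000
/*
 * Set if no digest is to be read or written (as only processes
 * running with CAP_SYS_ADMIN can read/write digests).
 */
#define SELINUX_RESTORECON_SKIP_DIGEST			0x08000
/*
 * Set to treat conflicting specifications as errors.
 */
#define SELINUX_RESTORECON_CONFLICT_ERROR		0x10000
/*
 * Count, but otherwise ignore, errors during the file tree walk.
 * See selinux_restorecon_get_skipped_errors(3) to retrieve the count.
 */
#define SELINUX_RESTORECON_COUNT_ERRORS			0x20000
/*
 * Skip certain files or directories when restoring their security context.
 */
#define SELINUX_RESTORECON_SKIPELX			0x40000

/**
 * selinux_restorecon_set_sehandle - Set the global fc handle.
 * @hndl: specifies the handle to set as the global fc handle.
 *
 * Called by a process that has already called selabel_open(3) with its
 * required parameters, or if selinux_restorecon_default_handle(3) has been
 * called to set the default selabel_open(3) parameters.
 */
extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);

/**
 * selinux_restorecon_default_handle - Set default selabel_open(3) parameters
 *                                     to use the currently loaded policy and
 *                                     file_contexts.
 *
 * Return value is the created handle on success or NULL with @errno set on
 * failure.
 */
extern struct selabel_handle *selinux_restorecon_default_handle(void);

/**
 * selinux_restorecon_set_exclude_list - Add a list of directories that are
 *                                       to be excluded from relabeling.
 * @exclude_list: a NULL-terminated list of one or more directories not to
 *                be relabeled.
 */
extern void selinux_restorecon_set_exclude_list(const char **exclude_list);

/**
 * selinux_restorecon_set_alt_rootpath - Use an alternate rootpath.
 * @alt_rootpath: the alternate rootpath to be used.
 *
 * Return %0 on success, -%1 with @errno set on failure.
 */
extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);

/*
 * Outcome of the action taken on one directory's security.sehash entry by
 * selinux_restorecon_xattr(3).
 */
enum digest_result {
	MATCH = 0,
	NOMATCH,
	DELETED_MATCH,
	DELETED_NOMATCH,
	ERROR
};

/*
 * One node of the singly linked list filled in by selinux_restorecon_xattr(3).
 */
struct dir_xattr {
	char *directory;
	char *digest;		/* A hex encoded string that can be printed. */
	enum digest_result result;
	struct dir_xattr *next;
};

/**
 * selinux_restorecon_xattr - Read/remove security.sehash xattr entries.
 * @pathname: specifies the directory path to check.
 * @xattr_flags: specifies the actions to be performed
 *               (a bitwise OR of the SELINUX_RESTORECON_XATTR_* flags below).
 * @xattr_list: a linked list of struct dir_xattr structures containing
 *              the directory, digest and result of the action on the
 *              security.sehash entry.
 *
 * selinux_restorecon_xattr(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * the first time through, to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required, see
 * selinux_restorecon_set_sehandle(3); however note that a file_contexts
 * computed digest is required for selinux_restorecon_xattr().
 */
extern int selinux_restorecon_xattr(const char *pathname,
				    unsigned int xattr_flags,
				    struct dir_xattr ***xattr_list);

/*
 * xattr_flags options
 *
 * Each flag occupies a distinct bit and may be combined with the others
 * using bitwise OR.
 */
/* Recursively descend directories. */
#define SELINUX_RESTORECON_XATTR_RECURSE			0x0001
/* Delete non-matching digests from each directory in pathname. */
#define SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS	0x0002
/* Delete all digests found in pathname. */
#define SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS		0x0004
/* Do not read /proc/mounts. */
#define SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS			0x0008

/**
 * selinux_restorecon_get_skipped_errors - Get the number of errors ignored
 *                                         during relabeling.
 *
 * If SELINUX_RESTORECON_COUNT_ERRORS was passed to selinux_restorecon(3) or
 * selinux_restorecon_parallel(3), and that function returned successfully
 * (i.e., with a zero return value), then this function returns the number of
 * errors ignored during the file tree walk.
 */
extern unsigned long selinux_restorecon_get_skipped_errors(void);

#ifdef __cplusplus
}
#endif
#endif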