• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2 #include <unistd.h>
3 #include <sys/types.h>
4 #include <stdlib.h>
5 #include <errno.h>
6 #include "selinux_internal.h"
7 #include <selinux/avc.h>
8 #include "avc_internal.h"
9 
10 static pthread_once_t once = PTHREAD_ONCE_INIT;
11 static int selinux_enabled;
12 
avc_init_once(void)13 static void avc_init_once(void)
14 {
15 	selinux_enabled = is_selinux_enabled();
16 	if (selinux_enabled == 1) {
17 		if (avc_open(NULL, 0))
18 			return;
19 	}
20 }
21 
selinux_check_access(const char * scon,const char * tcon,const char * class,const char * perm,void * aux)22 int selinux_check_access(const char *scon, const char *tcon, const char *class, const char *perm, void *aux) {
23 	int rc;
24 	security_id_t scon_id;
25 	security_id_t tcon_id;
26 	security_class_t sclass;
27 	access_vector_t av;
28 
29 	__selinux_once(once, avc_init_once);
30 
31 	if (selinux_enabled != 1)
32 		return 0;
33 
34 	rc = avc_context_to_sid(scon, &scon_id);
35 	if (rc < 0)
36 		return rc;
37 
38 	rc = avc_context_to_sid(tcon, &tcon_id);
39 	if (rc < 0)
40 		return rc;
41 
42 	(void) avc_netlink_check_nb();
43 
44        sclass = string_to_security_class(class);
45        if (sclass == 0) {
46 	       rc = errno;
47 	       avc_log(SELINUX_ERROR, "Unknown class %s", class);
48 	       if (security_deny_unknown() == 0)
49 		       return 0;
50 	       errno = rc;
51 	       return -1;
52        }
53 
54        av = string_to_av_perm(sclass, perm);
55        if (av == 0) {
56 	       rc = errno;
57 	       avc_log(SELINUX_ERROR, "Unknown permission %s for class %s", perm, class);
58 	       if (security_deny_unknown() == 0)
59 		       return 0;
60 	       errno = rc;
61 	       return -1;
62        }
63 
64        return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
65 }
66 
selinux_check_passwd_access(access_vector_t requested)67 int selinux_check_passwd_access(access_vector_t requested)
68 {
69 	int status = -1;
70 	char *user_context;
71 	if (is_selinux_enabled() == 0)
72 		return 0;
73 	if (getprevcon_raw(&user_context) == 0) {
74 		security_class_t passwd_class;
75 		struct av_decision avd;
76 		int retval;
77 
78 		passwd_class = string_to_security_class("passwd");
79 		if (passwd_class == 0) {
80 			freecon(user_context);
81 			return 0;
82 		}
83 
84 		retval = security_compute_av_raw(user_context,
85 						     user_context,
86 						     passwd_class,
87 						     requested,
88 						     &avd);
89 
90 		if ((retval == 0) && ((requested & avd.allowed) == requested)) {
91 			status = 0;
92 		}
93 		freecon(user_context);
94 	}
95 
96 	if (status != 0 && security_getenforce() == 0)
97 		status = 0;
98 
99 	return status;
100 }
101 
hidden_def(selinux_check_passwd_access)102 hidden_def(selinux_check_passwd_access)
103 
104 int checkPasswdAccess(access_vector_t requested)
105 {
106 	return selinux_check_passwd_access(requested);
107 }
108