1 /*
2 * restorecond
3 *
4 * Copyright (C) 2006-2009 Red Hat
5 * see file 'COPYING' for use and warranty information
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation; either version 2 of
10 * the License, or (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
20 * 02111-1307 USA
21 *
22 * Authors:
23 * Dan Walsh <dwalsh@redhat.com>
24 *
25 */
26
27 /*
28 * PURPOSE:
 * This daemon program watches for the creation of files listed in a config file
 * and makes sure that their security context matches the system's defaults
31 *
32 * USAGE:
33 * restorecond [-d] [-u] [-v] [-f restorecond_file ]
34 *
35 * -d Run in debug mode
36 * -f Use alternative restorecond_file
37 * -u Run in user mode
38 * -v Run in verbose mode (Report missing files)
39 *
40 * EXAMPLE USAGE:
41 * restorecond
42 *
43 */
44
45 #define _GNU_SOURCE
46 #include <sys/inotify.h>
47 #include <errno.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <signal.h>
51 #include <string.h>
52 #include <unistd.h>
53 #include "restore.h"
54 #include <sys/types.h>
55 #include <syslog.h>
56 #include <limits.h>
57 #include <pwd.h>
58 #include <sys/stat.h>
59 #include <string.h>
60 #include <stdio.h>
61 #include <fcntl.h>
62 #include "restorecond.h"
63 #include "utmpwatcher.h"
64
const char *homedir;		/* home directory of the invoking user; set in main() from getpwuid() */
static int master_fd = -1;	/* inotify instance descriptor; -1 until inotify_init() in main() */

static const char *server_watch_file = "/etc/selinux/restorecond.conf";
static const char *user_watch_file = "/etc/selinux/restorecond_user.conf";
static const char *watch_file;	/* config in use: server_watch_file unless -f overrides it */
struct restore_opts r_opts;	/* options passed to restore_init(); r_opts.hnd is released in done() */
72
73 #include <selinux/selinux.h>
74
int debug_mode = 0;	/* -d: stay in the foreground instead of calling daemon() */
int terminate = 0;	/* set by term_handler() on SIGTERM; NOTE(review): a volatile sig_atomic_t would be the portable choice for a flag written from a signal handler */
int master_wd = -1;	/* not referenced in this file; presumably the watch descriptor used by the watch code - confirm */
int run_as_user = 0;	/* -u: run the per-user server() instead of the system daemon */
79
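/*
 * atexit() hook: release the inotify watch list, the utmp watcher and the
 * selabel handle that main() set up.
 *
 * close() is only issued while master_fd still holds a descriptor, and the
 * variable is reset to -1 afterwards, so a descriptor that was already
 * closed elsewhere (and may have been reused by then) is not closed twice.
 */
static void done(void) {
	watch_list_free(master_fd);
	if (master_fd >= 0) {
		close(master_fd);
		master_fd = -1;
	}
	utmpwatcher_free();
	selabel_close(r_opts.hnd);
}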
86
static const char *pidfile = "/run/restorecond.pid";	/* reset to NULL when write_pid_file() fails so main() never unlinks a file this process did not create */
88
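/*
 * Record the daemon's pid in pidfile so that an init script can find it.
 *
 * Returns 0 on success and 1 on failure; the failure is logged through
 * syslog.  When the pid cannot be formatted or the file cannot be created,
 * pidfile is reset to NULL so that main() does not unlink a path this
 * process never wrote.
 */
static int write_pid_file(void)
{
	int pidfd, len;
	char val[16];

	/* pid_t is signed on Linux; widen to long so format and argument agree. */
	len = snprintf(val, sizeof(val), "%ld\n", (long)getpid());
	if (len < 0 || (size_t)len >= sizeof(val)) {
		syslog(LOG_ERR, "Pid error (%s)", strerror(errno));
		pidfile = 0;
		return 1;
	}
	/* O_NOFOLLOW: never write through a symlink planted at the pid path. */
	pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
	if (pidfd < 0) {
		syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno));
		pidfile = 0;
		return 1;
	}
	/* A short write leaves a truncated pid behind; treat it as an error. */
	if (write(pidfd, val, (size_t)len) != len) {
		syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
		close(pidfd);
		return 1;
	}
	close(pidfd);
	return 0;
}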
114
115 /*
116 * SIGTERM handler
117 */
/*
 * SIGTERM handler.
 *
 * Sets the terminate flag and then closes the inotify descriptor so that the
 * watch() call main() loops on fails and the loop ends.  The flag is set
 * first so it is already visible when the watch fails; close() is
 * async-signal-safe.  NOTE(review): terminate is a plain int - confirm
 * whether volatile sig_atomic_t is wanted here.
 */
static void term_handler(int s __attribute__ ((unused)))
{
	terminate = 1;
	/* trigger a failure in the watch */
	close(master_fd);
}
124
/* Print the one-line option synopsis for program (normally argv[0]) on stdout. */
static void usage(char *program)
{
	(void)fprintf(stdout, "%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
}
129
/*
 * Report a fatal error and terminate.
 *
 * msg is printed by perror() together with the current errno text, so it
 * should name the call that failed.  exit(-1) yields the conventional
 * status 255; registered atexit() hooks still run.
 */
void exitApp(const char *msg)
{
	perror(msg);
	exit(-1);
}
135
136 /*
137 Add a file to the watch list. We are watching for file creation, so we actually
138 put the watch on the directory and then examine all files created in that directory
139 to see if it is one that we are watching.
140 */
141
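/*
 * Entry point.
 *
 * Parses the options, installs the SIGTERM handler, creates the inotify
 * instance and then either hands off to the per-user server() (when not
 * running as root) or daemonizes, writes the pid file and loops in watch()
 * until it fails (term_handler() closes master_fd to force that).
 *
 * Returns 0, or server()'s status in the non-root case.  Fatal setup errors
 * leave through exitApp().
 */
int main(int argc, char **argv)
{
	int opt;
	struct sigaction sa;

	/* If we are not running SELinux then just exit */
	if (is_selinux_enabled() != 1)
		return 0;

	watch_file = server_watch_file;

	/* Set all options to zero/NULL except for ignore_noent & digest. */
	memset(&r_opts, 0, sizeof(r_opts));
	r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
	r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST;

	/* As r_opts.selabel_opt_digest = NULL, no digest will be requested. */
	restore_init(&r_opts);

	/* Register sighandlers; clear the whole struct so no field is left indeterminate. */
	memset(&sa, 0, sizeof(sa));
	sa.sa_flags = 0;
	sa.sa_handler = term_handler;
	sigemptyset(&sa.sa_mask);
	if (sigaction(SIGTERM, &sa, NULL) < 0)
		exitApp("sigaction");

	atexit(done);
	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
		switch (opt) {
		case 'd':
			debug_mode = 1;
			break;
		case 'f':
			watch_file = optarg;
			break;
		case 'u':
			run_as_user = 1;
			break;
		case 'h':
			usage(argv[0]);
			exit(0);
			break;
		case 'v':
			r_opts.verbose = SELINUX_RESTORECON_VERBOSE;
			break;
		case '?':
			usage(argv[0]);
			exit(-1);
		}
	}

	master_fd = inotify_init();
	if (master_fd < 0)
		exitApp("inotify_init");

	uid_t uid = getuid();
	struct passwd *pwd = getpwuid(uid);
	if (!pwd)
		exitApp("getpwuid");

	homedir = pwd->pw_dir;
	if (uid != 0) {
		/* Non-root: serve the user's own config; with -u unconditionally,
		 * otherwise only when start() reports that no server is running. */
		if (run_as_user)
			return server(master_fd, user_watch_file);
		if (start() != 0)
			return server(master_fd, user_watch_file);
		return 0;
	}

	read_config(master_fd, watch_file);

	if (!debug_mode) {
		if (daemon(0, 0) < 0)
			exitApp("daemon");
	}

	/* Failure is already logged by write_pid_file(); the daemon keeps running. */
	write_pid_file();

	while (watch(master_fd, watch_file) == 0) {
	}

	/* The descriptor is closed here; reset master_fd so the atexit() hook
	 * done() does not close a (possibly reused) descriptor a second time. */
	watch_list_free(master_fd);
	close(master_fd);
	master_fd = -1;

	if (pidfile)
		unlink(pidfile);

	return 0;
}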
230