1 /*
2  * Copyright (C) 2012 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.os;
18 
19 import android.util.Slog;
20 
21 import java.io.IOException;
22 import java.io.File;
23 import java.io.FileDescriptor;
24 
25 /**
26  * This class provides access to the centralized jni bindings for
27  * SELinux interaction.
28  * {@hide}
29  */
public class SELinux {

    private static final String TAG = "SELinux";

    /**
     * Reports whether SELinux is enabled on this system.
     *
     * @return {@code true} if SELinux is enabled, {@code false} if it is disabled.
     */
    public static final native boolean isSELinuxEnabled();

    /**
     * Reports whether SELinux is in enforcing mode rather than permissive mode.
     *
     * @return {@code true} if SELinux is enforcing.
     */
    // NOTE(review): the result when SELinux is disabled is decided in native
    // code that is not visible here; check isSELinuxEnabled() as well before
    // treating a false result as "permissive".
    public static final native boolean isSELinuxEnforced();

    /**
     * Switches SELinux between enforcing and permissive mode.
     *
     * <p>Security-sensitive: in permissive mode policy denials are no longer
     * blocked, so callers must check the return value instead of assuming the
     * requested mode took effect.
     *
     * @param value {@code true} to request enforcing mode, {@code false} for permissive.
     * @return {@code true} if the requested mode was set.
     */
    public static final native boolean setSELinuxEnforce(boolean value);

    /**
     * Sets the security context applied to file objects created afterwards.
     *
     * @param context the security context, given as a String.
     * @return {@code true} if the operation succeeded.
     */
    // NOTE(review): how long the setting persists, and how it is reset, is
    // defined by the native implementation; confirm, and restore the default
    // after use so unrelated files do not inherit this label.
    public static final native boolean setFSCreateContext(String context);

    /**
     * Changes the security context of an existing file object.
     *
     * @param path the path of the file object to relabel.
     * @param context the new security context, given as a String.
     * @return {@code true} if the operation succeeded.
     */
    // NOTE(review): the target is named by path; whether symbolic links are
    // followed is decided natively. Confirm before using on paths that a less
    // privileged process can modify.
    public static final native boolean setFileContext(String path, String context);

    /**
     * Reads the security context of a file object.
     *
     * @param path the pathname of the file object.
     * @return the security context as a String.
     */
    // NOTE(review): the value returned on failure is not visible here;
    // presumably null, so callers should handle that - confirm.
    public static final native String getFileContext(String path);

    /**
     * Reads the security context of the peer of a socket.
     *
     * @param fd the FileDescriptor of the peer socket.
     * @return the peer socket's security context as a String.
     */
    // NOTE(review): the value returned on failure is not visible here;
    // presumably null - confirm, and treat a missing context as a denial.
    public static final native String getPeerContext(FileDescriptor fd);

    /**
     * Reads the security context of the current process.
     *
     * @return the current process's security context as a String.
     */
    public static final native String getContext();

    /**
     * Reads the security context of the process with the given id.
     *
     * <p>Use of this function is discouraged for Binder transactions; use
     * Binder.getCallingSecctx() instead.
     *
     * @param pid the process id to look up.
     * @return the security context of the given pid as a String.
     */
    // NOTE(review): the likely reason for the warning above is that a pid can
    // be recycled between the request and this lookup, so the context read may
    // belong to a different process - confirm against the native side.
    public static final native String getPidContext(int pid);

    /**
     * Lists the names of the SELinux booleans.
     *
     * @return an array of Strings holding the SELinux boolean names.
     */
    public static final native String[] getBooleanNames();

    /**
     * Reads the value of the named SELinux boolean.
     *
     * @param name the name of the SELinux boolean.
     * @return {@code true} if the SELinux boolean is set.
     */
    // NOTE(review): a false result cannot be told apart from a lookup failure
    // through this signature; confirm how unknown names are reported.
    public static final native boolean getBooleanValue(String name);

    /**
     * Sets the value of the named SELinux boolean.
     *
     * @param name the name of the SELinux boolean.
     * @param value the new value of the SELinux boolean.
     * @return {@code true} if the operation succeeded.
     */
    public static final native boolean setBooleanValue(String name, boolean value);

    /**
     * Checks a permission between two security contexts.
     *
     * @param scon the source (subject) security context.
     * @param tcon the target (object) security context.
     * @param tclass the object security class name.
     * @param perm the permission name.
     * @return {@code true} if the permission was granted.
     */
    // NOTE(review): the result for a disabled SELinux or a malformed context
    // is decided in native code; confirm it denies rather than grants before
    // relying on this as the only access check.
    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);

    /**
     * Restores a file to its default SELinux security context.
     *
     * <p>{@code true} is returned automatically when the system is not
     * compiled with SELinux, and also when SELinux is compiled in but
     * disabled.
     *
     * <p>The pathname is handed to the native call unchanged; unlike
     * {@link #restorecon(File)} it is not canonicalized first.
     *
     * @param pathname the pathname of the file to be relabeled.
     * @return {@code true} if the relabeling succeeded.
     * @throws NullPointerException if the pathname is null.
     */
    public static boolean restorecon(String pathname) throws NullPointerException {
        if (pathname != null) {
            return native_restorecon(pathname);
        }
        // Reject null in Java rather than passing it to the native layer.
        throw new NullPointerException();
    }

    /**
     * Native implementation behind both {@code restorecon} overloads.
     *
     * <p>{@code true} is returned automatically when the system is not
     * compiled with SELinux, and also when SELinux is compiled in but
     * disabled.
     *
     * @param pathname the pathname of the file to be relabeled.
     * @return {@code true} if the relabeling succeeded.
     */
    private static native boolean native_restorecon(String pathname);

    /**
     * Restores a file to its default SELinux security context.
     *
     * <p>{@code true} is returned automatically when the system is not
     * compiled with SELinux, and also when SELinux is compiled in but
     * disabled.
     *
     * <p>The file's canonical path is relabeled, not the path as given.
     * Canonicalization typically resolves symbolic links, so the object that
     * gets relabeled can differ from the one the caller named. The path is
     * resolved first and relabeled by name afterwards, so callers should not
     * pass locations that a less trusted process can rearrange in between.
     *
     * @param file the File object representing the path to be relabeled.
     * @return {@code true} if the relabeling succeeded; {@code false} if the
     *         canonical path could not be determined or the relabeling failed.
     * @throws NullPointerException if the file is null.
     */
    public static boolean restorecon(File file) throws NullPointerException {
        try {
            // A null file fails here with NullPointerException, as documented.
            final String canonicalPath = file.getCanonicalPath();
            return native_restorecon(canonicalPath);
        } catch (IOException ioe) {
            // No usable path: report failure instead of relabeling a guess.
            final String rawPath = file.getPath();
            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
                   rawPath, ioe);
            return false;
        }
    }
}