• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
3  * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 /*
19  * Linux-specific portability code - just SELinux support at present
20  */
21 
22 #include "includes.h"
23 
24 #if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
25 #include <errno.h>
26 #include <stdarg.h>
27 #include <string.h>
28 #include <stdio.h>
29 
30 #include "log.h"
31 #include "xmalloc.h"
32 #include "port-linux.h"
33 
34 #ifdef WITH_SELINUX
35 #include <selinux/selinux.h>
36 #include <selinux/flask.h>
37 #include <selinux/get_context_list.h>
38 
39 #ifndef SSH_SELINUX_UNCONFINED_TYPE
40 # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
41 #endif
42 
43 /* Wrapper around is_selinux_enabled() to log its return value once only */
44 int
ssh_selinux_enabled(void)45 ssh_selinux_enabled(void)
46 {
47 	static int enabled = -1;
48 
49 	if (enabled == -1) {
50 		enabled = (is_selinux_enabled() == 1);
51 		debug("SELinux support %s", enabled ? "enabled" : "disabled");
52 	}
53 
54 	return (enabled);
55 }
56 
57 /* Return the default security context for the given username */
58 static security_context_t
ssh_selinux_getctxbyname(char * pwname)59 ssh_selinux_getctxbyname(char *pwname)
60 {
61 	security_context_t sc = NULL;
62 	char *sename = NULL, *lvl = NULL;
63 	int r;
64 
65 #ifdef HAVE_GETSEUSERBYNAME
66 	if (getseuserbyname(pwname, &sename, &lvl) != 0)
67 		return NULL;
68 #else
69 	sename = pwname;
70 	lvl = NULL;
71 #endif
72 
73 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
74 	r = get_default_context_with_level(sename, lvl, NULL, &sc);
75 #else
76 	r = get_default_context(sename, NULL, &sc);
77 #endif
78 
79 	if (r != 0) {
80 		switch (security_getenforce()) {
81 		case -1:
82 			fatal("%s: ssh_selinux_getctxbyname: "
83 			    "security_getenforce() failed", __func__);
84 		case 0:
85 			error("%s: Failed to get default SELinux security "
86 			    "context for %s", __func__, pwname);
87 			sc = NULL;
88 			break;
89 		default:
90 			fatal("%s: Failed to get default SELinux security "
91 			    "context for %s (in enforcing mode)",
92 			    __func__, pwname);
93 		}
94 	}
95 
96 #ifdef HAVE_GETSEUSERBYNAME
97 	free(sename);
98 	free(lvl);
99 #endif
100 
101 	return sc;
102 }
103 
104 /* Set the execution context to the default for the specified user */
105 void
ssh_selinux_setup_exec_context(char * pwname)106 ssh_selinux_setup_exec_context(char *pwname)
107 {
108 	security_context_t user_ctx = NULL;
109 
110 	if (!ssh_selinux_enabled())
111 		return;
112 
113 	debug3("%s: setting execution context", __func__);
114 
115 	user_ctx = ssh_selinux_getctxbyname(pwname);
116 	if (setexeccon(user_ctx) != 0) {
117 		switch (security_getenforce()) {
118 		case -1:
119 			fatal("%s: security_getenforce() failed", __func__);
120 		case 0:
121 			error("%s: Failed to set SELinux execution "
122 			    "context for %s", __func__, pwname);
123 			break;
124 		default:
125 			fatal("%s: Failed to set SELinux execution context "
126 			    "for %s (in enforcing mode)", __func__, pwname);
127 		}
128 	}
129 	if (user_ctx != NULL)
130 		freecon(user_ctx);
131 
132 	debug3("%s: done", __func__);
133 }
134 
135 /* Set the TTY context for the specified user */
136 void
ssh_selinux_setup_pty(char * pwname,const char * tty)137 ssh_selinux_setup_pty(char *pwname, const char *tty)
138 {
139 	security_context_t new_tty_ctx = NULL;
140 	security_context_t user_ctx = NULL;
141 	security_context_t old_tty_ctx = NULL;
142 
143 	if (!ssh_selinux_enabled())
144 		return;
145 
146 	debug3("%s: setting TTY context on %s", __func__, tty);
147 
148 	user_ctx = ssh_selinux_getctxbyname(pwname);
149 
150 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
151 
152 	if (getfilecon(tty, &old_tty_ctx) == -1) {
153 		error("%s: getfilecon: %s", __func__, strerror(errno));
154 		goto out;
155 	}
156 
157 	if (security_compute_relabel(user_ctx, old_tty_ctx,
158 	    SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
159 		error("%s: security_compute_relabel: %s",
160 		    __func__, strerror(errno));
161 		goto out;
162 	}
163 
164 	if (setfilecon(tty, new_tty_ctx) != 0)
165 		error("%s: setfilecon: %s", __func__, strerror(errno));
166  out:
167 	if (new_tty_ctx != NULL)
168 		freecon(new_tty_ctx);
169 	if (old_tty_ctx != NULL)
170 		freecon(old_tty_ctx);
171 	if (user_ctx != NULL)
172 		freecon(user_ctx);
173 	debug3("%s: done", __func__);
174 }
175 
176 void
ssh_selinux_change_context(const char * newname)177 ssh_selinux_change_context(const char *newname)
178 {
179 	int len, newlen;
180 	char *oldctx, *newctx, *cx;
181 	void (*switchlog) (const char *fmt,...) = logit;
182 
183 	if (!ssh_selinux_enabled())
184 		return;
185 
186 	if (getcon((security_context_t *)&oldctx) < 0) {
187 		logit("%s: getcon failed with %s", __func__, strerror(errno));
188 		return;
189 	}
190 	if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
191 	    NULL) {
192 		logit ("%s: unparseable context %s", __func__, oldctx);
193 		return;
194 	}
195 
196 	/*
197 	 * Check whether we are attempting to switch away from an unconfined
198 	 * security context.
199 	 */
200 	if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
201 	    sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
202 		switchlog = debug3;
203 
204 	newlen = strlen(oldctx) + strlen(newname) + 1;
205 	newctx = xmalloc(newlen);
206 	len = cx - oldctx + 1;
207 	memcpy(newctx, oldctx, len);
208 	strlcpy(newctx + len, newname, newlen - len);
209 	if ((cx = index(cx + 1, ':')))
210 		strlcat(newctx, cx, newlen);
211 	debug3("%s: setting context from '%s' to '%s'", __func__,
212 	    oldctx, newctx);
213 	if (setcon(newctx) < 0)
214 		switchlog("%s: setcon %s from %s failed with %s", __func__,
215 		    newctx, oldctx, strerror(errno));
216 	free(oldctx);
217 	free(newctx);
218 }
219 
220 void
ssh_selinux_setfscreatecon(const char * path)221 ssh_selinux_setfscreatecon(const char *path)
222 {
223 	security_context_t context;
224 
225 	if (!ssh_selinux_enabled())
226 		return;
227 	if (path == NULL) {
228 		setfscreatecon(NULL);
229 		return;
230 	}
231 	if (matchpathcon(path, 0700, &context) == 0)
232 		setfscreatecon(context);
233 }
234 
235 #endif /* WITH_SELINUX */
236 
237 #ifdef LINUX_OOM_ADJUST
238 /*
239  * The magic "don't kill me" values, old and new, as documented in eg:
240  * http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt
241  * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt
242  */
243 
244 static int oom_adj_save = INT_MIN;
245 static char *oom_adj_path = NULL;
246 struct {
247 	char *path;
248 	int value;
249 } oom_adjust[] = {
250 	{"/proc/self/oom_score_adj", -1000},	/* kernels >= 2.6.36 */
251 	{"/proc/self/oom_adj", -17},		/* kernels <= 2.6.35 */
252 	{NULL, 0},
253 };
254 
255 /*
256  * Tell the kernel's out-of-memory killer to avoid sshd.
257  * Returns the previous oom_adj value or zero.
258  */
259 void
oom_adjust_setup(void)260 oom_adjust_setup(void)
261 {
262 	int i, value;
263 	FILE *fp;
264 
265 	debug3("%s", __func__);
266 	 for (i = 0; oom_adjust[i].path != NULL; i++) {
267 		oom_adj_path = oom_adjust[i].path;
268 		value = oom_adjust[i].value;
269 		if ((fp = fopen(oom_adj_path, "r+")) != NULL) {
270 			if (fscanf(fp, "%d", &oom_adj_save) != 1)
271 				verbose("error reading %s: %s", oom_adj_path,
272 				    strerror(errno));
273 			else {
274 				rewind(fp);
275 				if (fprintf(fp, "%d\n", value) <= 0)
276 					verbose("error writing %s: %s",
277 					   oom_adj_path, strerror(errno));
278 				else
279 					debug("Set %s from %d to %d",
280 					   oom_adj_path, oom_adj_save, value);
281 			}
282 			fclose(fp);
283 			return;
284 		}
285 	}
286 	oom_adj_path = NULL;
287 }
288 
289 /* Restore the saved OOM adjustment */
290 void
oom_adjust_restore(void)291 oom_adjust_restore(void)
292 {
293 	FILE *fp;
294 
295 	debug3("%s", __func__);
296 	if (oom_adj_save == INT_MIN || oom_adj_path == NULL ||
297 	    (fp = fopen(oom_adj_path, "w")) == NULL)
298 		return;
299 
300 	if (fprintf(fp, "%d\n", oom_adj_save) <= 0)
301 		verbose("error writing %s: %s", oom_adj_path, strerror(errno));
302 	else
303 		debug("Set %s to %d", oom_adj_path, oom_adj_save);
304 
305 	fclose(fp);
306 	return;
307 }
308 #endif /* LINUX_OOM_ADJUST */
309 #endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
310