1 /*
2 * restorecond
3 *
4 * Copyright (C) 2006-2009 Red Hat
5 * see file 'COPYING' for use and warranty information
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation; either version 2 of
10 * the License, or (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
20 * 02111-1307 USA
21 *
22 * Authors:
23 * Dan Walsh <dwalsh@redhat.com>
24 *
25 */
26
27 /*
28 * PURPOSE:
29 * This daemon program watches for the creation of files listed in a config file
 * and makes sure that their security context matches the system's defaults
31 *
32 * USAGE:
33 * restorecond [-d] [-u] [-v] [-f restorecond_file ]
34 *
35 * -d Run in debug mode
36 * -f Use alternative restorecond_file
37 * -u Run in user mode
38 * -v Run in verbose mode (Report missing files)
39 *
40 * EXAMPLE USAGE:
41 * restorecond
42 *
43 */
44
45 #define _GNU_SOURCE
46 #include <sys/inotify.h>
47 #include <errno.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <signal.h>
51 #include <string.h>
52 #include <unistd.h>
53 #include "restore.h"
54 #include <sys/types.h>
55 #include <syslog.h>
56 #include <limits.h>
57 #include <pwd.h>
58 #include <sys/stat.h>
59 #include <string.h>
60 #include <stdio.h>
61 #include <fcntl.h>
62 #include "restorecond.h"
63 #include "utmpwatcher.h"
64
/* Home directory of the invoking user (pw_dir from getpwuid()), set in main().
 * Not static, so presumably read by the other restorecond sources. */
const char *homedir;
/* inotify descriptor returned by inotify_init(); -1 until main() opens it,
 * closed by term_handler() and done(). */
static int master_fd = -1;

/* Config read on the root path. */
static const char *server_watch_file = "/etc/selinux/restorecond.conf";
/* Config handed to server() when running unprivileged. */
static const char *user_watch_file = "/etc/selinux/restorecond_user.conf";
/* Config path in use: set from -f in main(), which assigns server_watch_file
 * on the root path before the file is read. */
static const char *watch_file;
/* Restore options: zeroed, filled and passed to restore_init() in main(). */
struct restore_opts r_opts;
72
73 #include <selinux/selinux.h>
74
/* -d: stay in the foreground; main() skips daemon(0, 0). */
int debug_mode = 0;
/* Set to 1 by term_handler() on SIGTERM.
 * NOTE(review): written from a signal handler but declared as a plain int
 * rather than volatile sig_atomic_t — confirm the readers tolerate that. */
int terminate = 0;
/* Presumably an inotify watch descriptor; not referenced in this file. */
int master_wd = -1;
/* -u: call server() for the invoking user without going through start(). */
int run_as_user = 0;
79
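/*
 * atexit() hook registered in main(): release the inotify watch list and
 * descriptor, the utmp watcher state and the selabel handle opened by
 * restore_init().
 *
 * master_fd is only touched when it is a live descriptor: this hook also
 * runs when exitApp() is reached before inotify_init() succeeded, and
 * resetting it afterwards makes the teardown safe to reach a second time.
 * term_handler() closes master_fd without resetting it, so a SIGTERM
 * shutdown still presumably reaches close() here on an already-closed
 * number; it fails with EBADF rather than touching another descriptor
 * only as long as nothing in between has reused it.
 */
static void done(void)
{
	if (master_fd >= 0) {
		watch_list_free(master_fd);
		close(master_fd);
		master_fd = -1;
	}
	utmpwatcher_free();
	selabel_close(r_opts.hnd);
}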
86
/* Pid file written after daemonising; write_pid_file() clears it (sets it to
 * 0) on failure so main() does not unlink a file it never created. */
static const char *pidfile = "/var/run/restorecond.pid";
88
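/*
 * Record the daemon's pid in pidfile.
 *
 * Returns 0 on success, 1 on failure. On failure the error is reported via
 * syslog and pidfile is set to NULL so that main() skips the unlink() at
 * shutdown. O_NOFOLLOW keeps the open from being redirected by a symlink
 * planted at the pidfile path; O_TRUNC discards a stale pid from an earlier
 * run.
 */
static int write_pid_file(void)
{
	char val[16];
	/* getpid() returns pid_t; cast so the value matches the %u conversion. */
	int len = snprintf(val, sizeof val, "%u\n", (unsigned)getpid());

	if (len < 0) {
		syslog(LOG_ERR, "Pid error (%s)", strerror(errno));
		pidfile = NULL;
		return 1;
	}
	/* A pid cannot overflow 16 bytes in practice, but a truncated pidfile
	 * is worse than none at all. */
	if ((size_t)len >= sizeof val) {
		syslog(LOG_ERR, "Pid error (truncated)");
		pidfile = NULL;
		return 1;
	}

	int pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
	if (pidfd < 0) {
		syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno));
		pidfile = NULL;
		return 1;
	}

	/* write() may be interrupted or return short; loop until the whole
	 * string is written so the file never holds a partial number. */
	size_t off = 0;
	while (off < (size_t)len) {
		ssize_t n = write(pidfd, val + off, (size_t)len - off);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			syslog(LOG_ERR, "Unable to write pidfile (%s)", strerror(errno));
			close(pidfd);
			/* The file was created above; remove it rather than leave a
			 * partial pid behind, then tell main() there is nothing to unlink. */
			unlink(pidfile);
			pidfile = NULL;
			return 1;
		}
		off += (size_t)n;
	}
	close(pidfd);
	return 0;
}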
110
111 /*
112 * SIGTERM handler
113 */
/*
 * SIGTERM handler: raise the terminate flag, then close the inotify
 * descriptor so the watch() loop in main() fails and returns. The flag is
 * set first so it is already visible when the loop wakes up. Only
 * async-signal-safe calls belong here; close() qualifies.
 * NOTE(review): master_fd is left holding the closed number, so the later
 * cleanup in main() and done() closes it again — confirm that is intended.
 */
static void term_handler(int s __attribute__ ((unused)))
{
	terminate = 1;
	/* trigger a failure in the watch */
	close(master_fd);
}
120
/* Print the command-line synopsis for program to stdout. */
static void usage(char *program)
{
	fprintf(stdout, "%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
}
125
/*
 * Report msg together with the current errno via perror() and terminate the
 * process. Never returns. exit() runs any atexit() hooks, so once main() has
 * registered done() the watches and the selabel handle are released on this
 * path too; failures before that point skip it. The -1 reaches the parent as
 * a non-zero status (255 where the status is truncated to 8 bits).
 */
void exitApp(const char *msg)
{
	perror(msg);
	exit(-1);
}
131
132 /*
133 Add a file to the watch list. We are watching for file creation, so we actually
134 put the watch on the directory and then examine all files created in that directory
135 to see if it is one that we are watching.
136 */
137
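/*
 * Entry point.
 *
 * Parses the command line (-d debug, -f config file, -u user mode, -v
 * verbose, -h help), installs the SIGTERM handler and the atexit() teardown,
 * opens the inotify descriptor and then either runs the per-user server
 * (non-root) or reads the system config, daemonises, writes the pidfile and
 * loops in watch() until it fails (SIGTERM closes master_fd to force that).
 *
 * Returns 0 on a clean shutdown or when SELinux is disabled; the non-root
 * paths return whatever server() returns. Fatal setup errors leave through
 * exitApp().
 */
int main(int argc, char **argv)
{
	int opt;
	struct sigaction sa;

	/* Nothing to relabel without SELinux; leave before the atexit() hook is
	 * registered so done() never runs against uninitialised state. */
	if (is_selinux_enabled() != 1)
		return 0;

	/* Set all options to zero/NULL except for ignore_noent & digest. */
	memset(&r_opts, 0, sizeof(r_opts));
	r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
	r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST;

	/* As r_opts.selabel_opt_digest = NULL, no digest will be requested. */
	restore_init(&r_opts);

	/* Register sighandlers. Zero the whole struct first so any field not
	 * set explicitly below has a defined value. */
	memset(&sa, 0, sizeof(sa));
	sa.sa_flags = 0;
	sa.sa_handler = term_handler;
	sigemptyset(&sa.sa_mask);
	if (sigaction(SIGTERM, &sa, NULL) < 0)
		exitApp("sigaction");

	atexit(done);
	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
		switch (opt) {
		case 'd':
			debug_mode = 1;
			break;
		case 'f':
			watch_file = optarg;
			break;
		case 'u':
			run_as_user = 1;
			break;
		case 'h':
			usage(argv[0]);
			exit(0);
		case 'v':
			r_opts.verbose = SELINUX_RESTORECON_VERBOSE;
			break;
		case '?':
		default:
			usage(argv[0]);
			exit(-1);
		}
	}

	master_fd = inotify_init();
	if (master_fd < 0)
		exitApp("inotify_init");

	uid_t uid = getuid();
	struct passwd *pwd = getpwuid(uid);
	if (!pwd)
		exitApp("getpwuid");

	homedir = pwd->pw_dir;
	if (uid != 0) {
		/* Unprivileged: watch the caller's own files. -f overrides the
		 * default user config, as the usage text promises. */
		const char *user_file = watch_file ? watch_file : user_watch_file;

		if (run_as_user)
			return server(master_fd, user_file);
		if (start() != 0)
			return server(master_fd, user_file);
		return 0;
	}

	/* Root: honour -f, otherwise fall back to the system config. */
	if (!watch_file)
		watch_file = server_watch_file;
	read_config(master_fd, watch_file);

	/* daemon() can fail (fork or /dev/null); running on in the caller's
	 * session would silently differ from what the caller asked for. */
	if (!debug_mode && daemon(0, 0) < 0)
		exitApp("daemon");

	/* write_pid_file() logs its own failure and clears pidfile so the
	 * unlink() below is skipped; the daemon still runs without it. */
	write_pid_file();

	/* watch() returns non-zero once master_fd is closed by term_handler()
	 * or the inotify read fails for any other reason. */
	while (watch(master_fd, watch_file) == 0)
		;

	watch_list_free(master_fd);
	close(master_fd);
	/* done() runs at exit and closes master_fd too; reset it so that second
	 * close() cannot hit a descriptor number reused in the meantime. */
	master_fd = -1;

	if (pidfile)
		unlink(pidfile);

	return 0;
}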
223