1 /*
2 * restorecond
3 *
4 * Copyright (C) 2006-2009 Red Hat
5 * see file 'COPYING' for use and warranty information
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License as
9 * published by the Free Software Foundation; either version 2 of
10 * the License, or (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
20 * 02111-1307 USA
21 *
22 * Authors:
23 * Dan Walsh <dwalsh@redhat.com>
24 *
25 */
26
27 /*
28 * PURPOSE:
 * This daemon program watches for the creation of files listed in a config file
 * and makes sure that their security context matches the system's defaults
31 *
32 * USAGE:
33 * restorecond [-d] [-u] [-v] [-f restorecond_file ]
34 *
35 * -d Run in debug mode
36 * -f Use alternative restorecond_file
37 * -u Run in user mode
38 * -v Run in verbose mode (Report missing files)
39 *
40 * EXAMPLE USAGE:
41 * restorecond
42 *
43 */
44
45 #define _GNU_SOURCE
46 #include <sys/inotify.h>
47 #include <errno.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <signal.h>
51 #include <string.h>
52 #include <unistd.h>
53 #include "restore.h"
54 #include <sys/types.h>
55 #include <syslog.h>
56 #include <limits.h>
57 #include <pwd.h>
58 #include <sys/stat.h>
59 #include <string.h>
60 #include <stdio.h>
61 #include <fcntl.h>
62 #include "restorecond.h"
63 #include "utmpwatcher.h"
64
/* Home directory of the invoking user (pw_dir from getpwuid); assigned in main(). */
const char *homedir;
/* inotify descriptor; stays -1 until inotify_init() succeeds in main(). */
static int master_fd = -1;

/* System-wide watch list, used when running as root (uid 0). */
static const char *server_watch_file = "/etc/selinux/restorecond.conf";
/* Per-user watch list, used for uid != 0. */
static const char *user_watch_file = "/etc/selinux/restorecond_user.conf";
/* Path of the configuration file in use: -f stores optarg here, and main()
 * assigns server_watch_file before read_config() on the root path. */
static const char *watch_file;
/* Options handed to the libselinux restorecon API; zeroed and filled in main(). */
struct restore_opts r_opts;

#include <selinux/selinux.h>

/* Command-line state. These are non-static and presumably read by the
 * watch/server code in the other restorecond sources — confirm against
 * restorecond.h before changing their types. */
int debug_mode = 0;	/* -d: stay in the foreground instead of daemonising */
/* Set to 1 by term_handler() on SIGTERM. NOTE(review): written from a
 * signal handler, so `volatile sig_atomic_t` would be the strictly
 * correct type; left as-is because the declaration is shared. */
int terminate = 0;
int master_wd = -1;	/* inotify watch descriptor; not written in this file */
int run_as_user = 0;	/* -u: run the per-user server */
79
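/*
 * atexit() hook: release the inotify watch list, the inotify descriptor,
 * the utmp watcher state and the selabel handle.
 *
 * master_fd may never have been opened (-1 when exiting before
 * inotify_init, e.g. on -h) or may already be closed by an earlier
 * shutdown path. Close only a descriptor that is still ours and mark it
 * closed, so a second close() cannot hit an unrelated descriptor that
 * reused the number.
 */
static void done(void)
{
	watch_list_free(master_fd);
	if (master_fd >= 0) {
		close(master_fd);
		master_fd = -1;
	}
	utmpwatcher_free();
	selabel_close(r_opts.hnd);
}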
86
/* Pid file path. write_pid_file() sets it to 0 on failure so that main()
 * skips the unlink() at shutdown. */
static const char *pidfile = "/var/run/restorecond.pid";
88
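/*
 * Write our pid to pidfile so the init system can locate the daemon.
 *
 * Returns 0 on success, 1 on failure. When the pid cannot be formatted or
 * the file cannot be opened, pidfile is set to NULL so that main() does not
 * unlink a file we never created. Every failure path closes the descriptor;
 * previously a short write() leaked it.
 */
static int write_pid_file(void)
{
	int pidfd, len;
	char val[16];

	/* pid_t is signed; cast so the argument matches the %u conversion. */
	len = snprintf(val, sizeof(val), "%u\n", (unsigned int)getpid());
	if (len < 0) {
		syslog(LOG_ERR, "Pid error (%s)", strerror(errno));
		pidfile = NULL;
		return 1;
	}
	/* O_NOFOLLOW: never write through a symlink planted at the pid path. */
	pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
	if (pidfd < 0) {
		syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno));
		pidfile = NULL;
		return 1;
	}
	if (write(pidfd, val, (size_t)len) != len) {
		/* close() may clobber errno; keep the write() error for the log. */
		int saved_errno = errno;

		close(pidfd);
		syslog(LOG_ERR, "Unable to write to pidfile (%s)",
		       strerror(saved_errno));
		return 1;
	}
	if (close(pidfd) < 0) {
		syslog(LOG_ERR, "Unable to close pidfile (%s)", strerror(errno));
		return 1;
	}
	return 0;
}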
113
114 /*
115 * SIGTERM handler
116 */
/*
 * SIGTERM handler.
 *
 * Sets the shutdown flag and closes the inotify descriptor so that the
 * blocking watch loop in main() fails and unwinds. Only async-signal-safe
 * calls belong here; close(2) qualifies. The flag is presumably consulted
 * by watch() — confirm in the other restorecond sources.
 */
static void term_handler(int s __attribute__ ((unused)))
{
	terminate = 1;
	/* Breaking the descriptor is what actually wakes the watcher. */
	(void)close(master_fd);
}
123
/* Print the command-line synopsis on stdout; program is normally argv[0]. */
static void usage(char *program)
{
	fprintf(stdout, "%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
}
128
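/*
 * Report a fatal error and terminate the process.
 *
 * msg is handed to perror(3), which prints "msg: <strerror(errno)>" on
 * stderr. exit(-1) reaches the parent as status 255 (only the low eight
 * bits survive); it is kept for compatibility with existing callers and
 * scripts. The noreturn attribute tells the compiler that control never
 * comes back, so callers like main() can rely on the checks they made
 * before calling (e.g. pwd being non-NULL after getpwuid()).
 */
__attribute__((noreturn)) void exitApp(const char *msg)
{
	perror(msg);
	exit(-1);
}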
134
135 /*
136 Add a file to the watch list. We are watching for file creation, so we actually
137 put the watch on the directory and then examine all files created in that directory
138 to see if it is one that we are watching.
139 */
140
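/*
 * Entry point.
 *
 * Exits immediately when SELinux is disabled. Otherwise initialises the
 * restorecon options, installs the SIGTERM handler, parses the command
 * line, creates the inotify descriptor and then either runs the per-user
 * server (uid != 0) or daemonises and watches the system configuration
 * until term_handler() breaks the watch loop.
 *
 * Returns 0 on a clean shutdown or when SELinux is disabled; fatal errors
 * go through exitApp() (status 255), usage errors exit with -1 (255 too).
 */
int main(int argc, char **argv)
{
	int opt;
	struct sigaction sa;

	/* If we are not running SELinux then just exit */
	if (is_selinux_enabled() != 1)
		return 0;

	/* Set all options to zero/NULL except for ignore_noent & digest. */
	memset(&r_opts, 0, sizeof(r_opts));
	r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
	r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST;

	/* As r_opts.selabel_opt_digest = NULL, no digest will be requested. */
	restore_init(&r_opts);

	/* Register sighandlers. Zero the whole struct first so no field is
	 * left uninitialised, and fail loudly if the handler cannot be
	 * installed: without it SIGTERM would kill us before cleanup ran. */
	memset(&sa, 0, sizeof(sa));
	sa.sa_flags = 0;
	sa.sa_handler = term_handler;
	sigemptyset(&sa.sa_mask);
	if (sigaction(SIGTERM, &sa, NULL) < 0)
		exitApp("sigaction");

	atexit(done);
	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
		switch (opt) {
		case 'd':
			debug_mode = 1;
			break;
		case 'f':
			watch_file = optarg;
			break;
		case 'u':
			run_as_user = 1;
			break;
		case 'h':
			usage(argv[0]);
			exit(0);
			break;
		case 'v':
			r_opts.verbose = SELINUX_RESTORECON_VERBOSE;
			break;
		case '?':
		default:
			usage(argv[0]);
			exit(-1);
		}
	}

	master_fd = inotify_init();
	if (master_fd < 0)
		exitApp("inotify_init");

	uid_t uid = getuid();
	struct passwd *pwd = getpwuid(uid);
	if (!pwd)
		exitApp("getpwuid");

	homedir = pwd->pw_dir;
	if (uid != 0) {
		/* Unprivileged: honour -f, otherwise the per-user config. */
		const char *user_file = watch_file ? watch_file : user_watch_file;

		if (run_as_user)
			return server(master_fd, user_file);
		if (start() != 0)
			return server(master_fd, user_file);
		return 0;
	}

	/* Honour -f here too: the path used to be overwritten unconditionally,
	 * which made the documented -f option a no-op for the system daemon. */
	if (!watch_file)
		watch_file = server_watch_file;
	read_config(master_fd, watch_file);

	if (!debug_mode) {
		if (daemon(0, 0) < 0)
			exitApp("daemon");
	}

	/* Not fatal: write_pid_file() logs its own failure and clears pidfile
	 * so the unlink() below is skipped. */
	(void)write_pid_file();

	/* watch() stops returning 0 once term_handler() has closed master_fd. */
	while (watch(master_fd, watch_file) == 0) {
		/* keep watching */
	}

	watch_list_free(master_fd);
	close(master_fd);
	/* done() runs at exit; make sure it does not close the descriptor again. */
	master_fd = -1;

	if (pidfile)
		unlink(pidfile);

	return 0;
}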
228