folkslinux
/
rpm
mirror of https://github.com/rpm-software-management/rpm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rpm/plugins/selinux.c

195 lines
4.4 KiB
C
Raw Normal View History

First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
#include "system.h"
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/label.h>
#include <selinux/avc.h>
#include <rpm/rpmlog.h>
#include <rpm/rpmts.h>
Separate the external plugin API to its own header - rpmplugins.[ch] implements the rpm internal plugin management infrastructure, which is no business of anybody else. Mark the symbols internal while at it. - rpmplugin.h describes the API for the actual plugins, this is to be made public once the API is considered stable enough (which it certainly is not yet ;) - Adjust our plugins to include the right header
2013-04-03 16:36:09 +08:00
#include "lib/rpmplugin.h"
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
#include "debug.h"
static struct selabel_handle * sehandle = NULL;
Log RPMLOG_ERR level messages on actual errors in selinux plugin, doh. When there's an actual error, people will want to know without having to rerun in verbose mode. Such as in RhBug:1641631 where configured selinux policy differs from what is installed - the former message error: Plugin selinux: hook tsm_pre failed ...is not particularly helpful to anybody, whereas this actually provides some clues now: error: selabel_open: (/etc/selinux/ponies/contexts/files/file_contexts) No such file or directory error: Plugin selinux: hook tsm_pre failed
2019-02-14 19:12:49 +08:00
static inline rpmlogLvl loglvl(int iserror)
{
return iserror ? RPMLOG_ERR : RPMLOG_DEBUG;
}
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
static void sehandle_fini(int close_status)
{
if (sehandle) {
selabel_close(sehandle);
sehandle = NULL;
}
if (close_status) {
selinux_status_close();
}
}
static rpmRC sehandle_init(int open_status)
{
const char * path = selinux_file_context_path();
struct selinux_opt opts[] = {
{ .type = SELABEL_OPT_PATH, .value = path }
};
if (path == NULL)
return RPMRC_FAIL;
if (open_status) {
selinux_status_close();
if (selinux_status_open(0) < 0) {
return RPMRC_FAIL;
}
} else if (!selinux_status_updated() && sehandle) {
return RPMRC_OK;
}
if (sehandle)
sehandle_fini(0);
sehandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
Log RPMLOG_ERR level messages on actual errors in selinux plugin, doh. When there's an actual error, people will want to know without having to rerun in verbose mode. Such as in RhBug:1641631 where configured selinux policy differs from what is installed - the former message error: Plugin selinux: hook tsm_pre failed ...is not particularly helpful to anybody, whereas this actually provides some clues now: error: selabel_open: (/etc/selinux/ponies/contexts/files/file_contexts) No such file or directory error: Plugin selinux: hook tsm_pre failed
2019-02-14 19:12:49 +08:00
rpmlog(loglvl(sehandle == NULL), "selabel_open: (%s) %s\n",
Display message when a hook function of some plugin fails (rhbz:1262424) For a pre hook function display an error message and for a post hook function display just a warning message. This corresponds with the way how error/warning messages are displayed for scriptlets. Also add a debug message into selinux plugin.
2016-03-04 20:51:07 +08:00
path, (sehandle == NULL ? strerror(errno) : ""));
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
return (sehandle != NULL) ? RPMRC_OK : RPMRC_FAIL;
}
Rename all hook functions for saner debugging - Now that the hook functions in plugins no longer need to be uniformly named, rename them to more "natural" pluginname_hookname style so __func__ (and gdb etc) give meaningful, distinct values for them. No functional changes unless I typoed something.
2013-04-05 14:06:49 +08:00
static rpmRC selinux_tsm_pre(rpmPlugin plugin, rpmts ts)
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
{
rpmRC rc = RPMRC_OK;
/* If SELinux isn't enabled on the system, dont mess with it */
if (!is_selinux_enabled()) {
rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
}
/* If not enabled or a test-transaction, dont bother with labels */
if (!(rpmtsFlags(ts) & (RPMTRANS_FLAG_NOCONTEXTS|RPMTRANS_FLAG_TEST))) {
rc = sehandle_init(1);
}
return rc;
}
Rename all hook functions for saner debugging - Now that the hook functions in plugins no longer need to be uniformly named, rename them to more "natural" pluginname_hookname style so __func__ (and gdb etc) give meaningful, distinct values for them. No functional changes unless I typoed something.
2013-04-05 14:06:49 +08:00
static rpmRC selinux_tsm_post(rpmPlugin plugin, rpmts ts, int rc)
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
{
if (sehandle) {
sehandle_fini(1);
}
return RPMRC_OK;
}
Rename all hook functions for saner debugging - Now that the hook functions in plugins no longer need to be uniformly named, rename them to more "natural" pluginname_hookname style so __func__ (and gdb etc) give meaningful, distinct values for them. No functional changes unless I typoed something.
2013-04-05 14:06:49 +08:00
static rpmRC selinux_psm_pre(rpmPlugin plugin, rpmte te)
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
{
rpmRC rc = RPMRC_OK;
if (sehandle) {
/* reload the labels if policy changed underneath */
rc = sehandle_init(0);
}
return rc;
}
Use setexecfilecon() from libselinux instead of ad-hoc code This function was factored out from rpm_execcon() upstream to make it easier to use by its users, by making it not call execve() directly. It is now also used by dpkg since 1.17.11. Preserve the ad-hoc code for now so that it can be compiled against old libselinux versions.
2015-01-16 00:01:48 +08:00
#ifndef HAVE_SETEXECFILECON
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
static int setexecfilecon(const char *path, const char *fallback_type)
{
int rc = -1;
Stop using deprecated security_context_t In libselinux >= 3.1 these cause deprecation warnings on build. security_context_t always was nothing but typedef to plain old "char *" so just using that is entirely backwards compatible too.
2020-10-28 14:58:39 +08:00
char *mycon = NULL, fcon = NULL, newcon = NULL;
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
context_t con = NULL;
/* Figure the context to for next exec() */
if (getcon(&mycon) < 0)
goto exit;
if (getfilecon(path, &fcon) < 0)
goto exit;
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
if (security_compute_create(mycon, fcon,
string_to_security_class("process"), &newcon) < 0)
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
goto exit;
if (rstreq(mycon, newcon)) {
con = context_new(mycon);
if (!con)
goto exit;
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
if (context_type_set(con, fallback_type))
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
goto exit;
freecon(newcon);
newcon = xstrdup(context_str(con));
}
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
rc = setexeccon(newcon);
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
exit:
context_free(con);
freecon(newcon);
freecon(fcon);
freecon(mycon);
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
return rc;
}
#endif
static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
const char *path, int type)
{
/* No default transition, use rpm_script_t for now. */
const char *script_type = "rpm_script_t";
rpmRC rc = RPMRC_FAIL;
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
Use setexecfilecon() from libselinux instead of ad-hoc code This function was factored out from rpm_execcon() upstream to make it easier to use by its users, by making it not call execve() directly. It is now also used by dpkg since 1.17.11. Preserve the ad-hoc code for now so that it can be compiled against old libselinux versions.
2015-01-16 00:01:48 +08:00
if (sehandle == NULL)
return RPMRC_OK;
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
if (setexecfilecon(path, script_type) == 0)
Use setexecfilecon() from libselinux instead of ad-hoc code This function was factored out from rpm_execcon() upstream to make it easier to use by its users, by making it not call execve() directly. It is now also used by dpkg since 1.17.11. Preserve the ad-hoc code for now so that it can be compiled against old libselinux versions.
2015-01-16 00:01:48 +08:00
rc = RPMRC_OK;
Permit scriptlet exec context setting to fail in non-enforcing modes for new code path, too. See also 9c082fb8689efdaa5a595d3043e67ccec4ed930c
2015-10-12 18:47:45 +08:00
/* If selinux is not enforcing, we don't care either */
if (rc && security_getenforce() < 1)
rc = RPMRC_OK;
Permit scriptlet exec context setting to fail in non-enforcing modes - This is what rpm_execcon() in libselinux always did, and trying to be more strict causes things to blow up on install to an empty chroot where /proc and /sys/fs/selinux are not mounted.
2013-04-05 15:49:24 +08:00
Use common error logic regardless of setexecfilecon() availability Refactor the custom exec context setting code to look like setexecfilecon() in case the real one is not available to eliminate pesky behavioral differences between the two cases. This fixes a concrete bug of libselinux setexecfilecon() returning with an error when security_getenforce() returns with -1 (such as a bare chroot with no /sys mounts etc), causing us to spit out useless error messages in that case ever since fixing the bogus if-logic in commit ab601b882b9d9d8248250111317615db1aa7b7c6. Fixes: #1077
2020-02-18 21:50:40 +08:00
rpmlog(loglvl(rc), "setexecfilecon: (%s, %s) %s\n",
path, script_type, rc ? strerror(errno) : "");
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
return rc;
}
And now that we finally can, pass rpmfi to plugin hooks when available - Unowned directories obviously do not exist in rpmfi, so plugins still need to be passed path and mode separately, but for all the rest rpmfi is there and contains valuable additional information that's been unavailable to plugins until now
2014-03-05 20:30:59 +08:00
static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
Pass the handle to plugin itself to all plugin hooks - Change all plugin hooks to take plugin itself as the first argument, adjust our existing plugins - Further steps towards making plugins "instances" instead of just semi-global blobs
2013-04-03 16:57:53 +08:00
const char *path, const char *dest,
mode_t file_mode, rpmFsmOp op)
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
{
rpmRC rc = RPMRC_FAIL; /* assume failure */
rpmFileAction action = XFO_ACTION(op);
Fix segfault in selinux plugin when labeling is disabled
2013-03-27 11:52:20 +08:00
if (sehandle && !XFA_SKIPPING(action)) {
Stop using deprecated security_context_t In libselinux >= 3.1 these cause deprecation warnings on build. security_context_t always was nothing but typedef to plain old "char *" so just using that is entirely backwards compatible too.
2020-10-28 14:58:39 +08:00
char *scon = NULL;
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
int conrc = lsetfilecon(path, scon);
if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
rc = RPMRC_OK;
Silence spurious error message from lsetfilecon() on -EOPNOTSUPP We already filter out -EOPNOTSUPP and return OK, but the message was getting logged before the filtering so we'd spit out spurious error messages on filesystems that don't support SELinux (RhBug:1777502)
2019-12-13 20:14:10 +08:00
rpmlog(loglvl(rc != RPMRC_OK), "lsetfilecon: (%s, %s) %s\n",
path, scon, (conrc < 0 ? strerror(errno) : ""));
Restore former behavior of ignoring selinux label "not found" errors - The in-rpm selinux code always ignored errors from selabel_lookup_raw(), but the plugin version does. Apparently it can occasionally return ENOENT as in "no context for this thingie here" for something which causes the plugin version to return an error (I'm seeing this on /var/lib/nfs/rpc_pipefs from nfs-utils) - It's not rpm's business to say everything needs to have a label, although this does seem a bit peculiar: for an arbitrary unknown directory selabel_lookup() seems to normally return a "default" context. Why that is not happening here I haven't got the slightest idea, but then restorecon isn't complaining on this, why should we?
2013-04-02 16:20:01 +08:00
freecon(scon);
} else {
/* No context for dest is not our headache */
if (errno == ENOENT)
rc = RPMRC_OK;
First cut at selinux plugin to replace the in-core selinux support - This obviously clashes with the built-in selinux support, but we need to have something in place before the built-in version is axed so...
2013-03-21 19:07:10 +08:00
}
} else {
rc = RPMRC_OK;
}
return rc;
}
Revamp the way plugin hooks discovered and called, adjust plugins - Add a struct containing all hook function pointers to plugins, let plugins populate it by themselves and call the hooks by the hook struct, avoiding repeated dlsym() discovery on each call etc. - Eliminate now unnecessary PLUGINHOOK_FOO typedefs, defines and the "supported hooks" bitfield: supported hooks are whatever a plugin declares in the struct. This also means the number of possible plugin hooks is not limited by number of bits in an integer. - This means the only symbol plugins need to export is <name>_hooks, the actual functions can be static. This is not the case yet but to avoid changing everything at once... this is already a fairly big commit. - This also fixes the nasty issue where in presence of multiple (non-collection) plugins, supported hooks would not get called if another plugin didn't support that hook because of RPMPLUGINS_SET_HOOK_FUNC() using "return" on several cases, which doesn't go very well with loops.
2013-03-31 17:51:31 +08:00
struct rpmPluginHooks_s selinux_hooks = {
Rename all hook functions for saner debugging - Now that the hook functions in plugins no longer need to be uniformly named, rename them to more "natural" pluginname_hookname style so __func__ (and gdb etc) give meaningful, distinct values for them. No functional changes unless I typoed something.
2013-04-05 14:06:49 +08:00
.tsm_pre = selinux_tsm_pre,
.tsm_post = selinux_tsm_post,
.psm_pre = selinux_psm_pre,
.scriptlet_fork_post = selinux_scriptlet_fork_post,
.fsm_file_prepare = selinux_fsm_file_prepare,
Revamp the way plugin hooks discovered and called, adjust plugins - Add a struct containing all hook function pointers to plugins, let plugins populate it by themselves and call the hooks by the hook struct, avoiding repeated dlsym() discovery on each call etc. - Eliminate now unnecessary PLUGINHOOK_FOO typedefs, defines and the "supported hooks" bitfield: supported hooks are whatever a plugin declares in the struct. This also means the number of possible plugin hooks is not limited by number of bits in an integer. - This means the only symbol plugins need to export is <name>_hooks, the actual functions can be static. This is not the case yet but to avoid changing everything at once... this is already a fairly big commit. - This also fixes the nasty issue where in presence of multiple (non-collection) plugins, supported hooks would not get called if another plugin didn't support that hook because of RPMPLUGINS_SET_HOOK_FUNC() using "return" on several cases, which doesn't go very well with loops.
2013-03-31 17:51:31 +08:00
};