2 * Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
3 * Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
5 * Borrowed heavily from newrole source code
9 * Steve Grubb <sgrubb@redhat.com>
10 * Darrel Goeddel <DGoeddel@trustedcs.com>
11 * Michael Thompson <mcthomps@us.ibm.com>
12 * Dan Walsh <dwalsh@redhat.com>
14 * Permission to use, copy, modify, and distribute this software for any
15 * purpose with or without fee is hereby granted, provided that the above
16 * copyright notice and this permission notice appear in all copies.
18 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
19 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
21 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
22 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
23 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
24 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
29 #include <sys/types.h>
40 #include <selinux/flask.h> /* for SECCLASS_CHR_FILE */
41 #include <selinux/selinux.h> /* for is_selinux_enabled() */
42 #include <selinux/context.h> /* for context-mangling functions */
43 #include <selinux/get_default_type.h>
44 #include <selinux/get_context_list.h>
46 #ifdef HAVE_LINUX_AUDIT
47 # include <libaudit.h>
51 #include "sudo_exec.h"
53 static struct selinux_state {
54 security_context_t old_context;
55 security_context_t new_context;
56 security_context_t tty_context;
57 security_context_t new_tty_context;
63 #ifdef HAVE_LINUX_AUDIT
65 audit_role_change(const security_context_t old_context,
66 const security_context_t new_context, const char *ttyn)
70 debug_decl(audit_role_change, SUDO_DEBUG_SELINUX)
74 /* Kernel may not have audit support. */
75 if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT
77 fatal(_("unable to open audit system"));
79 /* audit role change using the same format as newrole(1) */
80 easprintf(&message, "newrole: old-context=%s new-context=%s",
81 old_context, new_context);
82 rc = audit_log_user_message(au_fd, AUDIT_USER_ROLE_CHANGE,
83 message, NULL, NULL, ttyn, 1);
85 warning(_("unable to send audit message"));
95 * This function attempts to revert the relabeling done to the tty.
96 * fd - referencing the opened ttyn
97 * ttyn - name of tty to restore
99 * Returns zero on success, non-zero otherwise
102 selinux_restore_tty(void)
105 security_context_t chk_tty_context = NULL;
106 debug_decl(selinux_restore_tty, SUDO_DEBUG_SELINUX)
108 if (se_state.ttyfd == -1 || se_state.new_tty_context == NULL)
111 /* Verify that the tty still has the context set by sudo. */
112 if ((retval = fgetfilecon(se_state.ttyfd, &chk_tty_context)) < 0) {
113 warning(_("unable to fgetfilecon %s"), se_state.ttyn);
117 if ((retval = strcmp(chk_tty_context, se_state.new_tty_context))) {
118 warningx(_("%s changed labels"), se_state.ttyn);
122 if ((retval = fsetfilecon(se_state.ttyfd, se_state.tty_context)) < 0)
123 warning(_("unable to restore context for %s"), se_state.ttyn);
126 if (se_state.ttyfd != -1) {
127 close(se_state.ttyfd);
130 if (chk_tty_context != NULL) {
131 freecon(chk_tty_context);
132 chk_tty_context = NULL;
134 debug_return_int(retval);
138 * This function attempts to relabel the tty. If this function fails, then
139 * the contexts are free'd and -1 is returned. On success, 0 is returned
140 * and tty_context and new_tty_context are set.
142 * This function will not fail if it can not relabel the tty when selinux is
143 * in permissive mode.
146 relabel_tty(const char *ttyn, int ptyfd)
148 security_context_t tty_con = NULL;
149 security_context_t new_tty_con = NULL;
151 debug_decl(relabel_tty, SUDO_DEBUG_SELINUX)
153 se_state.ttyfd = ptyfd;
155 /* It is perfectly legal to have no tty. */
156 if (ptyfd == -1 && ttyn == NULL)
159 /* If sudo is not allocating a pty for the command, open current tty. */
161 se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
162 if (se_state.ttyfd == -1) {
163 warning(_("unable to open %s, not relabeling tty"), ttyn);
164 if (se_state.enforcing)
167 (void)fcntl(se_state.ttyfd, F_SETFL,
168 fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
171 if (fgetfilecon(se_state.ttyfd, &tty_con) < 0) {
172 warning(_("unable to get current tty context, not relabeling tty"));
173 if (se_state.enforcing)
177 if (tty_con && (security_compute_relabel(se_state.new_context, tty_con,
178 SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
179 warning(_("unable to get new tty context, not relabeling tty"));
180 if (se_state.enforcing)
184 if (new_tty_con != NULL) {
185 if (fsetfilecon(se_state.ttyfd, new_tty_con) < 0) {
186 warning(_("unable to set new tty context"));
187 if (se_state.enforcing)
193 /* Reopen pty that was relabeled, std{in,out,err} are reset later. */
194 se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY, 0);
195 if (se_state.ttyfd == -1) {
196 warning(_("unable to open %s"), ttyn);
197 if (se_state.enforcing)
200 if (dup2(se_state.ttyfd, ptyfd) == -1) {
205 /* Re-open tty to get new label and reset std{in,out,err} */
206 close(se_state.ttyfd);
207 se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
208 if (se_state.ttyfd == -1) {
209 warning(_("unable to open %s"), ttyn);
212 (void)fcntl(se_state.ttyfd, F_SETFL,
213 fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
214 for (fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
215 if (isatty(fd) && dup2(se_state.ttyfd, fd) == -1) {
221 /* Retain se_state.ttyfd so we can restore label when command finishes. */
222 (void)fcntl(se_state.ttyfd, F_SETFD, FD_CLOEXEC);
224 se_state.ttyn = ttyn;
225 se_state.tty_context = tty_con;
226 se_state.new_tty_context = new_tty_con;
230 if (se_state.ttyfd != -1 && se_state.ttyfd != ptyfd) {
231 close(se_state.ttyfd);
235 debug_return_int(-1);
239 * Returns a new security context based on the old context and the
240 * specified role and type.
243 get_exec_context(security_context_t old_context, const char *role, const char *type)
245 security_context_t new_context = NULL;
246 context_t context = NULL;
247 char *typebuf = NULL;
248 debug_decl(get_exec_context, SUDO_DEBUG_SELINUX)
250 /* We must have a role, the type is optional (we can use the default). */
252 warningx(_("you must specify a role for type %s"), type);
257 if (get_default_type(role, &typebuf)) {
258 warningx(_("unable to get default type for role %s"), role);
266 * Expand old_context into a context_t so that we extract and modify
267 * its components easily.
269 context = context_new(old_context);
272 * Replace the role and type in "context" with the role and
273 * type we will be running the command as.
275 if (context_role_set(context, role)) {
276 warning(_("failed to set new role %s"), role);
279 if (context_type_set(context, type)) {
280 warning(_("failed to set new type %s"), type);
285 * Convert "context" back into a string and verify it.
287 new_context = estrdup(context_str(context));
288 if (security_check_context(new_context) < 0) {
289 warningx(_("%s is not a valid context"), new_context);
295 warningx("Your new context is %s", new_context);
298 context_free(context);
299 debug_return_ptr(new_context);
303 context_free(context);
304 freecon(new_context);
305 debug_return_ptr(NULL);
309 * Set the exec and tty contexts in preparation for fork/exec.
310 * Must run as root, before the uid change.
311 * If ptyfd is not -1, it indicates we are running
312 * in a pty and do not need to reset std{in,out,err}.
313 * Returns 0 on success and -1 on failure.
316 selinux_setup(const char *role, const char *type, const char *ttyn,
320 debug_decl(selinux_setup, SUDO_DEBUG_SELINUX)
322 /* Store the caller's SID in old_context. */
323 if (getprevcon(&se_state.old_context)) {
324 warning(_("failed to get old_context"));
328 se_state.enforcing = security_getenforce();
329 if (se_state.enforcing < 0) {
330 warning(_("unable to determine enforcing mode."));
335 warningx("your old context was %s", se_state.old_context);
337 se_state.new_context = get_exec_context(se_state.old_context, role, type);
338 if (!se_state.new_context)
341 if (relabel_tty(ttyn, ptyfd) < 0) {
342 warning(_("unable to setup tty context for %s"), se_state.new_context);
347 if (se_state.ttyfd != -1) {
348 warningx("your old tty context is %s", se_state.tty_context);
349 warningx("your new tty context is %s", se_state.new_tty_context);
353 #ifdef HAVE_LINUX_AUDIT
354 audit_role_change(se_state.old_context, se_state.new_context,
361 debug_return_int(rval);
365 selinux_execve(const char *path, char *const argv[], char *const envp[],
371 debug_decl(selinux_execve, SUDO_DEBUG_SELINUX)
373 sesh = sudo_conf_sesh_path();
375 warningx("internal error: sesh path not set");
380 if (setexeccon(se_state.new_context)) {
381 warning(_("unable to set exec context to %s"), se_state.new_context);
382 if (se_state.enforcing)
386 #ifdef HAVE_SETKEYCREATECON
387 if (setkeycreatecon(se_state.new_context)) {
388 warning(_("unable to set key creation context to %s"), se_state.new_context);
389 if (se_state.enforcing)
392 #endif /* HAVE_SETKEYCREATECON */
395 * Build new argv with sesh as argv[0].
396 * If argv[0] ends in -noexec, sesh will disable execute
397 * for the command it runs.
399 for (argc = 0; argv[argc] != NULL; argc++)
401 nargv = emalloc2(argc + 2, sizeof(char *));
403 nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec";
405 nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh";
406 nargv[1] = (char *)path;
407 memcpy(&nargv[2], &argv[1], argc * sizeof(char *)); /* copies NULL */
409 /* sesh will handle noexec for us. */
410 sudo_execve(sesh, nargv, envp, 0);