+++ /dev/null
-/*
- * Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com>
- * Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
- *
- * Borrowed heavily from newrole source code
- * Authors:
- * Anthony Colatrella
- * Tim Fraser
- * Steve Grubb <sgrubb@redhat.com>
- * Darrel Goeddel <DGoeddel@trustedcs.com>
- * Michael Thompson <mcthomps@us.ibm.com>
- * Dan Walsh <dwalsh@redhat.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <signal.h>
-#ifdef HAVE_LINUX_AUDIT
-#include <libaudit.h>
-#endif
-
-#include <selinux/flask.h> /* for SECCLASS_CHR_FILE */
-#include <selinux/selinux.h> /* for is_selinux_enabled() */
-#include <selinux/context.h> /* for context-mangling functions */
-#include <selinux/get_default_type.h>
-#include <selinux/get_context_list.h>
-
-#include "sudo.h"
-#include "linux_audit.h"
-
-static struct selinux_state {
- security_context_t old_context;
- security_context_t new_context;
- security_context_t tty_context;
- security_context_t new_tty_context;
- const char *ttyn;
- int ttyfd;
- int enforcing;
-} se_state;
-
-/*
- * This function attempts to revert the relabeling done to the tty.
- * fd - referencing the opened ttyn
- * ttyn - name of tty to restore
- *
- * Returns zero on success, non-zero otherwise
- */
-int
-selinux_restore_tty(void)
-{
- int retval = 0;
- security_context_t chk_tty_context = NULL;
-
- if (se_state.ttyfd == -1 || se_state.new_tty_context == NULL)
- goto skip_relabel;
-
- /* Verify that the tty still has the context set by sudo. */
- if ((retval = fgetfilecon(se_state.ttyfd, &chk_tty_context)) < 0) {
- warning("unable to fgetfilecon %s", se_state.ttyn);
- goto skip_relabel;
- }
-
- if ((retval = strcmp(chk_tty_context, se_state.new_tty_context))) {
- warningx("%s changed labels.", se_state.ttyn);
- goto skip_relabel;
- }
-
- if ((retval = fsetfilecon(se_state.ttyfd, se_state.tty_context)) < 0)
- warning("unable to restore context for %s", se_state.ttyn);
-
-skip_relabel:
- if (se_state.ttyfd != -1) {
- close(se_state.ttyfd);
- se_state.ttyfd = -1;
- }
- if (chk_tty_context != NULL) {
- freecon(chk_tty_context);
- chk_tty_context = NULL;
- }
- return retval;
-}
-
-/*
- * This function attempts to relabel the tty. If this function fails, then
- * the contexts are free'd and -1 is returned. On success, 0 is returned
- * and tty_context and new_tty_context are set.
- *
- * This function will not fail if it can not relabel the tty when selinux is
- * in permissive mode.
- */
-static int
-relabel_tty(const char *ttyn, int ptyfd)
-{
- security_context_t tty_con = NULL;
- security_context_t new_tty_con = NULL;
- int fd;
-
- se_state.ttyfd = ptyfd;
-
- /* It is perfectly legal to have no tty. */
- if (ptyfd == -1 && ttyn == NULL)
- return 0;
-
- /* If sudo is not allocating a pty for the command, open current tty. */
- if (ptyfd == -1) {
- se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
- if (se_state.ttyfd == -1) {
- warning("unable to open %s, not relabeling tty", ttyn);
- if (se_state.enforcing)
- goto bad;
- }
- (void)fcntl(se_state.ttyfd, F_SETFL,
- fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
- }
-
- if (fgetfilecon(se_state.ttyfd, &tty_con) < 0) {
- warning("unable to get current tty context, not relabeling tty");
- if (se_state.enforcing)
- goto bad;
- }
-
- if (tty_con && (security_compute_relabel(se_state.new_context, tty_con,
- SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
- warning("unable to get new tty context, not relabeling tty");
- if (se_state.enforcing)
- goto bad;
- }
-
- if (new_tty_con != NULL) {
- if (fsetfilecon(se_state.ttyfd, new_tty_con) < 0) {
- warning("unable to set new tty context");
- if (se_state.enforcing)
- goto bad;
- }
- }
-
- if (ptyfd != -1) {
- /* Reopen pty that was relabeled, std{in,out,err} are reset later. */
- se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY, 0);
- if (se_state.ttyfd == -1) {
- warning("cannot open %s", ttyn);
- if (se_state.enforcing)
- goto bad;
- }
- if (dup2(se_state.ttyfd, ptyfd) == -1) {
- warning("dup2");
- goto bad;
- }
- } else {
- /* Re-open tty to get new label and reset std{in,out,err} */
- close(se_state.ttyfd);
- se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
- if (se_state.ttyfd == -1) {
- warning("unable to open %s", ttyn);
- goto bad;
- }
- (void)fcntl(se_state.ttyfd, F_SETFL,
- fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
- for (fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
- if (isatty(fd) && dup2(se_state.ttyfd, fd) == -1) {
- warning("dup2");
- goto bad;
- }
- }
- }
- /* Retain se_state.ttyfd so we can restore label when command finishes. */
- (void)fcntl(se_state.ttyfd, F_SETFD, FD_CLOEXEC);
-
- se_state.ttyn = ttyn;
- se_state.tty_context = tty_con;
- se_state.new_tty_context = new_tty_con;
- return 0;
-
-bad:
- if (se_state.ttyfd != -1 && se_state.ttyfd != ptyfd) {
- close(se_state.ttyfd);
- se_state.ttyfd = -1;
- }
- freecon(tty_con);
- return -1;
-}
-
-/*
- * Returns a new security context based on the old context and the
- * specified role and type.
- */
-security_context_t
-get_exec_context(security_context_t old_context, const char *role, const char *type)
-{
- security_context_t new_context = NULL;
- context_t context = NULL;
- char *typebuf = NULL;
-
- /* We must have a role, the type is optional (we can use the default). */
- if (!role) {
- warningx("you must specify a role for type %s", type);
- errno = EINVAL;
- return NULL;
- }
- if (!type) {
- if (get_default_type(role, &typebuf)) {
- warningx("unable to get default type for role %s", role);
- errno = EINVAL;
- return NULL;
- }
- type = typebuf;
- }
-
- /*
- * Expand old_context into a context_t so that we extract and modify
- * its components easily.
- */
- context = context_new(old_context);
-
- /*
- * Replace the role and type in "context" with the role and
- * type we will be running the command as.
- */
- if (context_role_set(context, role)) {
- warning("failed to set new role %s", role);
- goto bad;
- }
- if (context_type_set(context, type)) {
- warning("failed to set new type %s", type);
- goto bad;
- }
-
- /*
- * Convert "context" back into a string and verify it.
- */
- new_context = estrdup(context_str(context));
- if (security_check_context(new_context) < 0) {
- warningx("%s is not a valid context", new_context);
- errno = EINVAL;
- goto bad;
- }
-
-#ifdef DEBUG
- warningx("Your new context is %s", new_context);
-#endif
-
- context_free(context);
- return new_context;
-
-bad:
- free(typebuf);
- context_free(context);
- freecon(new_context);
- return NULL;
-}
-
-/*
- * Set the exec and tty contexts in preparation for fork/exec.
- * Must run as root, before the uid change.
- * If ptyfd is not -1, it indicates we are running
- * in a pty and do not need to reset std{in,out,err}.
- * Returns 0 on success and -1 on failure.
- */
-int
-selinux_setup(const char *role, const char *type, const char *ttyn,
- int ptyfd)
-{
- int rval = -1;
-
- /* Store the caller's SID in old_context. */
- if (getprevcon(&se_state.old_context)) {
- warning("failed to get old_context");
- goto done;
- }
-
- se_state.enforcing = security_getenforce();
- if (se_state.enforcing < 0) {
- warning("unable to determine enforcing mode.");
- goto done;
- }
-
-#ifdef DEBUG
- warningx("your old context was %s", se_state.old_context);
-#endif
- se_state.new_context = get_exec_context(se_state.old_context, role, type);
- if (!se_state.new_context)
- goto done;
-
- if (relabel_tty(ttyn, ptyfd) < 0) {
- warning("unable to setup tty context for %s", se_state.new_context);
- goto done;
- }
-
-#ifdef DEBUG
- if (se_state.ttyfd != -1) {
- warningx("your old tty context is %s", se_state.tty_context);
- warningx("your new tty context is %s", se_state.new_tty_context);
- }
-#endif
-
-#ifdef HAVE_LINUX_AUDIT
- linux_audit_role_change(se_state.old_context, se_state.new_context,
- se_state.ttyn);
-#endif
-
- rval = 0;
-
-done:
- return rval;
-}
-
-void
-selinux_execve(const char *path, char *argv[], char *envp[])
-{
- if (setexeccon(se_state.new_context)) {
- warning("unable to set exec context to %s", se_state.new_context);
- if (se_state.enforcing)
- return;
- }
-
-#ifdef HAVE_SETKEYCREATECON
- if (setkeycreatecon(se_state.new_context)) {
- warning("unable to set key creation context to %s", se_state.new_context);
- if (se_state.enforcing)
- return;
- }
-#endif /* HAVE_SETKEYCREATECON */
-
- /* We use the "spare" slot in argv to store sesh. */
- --argv;
- argv[0] = *argv[1] == '-' ? "-sesh" : "sesh";
- argv[1] = (char *)path;
-
- execve(_PATH_SUDO_SESH, argv, envp);
-}