aboutsummaryrefslogtreecommitdiff
path: root/0.8.0/paludis/selinux
diff options
context:
space:
mode:
Diffstat (limited to '0.8.0/paludis/selinux')
-rw-r--r--0.8.0/paludis/selinux/Makefile.am25
-rw-r--r--0.8.0/paludis/selinux/security_context.cc242
-rw-r--r--0.8.0/paludis/selinux/security_context.hh170
3 files changed, 437 insertions, 0 deletions
diff --git a/0.8.0/paludis/selinux/Makefile.am b/0.8.0/paludis/selinux/Makefile.am
new file mode 100644
index 000000000..bcb56c178
--- /dev/null
+++ b/0.8.0/paludis/selinux/Makefile.am
@@ -0,0 +1,25 @@
+MAINTAINERCLEANFILES = Makefile.in
+CLEANFILES = *~
+SUBDIRS = .
+
+paludis_selinux_includedir = $(includedir)/paludis/selinux/
+
+paludis_selinux_include_HEADERS = \
+ security_context.hh
+
+libpaludisselinux_la_SOURCES = \
+ $(paludis_selinux_include_HEADERS) \
+ security_context.cc
+
+libpaludisselinux_la_LDFLAGS = -version-info @VERSION_LIB_CURRENT@:@VERSION_LIB_REVISION@:0
+
+lib_LTLIBRARIES = libpaludisselinux.la
+
+TESTS =
+EXTRA_DIST =
+
+check_PROGRAMS = $(TESTS)
+
+AM_CXXFLAGS = -I$(top_srcdir) @PALUDIS_CXXFLAGS@ @PALUDIS_CXXFLAGS_VISIBILITY@
+
+
diff --git a/0.8.0/paludis/selinux/security_context.cc b/0.8.0/paludis/selinux/security_context.cc
new file mode 100644
index 000000000..2a6dd3b11
--- /dev/null
+++ b/0.8.0/paludis/selinux/security_context.cc
@@ -0,0 +1,242 @@
+/* vim: set sw=4 sts=4 et foldmethod=syntax : */
+
+/*
+ * Copyright (c) 2006 Stephen Bennett <spb@gentoo.org>
+ *
+ * This file is part of the Paludis package manager. Paludis is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU General
+ * Public License as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Paludis is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#include <paludis/util/log.hh>
+#include <paludis/util/stringify.hh>
+#include <paludis/selinux/security_context.hh>
+
+#include "config.h"
+
+#ifdef HAVE_SELINUX
+
+#include <dlfcn.h>
+#include <selinux/selinux.h>
+
+// I think the name explains it. C++ is picky about casting to function pointers.
+#define STUPID_CAST(type, val) reinterpret_cast<type>(reinterpret_cast<uintptr_t>(val))
+
+namespace
+{
+ class LibSELinux
+ {
+ private:
+ void *_handle;
+
+ void (*_freecon)(security_context_t);
+ int (*_getcon)(security_context_t*);
+ int (*_getfscreatecon)(security_context_t*);
+ int (*_setfscreatecon)(security_context_t);
+ int (*_matchpathcon)(const char *, mode_t, security_context_t*);
+ int (*_matchpathcon_init)(const char *);
+ int (*_is_selinux_enabled)(void);
+
+ public:
+ LibSELinux() :
+ _handle(0), _freecon(0), _getcon(0),
+ _getfscreatecon(0), _setfscreatecon(0),
+ _matchpathcon(0), _matchpathcon_init(0),
+ _is_selinux_enabled(0)
+ {
+ _handle = dlopen("libselinux.so", RTLD_LAZY | RTLD_LOCAL);
+ if (0 != _handle)
+ {
+ _freecon = STUPID_CAST(void (*)(security_context_t), dlsym(_handle, "freecon"));
+ _getcon = STUPID_CAST(int (*)(security_context_t*), dlsym(_handle, "getcon"));
+ _getfscreatecon = STUPID_CAST(int (*) (security_context_t*), dlsym(_handle, "getfscreatecon"));
+ _setfscreatecon = STUPID_CAST(int (*) (security_context_t), dlsym(_handle, "setfscreatecon"));
+ _matchpathcon = STUPID_CAST(int (*) (const char *, mode_t, security_context_t *),
+ dlsym(_handle, "matchpathcon"));
+ _matchpathcon_init = STUPID_CAST(int (*) (const char *), dlsym(_handle, "matchpathcon_init"));
+ _is_selinux_enabled = STUPID_CAST(int (*)(void), dlsym(_handle, "is_selinux_enabled"));
+ }
+ }
+
+ ~LibSELinux()
+ {
+ if (0 != _handle)
+ dlclose(_handle);
+ }
+
+ void freecon(security_context_t c)
+ {
+ if (0 != _freecon && is_selinux_enabled())
+ _freecon(c);
+ }
+
+ int getcon(security_context_t *c)
+ {
+ if (0 != _getcon && is_selinux_enabled())
+ return _getcon(c);
+ return 0;
+ }
+
+ int getfscreatecon(security_context_t *c)
+ {
+ if (0 != _getfscreatecon && is_selinux_enabled())
+ return _getfscreatecon(c);
+ return 0;
+ }
+
+ int setfscreatecon(security_context_t c)
+ {
+ if (0 != _setfscreatecon && is_selinux_enabled())
+ return _setfscreatecon(c);
+ return 0;
+ }
+
+ int matchpathcon(const char *path, mode_t mode, security_context_t *con)
+ {
+ if (0 != _matchpathcon && is_selinux_enabled())
+ return _matchpathcon(path, mode, con);
+ return 0;
+ }
+
+ int matchpathcon_init(const char *path)
+ {
+ if (0 != _matchpathcon_init && is_selinux_enabled())
+ return _matchpathcon_init(path);
+ return 0;
+ }
+
+ int is_selinux_enabled()
+ {
+ // Assume that if this returns an error we can't effectively use selinux.
+ if (0 != _is_selinux_enabled)
+ return _is_selinux_enabled() > 0 ? 1 : 0;
+ return 0;
+ }
+ } libselinux;
+}
+
+using namespace paludis;
+
+namespace paludis
+{
+ template<>
+ struct Implementation<SecurityContext> : InternalCounted<Implementation<SecurityContext> >
+ {
+ security_context_t _context;
+
+ Implementation(security_context_t con)
+ : _context(con)
+ { }
+
+ ~Implementation()
+ {
+ if (0 != _context)
+ libselinux.freecon(_context);
+ }
+
+ void set(security_context_t newcon)
+ {
+ if (0 != _context)
+ libselinux.freecon(_context);
+
+ _context = newcon;
+ }
+ };
+}
+
+SecurityContext::SecurityContext()
+ : PrivateImplementationPattern<SecurityContext>(new Implementation<SecurityContext>(0))
+{
+}
+
+SecurityContext::~SecurityContext()
+{
+}
+
+SecurityContext::ConstPointer SecurityContext::current_context()
+{
+ SecurityContext::Pointer p(new SecurityContext);
+ security_context_t con;
+ if (0 != libselinux.getcon(&con))
+ throw SELinuxException("Couldn't get current security context.");
+ p->_imp->set(con);
+ return p;
+}
+
+SecurityContext::ConstPointer SecurityContext::fs_create_context()
+{
+ SecurityContext::Pointer p(new SecurityContext);
+ security_context_t con;
+ if (0 != libselinux.getfscreatecon(&con))
+ throw SELinuxException("Couldn't get current filesystem creation context.");
+ p->_imp->set(con);
+ return p;
+}
+
+std::ostream & paludis::operator<<(std::ostream & os, const SecurityContext & context)
+{
+ os << static_cast<const char *>(context._imp->_context);
+ return os;
+}
+
+FSCreateCon::FSCreateCon(SecurityContext::ConstPointer newfscreatecon)
+ : _context(newfscreatecon), _prev_context(SecurityContext::fs_create_context())
+{
+ if (0 != libselinux.setfscreatecon(_context->_imp->_context))
+ throw SELinuxException("Couldn't set filesystem creation context to '" + stringify(*_context) + "'.");
+}
+
+FSCreateCon::~FSCreateCon()
+{
+ if (0 != libselinux.setfscreatecon(_prev_context->_imp->_context))
+ throw SELinuxException("Couldn't reset filesystem creation context to '" + stringify(*_prev_context) + "'.");
+}
+
+MatchPathCon::MatchPathCon()
+{
+ if (0 != libselinux.matchpathcon_init(0))
+ {
+ _good=false;
+// throw SELinuxException("Failed running matchpathcon_init.");
+ }
+ else
+ _good=true;
+}
+
+MatchPathCon::~MatchPathCon()
+{
+}
+
+bool MatchPathCon::good() const
+{
+ return _good;
+}
+
+SecurityContext::ConstPointer MatchPathCon::match(const std::string & path, mode_t mode) const
+{
+ SecurityContext::Pointer p(new SecurityContext);
+ security_context_t context;
+ if (0 != libselinux.matchpathcon(path.c_str(), mode, &context))
+ {
+ Log::get_instance()->message(ll_warning, lc_no_context,
+ "Couldn't get default security context for '" + path + "'.");
+// throw SELinuxException("Couldn't get default security context for '" + path + "'.");
+ }
+ else
+ {
+ p->_imp->set(context);
+ }
+ return p;
+}
+
+#endif
diff --git a/0.8.0/paludis/selinux/security_context.hh b/0.8.0/paludis/selinux/security_context.hh
new file mode 100644
index 000000000..1388faa68
--- /dev/null
+++ b/0.8.0/paludis/selinux/security_context.hh
@@ -0,0 +1,170 @@
+/* vim: set sw=4 sts=4 et foldmethod=syntax : */
+
+/*
+ * Copyright (c) 2006 Stephen Bennett <spb@gentoo.org>
+ *
+ * This file is part of the Paludis package manager. Paludis is free software;
+ * you can redistribute it and/or modify it under the terms of the GNU General
+ * Public License as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Paludis is distributed in the hope that it will be useful, but WITHOUT ANY
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef PALUDIS_GUARD_PALUDIS_UTIL_SECURITY_CONTEXT_HH
+#define PALUDIS_GUARD_PALUDIS_UTIL_SECURITY_CONTEXT_HH 1
+
+#include <string>
+#include <paludis/util/exception.hh>
+#include <paludis/util/counted_ptr.hh>
+#include <paludis/util/instantiation_policy.hh>
+#include <paludis/util/private_implementation_pattern.hh>
+
+/** \file
+ * Declarations for SecurityContext and associated classes.
+ *
+ * \ingroup grplibpaludisselinux
+ */
+
+namespace paludis
+{
+ class FSCreateCon;
+ class MatchPathCon;
+
+ /**
+ * Error class for SELinux-related functions
+ *
+ * \ingroup grplibpaludisselinux
+ * \ingroup grpexceptions
+ */
+ class PALUDIS_VISIBLE SELinuxException :
+ public Exception
+ {
+ public:
+ /// Constructor.
+ SELinuxException(const std::string & our_message)
+ : Exception(our_message)
+ {
+ }
+ };
+
+ /**
+ * Security context class. Wraps security_context_t.
+ *
+ * \ingroup grplibpaludisselinux
+ */
+ class PALUDIS_VISIBLE SecurityContext :
+ private PrivateImplementationPattern<SecurityContext>,
+ private InstantiationPolicy<SecurityContext, instantiation_method::NonCopyableTag>,
+ public InternalCounted<SecurityContext>
+ {
+ public:
+ /**
+ * Constructor
+ */
+ SecurityContext();
+
+ /**
+ * Can be constructed from a string.
+ */
+ SecurityContext(const std::string &);
+
+ /**
+ * Destructor
+ */
+ ~SecurityContext();
+
+ friend std::ostream& paludis::operator<<(std::ostream&, const SecurityContext &);
+ friend class paludis::FSCreateCon;
+ friend class paludis::MatchPathCon;
+
+ /**
+ * Returns a SecurityContext referring to the current process's context
+ */
+ static SecurityContext::ConstPointer current_context();
+
+ /**
+ * Returns a SecurityContext referring to the current filesystem creation context
+ */
+ static SecurityContext::ConstPointer fs_create_context();
+ };
+
+ /**
+ * A SecurityContext can be written to a stream.
+ *
+ * \ingroup grplibpaludisselinux
+ */
+ std::ostream& operator<<(std::ostream&, const SecurityContext &) PALUDIS_VISIBLE;
+
+ /**
+ * RAII-style wrapper for setfscreatecon().
+ *
+ * Create an FSCreateCon object to set the security context of newly created file objects.
+ * When destroyed, it will revert to the previous creation context.
+ *
+ * Note that this operation is not thread-safe. Any multi-threaded code calling it must use a
+ * critical section to ensure the desired behaviour.
+ *
+ * \ingroup grplibpaludisselinux
+ */
+ class PALUDIS_VISIBLE FSCreateCon
+ {
+ private:
+ SecurityContext::ConstPointer _context;
+ SecurityContext::ConstPointer _prev_context;
+
+ public:
+ /**
+ * Constructor
+ */
+ FSCreateCon(SecurityContext::ConstPointer);
+
+ /**
+ * Destructor
+ */
+ ~FSCreateCon();
+ };
+
+ /**
+ * Wrapper class around matchpathcon().
+ *
+ * \ingroup grplibpaludisselinux
+ */
+ class PALUDIS_VISIBLE MatchPathCon :
+ public InstantiationPolicy<MatchPathCon, instantiation_method::SingletonAsNeededTag>
+ {
+ private:
+ bool _good;
+
+ public:
+ /**
+ * Constructor. Optional parameter is the path to the file_contexts to use.
+ */
+ MatchPathCon();
+
+ /**
+ * Destructor
+ */
+ ~MatchPathCon();
+
+ /**
+ * Retrieve the default context for a given pathname
+ */
+ SecurityContext::ConstPointer match(const std::string &, mode_t = 0) const;
+
+ /**
+ * Did the initialisation succeed?
+ */
+ bool good() const;
+ };
+
+}
+
+#endif