1 /*
2  * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #include "selinux_adp.h"
16 
17 #include <errno.h>
18 
19 #include "init_error.h"
20 #include "init_hook.h"
21 #include "init_module_engine.h"
22 #include "plugin_adapter.h"
23 #include "securec.h"
24 
25 #include <policycoreutils.h>
26 #include <selinux/label.h>
27 #include <selinux/restorecon.h>
28 
29 enum {
30     CMD_LOAD_POLICY = 0,
31     CMD_SET_SERVICE_CONTEXTS = 1,
32     CMD_SET_SOCKET_CONTEXTS = 2,
33     CMD_RESTORE_INDEX = 3,
34     CMD_RESTORE_INDEX_FORCE = 4,
35     CMD_RESTORE_INDEX_SKIP = 5,
36 };
37 
38 extern char *__progname;
39 
LoadSelinuxPolicy(int id,const char * name,int argc,const char ** argv)40 static int LoadSelinuxPolicy(int id, const char *name, int argc, const char **argv)
41 {
42     int ret;
43     char processContext[MAX_SECON_LEN];
44 
45     UNUSED(id);
46     UNUSED(name);
47     UNUSED(argc);
48     UNUSED(argv);
49     PLUGIN_LOGI("LoadSelinuxPolicy ");
50     // load selinux policy and context
51     if (LoadPolicy() < 0) {
52         PLUGIN_LOGE("main, load_policy failed.");
53     } else {
54         PLUGIN_LOGI("main, load_policy success.");
55     }
56 
57     ret = snprintf_s(processContext, sizeof(processContext), sizeof(processContext) - 1, "u:r:%s:s0", __progname);
58     if (ret == -1) {
59         setcon("u:r:init:s0");
60     } else {
61         setcon(processContext);
62     }
63     (void)RestoreconRecurse("/dev");
64     return 0;
65 }
66 
SetServiceContent(int id,const char * name,int argc,const char ** argv)67 static int SetServiceContent(int id, const char *name, int argc, const char **argv)
68 {
69     PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
70     ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
71     char *label = "u:r:limit_domain:s0";
72     if (data != NULL) {
73         label = (char *)data->data;
74     } else {
75         PLUGIN_LOGE("Please set secon field in service %s's cfg file, limit_domain will be blocked", argv[0]);
76     }
77 
78     if (setexeccon(label) < 0) {
79         PLUGIN_LOGE("Service error %d %s, failed to set secon %s.", errno, argv[0], label);
80 #ifndef STARTUP_INIT_TEST
81         _exit(INIT_EEXEC_CONTENT);
82 #endif
83     } else {
84         PLUGIN_LOGV("Service info %s, set secon %s.", argv[0], label);
85     }
86     return 0;
87 }
88 
SetSockCreateCon(int id,const char * name,int argc,const char ** argv)89 static int SetSockCreateCon(int id, const char *name, int argc, const char **argv)
90 {
91     PLUGIN_CHECK(name != NULL, return -1, "Invalid parameter");
92     if (argc == 0) {
93         setsockcreatecon(NULL);
94         return 0;
95     }
96     PLUGIN_CHECK(argc >= 1 && argv != NULL, return -1, "Invalid parameter");
97     ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
98     if (data != NULL) {
99         if (setsockcreatecon((char *)data->data) < 0) {
100             PLUGIN_LOGE("failed to set socket context %s's secon (%s).", argv[0], (char *)data->data);
101 #ifndef STARTUP_INIT_TEST
102             _exit(PROCESS_EXIT_CODE);
103 #endif
104         }
105     }
106 
107     return 0;
108 }
109 
RestoreContentRecurse(int id,const char * name,int argc,const char ** argv)110 static int RestoreContentRecurse(int id, const char *name, int argc, const char **argv)
111 {
112     PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
113     PLUGIN_LOGV("RestoreContentRecurse path %s", argv[0]);
114     if (RestoreconRecurse(argv[0]) && errno != 0) {
115         PLUGIN_LOGE("restoreContentRecurse failed for '%s', err %d.", argv[0], errno);
116     }
117     return 0;
118 }
119 
RestoreContentRecurseForce(int id,const char * name,int argc,const char ** argv)120 static int RestoreContentRecurseForce(int id, const char *name, int argc, const char **argv)
121 {
122     PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
123     PLUGIN_LOGV("RestoreContentRecurseForce path %s", argv[0]);
124     if (RestoreconRecurseForce(argv[0]) && errno != 0) {
125         PLUGIN_LOGE("RestoreContentRecurseForce failed for '%s', err %d.", argv[0], errno);
126     }
127     return 0;
128 }
129 
RestoreContentRecurseSkipElx(int id,const char * name,int argc,const char ** argv)130 static int RestoreContentRecurseSkipElx(int id, const char *name, int argc, const char **argv)
131 {
132     PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
133     PLUGIN_LOGV("RestoreContentRecurseSkipElx path %s", argv[0]);
134     if (RestoreconCommon(argv[0], SELINUX_RESTORECON_REALPATH |
135         SELINUX_RESTORECON_RECURSE | SELINUX_RESTORECON_SKIPELX, 1) && errno != 0) {
136         PLUGIN_LOGE("RestoreContentRecurseSkipElx failed for '%s', err %d.", argv[0], errno);
137     }
138     return 0;
139 }
140 
141 static int32_t g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP + 1] = {0}; // 6 cmd count
SelinuxAdpInit(void)142 static void SelinuxAdpInit(void)
143 {
144     g_selinuxAdpCmdIds[CMD_LOAD_POLICY] = AddCmdExecutor("loadSelinuxPolicy", LoadSelinuxPolicy);
145     g_selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS] = AddCmdExecutor("setServiceContent", SetServiceContent);
146     g_selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS] = AddCmdExecutor("setSockCreateCon", SetSockCreateCon);
147     g_selinuxAdpCmdIds[CMD_RESTORE_INDEX] = AddCmdExecutor("restoreContentRecurse", RestoreContentRecurse);
148     g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_FORCE] =
149         AddCmdExecutor("restoreContentRecurseForce", RestoreContentRecurseForce);
150     g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP] =
151         AddCmdExecutor("restoreContentRecurseSkipElx", RestoreContentRecurseSkipElx);
152 }
153 
SelinuxAdpExit(void)154 static void SelinuxAdpExit(void)
155 {
156     if (g_selinuxAdpCmdIds[CMD_LOAD_POLICY] != -1) {
157         RemoveCmdExecutor("loadSelinuxPolicy", g_selinuxAdpCmdIds[CMD_LOAD_POLICY]);
158     }
159     if (g_selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS] != -1) {
160         RemoveCmdExecutor("setServiceContent", g_selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS]);
161     }
162     if (g_selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS] != -1) {
163         RemoveCmdExecutor("setSockCreateCon", g_selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS]);
164     }
165     if (g_selinuxAdpCmdIds[CMD_RESTORE_INDEX] != -1) {
166         RemoveCmdExecutor("restoreContentRecurse", g_selinuxAdpCmdIds[CMD_RESTORE_INDEX]);
167     }
168     if (g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_FORCE] != -1) {
169         RemoveCmdExecutor("restoreContentRecurseForce", g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_FORCE]);
170     }
171     if (g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP] != -1) {
172         RemoveCmdExecutor("restoreContentRecurseSkipElx", g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP]);
173     }
174 }
175 
MODULE_CONSTRUCTOR(void)176 MODULE_CONSTRUCTOR(void)
177 {
178     PLUGIN_LOGI("Selinux adapter plug-in init now ...");
179     SelinuxAdpInit();
180 }
181 
MODULE_DESTRUCTOR(void)182 MODULE_DESTRUCTOR(void)
183 {
184     if (getpid() != 1) {
185         return;
186     }
187     PLUGIN_LOGI("Selinux adapter plug-in exit now ...");
188     SelinuxAdpExit();
189 }
190