github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/cmd/snap-confine/selinux-support.c (about) 1 /* 2 * Copyright (C) 2018 Canonical Ltd 3 * 4 * This program is free software: you can redistribute it and/or modify 5 * it under the terms of the GNU General Public License version 3 as 6 * published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, 9 * but WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 * GNU General Public License for more details. 12 * 13 * You should have received a copy of the GNU General Public License 14 * along with this program. If not, see <http://www.gnu.org/licenses/>. 15 * 16 */ 17 #include "selinux-support.h" 18 #include "config.h" 19 20 #include <selinux/context.h> 21 #include <selinux/selinux.h> 22 23 #include "../libsnap-confine-private/cleanup-funcs.h" 24 #include "../libsnap-confine-private/string-utils.h" 25 #include "../libsnap-confine-private/utils.h" 26 27 static void sc_freecon(char **ctx) { 28 if (ctx != NULL && *ctx != NULL) { 29 freecon(*ctx); 30 *ctx = NULL; 31 } 32 } 33 34 static void sc_context_free(context_t *ctx) { 35 if (ctx != NULL && *ctx != NULL) { 36 context_free(*ctx); 37 *ctx = NULL; 38 } 39 } 40 41 /** 42 * Set security context for the snap. 43 * 44 * Sets up SELinux context transition to unconfined_service_t. 45 **/ 46 int sc_selinux_set_snap_execcon(void) { 47 if (is_selinux_enabled() < 1) { 48 debug("SELinux not enabled"); 49 return 0; 50 } 51 52 char *ctx_str SC_CLEANUP(sc_freecon) = NULL; 53 if (getcon(&ctx_str) < 0) { 54 die("cannot obtain current SELinux process context"); 55 } 56 debug("current SELinux process context: %s", ctx_str); 57 58 context_t ctx SC_CLEANUP(sc_context_free) = context_new(ctx_str); 59 if (ctx == NULL) { 60 die("cannot create SELinux context from context string %s", ctx_str); 61 } 62 63 /* freed by context_free(ctx) */ 64 const char *ctx_type = context_type_get(ctx); 65 66 if (ctx_type == NULL) { 67 die("cannot obtain type from SELinux context string %s", ctx_str); 68 } 69 70 if (sc_streq(ctx_type, "snappy_confine_t")) { 71 /* We are running under a targeted policy which ended up transitioning 72 * to snappy_confine_t domain, at this point we are right before 73 * executing snap-exec. However we do not have a full SELinux support 74 * for services running in snaps, only the snapd bits and helpers are 75 * covered by the policy. 76 * 77 * At this point transition to the unconfined_service_t domain (allowed 78 * by snap_confine_t policy) upon the next exec() call. 79 */ 80 if (context_type_set(ctx, "unconfined_service_t") != 0) { 81 die("cannot update SELinux context %s type to unconfined_service_t", ctx_str); 82 } 83 84 /* freed by context_free(ctx) */ 85 char *new_ctx_str = context_str(ctx); 86 if (new_ctx_str == NULL) { 87 die("cannot obtain updated SELinux context string"); 88 } 89 if (setexeccon(new_ctx_str) < 0) { 90 die("cannot set SELinux exec context to %s", new_ctx_str); 91 } 92 debug("SELinux context after next exec: %s", new_ctx_str); 93 } 94 95 return 0; 96 }