/*
* Generalized labeling frontend for userspace object managers.
*
* Author : Eamon Walsh <ewalsh@epoch.ncsc.mil>
*/
#include <sys/types.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <selinux/selinux.h>
#include "callbacks.h"
#include "label_internal.h"
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
typedef int (*selabel_initfunc)(struct selabel_handle *rec,
const struct selinux_opt *opts,
unsigned nopts);
/*
 * Backend constructors, indexed by the backend number handed to
 * selabel_open().  The position of each entry is part of the public
 * contract (the backend constant a caller passes is used directly as an
 * index), so entries must not be reordered; selabel_open() range-checks
 * the index against ARRAY_SIZE(initfuncs) before dereferencing.
 */
static selabel_initfunc initfuncs[] = {
	&selabel_file_init,
	&selabel_media_init,
	&selabel_x_init,
	&selabel_db_init,
	&selabel_property_init,
};
/*
 * Release a whole substitution list built by selabel_subs_init(): every
 * node together with the src/dst strings it owns.  Passing NULL (an
 * empty list) is a no-op.
 */
static void selabel_subs_fini(struct selabel_sub *ptr)
{
	struct selabel_sub *cur;
	struct selabel_sub *following;

	for (cur = ptr; cur != NULL; cur = following) {
		/* read the link before the node is gone */
		following = cur->next;
		free(cur->src);
		free(cur->dst);
		free(cur);
	}
}
/*
 * Apply the first matching prefix substitution from "ptr" to "src".
 *
 * An entry matches when its src prefix is followed in "src" by either a
 * '/' or the end of the string, so "/foo" does not rewrite "/foobar".
 * The list is searched in order and the first hit wins.
 *
 * Returns a freshly malloc'd rewritten path that the caller must free, or
 * NULL when no entry applies (and also when asprintf() fails; the two
 * cases are not distinguishable to the caller).
 */
static char *selabel_sub(struct selabel_sub *ptr, const char *src)
{
	struct selabel_sub *entry;

	for (entry = ptr; entry != NULL; entry = entry->next) {
		char *result = NULL;
		char boundary;
		int skip;

		if (strncmp(src, entry->src, entry->slen) != 0)
			continue;

		/* prefix must end on a path-component boundary */
		boundary = src[entry->slen];
		if (boundary != '/' && boundary != '\0')
			continue;

		/*
		 * A dst of "/" already carries the separator, so the '/'
		 * that follows the matched prefix is dropped to avoid
		 * producing "//...".
		 */
		skip = entry->slen;
		if (boundary == '/' && strcmp(entry->dst, "/") == 0)
			skip++;

		if (asprintf(&result, "%s%s", entry->dst, src + skip) < 0)
			return NULL;
		return result;
	}

	return NULL;
}
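/*
 * Read the substitution file at "path" and push its entries onto "list".
 *
 * Each non-blank, non-'#' line is "<src-prefix> <dst-prefix>"; anything
 * after the second token is ignored.  Entries are pushed at the head, so
 * later lines in the file take precedence in selabel_sub().  The file is
 * also fed to digest_add_specfile() so it is covered by the handle digest.
 *
 * Returns the (possibly new) list head.  If the file cannot be opened,
 * "list" is returned untouched.  On an allocation or digest failure the
 * entries already linked are kept and returned; only the node under
 * construction is released.  Ownership of all nodes stays with the
 * caller, who frees them with selabel_subs_fini().
 *
 * Fixes relative to the previous version:
 *  - an fstat() failure no longer leaks the open FILE;
 *  - a token that runs up to the string terminator no longer steps past
 *    it (for a full-length line that read an uninitialised byte of buf,
 *    and for a final line without '\n' it could pick up leftovers of
 *    the previous line as the dst token);
 *  - a digest_add_specfile() failure no longer frees the last node that
 *    had already been linked into the list (dangling pointer, later
 *    double free in selabel_subs_fini());
 *  - <ctype.h> calls receive unsigned char values, as required.
 */
struct selabel_sub *selabel_subs_init(const char *path,
				      struct selabel_sub *list,
				      struct selabel_digest *digest)
{
	char buf[1024];
	FILE *cfg = fopen(path, "r");
	struct selabel_sub *sub = NULL;
	struct stat sb;

	if (!cfg)
		return list;

	if (fstat(fileno(cfg), &sb) < 0)
		goto out;

	/*
	 * NOTE(review): a line longer than sizeof(buf) - 2 bytes is split
	 * by fgets and its tail is parsed as a separate entry.  The
	 * substitution files are treated as trusted configuration, so this
	 * is documented rather than rejected here.
	 */
	while (fgets_unlocked(buf, sizeof(buf) - 1, cfg)) {
		char *ptr = NULL;
		char *src = buf;
		char *dst = NULL;

		while (*src && isspace((unsigned char)*src))
			src++;
		if (src[0] == '#')
			continue;

		ptr = src;
		while (*ptr && !isspace((unsigned char)*ptr))
			ptr++;
		/*
		 * Only step over a real separator.  If the token already
		 * ends at the terminator, advancing would point beyond the
		 * bytes fgets wrote.
		 */
		if (*ptr)
			*ptr++ = '\0';
		if (!*src)
			continue;

		dst = ptr;
		while (*dst && isspace((unsigned char)*dst))
			dst++;
		ptr = dst;
		while (*ptr && !isspace((unsigned char)*ptr))
			ptr++;
		*ptr = '\0';
		if (!*dst)
			continue;

		sub = calloc(1, sizeof(*sub));
		if (!sub)
			goto err;
		sub->src = strdup(src);
		if (!sub->src)
			goto err;
		sub->dst = strdup(dst);
		if (!sub->dst)
			goto err;
		sub->slen = strlen(src);

		sub->next = list;
		list = sub;
		/* owned by the list from here on; err must not touch it */
		sub = NULL;
	}

	if (digest_add_specfile(digest, cfg, NULL, sb.st_size, path) < 0)
		goto err;

out:
	fclose(cfg);
	return list;

err:
	/* only a node that never made it into the list is released here */
	if (sub) {
		free(sub->src);
		free(sub->dst);
		free(sub);
	}
	goto out;
}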
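/*
 * Look for SELABEL_OPT_DIGEST with a value of (char *)1 among "opts"
 * (scanned from the last option to the first, so the last occurrence is
 * the one acted on) and, if present, allocate the digest bookkeeping
 * that the backends fill in through digest_add_specfile().
 *
 * "entry" is never read; it is only overwritten with the new record
 * before being returned, which keeps the existing call signature.
 *
 * Returns the new record, to be released with selabel_digest_fini(), or
 * NULL when the option is absent or an allocation failed.  On failure
 * the partially built record is freed and errno is whatever calloc()
 * left in it.
 *
 * Fix: the previous version jumped to the cleanup label when the first
 * calloc() failed and then dereferenced the NULL "digest" pointer there.
 */
static inline struct selabel_digest *selabel_is_digest_set
				    (const struct selinux_opt *opts,
				    unsigned n,
				    struct selabel_digest *entry)
{
	struct selabel_digest *digest = NULL;

	while (n--) {
		if (opts[n].type != SELABEL_OPT_DIGEST ||
		    opts[n].value != (char *)1)
			continue;

		digest = calloc(1, sizeof(*digest));
		if (!digest)
			return NULL;	/* nothing allocated yet to unwind */

		digest->digest = calloc(1, DIGEST_SPECFILE_SIZE + 1);
		if (!digest->digest)
			goto err;

		digest->specfile_list = calloc(DIGEST_FILES_MAX,
					       sizeof(char *));
		if (!digest->specfile_list)
			goto err;

		entry = digest;
		return entry;
	}

	return NULL;

err:
	/* digest is non-NULL here: the first allocation failure returned above */
	free(digest->digest);
	free(digest->specfile_list);
	free(digest);
	return NULL;
}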
/*
 * Release a digest record from selabel_is_digest_set(): the hash output,
 * the hash input buffer, and the specfile name list (walked up to its
 * terminating NULL entry).  "ptr" must not be NULL.
 *
 * NOTE(review): the name walk relies on specfile_list keeping a NULL
 * terminator; the array is calloc'd with DIGEST_FILES_MAX slots, so
 * presumably digest_add_specfile() never fills the final slot -- confirm
 * in that function.
 */
static void selabel_digest_fini(struct selabel_digest *ptr)
{
	char **name;

	free(ptr->digest);
	free(ptr->hashbuf);

	if (ptr->specfile_list != NULL) {
		for (name = ptr->specfile_list; *name != NULL; name++)
			free(*name);
		free(ptr->specfile_list);
	}

	free(ptr);
}
/*
* Validation functions
*/
/*
 * Report whether SELABEL_OPT_VALIDATE was requested.  Options are scanned
 * from the end so the last occurrence decides.  Returns 1 when the option
 * is present with a non-NULL value, 0 when absent or set with NULL.
 */
static inline int selabel_is_validate_set(const struct selinux_opt *opts,
					  unsigned n)
{
	unsigned i = n;

	while (i > 0) {
		i--;
		if (opts[i].type == SELABEL_OPT_VALIDATE)
			return opts[i].value != NULL;
	}

	return 0;
}
/*
 * Validate the raw context of a lookup record against the running policy
 * via selinux_validate(), but only when the handle was opened with
 * validation enabled and the record has not been validated before.
 *
 * Returns 0 when validation is skipped or succeeds, and the negative
 * selinux_validate() result otherwise; "validated" is set only on success
 * so a failed record is re-checked next time.
 */
int selabel_validate(struct selabel_handle *rec,
		     struct selabel_lookup_rec *contexts)
{
	int rc;

	if (!rec->validating)
		return 0;
	if (contexts->validated)
		return 0;

	rc = selinux_validate(&contexts->ctx_raw);
	if (rc >= 0)
		contexts->validated = 1;

	return rc;
}
/* Public API helpers */
/*
 * Rewrite "key" through the handle's substitution tables: the local
 * (file_contexts.subs) list first, then the distribution list is applied
 * to whatever came out of that.  If the local list has no entry, the
 * distribution list is tried on the original key instead.
 *
 * Returns a malloc'd string the caller frees, or NULL when no
 * substitution applied (callers then use "key" unchanged).
 */
static char *selabel_sub_key(struct selabel_handle *rec, const char *key)
{
	char *local;
	char *dist;

	local = selabel_sub(rec->subs, key);
	if (local == NULL)
		return selabel_sub(rec->dist_subs, key);

	dist = selabel_sub(rec->dist_subs, local);
	if (dist == NULL)
		return local;

	/* the intermediate result is superseded by the dist rewrite */
	free(local);
	return dist;
}
/*
 * Post-process a lookup hit: run the compatibility validation and, when
 * the caller wants a translated context, make sure lr->ctx_trans is
 * populated (it is computed once and cached on the record).
 *
 * Returns 0 on success, -1 when validation or translation failed.
 */
static int selabel_fini(struct selabel_handle *rec,
			struct selabel_lookup_rec *lr,
			int translating)
{
	if (compat_validate(rec, lr, rec->spec_file, 0) != 0)
		return -1;

	/* nothing more to do for raw lookups or an already-cached translation */
	if (!translating || lr->ctx_trans != NULL)
		return 0;

	if (selinux_raw_to_trans_context(lr->ctx_raw, &lr->ctx_trans) != 0)
		return -1;

	return 0;
}
/*
 * Shared body of selabel_lookup() / selabel_lookup_raw(): apply path
 * substitutions to "key", hand the (possibly rewritten) key to the
 * backend's lookup, then validate/translate the hit.
 *
 * Returns the backend-owned lookup record, or NULL with errno set to
 * EINVAL for a NULL key, or NULL when the backend found nothing or
 * selabel_fini() failed.
 */
static struct selabel_lookup_rec *
selabel_lookup_common(struct selabel_handle *rec, int translating,
		      const char *key, int type)
{
	struct selabel_lookup_rec *lr;
	char *rewritten;
	const char *effective;

	if (key == NULL) {
		errno = EINVAL;
		return NULL;
	}

	rewritten = selabel_sub_key(rec, key);
	effective = rewritten != NULL ? rewritten : key;
	lr = rec->func_lookup(rec, effective, type);
	/* the backend does not keep the key, so it can go now */
	free(rewritten);

	if (lr == NULL)
		return NULL;
	if (selabel_fini(rec, lr, translating) != 0)
		return NULL;

	return lr;
}
/*
 * Shared body of selabel_lookup_best_match() / _raw(): like
 * selabel_lookup_common() but dispatches to the backend's best-match
 * lookup with the extra "aliases" list.  Substitution is applied only to
 * "key", not to the aliases.
 *
 * Returns the backend-owned lookup record, or NULL (errno = EINVAL for a
 * NULL key; otherwise no hit or selabel_fini() failure).
 */
static struct selabel_lookup_rec *
selabel_lookup_bm_common(struct selabel_handle *rec, int translating,
			 const char *key, int type, const char **aliases)
{
	struct selabel_lookup_rec *lr;
	char *rewritten;
	const char *effective;

	if (key == NULL) {
		errno = EINVAL;
		return NULL;
	}

	rewritten = selabel_sub_key(rec, key);
	effective = rewritten != NULL ? rewritten : key;
	lr = rec->func_lookup_best_match(rec, effective, aliases, type);
	free(rewritten);

	if (lr == NULL)
		return NULL;
	if (selabel_fini(rec, lr, translating) != 0)
		return NULL;

	return lr;
}
/*
* Public API
*/
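/*
 * Create a labeling handle for the given backend.
 *
 * "backend" indexes initfuncs[] and is range-checked first (errno =
 * EINVAL when out of range).  The validate and digest options are parsed
 * here; everything else is left to the backend constructor.
 *
 * Returns the handle, to be released with selabel_close(), or NULL on
 * failure with errno as left by the failing step.
 *
 * Fix: when the backend constructor fails, the digest record allocated by
 * selabel_is_digest_set() was leaked; it is now released.  func_close is
 * deliberately not invoked on that path, since a failed constructor may
 * not have installed it.
 *
 * NOTE(review): substitution lists a backend attached to rec->subs /
 * rec->dist_subs before failing are still not released here; whether the
 * backend frees them itself on its error path cannot be seen from this
 * file -- confirm before adding selabel_subs_fini() calls, to avoid a
 * double free.
 */
struct selabel_handle *selabel_open(unsigned int backend,
				    const struct selinux_opt *opts,
				    unsigned nopts)
{
	struct selabel_handle *rec;

	if (backend >= ARRAY_SIZE(initfuncs)) {
		errno = EINVAL;
		return NULL;
	}

	/* zeroed so every function pointer / list head starts out NULL */
	rec = calloc(1, sizeof(*rec));
	if (!rec)
		return NULL;

	rec->backend = backend;
	rec->validating = selabel_is_validate_set(opts, nopts);
	rec->subs = NULL;
	rec->dist_subs = NULL;
	rec->digest = selabel_is_digest_set(opts, nopts, rec->digest);

	if ((*initfuncs[backend])(rec, opts, nopts)) {
		if (rec->digest)
			selabel_digest_fini(rec->digest);
		free(rec->spec_file);
		free(rec);
		return NULL;
	}

	return rec;
}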
/*
 * Look up the translated context for "key" of the given "type".
 *
 * On success stores a malloc'd copy in *con (caller frees) and returns 0.
 * Returns -1 when the lookup fails (*con untouched) or the copy cannot be
 * allocated (*con is NULL).
 */
int selabel_lookup(struct selabel_handle *rec, char **con,
		   const char *key, int type)
{
	struct selabel_lookup_rec *hit;
	char *copy;

	hit = selabel_lookup_common(rec, 1, key, type);
	if (hit == NULL)
		return -1;

	copy = strdup(hit->ctx_trans);
	*con = copy;
	return copy != NULL ? 0 : -1;
}
/*
 * Look up the raw (untranslated) context for "key" of the given "type".
 *
 * On success stores a malloc'd copy in *con (caller frees) and returns 0.
 * Returns -1 when the lookup fails (*con untouched) or the copy cannot be
 * allocated (*con is NULL).
 */
int selabel_lookup_raw(struct selabel_handle *rec, char **con,
		       const char *key, int type)
{
	struct selabel_lookup_rec *hit;
	char *copy;

	hit = selabel_lookup_common(rec, 0, key, type);
	if (hit == NULL)
		return -1;

	copy = strdup(hit->ctx_raw);
	*con = copy;
	return copy != NULL ? 0 : -1;
}
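/*
 * Ask the backend whether any entry could match "key" or a path beneath
 * it, after applying the same substitutions as a lookup.  Backends
 * without partial-match support answer true (a match cannot be ruled
 * out), so callers may only use a false result to prune.
 *
 * Fix: a NULL key previously reached selabel_sub()/strncmp() unchecked;
 * it is now rejected up front like in selabel_lookup(), returning false
 * with errno = EINVAL.
 */
bool selabel_partial_match(struct selabel_handle *rec, const char *key)
{
	char *rewritten;
	bool ret;

	if (!rec->func_partial_match) {
		/*
		 * If the label backend does not support partial matching,
		 * then assume a match is possible.
		 */
		return true;
	}

	if (key == NULL) {
		errno = EINVAL;
		return false;
	}

	rewritten = selabel_sub_key(rec, key);
	ret = rec->func_partial_match(rec, rewritten != NULL ? rewritten : key);
	free(rewritten);

	return ret;
}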
/*
 * Best-match variant of selabel_lookup(): the backend picks among "key"
 * and its "aliases".  Fails with errno = ENOTSUP when the backend has no
 * best-match support.
 *
 * On success stores a malloc'd translated context in *con (caller frees)
 * and returns 0; -1 on lookup failure (*con untouched) or allocation
 * failure (*con is NULL).
 */
int selabel_lookup_best_match(struct selabel_handle *rec, char **con,
			      const char *key, const char **aliases, int type)
{
	struct selabel_lookup_rec *hit;
	char *copy;

	if (rec->func_lookup_best_match == NULL) {
		errno = ENOTSUP;
		return -1;
	}

	hit = selabel_lookup_bm_common(rec, 1, key, type, aliases);
	if (hit == NULL)
		return -1;

	copy = strdup(hit->ctx_trans);
	*con = copy;
	return copy != NULL ? 0 : -1;
}
/*
 * Raw-context variant of selabel_lookup_best_match().  Fails with
 * errno = ENOTSUP when the backend has no best-match support.
 *
 * On success stores a malloc'd raw context in *con (caller frees) and
 * returns 0; -1 on lookup failure (*con untouched) or allocation failure
 * (*con is NULL).
 */
int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
				  const char *key, const char **aliases, int type)
{
	struct selabel_lookup_rec *hit;
	char *copy;

	if (rec->func_lookup_best_match == NULL) {
		errno = ENOTSUP;
		return -1;
	}

	hit = selabel_lookup_bm_common(rec, 0, key, type, aliases);
	if (hit == NULL)
		return -1;

	copy = strdup(hit->ctx_raw);
	*con = copy;
	return copy != NULL ? 0 : -1;
}
/*
 * Compare two handles through their backend comparison routine.  Handles
 * from different backends (different func_cmp), or from a backend with
 * no comparison support, are reported as SELABEL_INCOMPARABLE.
 */
enum selabel_cmp_result selabel_cmp(struct selabel_handle *h1,
				    struct selabel_handle *h2)
{
	if (h1->func_cmp == NULL)
		return SELABEL_INCOMPARABLE;
	if (h2->func_cmp != h1->func_cmp)
		return SELABEL_INCOMPARABLE;

	return (*h1->func_cmp)(h1, h2);
}
/*
 * Expose the digest computed over the specfiles the handle loaded, plus
 * the list of those files.  Requires the handle to have been opened with
 * SELABEL_OPT_DIGEST; otherwise fails with errno = EINVAL.
 *
 * The returned pointers alias the handle's own storage: they must not be
 * freed by the caller and are valid only until selabel_close().
 * *digest_len is always DIGEST_SPECFILE_SIZE.
 */
int selabel_digest(struct selabel_handle *rec,
		   unsigned char **digest, size_t *digest_len,
		   char ***specfiles, size_t *num_specfiles)
{
	const struct selabel_digest *d = rec->digest;

	if (d == NULL) {
		errno = EINVAL;
		return -1;
	}

	*digest = d->digest;
	*digest_len = DIGEST_SPECFILE_SIZE;
	*specfiles = d->specfile_list;
	*num_specfiles = d->specfile_cnt;

	return 0;
}
/*
 * Tear down a handle from selabel_open(): substitution lists, the digest
 * record (if any), the backend's private state via func_close, then the
 * spec file name and the handle itself.  Pointers previously returned by
 * selabel_digest() become invalid.
 */
void selabel_close(struct selabel_handle *rec)
{
	struct selabel_digest *digest = rec->digest;

	selabel_subs_fini(rec->subs);
	selabel_subs_fini(rec->dist_subs);

	if (digest != NULL)
		selabel_digest_fini(digest);

	/* backend-owned state goes before the handle that points at it */
	(*rec->func_close)(rec);

	free(rec->spec_file);
	free(rec);
}
/*
 * Print/log backend statistics; a plain dispatch to the backend's
 * func_stats with no bookkeeping at this level.
 */
void selabel_stats(struct selabel_handle *rec)
{
	(*rec->func_stats)(rec);
}