2 * SPDX-License-Identifier: ISC
4 * Copyright (c) 2009-2016 Todd C. Miller <Todd.Miller@sudo.ws>
5 * Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
7 * Borrowed heavily from newrole source code
11 * Steve Grubb <sgrubb@redhat.com>
12 * Darrel Goeddel <DGoeddel@trustedcs.com>
13 * Michael Thompson <mcthomps@us.ibm.com>
14 * Dan Walsh <dwalsh@redhat.com>
16 * Permission to use, copy, modify, and distribute this software for any
17 * purpose with or without fee is hereby granted, provided that the above
18 * copyright notice and this permission notice appear in all copies.
20 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
21 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
22 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
23 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
24 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
25 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
26 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
30 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
31 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
38 #include <sys/types.h>
49 #include <selinux/selinux.h> /* for is_selinux_enabled() */
50 #include <selinux/context.h> /* for context-mangling functions */
51 #include <selinux/get_default_type.h>
52 #include <selinux/get_context_list.h>
54 #ifdef HAVE_LINUX_AUDIT
55 # include <libaudit.h>
59 #include "sudo_exec.h"
61 static struct selinux_state {
62 security_context_t old_context;
63 security_context_t new_context;
64 security_context_t tty_context;
65 security_context_t new_tty_context;
71 #ifdef HAVE_LINUX_AUDIT
73 audit_role_change(const security_context_t old_context,
74 const security_context_t new_context, const char *ttyn, int result)
78 debug_decl(audit_role_change, SUDO_DEBUG_SELINUX)
82 /* Kernel may not have audit support. */
83 if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT
85 sudo_fatal(U_("unable to open audit system"));
87 /* audit role change using the same format as newrole(1) */
88 rc = asprintf(&message, "newrole: old-context=%s new-context=%s",
89 old_context, new_context);
91 sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
92 rc = audit_log_user_message(au_fd, AUDIT_USER_ROLE_CHANGE,
93 message, NULL, NULL, ttyn, result);
95 sudo_warn(U_("unable to send audit message"));
100 debug_return_int(rc);
105 * This function attempts to revert the relabeling done to the tty.
106 * fd - referencing the opened ttyn
107 * ttyn - name of tty to restore
109 * Returns zero on success, non-zero otherwise
112 selinux_restore_tty(void)
115 security_context_t chk_tty_context = NULL;
116 debug_decl(selinux_restore_tty, SUDO_DEBUG_SELINUX)
118 if (se_state.ttyfd == -1 || se_state.new_tty_context == NULL)
121 /* Verify that the tty still has the context set by sudo. */
122 if ((retval = fgetfilecon(se_state.ttyfd, &chk_tty_context)) < 0) {
123 sudo_warn(U_("unable to fgetfilecon %s"), se_state.ttyn);
127 if ((retval = strcmp(chk_tty_context, se_state.new_tty_context))) {
128 sudo_warnx(U_("%s changed labels"), se_state.ttyn);
132 if ((retval = fsetfilecon(se_state.ttyfd, se_state.tty_context)) < 0)
133 sudo_warn(U_("unable to restore context for %s"), se_state.ttyn);
136 if (se_state.ttyfd != -1) {
137 close(se_state.ttyfd);
140 if (chk_tty_context != NULL) {
141 freecon(chk_tty_context);
142 chk_tty_context = NULL;
144 debug_return_int(retval);
148 * This function attempts to relabel the tty. If this function fails, then
149 * the contexts are free'd and -1 is returned. On success, 0 is returned
150 * and tty_context and new_tty_context are set.
152 * This function will not fail if it can not relabel the tty when selinux is
153 * in permissive mode.
156 relabel_tty(const char *ttyn, int ptyfd)
158 security_context_t tty_con = NULL;
159 security_context_t new_tty_con = NULL;
162 debug_decl(relabel_tty, SUDO_DEBUG_SELINUX)
164 se_state.ttyfd = ptyfd;
166 /* It is perfectly legal to have no tty. */
167 if (ptyfd == -1 && ttyn == NULL)
170 /* If sudo is not allocating a pty for the command, open current tty. */
172 se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY|O_NONBLOCK);
173 if (se_state.ttyfd == -1 || fstat(se_state.ttyfd, &sb) == -1) {
174 sudo_warn(U_("unable to open %s, not relabeling tty"), ttyn);
177 if (!S_ISCHR(sb.st_mode)) {
178 sudo_warn(U_("%s is not a character device, not relabeling tty"),
182 (void)fcntl(se_state.ttyfd, F_SETFL,
183 fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
186 if (fgetfilecon(se_state.ttyfd, &tty_con) < 0) {
187 sudo_warn(U_("unable to get current tty context, not relabeling tty"));
192 security_class_t tclass = string_to_security_class("chr_file");
194 sudo_warn(U_("unknown security class \"chr_file\", not relabeling tty"));
197 if (security_compute_relabel(se_state.new_context, tty_con,
198 tclass, &new_tty_con) < 0) {
199 sudo_warn(U_("unable to get new tty context, not relabeling tty"));
204 if (new_tty_con != NULL) {
205 if (fsetfilecon(se_state.ttyfd, new_tty_con) < 0) {
206 sudo_warn(U_("unable to set new tty context"));
212 /* Reopen pty that was relabeled, std{in,out,err} are reset later. */
213 se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY, 0);
214 if (se_state.ttyfd == -1 || fstat(se_state.ttyfd, &sb) == -1) {
215 sudo_warn(U_("unable to open %s"), ttyn);
218 if (!S_ISCHR(sb.st_mode)) {
219 sudo_warn(U_("%s is not a character device, not relabeling tty"),
223 if (dup2(se_state.ttyfd, ptyfd) == -1) {
228 /* Re-open tty to get new label and reset std{in,out,err} */
229 close(se_state.ttyfd);
230 se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY|O_NONBLOCK);
231 if (se_state.ttyfd == -1 || fstat(se_state.ttyfd, &sb) == -1) {
232 sudo_warn(U_("unable to open %s"), ttyn);
235 if (!S_ISCHR(sb.st_mode)) {
236 sudo_warn(U_("%s is not a character device, not relabeling tty"),
240 (void)fcntl(se_state.ttyfd, F_SETFL,
241 fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
242 for (fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
243 if (isatty(fd) && dup2(se_state.ttyfd, fd) == -1) {
249 /* Retain se_state.ttyfd so we can restore label when command finishes. */
250 (void)fcntl(se_state.ttyfd, F_SETFD, FD_CLOEXEC);
252 se_state.ttyn = ttyn;
253 se_state.tty_context = tty_con;
254 se_state.new_tty_context = new_tty_con;
258 if (se_state.ttyfd != -1 && se_state.ttyfd != ptyfd) {
259 close(se_state.ttyfd);
263 debug_return_int(se_state.enforcing ? -1 : 0);
267 * Returns a new security context based on the old context and the
268 * specified role and type.
271 get_exec_context(security_context_t old_context, const char *role, const char *type)
273 security_context_t new_context = NULL;
274 context_t context = NULL;
275 char *typebuf = NULL;
276 debug_decl(get_exec_context, SUDO_DEBUG_SELINUX)
278 /* We must have a role, the type is optional (we can use the default). */
280 sudo_warnx(U_("you must specify a role for type %s"), type);
285 if (get_default_type(role, &typebuf)) {
286 sudo_warnx(U_("unable to get default type for role %s"), role);
294 * Expand old_context into a context_t so that we extract and modify
295 * its components easily.
297 context = context_new(old_context);
300 * Replace the role and type in "context" with the role and
301 * type we will be running the command as.
303 if (context_role_set(context, role)) {
304 sudo_warn(U_("failed to set new role %s"), role);
307 if (context_type_set(context, type)) {
308 sudo_warn(U_("failed to set new type %s"), type);
313 * Convert "context" back into a string and verify it.
315 if ((new_context = strdup(context_str(context))) == NULL) {
316 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
319 if (security_check_context(new_context) < 0) {
320 sudo_warnx(U_("%s is not a valid context"), new_context);
326 sudo_warnx("Your new context is %s", new_context);
329 context_free(context);
330 debug_return_ptr(new_context);
334 context_free(context);
335 freecon(new_context);
336 debug_return_ptr(NULL);
340 * Set the exec and tty contexts in preparation for fork/exec.
341 * Must run as root, before the uid change.
342 * If ptyfd is not -1, it indicates we are running
343 * in a pty and do not need to reset std{in,out,err}.
344 * Returns 0 on success and -1 on failure.
347 selinux_setup(const char *role, const char *type, const char *ttyn,
351 debug_decl(selinux_setup, SUDO_DEBUG_SELINUX)
353 /* Store the caller's SID in old_context. */
354 if (getprevcon(&se_state.old_context)) {
355 sudo_warn(U_("failed to get old_context"));
359 se_state.enforcing = security_getenforce();
360 if (se_state.enforcing < 0) {
361 sudo_warn(U_("unable to determine enforcing mode."));
366 sudo_warnx("your old context was %s", se_state.old_context);
368 se_state.new_context = get_exec_context(se_state.old_context, role, type);
369 if (!se_state.new_context) {
370 #ifdef HAVE_LINUX_AUDIT
371 audit_role_change(se_state.old_context, "?",
377 if (relabel_tty(ttyn, ptyfd) < 0) {
378 sudo_warn(U_("unable to set tty context to %s"), se_state.new_context);
383 if (se_state.ttyfd != -1) {
384 sudo_warnx("your old tty context is %s", se_state.tty_context);
385 sudo_warnx("your new tty context is %s", se_state.new_tty_context);
389 #ifdef HAVE_LINUX_AUDIT
390 audit_role_change(se_state.old_context, se_state.new_context,
397 debug_return_int(ret);
401 selinux_execve(int fd, const char *path, char *const argv[], char *envp[],
406 int argc, nargc, serrno;
407 debug_decl(selinux_execve, SUDO_DEBUG_SELINUX)
409 sesh = sudo_conf_sesh_path();
411 sudo_warnx("internal error: sesh path not set");
416 if (setexeccon(se_state.new_context)) {
417 sudo_warn(U_("unable to set exec context to %s"), se_state.new_context);
418 if (se_state.enforcing)
422 #ifdef HAVE_SETKEYCREATECON
423 if (setkeycreatecon(se_state.new_context)) {
424 sudo_warn(U_("unable to set key creation context to %s"), se_state.new_context);
425 if (se_state.enforcing)
428 #endif /* HAVE_SETKEYCREATECON */
431 * Build new argv with sesh as argv[0].
432 * If argv[0] ends in -noexec, sesh will disable execute
433 * for the command it runs.
435 for (argc = 0; argv[argc] != NULL; argc++)
437 nargv = reallocarray(NULL, argc + 3, sizeof(char *));
439 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
443 nargv[0] = *argv[0] == '-' ? "-sesh-noexec" : "sesh-noexec";
445 nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh";
447 if (fd != -1 && asprintf(&nargv[nargc++], "--execfd=%d", fd) == -1) {
448 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
451 nargv[nargc++] = (char *)path;
452 memcpy(&nargv[nargc], &argv[1], argc * sizeof(char *)); /* copies NULL */
454 /* sesh will handle noexec for us. */
455 sudo_execve(-1, sesh, nargv, envp, false);
462 #endif /* HAVE_SELINUX */