Changes in 21.7
===============
- *
+ * Upgraded SELinux code to new api, thanks to Chris PeBenito
Changes in 21.6
===============
AC_PROG_LN_S
dnl checks for options
-AC_SUBST([FLASK_LINUX])
-AC_ARG_ENABLE([flask],
- [AS_HELP_STRING([--enable-flask], [Enable Security-Enhanced Linux features])],
- [enable_flask=$enableval],
- [enable_flask="no"])
-if test "$enable_flask" = "yes"; then
- AC_DEFINE([FLASK_LINUX], [1], [Use Security-Enhanced Linux features])
- AC_CHECK_LIB([secure], [avc_toggle], [FLASK_LIB=-lsecure], [
- AC_MSG_ERROR([Cannot find selinux/ secure static library]) ])
+AC_SUBST([WITH_SELINUX])
+AC_ARG_ENABLE([selinux],
+ [AS_HELP_STRING([--enable-selinux], [Enable Security-Enhanced Linux features])],
+ [enable_selinux=$enableval],
+ [enable_selinux="no"])
+if test "$enable_selinux" = "yes"; then
+ AC_DEFINE([WITH_SELINUX], [1], [Use Security-Enhanced Linux features])
+ AC_CHECK_LIB([selinux], [getfilecon], [SELINUX_LIB=-lselinux], [
+ AC_MSG_ERROR([Cannot find selinux static library]) ])
fi
-AC_SUBST([FLASK_LIB])
+AC_SUBST([SELINUX_LIB])
dnl Checks for libraries.
AC_CHECK_LIB([ncurses], [tgetent], [TERMCAP_LIB=-lncurses], [
.SH SYNOPSIS
.ad l
.B killall
-.RB [ \-d , \-\-sid ]
-.RB [ \-c , \-\-context ]
+.RB [ \-Z , \-\-context ]
.RB [ \-e , \-\-exact ]
.RB [ \-g , \-\-process\-group ]
.RB [ \-i , \-\-interactive ]
any of the killed processes still exist and only returns if none are left.
Note that \fBkillall\fP may wait forever if the signal was ignored, had no
effect, or if the process stays in zombie state.
-.IP \fB\-d\fP
-(Flask only) Specify SID: kill only processes with given SID. Mutually exclusive
-with \fB\-c\fP argument. Must precede other arguments on command line.
-.IP \fB\-c\fP
-(Flask only) Specify security context: kill only processes with given security
-context. Mutually exclusive with \fB\-d\fP. Must precede other arguments on
-the command line.
+.IP \fB\-Z\fP
+(SELinux Only) Specify security context: kill only processes with given security context.
+Must precede other arguments on the command line.
.SH FILES
.nf
/proc location of the proc file system
.RB [ \-n ]
.RB [ \-p ]
.RB [ \-u ]
+.RB [ \-Z ]
.RB [ \-A | \-G | \-U ]
.RB [ \fIpid\fB | \fIuser\fB]
.br
with \fBecho \-e '\\033%@'\fP
.IP \fB\-V\fP
Display version information.
-.IP \fB\-s\fP
-(Flask) Show Security ID (SID) for each process.
-.IP \fB\-x\fP
-(Flask) Show security context for each process.
+.IP \fB\-Z\fP
+(SELinux) Show security context for each process.
.SH FILES
.nf
/proc location of the proc file system
killall_SOURCES = killall.c comm.h signals.c signals.h i18n.h
-killall_LDADD = @FLASK_LIB@
+killall_LDADD = @SELINUX_LIB@
pstree_SOURCES = pstree.c comm.h i18n.h
-pstree_LDADD = @TERMCAP_LIB@ @FLASK_LIB@
+pstree_LDADD = @TERMCAP_LIB@ @SELINUX_LIB@
BUILT_SOURCES = signames.h
#include <sys/types.h>
#include <sys/stat.h>
#include <getopt.h>
-#ifdef FLASK_LINUX
-#include <selinux/fs_secure.h>
-#include <selinux/ss.h>
-#endif /*FLASK_LINUX*/
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
#include "i18n.h"
#include "comm.h"
/* Never should get here */
}
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
static int
-kill_all(int signal, int names, char **namelist, security_id_t sid )
-#else /*FLASK_LINUX*/
+kill_all(int signal, int names, char **namelist, security_context_t scontext )
+#else /*WITH_SELINUX*/
static int
kill_all (int signal, int names, char **namelist)
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
{
DIR *dir;
struct dirent *de;
int empty, i, j, okay, length, got_long, error;
int pids, max_pids, pids_killed;
unsigned long found;
-#ifdef FLASK_LINUX
- security_id_t lsid;
+#ifdef WITH_SELINUX
+ security_context_t lcontext=NULL;
if ( names == 0 || ! namelist ) exit( 1 ); /* do the obvious thing...*/
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
if (!(name_len = malloc (sizeof (int) * names)))
{
sts[i].st_dev = 0;
name_len[i] = strlen (namelist[i]);
}
-#ifdef FLASK_LINUX
- else if (stat_secure(namelist[i],&sts[i], &lsid) < 0) {
- perror(namelist[i]);
- exit(1);
- }
-#else /*FLASK_LINUX*/
else if (stat (namelist[i], &sts[i]) < 0)
{
perror (namelist[i]);
exit (1);
}
-#endif /*FLASK_LINUX*/
}
self = getpid ();
found = 0;
else if (got_long ? strcmp (namelist[j], command) :
strncmp (namelist[j], comm, COMM_LEN - 1))
continue;
-#ifdef FLASK_LINUX
- if ( (int) sid > 0 ) {
- if ( stat_secure(path, &st, &lsid) < 0 )
+#ifdef WITH_SELINUX
+ if ( scontext != NULL ) {
+ if ( getpidcon(pid_table[i], &lcontext) < 0 )
continue;
- if ( lsid != sid )
+ if (strcmp(lcontext,scontext)!=0) {
+ freecon(lcontext);
continue;
+ }
+ freecon(lcontext);
}
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
}
else
{
if (asprintf (&path, PROC_BASE "/%d/exe", pid_table[i]) < 0)
continue;
-#ifdef FLASK_LINUX
- if (stat_secure(path,&st,&lsid) < 0) {
- free(path);
- continue;
- }
- if (sts[j].st_dev != st.st_dev ||
- sts[j].st_ino != st.st_ino ||
- ((int) sid > 0 && (lsid != sid)) ) {
- free(path);
- continue;
- }
-#else /*FLASK_LINUX*/
+
if (stat (path, &st) < 0) {
free (path);
continue;
}
-#endif /*FLASK_LINUX*/
free (path);
-
+#ifdef WITH_SELINUX
+ if ( scontext != NULL ) {
+ if ( getpidcon(pid_table[i], &lcontext) < 0 )
+ continue;
+ if (strcmp(lcontext,scontext)!=0) {
+ freecon(lcontext);
+ continue;
+ }
+ freecon(lcontext);
+ }
+#endif /*WITH_SELINUX*/
if (sts[j].st_dev != st.st_dev || sts[j].st_ino != st.st_ino)
continue;
}
static void
usage_killall (void)
{
-#ifdef FLASK_LINUX
- fprintf(stderr, _(
- "usage: killall [-s sid] [-c context] [ -egiqvw ] [ -signal ] name ...\n"));
-#else /*FLASK_LINUX*/
fprintf(stderr, _(
"usage: killall [ OPTIONS ] [ -- ] name ...\n"));
-#endif /*FLASK_LINUX*/
fprintf(stderr, _(
" killall -l, --list\n"
" killall -V --version\n\n"
" -v,--verbose report if the signal was successfully sent\n"
" -V,--version display version information\n"
" -w,--wait wait for processes to die\n\n"));
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
fprintf(stderr, _(
- " -d,--sid kill only process(es) having sid\n"
- " -c,--context kill only process(es) having scontext\n"
- " (-s, -c are mutually exclusive and must precede other arguments)\n\n"
- ));
-#endif /*FLASK_LINUX*/
+ " -Z,--context kill only process(es) having context\n"
+ " (must precede other arguments)"));
+#endif /*WITH_SELINUX*/
}
{"signal", 1, NULL, 's'},
{"verbose", 0, NULL, 'v'},
{"wait", 0, NULL, 'w'},
-#ifdef FLASK_LINUX
- {"Sid", 1, NULL, 'd'},
- {"context", 1, NULL, 'c'},
-#endif /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ {"context", 1, NULL, 'Z'},
+#endif /*WITH_SELINUX*/
{"version", 0, NULL, 'V'},
{0,0,0,0 }};
-#ifdef FLASK_LINUX
- security_id_t sid = -1;
+#ifdef WITH_SELINUX
+ security_context_t scontext = NULL;
if ( argc < 2 ) usage(); /* do the obvious thing... */
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
name = strrchr (*argv, '/');
if (name)
#endif
opterr = 0;
-#ifdef FLASK_LINUX
- while ( (optc = getopt_long_only(argc,argv,"egilqs:vwd:c:VI",options,NULL)) != EOF) {
+#ifdef WITH_SELINUX
+ while ( (optc = getopt_long_only(argc,argv,"egilqs:vwZ:VI",options,NULL)) != EOF) {
#else
while ( (optc = getopt_long_only(argc,argv,"egilqs:vwVI",options,NULL)) != EOF) {
#endif
print_version();
return 0;
break;
-#ifdef FLASK_LINUX
- case 'd': {
- char **buf, *calloc();
- int strlen(), rv;
- __u32 len;
- security_id_t lsid;
-
- buf = (char **) calloc(1, strlen(optarg));
- if ( ! buf ) {
- (void) fprintf(stderr, "%s: %s\n", name, strerror(errno));
- return( 1 );
- }
-
- lsid = strtol(optarg, buf, 0);
- if ( **buf ) {
- (void) fprintf(stderr, _("%s: SID (%s) must be numeric\n"),
- name, *argv);
- (void) fflush(stderr);
- return( 1 );
- }
-
- sid = (security_id_t) lsid;
- /* sanity check */
- len = strlen(optarg);
- rv = security_sid_to_context(sid, buf, &len);
- if ( rv < 0 && (errno != ENOSPC) ) {
- (void) fprintf(stderr, "%s: security_sid_to_context(%d) %s\n",
- name, (int) sid, strerror(errno));
- (void) fflush(stderr);
- free(buf);
- return( 1 );
- }
- free(buf);
- break;
- }
- case 'c': {
- if ( security_context_to_sid(optarg, strlen(optarg)+1, &sid) ) {
- (void) fprintf(stderr, "%s: security_context_to_sid(%s): %s\n",
- name, optarg, strerror(errno));
- (void) fflush(stderr);
- return( 1 );
- }
- }
-#endif /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled()>0)
+ scontext=optarg;
+ else
+ fprintf(stderr, "Warning: -Z (--context) ignored. Requires an SELinux enabled kernel\n");
+ break;
+#endif /*WITH_SELINUX*/
case '?':
/* Signal names are in uppercase, so check to see if the argv
* is upper case */
}
argv = argv + myoptind;
/*printf("sending signal %d to procs\n", sig_num);*/
-#ifdef FLASK_LINUX
- return kill_all(sig_num,argc - myoptind, argv, sid);
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ return kill_all(sig_num,argc - myoptind, argv, scontext);
+#else /*WITH_SELINUX*/
return kill_all(sig_num,argc - myoptind, argv );
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
}
#include "i18n.h"
#include "comm.h"
-#ifdef FLASK_LINUX
-#include <fs_secure.h>
-#endif /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /*WITH_SELINUX*/
#ifndef MAX_DEPTH
#define MAX_DEPTH 100
int argc; /* with -a : number of arguments, -1 if swapped */
pid_t pid;
uid_t uid;
-#ifdef FLASK_LINUX
- security_id_t sid;
-#endif /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ security_context_t scontext;
+#endif /*WITH_SELINUX*/
int highlight;
struct _child *children;
struct _proc *parent;
static int width[MAX_DEPTH], more[MAX_DEPTH];
static int print_args = 0, compact = 1, user_change = 0, pids = 0, by_pid = 0,
trunc = 1, wait_end = 0;
-#ifdef FLASK_LINUX
-static int show_sids = 0;
+#ifdef WITH_SELINUX
static int show_scontext = 0;
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
static int output_width = 132;
static int cur_x = 1;
static char last_char = 0;
return digits;
}
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
static void
-out_sid ( security_id_t sid )
+out_scontext ( security_context_t scontext )
{
- if ( (int) sid >= 0 )
- out_int((int) sid);
- else
- out_string("??");
-}
-
-static void
-out_scontext ( security_id_t sid )
-{
- static char buf[256];
- int security_sid_to_context();
- int len = sizeof(buf);
- int rv;
-
- bzero(buf,256);
-
- rv = security_sid_to_context((int)sid, buf, &len);
- if ( rv ) {
- out_string("`??\'"); /* punt */
- }
- else {
out_string("`");
- out_string(buf);
- out_string("\'");
- }
+ out_string(scontext);
+ out_string("'");
}
-#endif /*FLASK_LINUX*/
-
+#endif /*WITH_SELINUX*/
+
static void
out_newline (void)
return walk;
}
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
static PROC *
-new_proc(const char *comm, pid_t pid, uid_t uid, security_id_t sid)
-#else /*FLASK_LINUX*/
+new_proc(const char *comm, pid_t pid, uid_t uid, security_context_t scontext)
+#else /*WITH_SELINUX*/
static PROC *
new_proc (const char *comm, pid_t pid, uid_t uid)
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
{
PROC *new;
new->pid = pid;
new->uid = uid;
new->highlight = 0;
-#ifdef FLASK_LINUX
- new->sid = sid;
-#endif /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ new->scontext = scontext;
+#endif /*WITH_SELINUX*/
new->children = NULL;
new->parent = NULL;
new->next = list;
this->argv[i] = start = strchr (start, 0) + 1;
}
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
static void
add_proc(const char *comm, pid_t pid, pid_t ppid, uid_t uid,
- const char *args, int size, security_id_t sid)
-#else /*FLASK_LINUX*/
+ const char *args, int size, security_context_t scontext)
+#else /*WITH_SELINUX*/
static void
add_proc (const char *comm, pid_t pid, pid_t ppid, uid_t uid,
const char *args, int size)
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
{
PROC *this, *parent;
if (!(this = find_proc (pid)))
-#ifdef FLASK_LINUX
- this = new_proc(comm, pid, uid, sid);
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ this = new_proc(comm, pid, uid, scontext);
+#else /*WITH_SELINUX*/
this = new_proc (comm, pid, uid);
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
else
{
strcpy (this->comm, comm);
if (pid == ppid)
ppid = 0;
if (!(parent = find_proc (ppid)))
-#ifdef FLASK_LINUX
- parent = new_proc("?", ppid, 0, sid);
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ parent = new_proc("?", ppid, 0, scontext);
+#else /*WITH_SELINUX*/
parent = new_proc ("?", ppid, 0);
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
add_child (parent, this);
this->parent = parent;
}
else
(void) out_int (current->uid);
}
-#ifdef FLASK_LINUX
- if ( show_sids ) {
- out_char (info++ ? ',' : '(');
- out_sid(current->sid);
- }
+#ifdef WITH_SELINUX
if ( show_scontext ) {
out_char (info++ ? ',' : '(');
- out_scontext(current->sid);
+ out_scontext(current->scontext);
}
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
if ((swapped && print_args && current->argc < 0) || (!swapped && info))
out_char (')');
if (current->highlight && (tmp = tgetstr ("me", NULL)))
tputs (tmp, 1, putchar);
-#ifdef FLASK_LINUX
- if (show_scontext || print_args)
-#else /*FLASK_LINUX*/
if (print_args)
-#endif /*FLASK_LINUX*/
{
for (i = 0; i < current->argc; i++)
{
}
}
}
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
if ( show_scontext || print_args || ! current->children )
-#else /*FLASK_LINUX*/
+#else /*WITH_SELINUX*/
if (print_args || !current->children)
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
{
while (closing--)
out_char (']');
out_newline ();
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
if ( show_scontext || print_args )
-#else /*FLASK_LINUX*/
+#else /*WITH_SELINUX*/
if (print_args)
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
{
more[level] = !last;
width[level] = swapped + (comm_len > 1 ? 0 : -1);
pid_t pid, ppid;
int fd, size;
int empty;
-#ifdef FLASK_LINUX
- security_id_t sid = -1;
-#endif /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ security_context_t scontext = NULL;
+ int selinux_enabled=is_selinux_enabled()>0;
+#endif /*WITH_SELINUX*/
if (!print_args)
buffer = NULL;
{
empty = 0;
sprintf (path, "%s/%d", PROC_BASE, pid);
-#ifdef FLASK_LINUX
- if (fstat_secure(fileno(file),&st,&sid) < 0)
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ if (selinux_enabled)
+ if (getpidcon(pid,&scontext) < 0)
+ {
+ perror (path);
+ exit (1);
+ }
+#endif /*WITH_SELINUX*/
if (stat (path, &st) < 0)
-#endif /*FLASK_LINUX*/
{
perror (path);
exit (1);
&ppid) == 4)
*/
if (!print_args)
-#ifdef FLASK_LINUX
- add_proc(comm, pid, ppid, st.st_uid, NULL, 0, sid);
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ add_proc(comm, pid, ppid, st.st_uid, NULL, 0, scontext);
+#else /*WITH_SELINUX*/
add_proc (comm, pid, ppid, st.st_uid, NULL, 0);
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
else
{
sprintf (path, "%s/%d/cmdline", PROC_BASE, pid);
(void) close (fd);
if (size)
buffer[size++] = 0;
-#ifdef FLASK_LINUX
- add_proc(comm, pid, ppid, st.st_uid, buffer, size, sid);
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ add_proc(comm, pid, ppid, st.st_uid, buffer, size, scontext);
+#else /*WITH_SELINUX*/
add_proc (comm, pid, ppid, st.st_uid, buffer, size);
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
}
}
}
cmd = comm;
if (*cmd == '-')
cmd++;
-#ifdef FLASK_LINUX
- add_proc(cmd, pid, ppid, uid, NULL, 0, -1);
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ add_proc(cmd, pid, ppid, uid, NULL, 0, NULL);
+#else /*WITH_SELINUX*/
add_proc (cmd, pid, ppid, uid, NULL, 0);
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
}
}
" -n sort output by PID\n"
" -p show PIDs; implies -c\n"
" -u show uid transitions\n"));
-#ifdef FLASK_LINUX
+#ifdef WITH_SELINUX
fprintf (stderr, _(
- " -s show Flask SIDs\n"
- " -x show Flask security contexts\n"));
-#endif /*FLASK_LINUX*/
+ " -Z show SELinux security contexts\n"));
+#endif /*WITH_SELINUX*/
fprintf (stderr, _(
" -U use UTF-8 (Unicode) line drawing characters\n"
" -V display version information\n"
sym = &sym_ascii;
}
-#ifdef FLASK_LINUX
- while ((c = getopt (argc, argv, "aAcGhH:npluUVsx")) != EOF)
-#else /*FLASK_LINUX*/
+#ifdef WITH_SELINUX
+ while ((c = getopt (argc, argv, "aAcGhH:npluUVZ")) != EOF)
+#else /*WITH_SELINUX*/
while ((c = getopt (argc, argv, "aAcGhH:npluUV")) != EOF)
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
switch (c)
{
case 'a':
case 'V':
print_version();
return 0;
-#ifdef FLASK_LINUX
- case 's':
- show_sids = 1;
- break;
- case 'x':
- show_scontext = 1;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled()>0)
+ show_scontext = 1;
+ else
+ fprintf(stderr, "Warning: -Z ignored. Requires anx SELinux enabled kernel\n");
break;
-#endif /*FLASK_LINUX*/
+#endif /*WITH_SELINUX*/
default:
usage ();
}
projects / psmisc / commitdiff