Mike Lockwood | 1305e95 | 2011-12-07 08:17:59 -0800 | [diff] [blame] | 1 | /* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */ |
| 2 | |
| 3 | /* |
| 4 | * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> |
| 5 | * Copyright (c) 2006 Damien Miller <djm@openbsd.org> |
| 6 | * |
| 7 | * Permission to use, copy, modify, and distribute this software for any |
| 8 | * purpose with or without fee is hereby granted, provided that the above |
| 9 | * copyright notice and this permission notice appear in all copies. |
| 10 | * |
| 11 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 12 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 13 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
| 14 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 15 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
| 16 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
| 17 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
| 18 | */ |
| 19 | |
| 20 | /* |
| 21 | * Linux-specific portability code - just SELinux support at present |
| 22 | */ |
| 23 | |
| 24 | #include "includes.h" |
| 25 | |
| 26 | #if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) |
| 27 | #include <errno.h> |
| 28 | #include <stdarg.h> |
| 29 | #include <string.h> |
| 30 | #include <stdio.h> |
| 31 | |
| 32 | #include "log.h" |
| 33 | #include "xmalloc.h" |
| 34 | #include "port-linux.h" |
| 35 | |
| 36 | #ifdef WITH_SELINUX |
| 37 | #include <selinux/selinux.h> |
| 38 | #include <selinux/flask.h> |
| 39 | #include <selinux/get_context_list.h> |
| 40 | |
| 41 | #ifndef SSH_SELINUX_UNCONFINED_TYPE |
| 42 | # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:" |
| 43 | #endif |
| 44 | |
| 45 | /* Wrapper around is_selinux_enabled() to log its return value once only */ |
| 46 | int |
| 47 | ssh_selinux_enabled(void) |
| 48 | { |
| 49 | static int enabled = -1; |
| 50 | |
| 51 | if (enabled == -1) { |
| 52 | enabled = (is_selinux_enabled() == 1); |
| 53 | debug("SELinux support %s", enabled ? "enabled" : "disabled"); |
| 54 | } |
| 55 | |
| 56 | return (enabled); |
| 57 | } |
| 58 | |
| 59 | /* Return the default security context for the given username */ |
| 60 | static security_context_t |
| 61 | ssh_selinux_getctxbyname(char *pwname) |
| 62 | { |
| 63 | security_context_t sc; |
| 64 | char *sename = NULL, *lvl = NULL; |
| 65 | int r; |
| 66 | |
| 67 | #ifdef HAVE_GETSEUSERBYNAME |
| 68 | if (getseuserbyname(pwname, &sename, &lvl) != 0) |
| 69 | return NULL; |
| 70 | #else |
| 71 | sename = pwname; |
| 72 | lvl = NULL; |
| 73 | #endif |
| 74 | |
| 75 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
| 76 | r = get_default_context_with_level(sename, lvl, NULL, &sc); |
| 77 | #else |
| 78 | r = get_default_context(sename, NULL, &sc); |
| 79 | #endif |
| 80 | |
| 81 | if (r != 0) { |
| 82 | switch (security_getenforce()) { |
| 83 | case -1: |
| 84 | fatal("%s: ssh_selinux_getctxbyname: " |
| 85 | "security_getenforce() failed", __func__); |
| 86 | case 0: |
| 87 | error("%s: Failed to get default SELinux security " |
| 88 | "context for %s", __func__, pwname); |
| 89 | break; |
| 90 | default: |
| 91 | fatal("%s: Failed to get default SELinux security " |
| 92 | "context for %s (in enforcing mode)", |
| 93 | __func__, pwname); |
| 94 | } |
| 95 | } |
| 96 | |
| 97 | #ifdef HAVE_GETSEUSERBYNAME |
| 98 | if (sename != NULL) |
| 99 | xfree(sename); |
| 100 | if (lvl != NULL) |
| 101 | xfree(lvl); |
| 102 | #endif |
| 103 | |
| 104 | return (sc); |
| 105 | } |
| 106 | |
| 107 | /* Set the execution context to the default for the specified user */ |
| 108 | void |
| 109 | ssh_selinux_setup_exec_context(char *pwname) |
| 110 | { |
| 111 | security_context_t user_ctx = NULL; |
| 112 | |
| 113 | if (!ssh_selinux_enabled()) |
| 114 | return; |
| 115 | |
| 116 | debug3("%s: setting execution context", __func__); |
| 117 | |
| 118 | user_ctx = ssh_selinux_getctxbyname(pwname); |
| 119 | if (setexeccon(user_ctx) != 0) { |
| 120 | switch (security_getenforce()) { |
| 121 | case -1: |
| 122 | fatal("%s: security_getenforce() failed", __func__); |
| 123 | case 0: |
| 124 | error("%s: Failed to set SELinux execution " |
| 125 | "context for %s", __func__, pwname); |
| 126 | break; |
| 127 | default: |
| 128 | fatal("%s: Failed to set SELinux execution context " |
| 129 | "for %s (in enforcing mode)", __func__, pwname); |
| 130 | } |
| 131 | } |
| 132 | if (user_ctx != NULL) |
| 133 | freecon(user_ctx); |
| 134 | |
| 135 | debug3("%s: done", __func__); |
| 136 | } |
| 137 | |
| 138 | /* Set the TTY context for the specified user */ |
| 139 | void |
| 140 | ssh_selinux_setup_pty(char *pwname, const char *tty) |
| 141 | { |
| 142 | security_context_t new_tty_ctx = NULL; |
| 143 | security_context_t user_ctx = NULL; |
| 144 | security_context_t old_tty_ctx = NULL; |
| 145 | |
| 146 | if (!ssh_selinux_enabled()) |
| 147 | return; |
| 148 | |
| 149 | debug3("%s: setting TTY context on %s", __func__, tty); |
| 150 | |
| 151 | user_ctx = ssh_selinux_getctxbyname(pwname); |
| 152 | |
| 153 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
| 154 | |
| 155 | if (getfilecon(tty, &old_tty_ctx) == -1) { |
| 156 | error("%s: getfilecon: %s", __func__, strerror(errno)); |
| 157 | goto out; |
| 158 | } |
| 159 | |
| 160 | if (security_compute_relabel(user_ctx, old_tty_ctx, |
| 161 | SECCLASS_CHR_FILE, &new_tty_ctx) != 0) { |
| 162 | error("%s: security_compute_relabel: %s", |
| 163 | __func__, strerror(errno)); |
| 164 | goto out; |
| 165 | } |
| 166 | |
| 167 | if (setfilecon(tty, new_tty_ctx) != 0) |
| 168 | error("%s: setfilecon: %s", __func__, strerror(errno)); |
| 169 | out: |
| 170 | if (new_tty_ctx != NULL) |
| 171 | freecon(new_tty_ctx); |
| 172 | if (old_tty_ctx != NULL) |
| 173 | freecon(old_tty_ctx); |
| 174 | if (user_ctx != NULL) |
| 175 | freecon(user_ctx); |
| 176 | debug3("%s: done", __func__); |
| 177 | } |
| 178 | |
| 179 | void |
| 180 | ssh_selinux_change_context(const char *newname) |
| 181 | { |
| 182 | int len, newlen; |
| 183 | char *oldctx, *newctx, *cx; |
| 184 | void (*switchlog) (const char *fmt,...) = logit; |
| 185 | |
| 186 | if (!ssh_selinux_enabled()) |
| 187 | return; |
| 188 | |
| 189 | if (getcon((security_context_t *)&oldctx) < 0) { |
| 190 | logit("%s: getcon failed with %s", __func__, strerror(errno)); |
| 191 | return; |
| 192 | } |
| 193 | if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == |
| 194 | NULL) { |
| 195 | logit ("%s: unparseable context %s", __func__, oldctx); |
| 196 | return; |
| 197 | } |
| 198 | |
| 199 | /* |
| 200 | * Check whether we are attempting to switch away from an unconfined |
| 201 | * security context. |
| 202 | */ |
| 203 | if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE, |
| 204 | sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0) |
| 205 | switchlog = debug3; |
| 206 | |
| 207 | newlen = strlen(oldctx) + strlen(newname) + 1; |
| 208 | newctx = xmalloc(newlen); |
| 209 | len = cx - oldctx + 1; |
| 210 | memcpy(newctx, oldctx, len); |
| 211 | strlcpy(newctx + len, newname, newlen - len); |
| 212 | if ((cx = index(cx + 1, ':'))) |
| 213 | strlcat(newctx, cx, newlen); |
| 214 | debug3("%s: setting context from '%s' to '%s'", __func__, |
| 215 | oldctx, newctx); |
| 216 | if (setcon(newctx) < 0) |
| 217 | switchlog("%s: setcon %s from %s failed with %s", __func__, |
| 218 | newctx, oldctx, strerror(errno)); |
| 219 | xfree(oldctx); |
| 220 | xfree(newctx); |
| 221 | } |
| 222 | |
| 223 | void |
| 224 | ssh_selinux_setfscreatecon(const char *path) |
| 225 | { |
| 226 | security_context_t context; |
| 227 | |
| 228 | if (!ssh_selinux_enabled()) |
| 229 | return; |
| 230 | if (path == NULL) { |
| 231 | setfscreatecon(NULL); |
| 232 | return; |
| 233 | } |
| 234 | if (matchpathcon(path, 0700, &context) == 0) |
| 235 | setfscreatecon(context); |
| 236 | } |
| 237 | |
| 238 | #endif /* WITH_SELINUX */ |
| 239 | |
| 240 | #ifdef LINUX_OOM_ADJUST |
| 241 | /* |
| 242 | * The magic "don't kill me" values, old and new, as documented in eg: |
| 243 | * http://lxr.linux.no/#linux+v2.6.32/Documentation/filesystems/proc.txt |
| 244 | * http://lxr.linux.no/#linux+v2.6.36/Documentation/filesystems/proc.txt |
| 245 | */ |
| 246 | |
| 247 | static int oom_adj_save = INT_MIN; |
| 248 | static char *oom_adj_path = NULL; |
| 249 | struct { |
| 250 | char *path; |
| 251 | int value; |
| 252 | } oom_adjust[] = { |
| 253 | {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */ |
| 254 | {"/proc/self/oom_adj", -17}, /* kernels <= 2.6.35 */ |
| 255 | {NULL, 0}, |
| 256 | }; |
| 257 | |
| 258 | /* |
| 259 | * Tell the kernel's out-of-memory killer to avoid sshd. |
| 260 | * Returns the previous oom_adj value or zero. |
| 261 | */ |
| 262 | void |
| 263 | oom_adjust_setup(void) |
| 264 | { |
| 265 | int i, value; |
| 266 | FILE *fp; |
| 267 | |
| 268 | debug3("%s", __func__); |
| 269 | for (i = 0; oom_adjust[i].path != NULL; i++) { |
| 270 | oom_adj_path = oom_adjust[i].path; |
| 271 | value = oom_adjust[i].value; |
| 272 | if ((fp = fopen(oom_adj_path, "r+")) != NULL) { |
| 273 | if (fscanf(fp, "%d", &oom_adj_save) != 1) |
| 274 | verbose("error reading %s: %s", oom_adj_path, |
| 275 | strerror(errno)); |
| 276 | else { |
| 277 | rewind(fp); |
| 278 | if (fprintf(fp, "%d\n", value) <= 0) |
| 279 | verbose("error writing %s: %s", |
| 280 | oom_adj_path, strerror(errno)); |
| 281 | else |
| 282 | verbose("Set %s from %d to %d", |
| 283 | oom_adj_path, oom_adj_save, value); |
| 284 | } |
| 285 | fclose(fp); |
| 286 | return; |
| 287 | } |
| 288 | } |
| 289 | oom_adj_path = NULL; |
| 290 | } |
| 291 | |
| 292 | /* Restore the saved OOM adjustment */ |
| 293 | void |
| 294 | oom_adjust_restore(void) |
| 295 | { |
| 296 | FILE *fp; |
| 297 | |
| 298 | debug3("%s", __func__); |
| 299 | if (oom_adj_save == INT_MIN || oom_adj_path == NULL || |
| 300 | (fp = fopen(oom_adj_path, "w")) == NULL) |
| 301 | return; |
| 302 | |
| 303 | if (fprintf(fp, "%d\n", oom_adj_save) <= 0) |
| 304 | verbose("error writing %s: %s", oom_adj_path, strerror(errno)); |
| 305 | else |
| 306 | verbose("Set %s to %d", oom_adj_path, oom_adj_save); |
| 307 | |
| 308 | fclose(fp); |
| 309 | return; |
| 310 | } |
| 311 | #endif /* LINUX_OOM_ADJUST */ |
| 312 | #endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ |