1/*
2 * Copyright (c) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15#include "selinux_adp.h"
16
17#include <errno.h>
18
19#include "init_error.h"
20#include "init_hook.h"
21#include "init_module_engine.h"
22#include "plugin_adapter.h"
23#include "securec.h"
24
25#include <policycoreutils.h>
26#include <selinux/label.h>
27#include <selinux/restorecon.h>
28
29enum {
30    CMD_LOAD_POLICY = 0,
31    CMD_SET_SERVICE_CONTEXTS = 1,
32    CMD_SET_SOCKET_CONTEXTS = 2,
33    CMD_RESTORE_INDEX = 3,
34    CMD_RESTORE_INDEX_FORCE = 4,
35    CMD_RESTORE_INDEX_SKIP = 5,
36};
37
38extern char *__progname;
39
40static int LoadSelinuxPolicy(int id, const char *name, int argc, const char **argv)
41{
42    int ret;
43    char processContext[MAX_SECON_LEN];
44
45    UNUSED(id);
46    UNUSED(name);
47    UNUSED(argc);
48    UNUSED(argv);
49    PLUGIN_LOGI("LoadSelinuxPolicy ");
50    // load selinux policy and context
51    if (LoadPolicy() < 0) {
52        PLUGIN_LOGE("main, load_policy failed.");
53    } else {
54        PLUGIN_LOGI("main, load_policy success.");
55    }
56
57    ret = snprintf_s(processContext, sizeof(processContext), sizeof(processContext) - 1, "u:r:%s:s0", __progname);
58    if (ret == -1) {
59        setcon("u:r:init:s0");
60    } else {
61        setcon(processContext);
62    }
63    (void)RestoreconRecurse("/dev");
64    return 0;
65}
66
67static int SetServiceContent(int id, const char *name, int argc, const char **argv)
68{
69    PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
70    ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
71    char *label = "u:r:limit_domain:s0";
72    if (data != NULL) {
73        label = (char *)data->data;
74    } else {
75        PLUGIN_LOGE("Please set secon field in service %s's cfg file, limit_domain will be blocked", argv[0]);
76    }
77
78    if (setexeccon(label) < 0) {
79        PLUGIN_LOGE("Service error %d %s, failed to set secon %s.", errno, argv[0], label);
80#ifndef STARTUP_INIT_TEST
81        _exit(INIT_EEXEC_CONTENT);
82#endif
83    } else {
84        PLUGIN_LOGV("Service info %s, set secon %s.", argv[0], label);
85    }
86    return 0;
87}
88
89static int SetSockCreateCon(int id, const char *name, int argc, const char **argv)
90{
91    PLUGIN_CHECK(name != NULL, return -1, "Invalid parameter");
92    if (argc == 0) {
93        setsockcreatecon(NULL);
94        return 0;
95    }
96    PLUGIN_CHECK(argc >= 1 && argv != NULL, return -1, "Invalid parameter");
97    ServiceExtData *data = GetServiceExtData(argv[0], HOOK_ID_SELINUX);
98    if (data != NULL) {
99        if (setsockcreatecon((char *)data->data) < 0) {
100            PLUGIN_LOGE("failed to set socket context %s's secon (%s).", argv[0], (char *)data->data);
101#ifndef STARTUP_INIT_TEST
102            _exit(PROCESS_EXIT_CODE);
103#endif
104        }
105    }
106
107    return 0;
108}
109
110static int RestoreContentRecurse(int id, const char *name, int argc, const char **argv)
111{
112    PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
113    PLUGIN_LOGV("RestoreContentRecurse path %s", argv[0]);
114    if (RestoreconRecurse(argv[0]) && errno != 0) {
115        PLUGIN_LOGE("restoreContentRecurse failed for '%s', err %d.", argv[0], errno);
116    }
117    return 0;
118}
119
120static int RestoreContentRecurseForce(int id, const char *name, int argc, const char **argv)
121{
122    PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
123    PLUGIN_LOGV("RestoreContentRecurseForce path %s", argv[0]);
124    if (RestoreconRecurseForce(argv[0]) && errno != 0) {
125        PLUGIN_LOGE("RestoreContentRecurseForce failed for '%s', err %d.", argv[0], errno);
126    }
127    return 0;
128}
129
130static int RestoreContentRecurseSkipElx(int id, const char *name, int argc, const char **argv)
131{
132    PLUGIN_CHECK(name != NULL && argc >= 1 && argv != NULL, return -1, "Invalid parameter");
133    PLUGIN_LOGV("RestoreContentRecurseSkipElx path %s", argv[0]);
134    if (RestoreconCommon(argv[0], SELINUX_RESTORECON_REALPATH |
135        SELINUX_RESTORECON_RECURSE | SELINUX_RESTORECON_SKIPELX, 1) && errno != 0) {
136        PLUGIN_LOGE("RestoreContentRecurseSkipElx failed for '%s', err %d.", argv[0], errno);
137    }
138    return 0;
139}
140
141static int32_t g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP + 1] = {0}; // 6 cmd count
142static void SelinuxAdpInit(void)
143{
144    g_selinuxAdpCmdIds[CMD_LOAD_POLICY] = AddCmdExecutor("loadSelinuxPolicy", LoadSelinuxPolicy);
145    g_selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS] = AddCmdExecutor("setServiceContent", SetServiceContent);
146    g_selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS] = AddCmdExecutor("setSockCreateCon", SetSockCreateCon);
147    g_selinuxAdpCmdIds[CMD_RESTORE_INDEX] = AddCmdExecutor("restoreContentRecurse", RestoreContentRecurse);
148    g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_FORCE] =
149        AddCmdExecutor("restoreContentRecurseForce", RestoreContentRecurseForce);
150    g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP] =
151        AddCmdExecutor("restoreContentRecurseSkipElx", RestoreContentRecurseSkipElx);
152}
153
154static void SelinuxAdpExit(void)
155{
156    if (g_selinuxAdpCmdIds[CMD_LOAD_POLICY] != -1) {
157        RemoveCmdExecutor("loadSelinuxPolicy", g_selinuxAdpCmdIds[CMD_LOAD_POLICY]);
158    }
159    if (g_selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS] != -1) {
160        RemoveCmdExecutor("setServiceContent", g_selinuxAdpCmdIds[CMD_SET_SERVICE_CONTEXTS]);
161    }
162    if (g_selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS] != -1) {
163        RemoveCmdExecutor("setSockCreateCon", g_selinuxAdpCmdIds[CMD_SET_SOCKET_CONTEXTS]);
164    }
165    if (g_selinuxAdpCmdIds[CMD_RESTORE_INDEX] != -1) {
166        RemoveCmdExecutor("restoreContentRecurse", g_selinuxAdpCmdIds[CMD_RESTORE_INDEX]);
167    }
168    if (g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_FORCE] != -1) {
169        RemoveCmdExecutor("restoreContentRecurseForce", g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_FORCE]);
170    }
171    if (g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP] != -1) {
172        RemoveCmdExecutor("restoreContentRecurseSkipElx", g_selinuxAdpCmdIds[CMD_RESTORE_INDEX_SKIP]);
173    }
174}
175
176MODULE_CONSTRUCTOR(void)
177{
178    PLUGIN_LOGI("Selinux adapter plug-in init now ...");
179    SelinuxAdpInit();
180}
181
182MODULE_DESTRUCTOR(void)
183{
184    if (getpid() != 1) {
185        return;
186    }
187    PLUGIN_LOGI("Selinux adapter plug-in exit now ...");
188    SelinuxAdpExit();
189}
190