1#include <unistd.h>
2#include <sys/types.h>
3#include <fcntl.h>
4#include <stdio.h>
5#include <stdlib.h>
6#include <errno.h>
7#include <string.h>
8#include <ctype.h>
9#include <selinux/selinux.h>
10#include <selinux/get_context_list.h>
11
12static __attribute__ ((__noreturn__)) void usage(const char *name, const char *detail, int rc)
13{
14	fprintf(stderr, "usage:  %s [-l level] [-s service] user [fromcon]\n", name);
15	if (detail)
16		fprintf(stderr, "%s:  %s\n", name, detail);
17	exit(rc);
18}
19
20int main(int argc, char **argv)
21{
22	char * usercon = NULL, *cur_context = NULL;
23	char *user = NULL, *level = NULL, *role=NULL, *seuser=NULL, *dlevel=NULL;
24	char *service = NULL;
25	int ret, opt;
26	int verbose = 0;
27
28	while ((opt = getopt(argc, argv, "l:r:s:v")) > 0) {
29		switch (opt) {
30		case 'l':
31			free(level);
32			level = strdup(optarg);
33			break;
34		case 'r':
35			free(role);
36			role = strdup(optarg);
37			break;
38		case 's':
39			free(service);
40			service = strdup(optarg);
41			break;
42		case 'v':
43			verbose = 1;
44			break;
45		default:
46			usage(argv[0], "invalid option", 1);
47		}
48	}
49
50	if (((argc - optind) < 1) || ((argc - optind) > 2))
51		usage(argv[0], "invalid number of arguments", 2);
52
53	/* If selinux isn't available, bail out. */
54	if (!is_selinux_enabled()) {
55		fprintf(stderr,
56			"%s may be used only on a SELinux kernel.\n", argv[0]);
57		return 1;
58	}
59
60	user = argv[optind];
61
62	/* If a context wasn't passed, use the current context. */
63	if (((argc - optind) < 2)) {
64		if (getcon(&cur_context) < 0) {
65			fprintf(stderr, "Couldn't get current context:  %s\n", strerror(errno));
66			return 2;
67		}
68	} else
69		cur_context = argv[optind + 1];
70
71	if (security_check_context(cur_context)) {
72		fprintf(stderr, "%s:  invalid from context '%s'\n", argv[0], cur_context);
73		return 3;
74	}
75
76	if ((ret = getseuser(user, service, &seuser, &dlevel)) == 0) {
77		if (! level) level=dlevel;
78		if (role != NULL && role[0])
79			ret=get_default_context_with_rolelevel(seuser, role, level,cur_context,&usercon);
80		else
81			ret=get_default_context_with_level(seuser, level, cur_context,&usercon);
82	}
83	if (ret < 0)
84		perror(argv[0]);
85	else {
86		if (verbose) {
87			printf("%s: %s from %s %s %s %s -> %s\n", argv[0], user, cur_context, seuser, role, level, usercon);
88		} else {
89			printf("%s\n", usercon);
90		}
91	}
92
93	free(role);
94	free(seuser);
95	if (level != dlevel) free(level);
96	free(dlevel);
97	free(usercon);
98
99	return ret >= 0;
100}
101