Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/Config.in | 47 | ||||
-rw-r--r-- | selinux/Kbuild | 13 | ||||
-rw-r--r-- | selinux/getenforce.c | 33 | ||||
-rw-r--r-- | selinux/getsebool.c | 65 | ||||
-rw-r--r-- | selinux/matchpathcon.c | 85 | ||||
-rw-r--r-- | selinux/selinuxenabled.c | 13 | ||||
-rw-r--r-- | selinux/setenforce.c | 44 |
7 files changed, 300 insertions, 0 deletions
diff --git a/selinux/Config.in b/selinux/Config.in
new file mode 100644
index 000000000..b078ee59e
--- /dev/null
+++ b/selinux/Config.in
@@ -0,0 +1,47 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+
+menu "Selinux Utilities"
+	depends on SELINUX
+
+config GETENFORCE
+	bool "getenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get the current mode of SELinux.
+
+config GETSEBOOL
+	bool "getsebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get SELinux boolean values.
+
+config MATCHPATHCON
+	bool "matchpathcon"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get default security context of the
+	  specified path from the file contexts configuration.
+
+config SELINUXENABLED
+	bool "selinuxenabled"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for this command to be used within shell scripts
+	  to determine if selinux is enabled.
+
+config SETENFORCE
+	bool "setenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to modify the mode SELinux is running in.
+
+endmenu
+
diff --git a/selinux/Kbuild b/selinux/Kbuild
new file mode 100644
index 000000000..8371df8e4
--- /dev/null
+++ b/selinux/Kbuild
@@ -0,0 +1,13 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+
+lib-y:=
+lib-$(CONFIG_GETENFORCE) += getenforce.o
+lib-$(CONFIG_GETSEBOOL) += getsebool.o
+lib-$(CONFIG_MATCHPATHCON) += matchpathcon.o
+lib-$(CONFIG_SELINUXENABLED) += selinuxenabled.o
+lib-$(CONFIG_SETENFORCE) += setenforce.o
diff --git a/selinux/getenforce.c b/selinux/getenforce.c
new file mode 100644
index 000000000..e240e4dca
--- /dev/null
+++ b/selinux/getenforce.c
@@ -0,0 +1,33 @@
+/*
+ * getenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+int getenforce_main(int argc, char **argv)
+{
+	int rc;
+
+	rc = is_selinux_enabled();
+	if (rc < 0)
+		bb_error_msg_and_die("is_selinux_enabled() failed");
+
+	if (rc == 1) {
+		rc = security_getenforce();
+		if (rc < 0)
+			bb_error_msg_and_die("getenforce() failed");
+
+		if (rc)
+			puts("Enforcing");
+		else
+			puts("Permissive");
+	} else {
+		puts("Disabled");
+	}
+
+	return 0;
+}
diff --git a/selinux/getsebool.c b/selinux/getsebool.c
new file mode 100644
index 000000000..d593937ba
--- /dev/null
+++ b/selinux/getsebool.c
@@ -0,0 +1,65 @@
+/*
+ * getsebool
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+int getsebool_main(int argc, char **argv)
+{
+	int i, rc = 0, active, pending, len = 0;
+	char **names;
+	unsigned opt;
+
+	selinux_or_die();
+	opt = getopt32(argc, argv, "a");
+
+	if (opt) { /* -a */
+		if (argc > 2)
+			bb_show_usage();
+
+		rc = security_get_boolean_names(&names, &len);
+		if (rc)
+			bb_perror_msg_and_die("cannot get boolean names");
+
+		if (!len) {
+			puts("No booleans");
+			return 0;
+		}
+	}
+
+	if (!len) {
+		if (argc < 2)
+			bb_show_usage();
+		len = argc - 1;
+		names = xmalloc(sizeof(char *) * len);
+		for (i = 0; i < len; i++)
+			names[i] = xstrdup(argv[i + 1]);
+	}
+
+	for (i = 0; i < len; i++) {
+		active = security_get_boolean_active(names[i]);
+		if (active < 0) {
+			bb_error_msg_and_die("error getting active value for %s", names[i]);
+		}
+		pending = security_get_boolean_pending(names[i]);
+		if (pending < 0) {
+			bb_error_msg_and_die("error getting pending value for %s", names[i]);
+		}
+		printf("%s --> %s", names[i], (active ? "on" : "off"));
+		if (pending != active)
+			printf(" pending: %s", (pending ? "on" : "off"));
+		putchar('\n');
+	}
+
+	if (ENABLE_FEATURE_CLEAN_UP) {
+		for (i = 0; i < len; i++)
+			free(names[i]);
+		free(names);
+	}
+
+	return rc;
+}
diff --git a/selinux/matchpathcon.c b/selinux/matchpathcon.c
new file mode 100644
index 000000000..4fa95b0ef
--- /dev/null
+++ b/selinux/matchpathcon.c
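Review bot: The final `return rc;` in getsebool_main can only ever return 0, because the one call that sets `rc` (`security_get_boolean_names`) is followed by `bb_perror_msg_and_die` on any non-zero value; a plain `return 0;` and dropping `rc` would make that explicit. In the `-a` path, the early `puts("No booleans"); return 0;` also bypasses the `ENABLE_FEATURE_CLEAN_UP` block, so whatever `security_get_boolean_names` left in `names` is not freed — harmless at process exit, but worth a comment such as `/* names (if any) intentionally leaked: we exit right away */` if that is the intent. The multi-variable declaration `int i, rc = 0, active, pending, len = 0;` mixes initialized and uninitialized locals on one line; one declaration per line would match the rest of the busybox tree better.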
@@ -0,0 +1,85 @@
+/* matchpathcon - get the default security context for the specified
+ * path from the file contexts configuration.
+ * based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include "busybox.h"
+
+static int print_matchpathcon(char *path, int noprint)
+{
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		bb_perror_msg("matchpathcon(%s) failed", path);
+		return 1;
+	}
+	if (!noprint)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+
+	freecon(buf);
+	return 0;
+}
+
+#define OPT_NOT_PRINT	(1<<0)	/* -n */
+#define OPT_NOT_TRANS	(1<<1)	/* -N */
+#define OPT_FCONTEXT	(1<<2)	/* -f */
+#define OPT_PREFIX	(1<<3)	/* -p */
+#define OPT_VERIFY	(1<<4)	/* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+	int error = 0;
+	unsigned opts;
+	char *fcontext, *prefix, *path;
+
+	opt_complementary = "-1:" /* at least one param reqd */
+		"f--p:p--f"; /* mutually exclusive */
+	opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+	argv += optind;
+
+	if (opts & OPT_NOT_TRANS) {
+		set_matchpathcon_flags(NOTRANS);
+	}
+	if (opts & OPT_FCONTEXT) {
+		if (matchpathcon_init(fcontext))
+			bb_perror_msg_and_die("error while processing %s", fcontext);
+	}
+	if (opts & OPT_PREFIX) {
+		if (matchpathcon_init_prefix(NULL, prefix))
+			bb_perror_msg_and_die("error while processing %s", prefix);
+	}
+
+	while((path = *argv++) != NULL) {
+		security_context_t con;
+		int rc;
+
+		if (!(opts & OPT_VERIFY)) {
+			error += print_matchpathcon(path, opt & OPT_NOT_PRINT);
+			continue;
+		}
+
+		if (selinux_file_context_verify(path, 0)) {
+			printf("%s verified\n", path);
+			continue;
+		}
+
+		if (opts & OPT_NOT_TRANS)
+			rc = lgetfilecon_raw(path, &con);
+		else
+			rc = lgetfilecon(path, &con);
+
+		if (rc >= 0) {
+			printf("%s has context %s, should be ", path, con);
+			error += print_matchpathcon(path, 1);
+			freecon(con);
+			continue;
+		}
+		printf("actual context unknown: %s, should be ", strerror(errno));
+		error += print_matchpathcon(path, 1);
+	}
+	matchpathcon_fini();
+	return error;
+}
diff --git a/selinux/selinuxenabled.c b/selinux/selinuxenabled.c
new file mode 100644
index 000000000..b34228098
--- /dev/null
+++ b/selinux/selinuxenabled.c
@@ -0,0 +1,13 @@
+/*
+ * selinuxenabled
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+
+int selinuxenabled_main(int argc, char **argv)
+{
+	return !is_selinux_enabled();
+}
diff --git a/selinux/setenforce.c b/selinux/setenforce.c
new file mode 100644
index 000000000..670e30086
--- /dev/null
+++ b/selinux/setenforce.c
@@ -0,0 +1,44 @@
+/*
+ * setenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+static const smallint setenforce_mode[] = {
+	0,
+	1,
+	0,
+	1,
+};
+static const char *const setenforce_cmd[] = {
+	"0",
+	"1",
+	"permissive",
+	"enforcing",
+	NULL,
+};
+
+int setenforce_main(int argc, char **argv)
+{
+	int i, rc;
+
+	if (argc != 2)
+		bb_show_usage();
+
+	selinux_or_die();
+
+	for (i = 0; setenforce_cmd[i]; i++) {
+		if (strcasecmp(argv[1], setenforce_cmd[i]) != 0)
+			continue;
+		rc = security_setenforce(setenforce_mode[i]);
+		if (rc < 0)
+			bb_perror_msg_and_die("setenforce() failed");
+		return 0;
+	}
+
+	bb_show_usage();
+}
|
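Review bot: In matchpathcon_main the non-verify branch reads `opt & OPT_NOT_PRINT`, but the only option variable declared in the function is `opts`, so this line will not compile unless an `opt` exists at file scope in busybox.h; it should be `error += print_matchpathcon(path, opts & OPT_NOT_PRINT);`. This matters beyond the typo because `-n` is the switch that decides whether the path is echoed back next to the context, and a stray global would silently pick the wrong behaviour. While here, `print_matchpathcon` never writes through `path`, so `static int print_matchpathcon(const char *path, int noprint)` would document that and let callers pass string literals.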
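Review bot: selinuxenabled_main returns `!is_selinux_enabled()`, so if that call reports failure with a negative value — which is what getenforce.c in this same commit assumes when it checks `rc < 0` — the negation yields 0 and the applet exits "enabled" on error. That is the fail-closed direction for scripts that use the exit status to decide whether to apply labels, but it is not obvious from the one-liner; either document it, `/* <0 (error) also exits 0: treat "unknown" as enabled */`, or make the mapping explicit with `int rc = is_selinux_enabled(); return rc == 1 ? 0 : 1;` and a comment saying which behaviour was chosen. Which of the two upstream intended is not visible in the hunk.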
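Review bot: setenforce.c keeps the keyword-to-mode mapping in two parallel arrays, `setenforce_mode[]` and `setenforce_cmd[]`, with nothing tying their order together except position; a comment above the first, `/* indexed in lockstep with setenforce_cmd[]: "0"/"permissive" -> 0, "1"/"enforcing" -> 1 */`, would stop the next edit from adding a name to one table and not the other. The function also ends in `bb_show_usage();` with no `return`, which is only correct if that helper is declared noreturn in busybox.h (it is not visible here); if it is, a short `/* bb_show_usage() does not return */` makes that clear to readers and to compilers warning about the missing return.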