468 lines
12 KiB
C
468 lines
12 KiB
C
/* SELinux access controls for nscd.
|
|
Copyright (C) 2004-2022 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<https://www.gnu.org/licenses/>. */
|
|
|
|
#include "config.h"
|
|
#include <error.h>
|
|
#include <errno.h>
|
|
#include <libintl.h>
|
|
#include <pthread.h>
|
|
#include <stdarg.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <syslog.h>
|
|
#include <unistd.h>
|
|
#include <sys/prctl.h>
|
|
#include <selinux/avc.h>
|
|
#include <selinux/selinux.h>
|
|
#ifdef HAVE_LIBAUDIT
|
|
# include <libaudit.h>
|
|
#endif
|
|
#include <libc-diag.h>
|
|
|
|
#include "dbg_log.h"
|
|
#include "selinux.h"
|
|
|
|
|
|
#ifdef HAVE_SELINUX
|
|
/* Global variable to tell if the kernel has SELinux support. */
|
|
int selinux_enabled;
|
|
|
|
/* Define mappings of request type to AVC permission name. */
|
|
static const char *perms[LASTREQ] =
|
|
{
|
|
[GETPWBYNAME] = "getpwd",
|
|
[GETPWBYUID] = "getpwd",
|
|
[GETGRBYNAME] = "getgrp",
|
|
[GETGRBYGID] = "getgrp",
|
|
[GETHOSTBYNAME] = "gethost",
|
|
[GETHOSTBYNAMEv6] = "gethost",
|
|
[GETHOSTBYADDR] = "gethost",
|
|
[GETHOSTBYADDRv6] = "gethost",
|
|
[SHUTDOWN] = "admin",
|
|
[GETSTAT] = "getstat",
|
|
[INVALIDATE] = "admin",
|
|
[GETFDPW] = "shmempwd",
|
|
[GETFDGR] = "shmemgrp",
|
|
[GETFDHST] = "shmemhost",
|
|
[GETAI] = "gethost",
|
|
[INITGROUPS] = "getgrp",
|
|
[GETSERVBYNAME] = "getserv",
|
|
[GETSERVBYPORT] = "getserv",
|
|
[GETFDSERV] = "shmemserv",
|
|
[GETNETGRENT] = "getnetgrp",
|
|
[INNETGR] = "getnetgrp",
|
|
[GETFDNETGR] = "shmemnetgrp",
|
|
};
|
|
|
|
/* Store an entry ref to speed AVC decisions. */
|
|
static struct avc_entry_ref aeref;
|
|
|
|
/* Thread to listen for SELinux status changes via netlink. */
|
|
static pthread_t avc_notify_thread;
|
|
|
|
#ifdef HAVE_LIBAUDIT
|
|
/* Prototype for supporting the audit daemon */
|
|
static void log_callback (const char *fmt, ...);
|
|
#endif
|
|
|
|
/* Prototypes for AVC callback functions. */
|
|
static void *avc_create_thread (void (*run) (void));
|
|
static void avc_stop_thread (void *thread);
|
|
static void *avc_alloc_lock (void);
|
|
static void avc_get_lock (void *lock);
|
|
static void avc_release_lock (void *lock);
|
|
static void avc_free_lock (void *lock);
|
|
|
|
/* AVC callback structures for use in avc_init. */
|
|
static const struct avc_log_callback log_cb =
|
|
{
|
|
#ifdef HAVE_LIBAUDIT
|
|
.func_log = log_callback,
|
|
#else
|
|
.func_log = dbg_log,
|
|
#endif
|
|
.func_audit = NULL
|
|
};
|
|
static const struct avc_thread_callback thread_cb =
|
|
{
|
|
.func_create_thread = avc_create_thread,
|
|
.func_stop_thread = avc_stop_thread
|
|
};
|
|
static const struct avc_lock_callback lock_cb =
|
|
{
|
|
.func_alloc_lock = avc_alloc_lock,
|
|
.func_get_lock = avc_get_lock,
|
|
.func_release_lock = avc_release_lock,
|
|
.func_free_lock = avc_free_lock
|
|
};
|
|
|
|
#ifdef HAVE_LIBAUDIT
|
|
/* The audit system's netlink socket descriptor */
|
|
static int audit_fd = -1;
|
|
|
|
/* When an avc denial occurs, log it to audit system */
|
|
static void
|
|
log_callback (const char *fmt, ...)
|
|
{
|
|
if (audit_fd >= 0)
|
|
{
|
|
va_list ap;
|
|
va_start (ap, fmt);
|
|
|
|
char *buf;
|
|
int e = vasprintf (&buf, fmt, ap);
|
|
if (e < 0)
|
|
{
|
|
buf = alloca (BUFSIZ);
|
|
vsnprintf (buf, BUFSIZ, fmt, ap);
|
|
}
|
|
|
|
/* FIXME: need to attribute this to real user, using getuid for now */
|
|
audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
|
NULL, getuid ());
|
|
|
|
if (e >= 0)
|
|
free (buf);
|
|
|
|
va_end (ap);
|
|
}
|
|
}
|
|
|
|
/* Initialize the connection to the audit system */
|
|
static void
|
|
audit_init (void)
|
|
{
|
|
audit_fd = audit_open ();
|
|
if (audit_fd < 0
|
|
/* If kernel doesn't support audit, bail out */
|
|
&& errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
|
|
dbg_log (_("Failed opening connection to the audit subsystem: %m"));
|
|
}
|
|
|
|
|
|
# ifdef HAVE_LIBCAP
|
|
static const cap_value_t new_cap_list[] =
|
|
{ CAP_AUDIT_WRITE };
|
|
# define nnew_cap_list (sizeof (new_cap_list) / sizeof (new_cap_list[0]))
|
|
static const cap_value_t tmp_cap_list[] =
|
|
{ CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
|
|
# define ntmp_cap_list (sizeof (tmp_cap_list) / sizeof (tmp_cap_list[0]))
|
|
|
|
cap_t
|
|
preserve_capabilities (void)
|
|
{
|
|
if (getuid () != 0)
|
|
/* Not root, then we cannot preserve anything. */
|
|
return NULL;
|
|
|
|
if (prctl (PR_SET_KEEPCAPS, 1) == -1)
|
|
{
|
|
dbg_log (_("Failed to set keep-capabilities"));
|
|
do_exit (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
|
|
/* NOTREACHED */
|
|
}
|
|
|
|
cap_t tmp_caps = cap_init ();
|
|
cap_t new_caps = NULL;
|
|
if (tmp_caps != NULL)
|
|
new_caps = cap_init ();
|
|
|
|
if (tmp_caps == NULL || new_caps == NULL)
|
|
{
|
|
if (tmp_caps != NULL)
|
|
cap_free (tmp_caps);
|
|
|
|
dbg_log (_("Failed to initialize drop of capabilities"));
|
|
do_exit (EXIT_FAILURE, 0, _("cap_init failed"));
|
|
}
|
|
|
|
/* There is no reason why these should not work. */
|
|
cap_set_flag (new_caps, CAP_PERMITTED, nnew_cap_list,
|
|
(cap_value_t *) new_cap_list, CAP_SET);
|
|
cap_set_flag (new_caps, CAP_EFFECTIVE, nnew_cap_list,
|
|
(cap_value_t *) new_cap_list, CAP_SET);
|
|
|
|
cap_set_flag (tmp_caps, CAP_PERMITTED, ntmp_cap_list,
|
|
(cap_value_t *) tmp_cap_list, CAP_SET);
|
|
cap_set_flag (tmp_caps, CAP_EFFECTIVE, ntmp_cap_list,
|
|
(cap_value_t *) tmp_cap_list, CAP_SET);
|
|
|
|
int res = cap_set_proc (tmp_caps);
|
|
|
|
cap_free (tmp_caps);
|
|
|
|
if (__glibc_unlikely (res != 0))
|
|
{
|
|
cap_free (new_caps);
|
|
dbg_log (_("Failed to drop capabilities"));
|
|
do_exit (EXIT_FAILURE, 0, _("cap_set_proc failed"));
|
|
}
|
|
|
|
return new_caps;
|
|
}
|
|
|
|
void
|
|
install_real_capabilities (cap_t new_caps)
|
|
{
|
|
/* If we have no capabilities there is nothing to do here. */
|
|
if (new_caps == NULL)
|
|
return;
|
|
|
|
if (cap_set_proc (new_caps))
|
|
{
|
|
cap_free (new_caps);
|
|
dbg_log (_("Failed to drop capabilities"));
|
|
do_exit (EXIT_FAILURE, 0, _("cap_set_proc failed"));
|
|
/* NOTREACHED */
|
|
}
|
|
|
|
cap_free (new_caps);
|
|
|
|
if (prctl (PR_SET_KEEPCAPS, 0) == -1)
|
|
{
|
|
dbg_log (_("Failed to unset keep-capabilities"));
|
|
do_exit (EXIT_FAILURE, errno, _("prctl(KEEPCAPS) failed"));
|
|
/* NOTREACHED */
|
|
}
|
|
}
|
|
# endif /* HAVE_LIBCAP */
|
|
#endif /* HAVE_LIBAUDIT */
|
|
|
|
/* Determine if we are running on an SELinux kernel. Set selinux_enabled
|
|
to the result. */
|
|
void
|
|
nscd_selinux_enabled (int *selinux_enabled)
|
|
{
|
|
*selinux_enabled = is_selinux_enabled ();
|
|
if (*selinux_enabled < 0)
|
|
{
|
|
dbg_log (_("Failed to determine if kernel supports SELinux"));
|
|
do_exit (EXIT_FAILURE, 0, NULL);
|
|
}
|
|
}
|
|
|
|
|
|
/* Create thread for AVC netlink notification. */
|
|
static void *
|
|
avc_create_thread (void (*run) (void))
|
|
{
|
|
int rc;
|
|
|
|
rc =
|
|
pthread_create (&avc_notify_thread, NULL, (void *(*) (void *)) run, NULL);
|
|
if (rc != 0)
|
|
do_exit (EXIT_FAILURE, rc, _("Failed to start AVC thread"));
|
|
|
|
return &avc_notify_thread;
|
|
}
|
|
|
|
|
|
/* Stop AVC netlink thread. */
|
|
static void
|
|
avc_stop_thread (void *thread)
|
|
{
|
|
pthread_cancel (*(pthread_t *) thread);
|
|
}
|
|
|
|
|
|
/* Allocate a new AVC lock. */
|
|
static void *
|
|
avc_alloc_lock (void)
|
|
{
|
|
pthread_mutex_t *avc_mutex;
|
|
|
|
avc_mutex = malloc (sizeof (pthread_mutex_t));
|
|
if (avc_mutex == NULL)
|
|
do_exit (EXIT_FAILURE, errno, _("Failed to create AVC lock"));
|
|
pthread_mutex_init (avc_mutex, NULL);
|
|
|
|
return avc_mutex;
|
|
}
|
|
|
|
|
|
/* Acquire an AVC lock. */
|
|
static void
|
|
avc_get_lock (void *lock)
|
|
{
|
|
pthread_mutex_lock (lock);
|
|
}
|
|
|
|
|
|
/* Release an AVC lock. */
|
|
static void
|
|
avc_release_lock (void *lock)
|
|
{
|
|
pthread_mutex_unlock (lock);
|
|
}
|
|
|
|
|
|
/* Free an AVC lock. */
|
|
static void
|
|
avc_free_lock (void *lock)
|
|
{
|
|
pthread_mutex_destroy (lock);
|
|
free (lock);
|
|
}
|
|
|
|
|
|
/* avc_init (along with several other symbols) was marked as deprecated by the
|
|
SELinux API starting from version 3.1. We use it here, but should
|
|
eventually switch to the newer API. */
|
|
DIAG_PUSH_NEEDS_COMMENT
|
|
DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations");
|
|
|
|
/* Initialize the user space access vector cache (AVC) for NSCD along with
|
|
log/thread/lock callbacks. */
|
|
void
|
|
nscd_avc_init (void)
|
|
{
|
|
avc_entry_ref_init (&aeref);
|
|
|
|
if (avc_init ("avc", NULL, &log_cb, &thread_cb, &lock_cb) < 0)
|
|
do_exit (EXIT_FAILURE, errno, _("Failed to start AVC"));
|
|
else
|
|
dbg_log (_("Access Vector Cache (AVC) started"));
|
|
#ifdef HAVE_LIBAUDIT
|
|
audit_init ();
|
|
#endif
|
|
}
|
|
DIAG_POP_NEEDS_COMMENT
|
|
|
|
|
|
/* security_context_t and sidput (along with several other symbols) were marked
|
|
as deprecated by the SELinux API starting from version 3.1. We use them
|
|
here, but should eventually switch to the newer API. */
|
|
DIAG_PUSH_NEEDS_COMMENT
|
|
DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations");
|
|
|
|
/* Check the permission from the caller (via getpeercon) to nscd.
|
|
Returns 0 if access is allowed, 1 if denied, and -1 on error.
|
|
|
|
The SELinux policy, enablement, and permission bits are all dynamic and the
|
|
caching done by glibc is not entirely correct. This nscd support should be
|
|
rewritten to use selinux_check_permission. A rewrite is risky though and
|
|
requires some refactoring. Currently we use symbolic mappings instead of
|
|
compile time constants (which SELinux upstream says are going away), and we
|
|
use security_deny_unknown to determine what to do if selinux-policy* doesn't
|
|
have a definition for the the permission or object class we are looking
|
|
up. */
|
|
int
|
|
nscd_request_avc_has_perm (int fd, request_type req)
|
|
{
|
|
/* Initialize to NULL so we know what to free in case of failure. */
|
|
security_context_t scon = NULL;
|
|
security_context_t tcon = NULL;
|
|
security_id_t ssid = NULL;
|
|
security_id_t tsid = NULL;
|
|
int rc = -1;
|
|
security_class_t sc_nscd;
|
|
access_vector_t perm;
|
|
int avc_deny_unknown;
|
|
|
|
/* Check if SELinux denys or allows unknown object classes
|
|
and permissions. It is 0 if they are allowed, 1 if they
|
|
are not allowed and -1 on error. */
|
|
if ((avc_deny_unknown = security_deny_unknown ()) == -1)
|
|
dbg_log (_("Error querying policy for undefined object classes "
|
|
"or permissions."));
|
|
|
|
/* Get the security class for nscd. If this fails we will likely be
|
|
unable to do anything unless avc_deny_unknown is 0. */
|
|
sc_nscd = string_to_security_class ("nscd");
|
|
if (sc_nscd == 0 && avc_deny_unknown == 1)
|
|
dbg_log (_("Error getting security class for nscd."));
|
|
|
|
/* Convert permission to AVC bits. */
|
|
perm = string_to_av_perm (sc_nscd, perms[req]);
|
|
if (perm == 0 && avc_deny_unknown == 1)
|
|
dbg_log (_("Error translating permission name "
|
|
"\"%s\" to access vector bit."), perms[req]);
|
|
|
|
/* If the nscd security class was not found or perms were not
|
|
found and AVC does not deny unknown values then allow it. */
|
|
if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0)
|
|
return 0;
|
|
|
|
if (getpeercon (fd, &scon) < 0)
|
|
{
|
|
dbg_log (_("Error getting context of socket peer"));
|
|
goto out;
|
|
}
|
|
if (getcon (&tcon) < 0)
|
|
{
|
|
dbg_log (_("Error getting context of nscd"));
|
|
goto out;
|
|
}
|
|
if (avc_context_to_sid (scon, &ssid) < 0
|
|
|| avc_context_to_sid (tcon, &tsid) < 0)
|
|
{
|
|
dbg_log (_("Error getting sid from context"));
|
|
goto out;
|
|
}
|
|
|
|
/* The SELinux API for avc_has_perm conflates access denied and error into
|
|
the return code -1, while nscd_request_avs_has_perm has distinct error
|
|
(-1) and denied (1) return codes. We map the avc_has_perm access denied or
|
|
error into an access denied at the nscd interface level (we do accurately
|
|
report error for the getpeercon, getcon, and avc_context_to_sid interfaces
|
|
used above). */
|
|
rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0;
|
|
|
|
out:
|
|
if (scon)
|
|
freecon (scon);
|
|
if (tcon)
|
|
freecon (tcon);
|
|
if (ssid)
|
|
sidput (ssid);
|
|
if (tsid)
|
|
sidput (tsid);
|
|
|
|
return rc;
|
|
}
|
|
DIAG_POP_NEEDS_COMMENT
|
|
|
|
|
|
/* Wrapper to get AVC statistics. */
|
|
void
|
|
nscd_avc_cache_stats (struct avc_cache_stats *cstats)
|
|
{
|
|
avc_cache_stats (cstats);
|
|
}
|
|
|
|
|
|
/* Print the AVC statistics to stdout. */
|
|
void
|
|
nscd_avc_print_stats (struct avc_cache_stats *cstats)
|
|
{
|
|
printf (_("\nSELinux AVC Statistics:\n\n"
|
|
"%15u entry lookups\n"
|
|
"%15u entry hits\n"
|
|
"%15u entry misses\n"
|
|
"%15u entry discards\n"
|
|
"%15u CAV lookups\n"
|
|
"%15u CAV hits\n"
|
|
"%15u CAV probes\n"
|
|
"%15u CAV misses\n"),
|
|
cstats->entry_lookups, cstats->entry_hits, cstats->entry_misses,
|
|
cstats->entry_discards, cstats->cav_lookups, cstats->cav_hits,
|
|
cstats->cav_probes, cstats->cav_misses);
|
|
}
|
|
|
|
#endif /* HAVE_SELINUX */
|