From 87516b80a5dcbfc4c2a8bb2193037a249c96674f Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Thu, 4 Jan 2007 16:33:43 +0100
Subject: New program: chcon
* gl/modules/selinux-at: New module. Check for libselinux and set LIB_SELINUX here, unconditionally, rather than depending on the configure-time --enable-selinux option. * gl/modules/selinux-h: New module. * bootstrap.conf (gnulib_modules): Add selinux-at. * gl/lib/selinux-at.c, gl/lib/selinux-at.h: New files. * gl/lib/se-selinux_.h: New file. * gl/lib/se-context_.h: New file. * gl/m4/selinux-selinux-h.m4: New file. * gl/m4/selinux-context-h.m4: New file. * src/Makefile.am (bin_PROGRAMS): Add chcon. (chcon_LDADD): Define. * README: Add chcon to the list of programs. * src/chcon.c: Rewrite the original (Red Hat) chcon to use fts.
---
gl/lib/se-context_.h | 31 +++++++++++++++
gl/lib/se-selinux_.h | 54 ++++++++++++++++++++++++++
gl/lib/selinux-at.c | 94 ++++++++++++++++++++++++++++++++++++++++++++++
gl/lib/selinux-at.h | 24 ++++++++++++
gl/m4/selinux-context-h.m4 | 18 +++++++++
gl/m4/selinux-selinux-h.m4 | 18 +++++++++
gl/modules/selinux-at | 32 ++++++++++++++++
gl/modules/selinux-h | 54 ++++++++++++++++++++++++++
8 files changed, 325 insertions(+)
create mode 100644 gl/lib/se-context_.h
create mode 100644 gl/lib/se-selinux_.h
create mode 100644 gl/lib/selinux-at.c
create mode 100644 gl/lib/selinux-at.h
create mode 100644 gl/m4/selinux-context-h.m4
create mode 100644 gl/m4/selinux-selinux-h.m4
create mode 100644 gl/modules/selinux-at
create mode 100644 gl/modules/selinux-h
(limited to 'gl')
diff --git a/gl/lib/se-context_.h b/gl/lib/se-context_.h
new file mode 100644
index 000000000..26e1709f1
--- /dev/null
+++ b/gl/lib/se-context_.h
@@ -0,0 +1,31 @@
+#ifndef SELINUX_CONTEXT_H
+# define SELINUX_CONTEXT_H
+
+# include
+/* Some systems don't have ENOSYS. */
+# ifndef ENOSYS
+# ifdef ENOTSUP
+# define ENOSYS ENOTSUP
+# else
+/* Some systems don't have ENOTSUP either. */
+# define ENOSYS EINVAL
+# endif
+# endif
+
+typedef int context_t;
+static inline context_t context_new (char const *s)
+ { errno = ENOTSUP; return 0; }
+static inline char *context_str (context_t con)
+ { errno = ENOTSUP; return (void *) 0; }
+static inline void context_free (context_t c) {}
+
+static inline int context_user_set (context_t sc, char const *s)
+ { errno = ENOTSUP; return -1; }
+static inline int context_role_set (context_t sc, char const *s)
+ { errno = ENOTSUP; return -1; }
+static inline int context_range_set (context_t sc, char const *s)
+ { errno = ENOTSUP; return -1; }
+static inline int context_type_set (context_t sc, char const *s)
+ { errno = ENOTSUP; return -1; }
+
+#endif
diff --git a/gl/lib/se-selinux_.h b/gl/lib/se-selinux_.h
new file mode 100644
index 000000000..b08c7eee4
--- /dev/null
+++ b/gl/lib/se-selinux_.h
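Review bot: Every stub in gl/lib/se-context_.h sets `errno = ENOTSUP`, yet the preamble only makes sure ENOSYS is defined and its own comment says some systems have no ENOTSUP, so on such a system the header would not compile. Either have the stubs use the macro the preamble guarantees, `{ errno = ENOSYS; return -1; }`, or give ENOTSUP its own fallback (`# ifndef ENOTSUP` / `# define ENOTSUP EINVAL` / `# endif`) and drop the ENOSYS block, which nothing in the header uses. The stubs in gl/lib/se-selinux_.h have the same mismatch.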
@@ -0,0 +1,54 @@
+#ifndef SELINUX_SELINUX_H
+# define SELINUX_SELINUX_H
+
+# include
+# include
+/* Some systems don't have ENOSYS. */
+# ifndef ENOSYS
+# ifdef ENOTSUP
+# define ENOSYS ENOTSUP
+# else
+/* Some systems don't have ENOTSUP either. */
+# define ENOSYS EINVAL
+# endif
+# endif
+
+typedef unsigned short security_class_t;
+# define security_context_t char*
+# define is_selinux_enabled() 0
+
+static inline int getcon (security_context_t *con) { errno = ENOTSUP; return -1; }
+static inline void freecon (security_context_t con) {}
+
+
+static inline int getfscreatecon (security_context_t *con)
+ { errno = ENOTSUP; return -1; }
+static inline int setfscreatecon (security_context_t con)
+ { errno = ENOTSUP; return -1; }
+static inline int matchpathcon (char const *s, mode_t m,
+ security_context_t *con)
+ { errno = ENOTSUP; return -1; }
+
+static inline int getfilecon (char const *s, security_context_t *con)
+ { errno = ENOTSUP; return -1; }
+static inline int lgetfilecon (char const *s, security_context_t *con)
+ { errno = ENOTSUP; return -1; }
+static inline int setfilecon (char const *s, security_context_t con)
+ { errno = ENOTSUP; return -1; }
+static inline int lsetfilecon (char const *s, security_context_t con)
+ { errno = ENOTSUP; return -1; }
+static inline int fsetfilecon (int fd, security_context_t con)
+ { errno = ENOTSUP; return -1; }
+
+static inline int security_check_context (security_context_t con)
+ { errno = ENOTSUP; return -1; }
+static inline int security_check_context_raw (security_context_t con)
+ { errno = ENOTSUP; return -1; }
+static inline int setexeccon (security_context_t con)
+ { errno = ENOTSUP; return -1; }
+static inline int security_compute_create (security_context_t scon,
+ security_context_t tcon,
+ security_class_t tclass,
+ security_context_t *newcon)
+ { errno = ENOTSUP; return -1; }
+#endif
diff --git a/gl/lib/selinux-at.c b/gl/lib/selinux-at.c
new file mode 100644
index 000000000..ebc41ee7a
--- /dev/null
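Review bot: `# define security_context_t char*` in gl/lib/se-selinux_.h should be a typedef, `typedef char *security_context_t;`, next to the `security_class_t` typedef just above it. As a macro it makes `security_context_t a, b;` declare `b` as a plain `char`, and it textually replaces the name in every file that includes the stub header. A short comment above the stubs would also help, for example `/* Stubs for systems without libselinux: each call fails with -1 and leaves *con untouched. */`, since callers that later pass the pointer to a cleanup path need to know it was never written.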
+++ b/gl/lib/selinux-at.c 
@@ -0,0 +1,94 @@
+/* openat-style fd-relative functions for SE Linux
+ Copyright (C) 2007 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
+
+/* written by Jim Meyering */
+
+#ifdef HAVE_CONFIG_H
+# include
+#endif
+
+#include "selinux-at.h"
+#include "openat.h"
+
+#include
+#include
+#include
+#include
+
+#include "dirname.h" /* solely for definition of IS_ABSOLUTE_FILE_NAME */
+#include "save-cwd.h"
+
+#include "gettext.h"
+#define _(msgid) gettext (msgid)
+
+#include "openat-priv.h"
+
+#define AT_FUNC_NAME getfileconat
+#define AT_FUNC_F1 getfilecon
+#define AT_FUNC_F2 getfilecon
+#define AT_FUNC_USE_F1_COND 1
+#define AT_FUNC_POST_FILE_PARAM_DECLS , security_context_t *con
+#define AT_FUNC_POST_FILE_ARGS , con
+#include "at-func.c"
+#undef AT_FUNC_NAME
+#undef AT_FUNC_F1
+#undef AT_FUNC_F2
+#undef AT_FUNC_USE_F1_COND
+#undef AT_FUNC_POST_FILE_PARAM_DECLS
+#undef AT_FUNC_POST_FILE_ARGS
+
+#define AT_FUNC_NAME lgetfileconat
+#define AT_FUNC_F1 lgetfilecon
+#define AT_FUNC_F2 lgetfilecon
+#define AT_FUNC_USE_F1_COND 1
+#define AT_FUNC_POST_FILE_PARAM_DECLS , security_context_t *con
+#define AT_FUNC_POST_FILE_ARGS , con
+#include "at-func.c"
+#undef AT_FUNC_NAME
+#undef AT_FUNC_F1
+#undef AT_FUNC_F2
+#undef AT_FUNC_USE_F1_COND
+#undef AT_FUNC_POST_FILE_PARAM_DECLS
+#undef AT_FUNC_POST_FILE_ARGS
+
+#define AT_FUNC_NAME setfileconat
+#define AT_FUNC_F1 setfilecon
+#define AT_FUNC_F2 setfilecon
+#define AT_FUNC_USE_F1_COND 1
+#define AT_FUNC_POST_FILE_PARAM_DECLS , security_context_t con
+#define AT_FUNC_POST_FILE_ARGS , con
+#include "at-func.c"
+#undef AT_FUNC_NAME
+#undef AT_FUNC_F1
+#undef AT_FUNC_F2
+#undef AT_FUNC_USE_F1_COND
+#undef AT_FUNC_POST_FILE_PARAM_DECLS
+#undef AT_FUNC_POST_FILE_ARGS
+
+#define AT_FUNC_NAME lsetfileconat
+#define AT_FUNC_F1 lsetfilecon
+#define AT_FUNC_F2 lsetfilecon
+#define AT_FUNC_USE_F1_COND 1
+#define AT_FUNC_POST_FILE_PARAM_DECLS , security_context_t con
+#define AT_FUNC_POST_FILE_ARGS , con
+#include "at-func.c"
+#undef AT_FUNC_NAME
+#undef AT_FUNC_F1
+#undef AT_FUNC_F2
+#undef AT_FUNC_USE_F1_COND
+#undef AT_FUNC_POST_FILE_PARAM_DECLS
+#undef AT_FUNC_POST_FILE_ARGS
diff --git a/gl/lib/selinux-at.h b/gl/lib/selinux-at.h
new file mode 100644
index 000000000..f12022c51
--- /dev/null
+++ b/gl/lib/selinux-at.h
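Review bot: None of the four instantiations in gl/lib/selinux-at.c says what the generated function does or how it resolves `file` relative to `fd`; all of that logic comes from at-func.c, which is not part of this patch. The includes of save-cwd.h and openat-priv.h suggest the generated code may fall back to temporarily changing the working directory. If that is the case, it should be stated above the first block, e.g. `/* May save, change and restore the working directory; not safe while other threads depend on the cwd. */`. A one-line comment per block would help as well, such as `/* Like setfilecon, but FILE is resolved relative to directory FD. */`, with the `l` variants noting that they act on a symlink itself rather than its target.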
@@ -0,0 +1,24 @@
+/* Prototypes for openat-style fd-relative SELinux functions
+ Copyright (C) 2007 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
+
+#include
+#include
+
+int getfileconat (int fd, char const *file, security_context_t *con);
+int lgetfileconat (int fd, char const *file, security_context_t *con);
+int setfileconat (int fd, char const *file, security_context_t con);
+int lsetfileconat (int fd, char const *file, security_context_t con);
diff --git a/gl/m4/selinux-context-h.m4 b/gl/m4/selinux-context-h.m4
new file mode 100644
index 000000000..4011dde2a
--- /dev/null
+++ b/gl/m4/selinux-context-h.m4
@@ -0,0 +1,18 @@
+# serial 1 -*- Autoconf -*-
+# Copyright (C) 2006 Free Software Foundation, Inc.
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# From Jim Meyering
+# Provide , if necessary.
+
+AC_DEFUN([gl_HEADERS_SELINUX_CONTEXT_H],
+[
+ AC_LIBSOURCES([se-context_.h])
+ # Check for ,
+ AC_CHECK_HEADERS([selinux/context.h],
+ [SELINUX_CONTEXT_H=],
+ [SELINUX_CONTEXT_H=selinux/context.h])
+ AC_SUBST([SELINUX_CONTEXT_H])
+])
diff --git a/gl/m4/selinux-selinux-h.m4 b/gl/m4/selinux-selinux-h.m4
new file mode 100644
index 000000000..13ce2ac9a
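Review bot: The four prototypes in gl/lib/selinux-at.h carry no contract, and the header has no include guard. Each declaration should say that `file` is resolved relative to the directory open on `fd`, that the call returns -1 with errno set on failure, and that a context stored in `*con` by the get variants must be released with `freecon`. It is also worth stating that `setfileconat` follows a symlink in the final component while `lsetfileconat` labels the link itself, because a recursive relabel of a tree that other users can write to should use the `l` form to avoid relabelling files outside the tree. For the guard, wrap the declarations in `#ifndef SELINUX_AT_H` / `# define SELINUX_AT_H` and a closing `#endif`.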
--- /dev/null
+++ b/gl/m4/selinux-selinux-h.m4
@@ -0,0 +1,18 @@
+# serial 1 -*- Autoconf -*-
+# Copyright (C) 2006 Free Software Foundation, Inc.
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# From Jim Meyering
+# Provide , if necessary.
+
+AC_DEFUN([gl_HEADERS_SELINUX_SELINUX_H],
+[
+ AC_LIBSOURCES([se-selinux_.h])
+ # Check for ,
+ AC_CHECK_HEADERS([selinux/selinux.h],
+ [SELINUX_SELINUX_H=],
+ [SELINUX_SELINUX_H=selinux/selinux.h])
+ AC_SUBST([SELINUX_SELINUX_H])
+])
diff --git a/gl/modules/selinux-at b/gl/modules/selinux-at
new file mode 100644
index 000000000..759908397
--- /dev/null
+++ b/gl/modules/selinux-at
@@ -0,0 +1,32 @@
+Description:
+openat-style fd-relative functions for SE Linux
+
+Files:
+lib/selinux-at.c
+lib/selinux-at.h
+
+Depends-on:
+selinux-h
+
+configure.ac:
+# FIXME: put this in an .m4 file?
+# For runcon.
+AC_CHECK_HEADERS([selinux/flask.h])
+AC_LIBOBJ([selinux-at])
+ac_save_LIBS="$LIBS"
+ AC_SEARCH_LIBS(setfilecon, selinux,
+ [test "$ac_cv_search_setfilecon" = "none required" ||
+ LIB_SELINUX=$ac_cv_search_setfilecon])
+ AC_SUBST(LIB_SELINUX)
+LIBS="$ac_save_LIBS"
+
+Makefile.am:
+
+Include:
+selinux-at.h
+
+License:
+LGPL
+
+Maintainer:
+Jim Meyering
diff --git a/gl/modules/selinux-h b/gl/modules/selinux-h
new file mode 100644
index 000000000..915b9d276
--- /dev/null
+++ b/gl/modules/selinux-h
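Review bot: The library probe in the `configure.ac:` section of gl/modules/selinux-at runs independently of the header probe that the selinux-h module uses to choose between the real headers and the stub ones, so the two results can disagree. If selinux/selinux.h is found but `AC_SEARCH_LIBS` finds no library providing setfilecon, LIB_SELINUX stays empty and programs calling these functions would presumably fail at link time instead of at configure time. Consider reporting that combination explicitly, and quote the macro arguments while touching the snippet: `AC_SEARCH_LIBS([setfilecon], [selinux], ...)` and `AC_SUBST([LIB_SELINUX])`.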
@@ -0,0 +1,54 @@
+Description:
+SELinux-related headers for systems that lack them.
+
+Files:
+lib/se-context_.h
+lib/se-selinux_.h
+m4/selinux-context-h.m4
+m4/selinux-selinux-h.m4
+
+Depends-on:
+
+configure.ac:
+gl_HEADERS_SELINUX_SELINUX_H
+gl_HEADERS_SELINUX_CONTEXT_H
+
+Makefile.am:
+BUILT_SOURCES += $(SELINUX_SELINUX_H)
+selinux/selinux.h: se-selinux_.h
+ mkdir -p selinux
+ cp $(srcdir)/se-selinux_.h $@-t
+ chmod a-x $@-t
+ mv $@-t $@
+MOSTLYCLEANFILES += selinux/selinux.h selinux/selinux.h-t
+
+BUILT_SOURCES += $(SELINUX_CONTEXT_H)
+selinux/context.h: se-context_.h
+ mkdir -p selinux
+ cp $(srcdir)/se-context_.h $@-t
+ chmod a-x $@-t
+ mv $@-t $@
+MOSTLYCLEANFILES += selinux/context.h selinux/context.h-t
+MOSTLYCLEANDIRS += selinux
+
+Include:
+#include
+#include
+
+License:
+LGPL
+
+Maintainer:
+Jim Meyering
+
+# lib/selinux-at.c
+#
+# # For runcon.
+# AC_CHECK_HEADERS([selinux/flask.h])
+#
+# ac_save_LIBS="$LIBS"
+# AC_SEARCH_LIBS(setfilecon, selinux,
+# [test "$ac_cv_search_setfilecon" = "none required" ||
+# LIB_SELINUX=$ac_cv_search_setfilecon])
+# AC_SUBST(LIB_SELINUX)
+# LIBS="$ac_save_LIBS"
-- 
cgit v1.2.3-54-g00ecf
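Review bot: The commented-out block at the end of gl/modules/selinux-h, from `# lib/selinux-at.c` to `# LIBS="$ac_save_LIBS"`, repeats the configure.ac snippet that this same commit places in gl/modules/selinux-at. Keeping a dead copy invites the two drifting apart and leaves readers unsure which module owns the libselinux link check. Drop the block, or replace it with one line such as `# The libselinux link check lives in the selinux-at module.`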