Annotation of /trunk/mkinitrd-magellan/busybox/selinux/runcon.c
Parent Directory
| 
Revision Log
Revision 984 -
(hide annotations)
(download)
Sun May 30 11:32:42 2010 UTC (14 years ago) by niro
File MIME type: text/plain
File size: 4131 byte(s)
Sun May 30 11:32:42 2010 UTC (14 years ago) by niro
File MIME type: text/plain
File size: 4131 byte(s)
-updated to busybox-1.16.1 and enabled blkid/uuid support in default config
| 1 | niro | 816 | /* |
| 2 | * runcon [ context | | ||
| 3 | * ( [ -c ] [ -r role ] [-t type] [ -u user ] [ -l levelrange ] ) | ||
| 4 | * command [arg1 [arg2 ...] ] | ||
| 5 | * | ||
| 6 | * attempt to run the specified command with the specified context. | ||
| 7 | * | ||
| 8 | * -r role : use the current context with the specified role | ||
| 9 | * -t type : use the current context with the specified type | ||
| 10 | * -u user : use the current context with the specified user | ||
| 11 | * -l level : use the current context with the specified level range | ||
| 12 | * -c : compute process transition context before modifying | ||
| 13 | * | ||
| 14 | * Contexts are interpreted as follows: | ||
| 15 | * | ||
| 16 | * Number of MLS | ||
| 17 | * components system? | ||
| 18 | * | ||
| 19 | * 1 - type | ||
| 20 | * 2 - role:type | ||
| 21 | * 3 Y role:type:range | ||
| 22 | * 3 N user:role:type | ||
| 23 | * 4 Y user:role:type:range | ||
| 24 | * 4 N error | ||
| 25 | * | ||
| 26 | * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp> | ||
| 27 | * - based on coreutils-5.97 (in Fedora Core 6) | ||
| 28 | niro | 984 | * |
| 29 | * Licensed under GPLv2, see file LICENSE in this tarball for details. | ||
| 30 | niro | 816 | */ |
| 31 | #include <getopt.h> | ||
| 32 | #include <selinux/context.h> | ||
| 33 | #include <selinux/flask.h> | ||
| 34 | |||
| 35 | #include "libbb.h" | ||
| 36 | |||
| 37 | static context_t runcon_compute_new_context(char *user, char *role, char *type, char *range, | ||
| 38 | char *command, int compute_trans) | ||
| 39 | { | ||
| 40 | context_t con; | ||
| 41 | security_context_t cur_context; | ||
| 42 | |||
| 43 | if (getcon(&cur_context)) | ||
| 44 | niro | 984 | bb_error_msg_and_die("can't get current context"); |
| 45 | niro | 816 | |
| 46 | if (compute_trans) { | ||
| 47 | security_context_t file_context, new_context; | ||
| 48 | |||
| 49 | if (getfilecon(command, &file_context) < 0) | ||
| 50 | niro | 984 | bb_error_msg_and_die("can't retrieve attributes of '%s'", |
| 51 | niro | 816 | command); |
| 52 | if (security_compute_create(cur_context, file_context, | ||
| 53 | SECCLASS_PROCESS, &new_context)) | ||
| 54 | bb_error_msg_and_die("unable to compute a new context"); | ||
| 55 | cur_context = new_context; | ||
| 56 | } | ||
| 57 | |||
| 58 | con = context_new(cur_context); | ||
| 59 | if (!con) | ||
| 60 | bb_error_msg_and_die("'%s' is not a valid context", cur_context); | ||
| 61 | if (user && context_user_set(con, user)) | ||
| 62 | bb_error_msg_and_die("failed to set new user '%s'", user); | ||
| 63 | if (type && context_type_set(con, type)) | ||
| 64 | bb_error_msg_and_die("failed to set new type '%s'", type); | ||
| 65 | if (range && context_range_set(con, range)) | ||
| 66 | bb_error_msg_and_die("failed to set new range '%s'", range); | ||
| 67 | if (role && context_role_set(con, role)) | ||
| 68 | bb_error_msg_and_die("failed to set new role '%s'", role); | ||
| 69 | |||
| 70 | return con; | ||
| 71 | } | ||
| 72 | |||
| 73 | #if ENABLE_FEATURE_RUNCON_LONG_OPTIONS | ||
| 74 | static const char runcon_longopts[] ALIGN1 = | ||
| 75 | "user\0" Required_argument "u" | ||
| 76 | "role\0" Required_argument "r" | ||
| 77 | "type\0" Required_argument "t" | ||
| 78 | "range\0" Required_argument "l" | ||
| 79 | "compute\0" No_argument "c" | ||
| 80 | "help\0" No_argument "h" | ||
| 81 | ; | ||
| 82 | #endif | ||
| 83 | |||
| 84 | #define OPTS_ROLE (1<<0) /* r */ | ||
| 85 | #define OPTS_TYPE (1<<1) /* t */ | ||
| 86 | #define OPTS_USER (1<<2) /* u */ | ||
| 87 | #define OPTS_RANGE (1<<3) /* l */ | ||
| 88 | #define OPTS_COMPUTE (1<<4) /* c */ | ||
| 89 | #define OPTS_HELP (1<<5) /* h */ | ||
| 90 | #define OPTS_CONTEXT_COMPONENT (OPTS_ROLE | OPTS_TYPE | OPTS_USER | OPTS_RANGE) | ||
| 91 | |||
| 92 | int runcon_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; | ||
| 93 | int runcon_main(int argc UNUSED_PARAM, char **argv) | ||
| 94 | { | ||
| 95 | char *role = NULL; | ||
| 96 | char *range = NULL; | ||
| 97 | char *user = NULL; | ||
| 98 | char *type = NULL; | ||
| 99 | char *context = NULL; | ||
| 100 | unsigned opts; | ||
| 101 | context_t con; | ||
| 102 | |||
| 103 | selinux_or_die(); | ||
| 104 | |||
| 105 | #if ENABLE_FEATURE_RUNCON_LONG_OPTIONS | ||
| 106 | applet_long_options = runcon_longopts; | ||
| 107 | #endif | ||
| 108 | opt_complementary = "-1"; | ||
| 109 | opts = getopt32(argv, "r:t:u:l:ch", &role, &type, &user, &range); | ||
| 110 | argv += optind; | ||
| 111 | |||
| 112 | if (!(opts & OPTS_CONTEXT_COMPONENT)) { | ||
| 113 | context = *argv++; | ||
| 114 | if (!argv[0]) | ||
| 115 | bb_error_msg_and_die("no command given"); | ||
| 116 | } | ||
| 117 | |||
| 118 | if (context) { | ||
| 119 | con = context_new(context); | ||
| 120 | if (!con) | ||
| 121 | bb_error_msg_and_die("'%s' is not a valid context", context); | ||
| 122 | } else { | ||
| 123 | con = runcon_compute_new_context(user, role, type, range, | ||
| 124 | argv[0], opts & OPTS_COMPUTE); | ||
| 125 | } | ||
| 126 | |||
| 127 | if (security_check_context(context_str(con))) | ||
| 128 | bb_error_msg_and_die("'%s' is not a valid context", | ||
| 129 | context_str(con)); | ||
| 130 | |||
| 131 | if (setexeccon(context_str(con))) | ||
| 132 | niro | 984 | bb_error_msg_and_die("can't set up security context '%s'", |
| 133 | niro | 816 | context_str(con)); |
| 134 | |||
| 135 | execvp(argv[0], argv); | ||
| 136 | |||
| 137 | niro | 984 | bb_perror_msg_and_die("can't execute '%s'", argv[0]); |
| 138 | niro | 816 | } |