Re: [patch] selinux: export initial SID contexts via selinuxfs (v2)

[KaiGai Kohei <kaigai@ak.jp.nec.com>]

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]

James Carter wrote:
> Make the initial SID contexts accessible to userspace via selinuxfs.
> An initial use of this support will be to make the unlabeled context
> available to libselinux for use for invalidated userspace SIDs.
> 
> This version fixes the problem with the for loop that Steve pointed out,
> and changes the flow of security_get_initial_sid_context so that the if
> clause checks for the error condition and uses unlikely().
> 
> Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>

The attached patch enables to access /selinux/initial_contexts/*
entries via libselinux.
It add the following two functions:
  int getinitsidcon(int init_sid, security_context_t * con);
  int getinitsidcon_raw(int init_sid, security_context_t * con);

You have to specify init_sid with one of SECINITSID_* in selinux/flask.h

Thanks,
-- 
Open Source Software Promotion Center, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: getinitsidcon.patch --]
[-- Type: text/x-patch, Size: 4000 bytes --]

Index: libselinux/include/selinux/selinux.h
===================================================================
--- libselinux/include/selinux/selinux.h	(revision 2324)
+++ libselinux/include/selinux/selinux.h	(working copy)
@@ -119,6 +119,11 @@
 	extern int getpeercon(int fd, security_context_t * con);
 	extern int getpeercon_raw(int fd, security_context_t * con);
 
+/* Get context of initial SID, and set *con to refer to it.
+   Caller must free via freecon. */
+	extern int getinitsidcon(int init_sid, security_context_t * con);
+	extern int getinitsidcon_raw(int init_sid, security_context_t * con);
+
 /* Wrappers for the selinuxfs (policy) API. */
 
 	typedef unsigned int access_vector_t;
Index: libselinux/src/initial_sid_to_string.h
===================================================================
--- libselinux/src/initial_sid_to_string.h	(revision 0)
+++ libselinux/src/initial_sid_to_string.h	(revision 0)
@@ -0,0 +1,33 @@
+/* This file is automatically generated.  Do not edit. */
+static char *initial_sid_to_string[] =
+{
+    "null",
+    "kernel",
+    "security",
+    "unlabeled",
+    "fs",
+    "file",
+    "file_labels",
+    "init",
+    "any_socket",
+    "port",
+    "netif",
+    "netmsg",
+    "node",
+    "igmp_packet",
+    "icmp_socket",
+    "tcp_socket",
+    "sysctl_modprobe",
+    "sysctl",
+    "sysctl_fs",
+    "sysctl_kernel",
+    "sysctl_net",
+    "sysctl_net_unix",
+    "sysctl_vm",
+    "sysctl_dev",
+    "kmod",
+    "policy",
+    "scmp_packet",
+    "devnull",
+};
+
Index: libselinux/src/getinitsidcon.c
===================================================================
--- libselinux/src/getinitsidcon.c	(revision 0)
+++ libselinux/src/getinitsidcon.c	(revision 0)
@@ -0,0 +1,62 @@
+#include <unistd.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <selinux/flask.h>
+#include <limits.h>
+#include "selinux_internal.h"
+#include "policy.h"
+#include "initial_sid_to_string.h"
+
+int getinitsidcon_raw(int init_sid, security_context_t * con)
+{
+	security_context_t initcon;
+	char path[PATH_MAX];
+	int fd, n;
+
+	if (init_sid < 1 || init_sid > SECINITSID_NUM) {
+		errno = EINVAL;
+		return -1;
+	}
+
+	if (!selinux_mnt) {
+		errno = ENOENT;
+		return -1;
+	}
+
+	snprintf(path, sizeof(path), "%s/initial_contexts/%s",
+		 selinux_mnt, initial_sid_to_string[init_sid]);
+	fd = open(path, O_RDONLY);
+	if (fd < 0)
+		return -1;
+
+	n = read(fd, path, sizeof(path));
+	close(fd);
+	if (n < 0)
+		return -1;
+
+	initcon = strdup(path);
+	if (!initcon)
+		return -1;
+
+	*con = initcon;
+
+	return 0;
+}
+
+int getinitsidcon(int init_sid, security_context_t * con)
+{
+	int rc;
+	security_context_t rcontext;
+
+	rc = getinitsidcon_raw(init_sid, &rcontext);
+
+	if (!rc) {
+		rc = selinux_raw_to_trans_context(rcontext, con);
+		freecon(rcontext);
+	}
+
+	return rc;
+}
Index: libselinux/man/man3/getcon.3
===================================================================
--- libselinux/man/man3/getcon.3	(revision 2324)
+++ libselinux/man/man3/getcon.3	(working copy)
@@ -16,6 +16,8 @@
 .br
 .BI "int getpeercon(int " fd ", security_context_t *" context);
 .br
+.BI "int getinitsidcon(int " init_sid ", security_context_t *" context);
+.br
 .BI "int setcon(security_context_t " context);
 
 .SH "DESCRIPTION"
@@ -32,6 +34,9 @@
 .B getpeercon
 retrieves context of peer socket, and set *context to refer to it, which must be free'd with freecon.
 
+.B getinitsidcon
+retrieves context of initial SID, and set *context to refer to it, which must be free'd with freecon.
+
 .B setcon
 sets the current security context of the process to a new value.  Note
 that use of this function requires that the entire application be
Index: libselinux/man/man3/getinitsidcon.3
===================================================================
--- libselinux/man/man3/getinitsidcon.3	(revision 0)
+++ libselinux/man/man3/getinitsidcon.3	(revision 0)
@@ -0,0 +1 @@
+.so man3/getcon.3