blob: f8ca9a6aa277f0becb67f7f3ffbab0c91e017441 [file] [log] [blame]
Denis Vlasenko1203c9b2007-03-11 22:16:02 +00001/*
2 * runcon [ context |
3 * ( [ -c ] [ -r role ] [-t type] [ -u user ] [ -l levelrange ] )
4 * command [arg1 [arg2 ...] ]
5 *
6 * attempt to run the specified command with the specified context.
7 *
8 * -r role : use the current context with the specified role
9 * -t type : use the current context with the specified type
10 * -u user : use the current context with the specified user
11 * -l level : use the current context with the specified level range
12 * -c : compute process transition context before modifying
13 *
14 * Contexts are interpreted as follows:
15 *
16 * Number of MLS
17 * components system?
18 *
19 * 1 - type
20 * 2 - role:type
21 * 3 Y role:type:range
22 * 3 N user:role:type
23 * 4 Y user:role:type:range
24 * 4 N error
25 *
26 * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
27 * - based on coreutils-5.97 (in Fedora Core 6)
Denis Vlasenkodb12d1d2008-12-07 00:52:58 +000028 *
29 * Licensed under GPLv2, see file LICENSE in this tarball for details.
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000030 */
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000031#include <getopt.h>
32#include <selinux/context.h>
33#include <selinux/flask.h>
34
Denis Vlasenkob6adbf12007-05-26 19:00:18 +000035#include "libbb.h"
36
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000037static context_t runcon_compute_new_context(char *user, char *role, char *type, char *range,
38 char *command, int compute_trans)
39{
40 context_t con;
41 security_context_t cur_context;
42
43 if (getcon(&cur_context))
Denys Vlasenko6331cf02009-11-13 09:08:27 +010044 bb_error_msg_and_die("can't get current context");
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000045
46 if (compute_trans) {
47 security_context_t file_context, new_context;
48
49 if (getfilecon(command, &file_context) < 0)
Denys Vlasenko6331cf02009-11-13 09:08:27 +010050 bb_error_msg_and_die("can't retrieve attributes of '%s'",
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000051 command);
52 if (security_compute_create(cur_context, file_context,
53 SECCLASS_PROCESS, &new_context))
54 bb_error_msg_and_die("unable to compute a new context");
55 cur_context = new_context;
56 }
57
58 con = context_new(cur_context);
59 if (!con)
60 bb_error_msg_and_die("'%s' is not a valid context", cur_context);
61 if (user && context_user_set(con, user))
Denys Vlasenko651a2692010-03-23 16:25:17 +010062 bb_error_msg_and_die("can't set new user '%s'", user);
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000063 if (type && context_type_set(con, type))
Denys Vlasenko651a2692010-03-23 16:25:17 +010064 bb_error_msg_and_die("can't set new type '%s'", type);
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000065 if (range && context_range_set(con, range))
Denys Vlasenko651a2692010-03-23 16:25:17 +010066 bb_error_msg_and_die("can't set new range '%s'", range);
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000067 if (role && context_role_set(con, role))
Denys Vlasenko651a2692010-03-23 16:25:17 +010068 bb_error_msg_and_die("can't set new role '%s'", role);
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000069
70 return con;
71}
72
73#if ENABLE_FEATURE_RUNCON_LONG_OPTIONS
Denis Vlasenko6ca409e2007-08-12 20:58:27 +000074static const char runcon_longopts[] ALIGN1 =
Denis Vlasenkobdc88fd2007-07-23 17:14:14 +000075 "user\0" Required_argument "u"
76 "role\0" Required_argument "r"
77 "type\0" Required_argument "t"
78 "range\0" Required_argument "l"
79 "compute\0" No_argument "c"
Denis Vlasenko319f8eb2007-08-13 11:09:30 +000080 "help\0" No_argument "h"
Denis Vlasenko990d0f62007-07-24 15:54:42 +000081 ;
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000082#endif
83
84#define OPTS_ROLE (1<<0) /* r */
85#define OPTS_TYPE (1<<1) /* t */
86#define OPTS_USER (1<<2) /* u */
87#define OPTS_RANGE (1<<3) /* l */
88#define OPTS_COMPUTE (1<<4) /* c */
89#define OPTS_HELP (1<<5) /* h */
90#define OPTS_CONTEXT_COMPONENT (OPTS_ROLE | OPTS_TYPE | OPTS_USER | OPTS_RANGE)
91
Denis Vlasenko9b49a5e2007-10-11 10:05:36 +000092int runcon_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
Denis Vlasenkoa60f84e2008-07-05 09:18:54 +000093int runcon_main(int argc UNUSED_PARAM, char **argv)
Denis Vlasenko1203c9b2007-03-11 22:16:02 +000094{
95 char *role = NULL;
96 char *range = NULL;
97 char *user = NULL;
98 char *type = NULL;
99 char *context = NULL;
100 unsigned opts;
101 context_t con;
102
103 selinux_or_die();
104
105#if ENABLE_FEATURE_RUNCON_LONG_OPTIONS
Denis Vlasenko6ca409e2007-08-12 20:58:27 +0000106 applet_long_options = runcon_longopts;
Denis Vlasenko1203c9b2007-03-11 22:16:02 +0000107#endif
108 opt_complementary = "-1";
Denis Vlasenkofe7cd642007-08-18 15:32:12 +0000109 opts = getopt32(argv, "r:t:u:l:ch", &role, &type, &user, &range);
Denis Vlasenko1203c9b2007-03-11 22:16:02 +0000110 argv += optind;
111
112 if (!(opts & OPTS_CONTEXT_COMPONENT)) {
113 context = *argv++;
114 if (!argv[0])
Denis Vlasenkoff131b92007-04-10 15:42:06 +0000115 bb_error_msg_and_die("no command given");
Denis Vlasenko1203c9b2007-03-11 22:16:02 +0000116 }
117
118 if (context) {
119 con = context_new(context);
120 if (!con)
121 bb_error_msg_and_die("'%s' is not a valid context", context);
122 } else {
123 con = runcon_compute_new_context(user, role, type, range,
124 argv[0], opts & OPTS_COMPUTE);
125 }
126
127 if (security_check_context(context_str(con)))
128 bb_error_msg_and_die("'%s' is not a valid context",
129 context_str(con));
130
131 if (setexeccon(context_str(con)))
Denis Vlasenkof9d4fc32009-04-21 20:40:51 +0000132 bb_error_msg_and_die("can't set up security context '%s'",
Denis Vlasenko1203c9b2007-03-11 22:16:02 +0000133 context_str(con));
134
135 execvp(argv[0], argv);
Denis Vlasenkof9d4fc32009-04-21 20:40:51 +0000136 bb_perror_msg_and_die("can't execute '%s'", argv[0]);
Denis Vlasenko1203c9b2007-03-11 22:16:02 +0000137}