Denis Vlasenko | 1203c9b | 2007-03-11 22:16:02 +0000 | [diff] [blame] | 1 | /* |
| 2 | * runcon [ context | |
| 3 | * ( [ -c ] [ -r role ] [-t type] [ -u user ] [ -l levelrange ] ) |
| 4 | * command [arg1 [arg2 ...] ] |
| 5 | * |
| 6 | * attempt to run the specified command with the specified context. |
| 7 | * |
| 8 | * -r role : use the current context with the specified role |
| 9 | * -t type : use the current context with the specified type |
| 10 | * -u user : use the current context with the specified user |
| 11 | * -l level : use the current context with the specified level range |
| 12 | * -c : compute process transition context before modifying |
| 13 | * |
| 14 | * Contexts are interpreted as follows: |
| 15 | * |
| 16 | * Number of MLS |
| 17 | * components system? |
| 18 | * |
| 19 | * 1 - type |
| 20 | * 2 - role:type |
| 21 | * 3 Y role:type:range |
| 22 | * 3 N user:role:type |
| 23 | * 4 Y user:role:type:range |
| 24 | * 4 N error |
| 25 | * |
| 26 | * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp> |
| 27 | * - based on coreutils-5.97 (in Fedora Core 6) |
Denis Vlasenko | db12d1d | 2008-12-07 00:52:58 +0000 | [diff] [blame] | 28 | * |
Denys Vlasenko | 0ef64bd | 2010-08-16 20:14:46 +0200 | [diff] [blame] | 29 | * Licensed under GPLv2, see file LICENSE in this source tree. |
Denis Vlasenko | 1203c9b | 2007-03-11 22:16:02 +0000 | [diff] [blame] | 30 | */ |
Pere Orga | 5bc8c00 | 2011-04-11 03:29:49 +0200 | [diff] [blame] | 31 | |
| 32 | //usage:#define runcon_trivial_usage |
| 33 | //usage: "[-c] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] PROG ARGS\n" |
| 34 | //usage: "runcon CONTEXT PROG ARGS" |
| 35 | //usage:#define runcon_full_usage "\n\n" |
| 36 | //usage: "Run PROG in a different security context\n" |
| 37 | //usage: "\n CONTEXT Complete security context\n" |
| 38 | //usage: IF_FEATURE_RUNCON_LONG_OPTIONS( |
| 39 | //usage: "\n -c,--compute Compute process transition context before modifying" |
| 40 | //usage: "\n -t,--type=TYPE Type (for same role as parent)" |
| 41 | //usage: "\n -u,--user=USER User identity" |
| 42 | //usage: "\n -r,--role=ROLE Role" |
| 43 | //usage: "\n -l,--range=RNG Levelrange" |
| 44 | //usage: ) |
| 45 | //usage: IF_NOT_FEATURE_RUNCON_LONG_OPTIONS( |
| 46 | //usage: "\n -c Compute process transition context before modifying" |
| 47 | //usage: "\n -t TYPE Type (for same role as parent)" |
| 48 | //usage: "\n -u USER User identity" |
| 49 | //usage: "\n -r ROLE Role" |
| 50 | //usage: "\n -l RNG Levelrange" |
| 51 | //usage: ) |
| 52 | |
Denis Vlasenko | 1203c9b | 2007-03-11 22:16:02 +0000 | [diff] [blame] | 53 | #include <selinux/context.h> |
| 54 | #include <selinux/flask.h> |
| 55 | |
Denis Vlasenko | b6adbf1 | 2007-05-26 19:00:18 +0000 | [diff] [blame] | 56 | #include "libbb.h" |
| 57 | |
/*
 * -c path: ask the policy which context a process created from 'command'
 * would get when started from 'from' (security_compute_create on the
 * process class).  Dies on any failure.
 *
 * 'command' is looked up as a path, exactly as given; the execvp done
 * later by the caller searches PATH, so the two can name different files
 * when PROG has no slash.  Pass a real path to -c when that matters.
 */
static security_context_t runcon_transition_context(security_context_t from,
				const char *command)
{
	security_context_t exe_con, trans_con;

	if (getfilecon(command, &exe_con) < 0)
		bb_error_msg_and_die("can't retrieve attributes of '%s'",
				command);
	if (security_compute_create(from, exe_con, SECCLASS_PROCESS, &trans_con))
		bb_error_msg_and_die("unable to compute a new context");
	return trans_con;
}

/*
 * Build the target context starting from the caller's own context.
 *
 * user/role/type/range: replacement components; a NULL one is left as is.
 * command:              program to exec; used only when compute_trans != 0.
 * compute_trans:        non-zero to start from the policy's transition
 *                       context for 'command' instead of the current one.
 *
 * Returns a context_t; the caller still runs security_check_context() on
 * it before use.  Never returns on error.  The security_context_t buffers
 * obtained here are intentionally not freed: the process execs or dies
 * right after this call.
 */
static context_t runcon_compute_new_context(char *user, char *role, char *type, char *range,
			char *command, int compute_trans)
{
	security_context_t base_con;
	context_t result;

	if (getcon(&base_con))
		bb_error_msg_and_die("can't get current context");
	if (compute_trans)
		base_con = runcon_transition_context(base_con, command);

	result = context_new(base_con);
	if (!result)
		bb_error_msg_and_die("'%s' is not a valid context", base_con);

	/* Overlay the requested components. The order only decides which
	 * failure is reported first when several are bad. */
	if (user && context_user_set(result, user))
		bb_error_msg_and_die("can't set new user '%s'", user);
	if (type && context_type_set(result, type))
		bb_error_msg_and_die("can't set new type '%s'", type);
	if (range && context_range_set(result, range))
		bb_error_msg_and_die("can't set new range '%s'", range);
	if (role && context_role_set(result, role))
		bb_error_msg_and_die("can't set new role '%s'", role);

	return result;
}
| 93 | |
#if ENABLE_FEATURE_RUNCON_LONG_OPTIONS
/* Long option names mapped onto the short letters parsed by getopt32 in
 * runcon_main ("r:t:u:l:ch"); --help has no separate handling here. */
static const char runcon_longopts[] ALIGN1 =
	"user\0" Required_argument "u"
	"role\0" Required_argument "r"
	"type\0" Required_argument "t"
	"range\0" Required_argument "l"
	"compute\0" No_argument "c"
	"help\0" No_argument "h"
	;
#endif

/* Bits returned by getopt32; their positions follow the order of the
 * option letters in the "r:t:u:l:ch" string, so keep both in sync. */
#define OPTS_ROLE (1<<0) /* r */
#define OPTS_TYPE (1<<1) /* t */
#define OPTS_USER (1<<2) /* u */
#define OPTS_RANGE (1<<3) /* l */
#define OPTS_COMPUTE (1<<4) /* c */
#define OPTS_HELP (1<<5) /* h */
/* Options that replace one component of the current context.
 * -c (compute) and -h are not components and are not in this mask. */
#define OPTS_CONTEXT_COMPONENT (OPTS_ROLE | OPTS_TYPE | OPTS_USER | OPTS_RANGE)
| 112 | |
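/*
 * Entry point:  runcon CONTEXT PROG [ARGS]
 *               runcon [-c] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] PROG [ARGS]
 *
 * Builds the target context either from an explicit CONTEXT argument or
 * from the current (optionally transition-computed) context with the
 * requested components replaced, validates it against the loaded policy,
 * registers it as the exec context and execs PROG.  Never returns on
 * success; every failure dies with a message.
 *
 * Security note: setexeccon() only requests the context.  The kernel still
 * checks the process transition at exec time, so this applet cannot grant
 * a context the policy does not already allow the caller to enter.
 */
int runcon_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
int runcon_main(int argc UNUSED_PARAM, char **argv)
{
	char *role = NULL;
	char *range = NULL;
	char *user = NULL;
	char *type = NULL;
	char *context = NULL;
	unsigned opts;
	context_t con;

	selinux_or_die();

#if ENABLE_FEATURE_RUNCON_LONG_OPTIONS
	applet_long_options = runcon_longopts;
#endif
	/* at least one positional argument (CONTEXT or PROG) is required */
	opt_complementary = "-1";
	opts = getopt32(argv, "r:t:u:l:ch", &role, &type, &user, &range);
	argv += optind;

	/*
	 * A positional CONTEXT exists only in the form without component
	 * options.  -c belongs to the component form (see the usage text),
	 * so it has to count here as well; otherwise "runcon -c PROG ARGS"
	 * would take PROG as the context and the first ARG as the program.
	 */
	if (!(opts & (OPTS_CONTEXT_COMPONENT | OPTS_COMPUTE))) {
		context = *argv++;
		if (!argv[0])
			bb_error_msg_and_die("no command given");
	}

	if (context) {
		con = context_new(context);
		if (!con)
			bb_error_msg_and_die("'%s' is not a valid context", context);
	} else {
		/*
		 * With -c the transition is computed from the file named by
		 * argv[0] as a path (getfilecon), whereas the exec below
		 * searches PATH.  When PROG has no slash the two may resolve
		 * differently; give -c an explicit path in that case.
		 */
		con = runcon_compute_new_context(user, role, type, range,
					argv[0], opts & OPTS_COMPUTE);
	}

	/* reject a context unknown to the loaded policy before touching exec state */
	if (security_check_context(context_str(con)))
		bb_error_msg_and_die("'%s' is not a valid context",
				context_str(con));

	if (setexeccon(context_str(con)))
		bb_error_msg_and_die("can't set up security context '%s'",
				context_str(con));

	BB_EXECVP_or_die(argv);
}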