aboutsummaryrefslogtreecommitdiffstats
path: root/libselinux/src/checkAccess.c
blob: aaebb949708bd296655a75740d03d5c2d1ad278d (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
#include <errno.h>
#include "selinux_internal.h"
#include <selinux/flask.h>
#include <selinux/avc.h>
#include <selinux/av_permissions.h>

static pthread_once_t once = PTHREAD_ONCE_INIT;

static void avc_init_once(void)
{
	avc_open(NULL, 0);
}

int selinux_check_access(const security_context_t scon, const security_context_t tcon, const char *class, const char *perm, void *aux) {
	int rc;
	security_id_t scon_id;
	security_id_t tcon_id;
	security_class_t sclass;
	access_vector_t av;

	if (is_selinux_enabled() == 0)
		return 0;

	__selinux_once(once, avc_init_once);

	rc = avc_context_to_sid(scon, &scon_id);
	if (rc < 0)
		return rc;

       rc = avc_context_to_sid(tcon, &tcon_id);
       if (rc < 0)
	       return rc;

       sclass = string_to_security_class(class);
       if (sclass == 0) {
	       rc = errno;
	       if (security_deny_unknown() == 0)
		       return 0;
	       errno = rc;
	       return -1;
       }

       av = string_to_av_perm(sclass, perm);
       if (av == 0) {
	       rc = errno;
	       if (security_deny_unknown() == 0)
		       return 0;
	       errno = rc;
	       return -1;
       }

       return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
}

int selinux_check_passwd_access(access_vector_t requested)
{
	int status = -1;
	security_context_t user_context;
	if (is_selinux_enabled() == 0)
		return 0;
	if (getprevcon_raw(&user_context) == 0) {
		security_class_t passwd_class;
		struct av_decision avd;
		int retval;

		passwd_class = string_to_security_class("passwd");
		if (passwd_class == 0)
			return 0;

		retval = security_compute_av_raw(user_context,
						     user_context,
						     passwd_class,
						     requested,
						     &avd);

		if ((retval == 0) && ((requested & avd.allowed) == requested)) {
			status = 0;
		}
		freecon(user_context);
	}

	if (status != 0 && security_getenforce() == 0)
		status = 0;

	return status;
}

hidden_def(selinux_check_passwd_access)

int checkPasswdAccess(access_vector_t requested)
{
	return selinux_check_passwd_access(requested);
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-13 06:31:10 +0000