search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
docs: Reword virDomainGetEmulatorPinInfo description
[libvirt.git] / tests / securityselinuxhelper.c
blobe5ded964851826b4a2b42bec13d94bc43f0a8ac0
1 /*
2 * Copyright (C) 2011-2013, 2016 Red Hat, Inc.
3 *
4 * This library is free software; you can redistribute it and/or
5 * modify it under the terms of the GNU Lesser General Public
6 * License as published by the Free Software Foundation; either
7 * version 2.1 of the License, or (at your option) any later version.
8 *
9 * This library is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * Lesser General Public License for more details.
13 *
14 * You should have received a copy of the GNU Lesser General Public
15 * License along with this library. If not, see
16 * <http://www.gnu.org/licenses/>.
17 *
18 */
19
20 #include <config.h>
21
22 /* This file is only compiled on Linux, and only if xattr support was
23 * detected. */
24
25 #include "virmock.h"
26 #include <linux/magic.h>
27 #include <selinux/selinux.h>
28 #include <selinux/label.h>
29 #include <sys/vfs.h>
30 #include <unistd.h>
31 #include <sys/xattr.h>
32
33 #ifndef NFS_SUPER_MAGIC
34 # define NFS_SUPER_MAGIC 0x6969
35 #endif
36
37 #define VIR_FROM_THIS VIR_FROM_NONE
38
39 #include "viralloc.h"
40
41 static int (*real_statfs)(const char *path, struct statfs *buf);
42 static int (*real_security_get_boolean_active)(const char *name);
43 static int (*real_is_selinux_enabled)(void);
44
45 static const char *(*real_selinux_virtual_domain_context_path)(void);
46 static const char *(*real_selinux_virtual_image_context_path)(void);
47
48 static const char *(*real_selinux_lxc_contexts_path)(void);
49
50 static struct selabel_handle *(*real_selabel_open)(unsigned int backend,
51 const struct selinux_opt *opts,
52 unsigned nopts);
53 static void (*real_selabel_close)(struct selabel_handle *handle);
54 static int (*real_selabel_lookup_raw)(struct selabel_handle *handle,
55 char **con,
56 const char *key,
57 int type);
58
59 static void init_syms(void)
60 {
61 if (real_statfs)
62 return;
63
64 VIR_MOCK_REAL_INIT(statfs);
65 VIR_MOCK_REAL_INIT(security_get_boolean_active);
66 VIR_MOCK_REAL_INIT(is_selinux_enabled);
67
68 VIR_MOCK_REAL_INIT(selinux_virtual_domain_context_path);
69 VIR_MOCK_REAL_INIT(selinux_virtual_image_context_path);
70
71 VIR_MOCK_REAL_INIT(selinux_lxc_contexts_path);
72
73 VIR_MOCK_REAL_INIT(selabel_open);
74 VIR_MOCK_REAL_INIT(selabel_close);
75 VIR_MOCK_REAL_INIT(selabel_lookup_raw);
76 }
77
78
79 /*
80 * The kernel policy will not allow us to arbitrarily change
81 * test process context. This helper is used as an LD_PRELOAD
82 * so that the libvirt code /thinks/ it is changing/reading
83 * the process context, whereas in fact we're faking it all.
84 * Furthermore, we fake out that we are using an nfs subdirectory,
85 * where we control whether selinux is enforcing and whether
86 * the virt_use_nfs bool is set.
87 */
88
89 int getcon_raw(char **context)
90 {
91 if (!is_selinux_enabled()) {
92 errno = EINVAL;
93 return -1;
94 }
95 if (getenv("FAKE_SELINUX_CONTEXT") == NULL) {
96 *context = NULL;
97 errno = EINVAL;
98 return -1;
99 }
100 *context = g_strdup(getenv("FAKE_SELINUX_CONTEXT"));
101 return 0;
102 }
103
104 int getcon(char **context)
105 {
106 return getcon_raw(context);
107 }
108
109 int getpidcon_raw(pid_t pid, char **context)
110 {
111 if (!is_selinux_enabled()) {
112 errno = EINVAL;
113 return -1;
114 }
115 if (pid != getpid()) {
116 *context = NULL;
117 errno = ESRCH;
118 return -1;
119 }
120 if (getenv("FAKE_SELINUX_CONTEXT") == NULL) {
121 *context = NULL;
122 errno = EINVAL;
123 return -1;
124 }
125 *context = g_strdup(getenv("FAKE_SELINUX_CONTEXT"));
126 return 0;
127 }
128
129 int getpidcon(pid_t pid, char **context)
130 {
131 return getpidcon_raw(pid, context);
132 }
133
134 int setfilecon_raw(const char *path, const char *con)
135 {
136 const char *constr = con;
137 if (STRPREFIX(path, abs_builddir "/securityselinuxlabeldata/nfs/")) {
138 errno = EOPNOTSUPP;
139 return -1;
140 }
141 return setxattr(path, "user.libvirt.selinux",
142 constr, strlen(constr), 0);
143 }
144
145 int setfilecon(const char *path, const char *con)
146 {
147 return setfilecon_raw(path, con);
148 }
149
150 int getfilecon_raw(const char *path, char **con)
151 {
152 char *constr = NULL;
153 ssize_t len = getxattr(path, "user.libvirt.selinux",
154 NULL, 0);
155 if (STRPREFIX(path, abs_builddir "/securityselinuxlabeldata/nfs/")) {
156 errno = EOPNOTSUPP;
157 return -1;
158 }
159 if (len < 0)
160 return -1;
161 if (!(constr = malloc(len+1)))
162 return -1;
163 memset(constr, 0, len);
164 if (getxattr(path, "user.libvirt.selinux", constr, len) < 0) {
165 free(constr);
166 return -1;
167 }
168 *con = constr;
169 constr[len] = '\0';
170 return 0;
171 }
172
173
174 int getfilecon(const char *path, char **con)
175 {
176 return getfilecon_raw(path, con);
177 }
178
179
180 int statfs(const char *path, struct statfs *buf)
181 {
182 int ret;
183
184 init_syms();
185
186 ret = real_statfs(path, buf);
187 if (!ret && STREQ(path, abs_builddir "/securityselinuxlabeldata/nfs"))
188 buf->f_type = NFS_SUPER_MAGIC;
189 return ret;
190 }
191
192 int is_selinux_enabled(void)
193 {
194 return getenv("FAKE_SELINUX_DISABLED") == NULL;
195 }
196
197 int security_getenforce(void)
198 {
199 if (!is_selinux_enabled()) {
200 errno = ENOENT;
201 return -1;
202 }
203
204 /* For the purpose of our test, we are enforcing. */
205 return 1;
206 }
207
208
209 int security_get_boolean_active(const char *name)
210 {
211 if (!is_selinux_enabled()) {
212 errno = ENOENT;
213 return -1;
214 }
215
216 /* For the purpose of our test, nfs is not permitted. */
217 if (STREQ(name, "virt_use_nfs"))
218 return 0;
219
220 init_syms();
221 return real_security_get_boolean_active(name);
222 }
223
224 const char *selinux_virtual_domain_context_path(void)
225 {
226 init_syms();
227
228 if (real_is_selinux_enabled())
229 return real_selinux_virtual_domain_context_path();
230
231 return abs_srcdir "/securityselinuxhelperdata/virtual_domain_context";
232 }
233
234 const char *selinux_virtual_image_context_path(void)
235 {
236 init_syms();
237
238 if (real_is_selinux_enabled())
239 return real_selinux_virtual_image_context_path();
240
241 return abs_srcdir "/securityselinuxhelperdata/virtual_image_context";
242 }
243
244 const char *selinux_lxc_contexts_path(void)
245 {
246 init_syms();
247
248 if (real_is_selinux_enabled())
249 return real_selinux_lxc_contexts_path();
250
251 return abs_srcdir "/securityselinuxhelperdata/lxc_contexts";
252 }
253
254 struct selabel_handle *
255 selabel_open(unsigned int backend,
256 const struct selinux_opt *opts,
257 unsigned nopts)
258 {
259 char *fake_handle;
260
261 init_syms();
262
263 if (real_is_selinux_enabled())
264 return real_selabel_open(backend, opts, nopts);
265
266 /* struct selabel_handle is opaque; fake it */
267 fake_handle = g_new0(char, 1);
268 return (struct selabel_handle *)fake_handle;
269 }
270
271 void selabel_close(struct selabel_handle *handle)
272 {
273 init_syms();
274
275 if (real_is_selinux_enabled())
276 return real_selabel_close(handle);
277
278 VIR_FREE(handle);
279 }
280
281 int selabel_lookup_raw(struct selabel_handle *handle,
282 char **con,
283 const char *key,
284 int type)
285 {
286 init_syms();
287
288 if (real_is_selinux_enabled())
289 return real_selabel_lookup_raw(handle, con, key, type);
290
291 /* Unimplemented */
292 errno = ENOENT;
293 return -1;
294 }
libvirt mirror