sestatus: new SELinux applet (KaiGai Kohei <kaigai@ak.jp.nec.com>)

author: Denis Vlasenko <vda.linux@googlemail.com> 2007-11-22 01:10:41 +0000
committer: Denis Vlasenko <vda.linux@googlemail.com> 2007-11-22 01:10:41 +0000
commit: 705eaf8b403555741cf6313a76da8597ae54d324 (patch)
tree: d3b8d2f5a5bad99368e3dc50a4e55d2fca22cebf
parent: 9cdfd14223e58a73b2005ca8b432af439c8fe197 (diff)
download: busybox-w32-705eaf8b403555741cf6313a76da8597ae54d324.tar.gz
busybox-w32-705eaf8b403555741cf6313a76da8597ae54d324.tar.bz2
busybox-w32-705eaf8b403555741cf6313a76da8597ae54d324.zip
5 files changed, 234 insertions, 0 deletions
diff --git a/include/applets.h b/include/applets.h
index f188232c4..757fa4a25 100644
--- a/include/applets.h
+++ b/include/applets.h
@@ -300,6 +300,7 @@ USE_RX(APPLET(rx, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SED(APPLET(sed, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SELINUXENABLED(APPLET(selinuxenabled, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SEQ(APPLET_NOFORK(seq, seq, _BB_DIR_USR_BIN, _BB_SUID_NEVER, seq))
+USE_SESTATUS(APPLET(sestatus, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETARCH(APPLET(setarch, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SETCONSOLE(APPLET(setconsole, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_SETENFORCE(APPLET(setenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
diff --git a/include/usage.h b/include/usage.h
index 3c8762ee1..5c03719d6 100644
--- a/include/usage.h
+++ b/include/usage.h
@@ -3121,6 +3121,12 @@ USE_FEATURE_RUN_PARTS_FANCY("\n	-l	Prints names of all matching files even when
       "        FIRST LAST\n" \
       "        FIRST INCREMENT LAST"
+#define sestatus_trivial_usage \
+       "[-vb]"
+#define sestatus_full_usage \
+       "-v      Verbose\n" \
+       "-b      Display current state of booleans"
 #define setconsole_trivial_usage \
       "[-r" USE_FEATURE_SETCONSOLE_LONG_OPTIONS("|--reset") "] [DEVICE]"
 #define setconsole_full_usage \
diff --git a/selinux/Config.in b/selinux/Config.in
index c9b48fb1b..f764056a2 100644
--- a/selinux/Config.in
+++ b/selinux/Config.in
@@ -112,5 +112,12 @@ config SETSEBOOL
          Enable support for change boolean.
          semanage and -P option is not supported yet.
+config SESTATUS
+        bool "sestatus"
+        default n
+        depends on SELINUX
+        help
+          Displays the status of SELinux.
 endmenu
diff --git a/selinux/Kbuild b/selinux/Kbuild
index ce353e066..d0c190ceb 100644
--- a/selinux/Kbuild
+++ b/selinux/Kbuild
@@ -17,3 +17,4 @@ lib-$(CONFIG_SETENFORCE)	+= setenforce.o
 lib-$(CONFIG_SETFILES)          += setfiles.o
 lib-$(CONFIG_RESTORECON)        += setfiles.o
 lib-$(CONFIG_SETSEBOOL)         += setsebool.o
+lib-$(CONFIG_SESTATUS)          += sestatus.o
diff --git a/selinux/sestatus.c b/selinux/sestatus.c
new file mode 100644
index 000000000..cc17b175b
--- /dev/null
+++ b/selinux/sestatus.c
@@ -0,0 +1,219 @@
+/*
+ * sestatus -- displays the status of SELinux
+ *
+ * Ported to busybox: KaiGai Kohei <kaigai@ak.jp.nec.com>
+ *
+ * Copyright (C) KaiGai Kohei <kaigai@ak.jp.nec.com>
+ */
+#include "libbb.h"
+extern char *selinux_mnt;
+#define OPT_VERBOSE     (1 << 0)
+#define OPT_BOOLEAN     (1 << 1)
+#define COL_FMT         "%-31s "
+static void display_boolean(void)
+{
+        char **bools;
+        int i, active, pending, nbool;
+        if (security_get_boolean_names(&bools, &nbool) < 0)
+                return;
+        puts("\nPolicy booleans:");
+        for (i = 0; i < nbool; i++) {
+                active = security_get_boolean_active(bools[i]);
+                if (active < 0)
+                        goto skip;
+                pending = security_get_boolean_pending(bools[i]);
+                if (pending < 0)
+                        goto skip;
+                printf(COL_FMT "%s",
+                       bools[i], active == 0 ? "off" : "on");
+                if (active != pending)
+                        printf(" (%sactivate pending)", pending == 0 ? "in" : "");
+                bb_putchar('\n');
+ skip:
+                if (ENABLE_FEATURE_CLEAN_UP)
+                        free(bools[i]);
+        }
+        if (ENABLE_FEATURE_CLEAN_UP)
+                free(bools);
+}
+static void read_config(char **pc, int npc, char **fc, int nfc)
+{
+        char buf[256];
+        FILE *fp;
+        int pc_ofs = 0, fc_ofs = 0, section = -1;
+        pc[0] = fc[0] = NULL;
+        fp = fopen("/etc/sestatus.conf", "rb");
+        if (fp == NULL)
+                return;
+        while (fgets(buf, sizeof(buf), fp) != NULL) {
+                int i, c;
+                /* kills comments */
+                for (i = 0; (c = buf[i]) != '\0'; i++) {
+                        if (c == '#') {
+                                buf[i] = '\0';
+                                break;
+                        }
+                }
+                trim(buf);
+                if (buf[0] == '\0')
+                        continue;
+                if (strcmp(buf, "[process]") == 0) {
+                        section = 1;
+                } else if (strcmp(buf, "[files]") == 0) {
+                        section = 2;
+                } else {
+                        if (section == 1 && pc_ofs < npc -1) {
+                                pc[pc_ofs++] = strdup(buf);
+                                pc[pc_ofs] = NULL;
+                        } else if (section == 2 && fc_ofs < nfc - 1) {
+                                fc[fc_ofs++] = strdup(buf);
+                                fc[fc_ofs] = NULL;
+                        }
+                }
+        }
+        fclose(fp);
+}
+static void display_verbose(void)
+{
+        security_context_t con, _con;
+        char *fc[50], *pc[50], *cterm;
+        pid_t *pidList;
+        int i;
+        read_config(pc, ARRAY_SIZE(pc), fc, ARRAY_SIZE(fc));
+        /* process contexts */
+        puts("\nProcess contexts:");
+        /* current context */
+        if (getcon(&con) == 0) {
+                printf(COL_FMT "%s\n", "Current context:", con);
+                if (ENABLE_FEATURE_CLEAN_UP)
+                        freecon(con);
+        }
+        /* /sbin/init context */
+        if (getpidcon(1, &con) == 0) {
+                printf(COL_FMT "%s\n", "Init context:", con);
+                if (ENABLE_FEATURE_CLEAN_UP)
+                        freecon(con);
+        }
+        /* [process] context */
+        for (i = 0; pc[i] != NULL; i++) {
+                pidList = find_pid_by_name(bb_basename(pc[i]));
+                if (pidList[0] > 0 && getpidcon(pidList[0], &con) == 0) {
+                        printf(COL_FMT "%s\n", pc[i], con);
+                        if (ENABLE_FEATURE_CLEAN_UP)
+                                freecon(con);
+                }
+                if (ENABLE_FEATURE_CLEAN_UP)
+                        free(pidList);
+        }
+        /* files contexts */
+        puts("\nFile contexts:");
+        cterm = ttyname(0);
+        puts(cterm);
+        if (cterm && lgetfilecon(cterm, &con) >= 0) {
+                printf(COL_FMT "%s\n", "Controlling term:", con);
+                if (ENABLE_FEATURE_CLEAN_UP)
+                        freecon(con);
+        }
+        for (i=0; fc[i] != NULL; i++) {
+                struct stat stbuf;
+                if (lgetfilecon(fc[i], &con) < 0)
+                        continue;
+                if (lstat(fc[i], &stbuf) == 0) {
+                        if (S_ISLNK(stbuf.st_mode)) {
+                                if (getfilecon(fc[i], &_con) >= 0) {
+                                        printf(COL_FMT "%s -> %s\n", fc[i], _con, con);
+                                        if (ENABLE_FEATURE_CLEAN_UP)
+                                                freecon(_con);
+                                }
+                        } else {
+                                printf(COL_FMT "%s\n", fc[i], con);
+                        }
+                }
+                if (ENABLE_FEATURE_CLEAN_UP)
+                        freecon(con);
+        }
+}
+int sestatus_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
+int sestatus_main(int argc, char **argv)
+{
+        unsigned opts;
+        const char *pol_path;
+        int rc;
+        opt_complementary = "?0";       /* no arguments are required. */
+        opts = getopt32(argv, "vb");
+        /* SELinux status: line */
+        rc = is_selinux_enabled();
+        if (rc < 0)
+                goto error;
+        printf(COL_FMT "%s\n", "SELinux status:",
+               rc == 1 ? "enabled" : "disabled");
+        /* SELinuxfs mount: line */
+        if (!selinux_mnt)
+                goto error;
+        printf(COL_FMT "%s\n", "SELinuxfs mount:",
+               selinux_mnt);
+        /* Current mode: line */
+        rc = security_getenforce();
+        if (rc < 0)
+                goto error;
+        printf(COL_FMT "%s\n", "Current mode:",
+               rc == 0 ? "permissive" : "enforcing");
+        /* Mode from config file: line */
+        if (selinux_getenforcemode(&rc) != 0)
+                goto error;
+        printf(COL_FMT "%s\n", "Mode from config file:",
+               rc < 0 ? "disabled" : (rc == 0 ? "permissive" : "enforcing"));
+        /* Policy version: line */
+        rc = security_policyvers();
+        if (rc < 0)
+                goto error;
+        printf(COL_FMT "%u\n", "Policy version:", rc);
+        /* Policy from config file: line */
+        pol_path = selinux_policy_root();
+        if (!pol_path)
+                goto error;
+        printf(COL_FMT "%s\n", "Policy from config file:",
+               bb_basename(pol_path));
+        if (opts & OPT_BOOLEAN)
+                display_boolean();
+        if (opts & OPT_VERBOSE)
+                display_verbose();
+        return 0;
+  error:
+        bb_perror_msg_and_die("libselinux returns unknown state");
+}
author	Denis Vlasenko <vda.linux@googlemail.com>	2007-11-22 01:10:41 +0000
committer	Denis Vlasenko <vda.linux@googlemail.com>	2007-11-22 01:10:41 +0000
commit	705eaf8b403555741cf6313a76da8597ae54d324 (patch)
tree	d3b8d2f5a5bad99368e3dc50a4e55d2fca22cebf
parent	9cdfd14223e58a73b2005ca8b432af439c8fe197 (diff)
download	busybox-w32-705eaf8b403555741cf6313a76da8597ae54d324.tar.gz busybox-w32-705eaf8b403555741cf6313a76da8597ae54d324.tar.bz2 busybox-w32-705eaf8b403555741cf6313a76da8597ae54d324.zip

diff --git a/include/applets.h b/include/applets.h index f188232c4..757fa4a25 100644 --- a/include/applets.h +++ b/include/applets.h
@@ -300,6 +300,7 @@ USE_RX(APPLET(rx, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
300	USE_SED(APPLET(sed, _BB_DIR_BIN, _BB_SUID_NEVER))	300	USE_SED(APPLET(sed, _BB_DIR_BIN, _BB_SUID_NEVER))
301	USE_SELINUXENABLED(APPLET(selinuxenabled, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))	301	USE_SELINUXENABLED(APPLET(selinuxenabled, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
302	USE_SEQ(APPLET_NOFORK(seq, seq, _BB_DIR_USR_BIN, _BB_SUID_NEVER, seq))	302	USE_SEQ(APPLET_NOFORK(seq, seq, _BB_DIR_USR_BIN, _BB_SUID_NEVER, seq))
		303	USE_SESTATUS(APPLET(sestatus, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
303	USE_SETARCH(APPLET(setarch, _BB_DIR_BIN, _BB_SUID_NEVER))	304	USE_SETARCH(APPLET(setarch, _BB_DIR_BIN, _BB_SUID_NEVER))
304	USE_SETCONSOLE(APPLET(setconsole, _BB_DIR_SBIN, _BB_SUID_NEVER))	305	USE_SETCONSOLE(APPLET(setconsole, _BB_DIR_SBIN, _BB_SUID_NEVER))
305	USE_SETENFORCE(APPLET(setenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))	306	USE_SETENFORCE(APPLET(setenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))


diff --git a/include/usage.h b/include/usage.h index 3c8762ee1..5c03719d6 100644 --- a/include/usage.h +++ b/include/usage.h
@@ -3121,6 +3121,12 @@ USE_FEATURE_RUN_PARTS_FANCY("\n -l Prints names of all matching files even when
3121	" FIRST LAST\n" \	3121	" FIRST LAST\n" \
3122	" FIRST INCREMENT LAST"	3122	" FIRST INCREMENT LAST"
3123		3123
		3124	#define sestatus_trivial_usage \
		3125	"[-vb]"
		3126	#define sestatus_full_usage \
		3127	"-v Verbose\n" \
		3128	"-b Display current state of booleans"
		3129
3124	#define setconsole_trivial_usage \	3130	#define setconsole_trivial_usage \
3125	"[-r" USE_FEATURE_SETCONSOLE_LONG_OPTIONS("\|--reset") "] [DEVICE]"	3131	"[-r" USE_FEATURE_SETCONSOLE_LONG_OPTIONS("\|--reset") "] [DEVICE]"
3126	#define setconsole_full_usage \	3132	#define setconsole_full_usage \


diff --git a/selinux/Config.in b/selinux/Config.in index c9b48fb1b..f764056a2 100644 --- a/selinux/Config.in +++ b/selinux/Config.in
@@ -112,5 +112,12 @@ config SETSEBOOL
112	Enable support for change boolean.	112	Enable support for change boolean.
113	semanage and -P option is not supported yet.	113	semanage and -P option is not supported yet.
114		114
		115	config SESTATUS
		116	bool "sestatus"
		117	default n
		118	depends on SELINUX
		119	help
		120	Displays the status of SELinux.
		121
115	endmenu	122	endmenu
116		123


diff --git a/selinux/Kbuild b/selinux/Kbuild index ce353e066..d0c190ceb 100644 --- a/selinux/Kbuild +++ b/selinux/Kbuild
@@ -17,3 +17,4 @@ lib-$(CONFIG_SETENFORCE) += setenforce.o
17	lib-$(CONFIG_SETFILES) += setfiles.o	17	lib-$(CONFIG_SETFILES) += setfiles.o
18	lib-$(CONFIG_RESTORECON) += setfiles.o	18	lib-$(CONFIG_RESTORECON) += setfiles.o
19	lib-$(CONFIG_SETSEBOOL) += setsebool.o	19	lib-$(CONFIG_SETSEBOOL) += setsebool.o
		20	lib-$(CONFIG_SESTATUS) += sestatus.o


diff --git a/selinux/sestatus.c b/selinux/sestatus.c new file mode 100644 index 000000000..cc17b175b --- /dev/null +++ b/selinux/sestatus.c
@@ -0,0 +1,219 @@
		1	/*
		2	* sestatus -- displays the status of SELinux
		3	*
		4	* Ported to busybox: KaiGai Kohei <kaigai@ak.jp.nec.com>
		5	*
		6	* Copyright (C) KaiGai Kohei <kaigai@ak.jp.nec.com>
		7	*/
		8
		9	#include "libbb.h"
		10
		11	extern char *selinux_mnt;
		12
		13	#define OPT_VERBOSE (1 << 0)
		14	#define OPT_BOOLEAN (1 << 1)
		15
		16	#define COL_FMT "%-31s "
		17
		18	static void display_boolean(void)
		19	{
		20	char **bools;
		21	int i, active, pending, nbool;
		22
		23	if (security_get_boolean_names(&bools, &nbool) < 0)
		24	return;
		25
		26	puts("\nPolicy booleans:");
		27
		28	for (i = 0; i < nbool; i++) {
		29	active = security_get_boolean_active(bools[i]);
		30	if (active < 0)
		31	goto skip;
		32	pending = security_get_boolean_pending(bools[i]);
		33	if (pending < 0)
		34	goto skip;
		35	printf(COL_FMT "%s",
		36	bools[i], active == 0 ? "off" : "on");
		37	if (active != pending)
		38	printf(" (%sactivate pending)", pending == 0 ? "in" : "");
		39	bb_putchar('\n');
		40	skip:
		41	if (ENABLE_FEATURE_CLEAN_UP)
		42	free(bools[i]);
		43	}
		44	if (ENABLE_FEATURE_CLEAN_UP)
		45	free(bools);
		46	}
		47
		48	static void read_config(char pc, int npc, char fc, int nfc)
		49	{
		50	char buf[256];
		51	FILE *fp;
		52	int pc_ofs = 0, fc_ofs = 0, section = -1;
		53
		54	pc[0] = fc[0] = NULL;
		55
		56	fp = fopen("/etc/sestatus.conf", "rb");
		57	if (fp == NULL)
		58	return;
		59
		60	while (fgets(buf, sizeof(buf), fp) != NULL) {
		61	int i, c;
		62
		63	/* kills comments */
		64	for (i = 0; (c = buf[i]) != '\0'; i++) {
		65	if (c == '#') {
		66	buf[i] = '\0';
		67	break;
		68	}
		69	}
		70	trim(buf);
		71
		72	if (buf[0] == '\0')
		73	continue;
		74
		75	if (strcmp(buf, "[process]") == 0) {
		76	section = 1;
		77	} else if (strcmp(buf, "[files]") == 0) {
		78	section = 2;
		79	} else {
		80	if (section == 1 && pc_ofs < npc -1) {
		81	pc[pc_ofs++] = strdup(buf);
		82	pc[pc_ofs] = NULL;
		83	} else if (section == 2 && fc_ofs < nfc - 1) {
		84	fc[fc_ofs++] = strdup(buf);
		85	fc[fc_ofs] = NULL;
		86	}
		87	}
		88	}
		89	fclose(fp);
		90	}
		91
		92	static void display_verbose(void)
		93	{
		94	security_context_t con, _con;
		95	char fc[50], pc[50], *cterm;
		96	pid_t *pidList;
		97	int i;
		98
		99	read_config(pc, ARRAY_SIZE(pc), fc, ARRAY_SIZE(fc));
		100
		101	/* process contexts */
		102	puts("\nProcess contexts:");
		103
		104	/* current context */
		105	if (getcon(&con) == 0) {
		106	printf(COL_FMT "%s\n", "Current context:", con);
		107	if (ENABLE_FEATURE_CLEAN_UP)
		108	freecon(con);
		109	}
		110	/* /sbin/init context */
		111	if (getpidcon(1, &con) == 0) {
		112	printf(COL_FMT "%s\n", "Init context:", con);
		113	if (ENABLE_FEATURE_CLEAN_UP)
		114	freecon(con);
		115	}
		116
		117	/* [process] context */
		118	for (i = 0; pc[i] != NULL; i++) {
		119	pidList = find_pid_by_name(bb_basename(pc[i]));
		120	if (pidList[0] > 0 && getpidcon(pidList[0], &con) == 0) {
		121	printf(COL_FMT "%s\n", pc[i], con);
		122	if (ENABLE_FEATURE_CLEAN_UP)
		123	freecon(con);
		124	}
		125	if (ENABLE_FEATURE_CLEAN_UP)
		126	free(pidList);
		127	}
		128
		129	/* files contexts */
		130	puts("\nFile contexts:");
		131
		132	cterm = ttyname(0);
		133	puts(cterm);
		134	if (cterm && lgetfilecon(cterm, &con) >= 0) {
		135	printf(COL_FMT "%s\n", "Controlling term:", con);
		136	if (ENABLE_FEATURE_CLEAN_UP)
		137	freecon(con);
		138	}
		139
		140	for (i=0; fc[i] != NULL; i++) {
		141	struct stat stbuf;
		142
		143	if (lgetfilecon(fc[i], &con) < 0)
		144	continue;
		145	if (lstat(fc[i], &stbuf) == 0) {
		146	if (S_ISLNK(stbuf.st_mode)) {
		147	if (getfilecon(fc[i], &_con) >= 0) {
		148	printf(COL_FMT "%s -> %s\n", fc[i], _con, con);
		149	if (ENABLE_FEATURE_CLEAN_UP)
		150	freecon(_con);
		151	}
		152	} else {
		153	printf(COL_FMT "%s\n", fc[i], con);
		154	}
		155	}
		156	if (ENABLE_FEATURE_CLEAN_UP)
		157	freecon(con);
		158	}
		159	}
		160
		161	int sestatus_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
		162	int sestatus_main(int argc, char **argv)
		163	{
		164	unsigned opts;
		165	const char *pol_path;
		166	int rc;
		167
		168	opt_complementary = "?0"; /* no arguments are required. */
		169	opts = getopt32(argv, "vb");
		170
		171	/* SELinux status: line */
		172	rc = is_selinux_enabled();
		173	if (rc < 0)
		174	goto error;
		175	printf(COL_FMT "%s\n", "SELinux status:",
		176	rc == 1 ? "enabled" : "disabled");
		177
		178	/* SELinuxfs mount: line */
		179	if (!selinux_mnt)
		180	goto error;
		181	printf(COL_FMT "%s\n", "SELinuxfs mount:",
		182	selinux_mnt);
		183
		184	/* Current mode: line */
		185	rc = security_getenforce();
		186	if (rc < 0)
		187	goto error;
		188	printf(COL_FMT "%s\n", "Current mode:",
		189	rc == 0 ? "permissive" : "enforcing");
		190
		191	/* Mode from config file: line */
		192	if (selinux_getenforcemode(&rc) != 0)
		193	goto error;
		194	printf(COL_FMT "%s\n", "Mode from config file:",
		195	rc < 0 ? "disabled" : (rc == 0 ? "permissive" : "enforcing"));
		196
		197	/* Policy version: line */
		198	rc = security_policyvers();
		199	if (rc < 0)
		200	goto error;
		201	printf(COL_FMT "%u\n", "Policy version:", rc);
		202
		203	/* Policy from config file: line */
		204	pol_path = selinux_policy_root();
		205	if (!pol_path)
		206	goto error;
		207	printf(COL_FMT "%s\n", "Policy from config file:",
		208	bb_basename(pol_path));
		209
		210	if (opts & OPT_BOOLEAN)
		211	display_boolean();
		212	if (opts & OPT_VERBOSE)
		213	display_verbose();
		214
		215	return 0;
		216
		217	error:
		218	bb_perror_msg_and_die("libselinux returns unknown state");
		219	}