1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
|
/*
* Copyright (C) 2012 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "SELinuxJNI"
#include <utils/Log.h>
#include <nativehelper/JNIHelp.h>
#include "jni.h"
#include "core_jni_helpers.h"
#include "selinux/selinux.h"
#include "selinux/android.h"
#include <errno.h>
#include <memory>
#include <atomic>
#include <nativehelper/ScopedLocalRef.h>
#include <nativehelper/ScopedUtfChars.h>
namespace android {
namespace {
std::atomic<selabel_handle*> sehandle{nullptr};
selabel_handle* GetSELabelHandle() {
selabel_handle* h = sehandle.load();
if (h != nullptr) {
return h;
}
h = selinux_android_file_context_handle();
selabel_handle* expected = nullptr;
if (!sehandle.compare_exchange_strong(expected, h)) {
selabel_close(h);
return sehandle.load();
}
return h;
}
}
struct SecurityContext_Delete {
void operator()(security_context_t p) const {
freecon(p);
}
};
typedef std::unique_ptr<char[], SecurityContext_Delete> Unique_SecurityContext;
static jboolean isSELinuxDisabled = true;
/*
* Function: isSELinuxEnabled
* Purpose: checks whether SELinux is enabled/disbaled
* Parameters: none
* Return value : true (enabled) or false (disabled)
* Exceptions: none
*/
static jboolean isSELinuxEnabled(JNIEnv *env, jobject) {
return !isSELinuxDisabled;
}
/*
* Function: isSELinuxEnforced
* Purpose: return the current SELinux enforce mode
* Parameters: none
* Return value: true (enforcing) or false (permissive)
* Exceptions: none
*/
static jboolean isSELinuxEnforced(JNIEnv *env, jobject) {
return (security_getenforce() == 1) ? true : false;
}
static jstring fileSelabelLookup(JNIEnv* env, jobject, jstring pathStr) {
if (isSELinuxDisabled) {
ALOGE("fileSelabelLookup => SELinux is disabled");
return NULL;
}
if (pathStr == NULL) {
ALOGE("fileSelabelLookup => got null path.");
jniThrowNullPointerException(
env, "Trying to get security context of a null path.");
return NULL;
}
ScopedUtfChars path(env, pathStr);
const char* path_c_str = path.c_str();
if (path_c_str == NULL) {
ALOGE("fileSelabelLookup => Got null path");
jniThrowNullPointerException(
env, "Trying to get security context of a null path.");
return NULL;
}
auto* selabel_handle = GetSELabelHandle();
if (selabel_handle == NULL) {
ALOGE("fileSelabelLookup => Failed to get SEHandle");
return NULL;
}
security_context_t tmp = NULL;
if (selabel_lookup(selabel_handle, &tmp, path_c_str, S_IFREG) != 0) {
ALOGE("fileSelabelLookup => selabel_lookup for %s failed: %d", path_c_str, errno);
return NULL;
}
Unique_SecurityContext context(tmp);
return env->NewStringUTF(context.get());
}
static jstring getFdConInner(JNIEnv *env, jobject fileDescriptor, bool isSocket) {
if (isSELinuxDisabled) {
return NULL;
}
if (fileDescriptor == NULL) {
jniThrowNullPointerException(env,
"Trying to check security context of a null FileDescriptor.");
return NULL;
}
int fd = jniGetFDFromFileDescriptor(env, fileDescriptor);
if (env->ExceptionCheck()) {
ALOGE("getFdCon => getFD for %p failed", fileDescriptor);
return NULL;
}
security_context_t tmp = NULL;
int ret;
if (isSocket) {
ret = getpeercon(fd, &tmp);
} else{
ret = fgetfilecon(fd, &tmp);
}
Unique_SecurityContext context(tmp);
ScopedLocalRef<jstring> contextStr(env, NULL);
if (ret != -1) {
contextStr.reset(env->NewStringUTF(context.get()));
}
ALOGV("getFdCon(%d) => %s", fd, context.get());
return contextStr.release();
}
/*
* Function: getPeerCon
* Purpose: retrieves security context of peer socket
* Parameters:
* fileDescriptor: peer socket file as a FileDescriptor object
* Returns: jstring representing the security_context of socket or NULL if error
* Exceptions: NullPointerException if fileDescriptor object is NULL
*/
static jstring getPeerCon(JNIEnv *env, jobject, jobject fileDescriptor) {
return getFdConInner(env, fileDescriptor, true);
}
/*
* Function: getFdCon
* Purpose: retrieves security context of a file descriptor.
* Parameters:
* fileDescriptor: a FileDescriptor object
* Returns: jstring representing the security_context of socket or NULL if error
* Exceptions: NullPointerException if fileDescriptor object is NULL
*/
static jstring getFdCon(JNIEnv *env, jobject, jobject fileDescriptor) {
return getFdConInner(env, fileDescriptor, false);
}
/*
* Function: setFSCreateCon
* Purpose: set security context used for creating a new file system object
* Parameters:
* context: security_context_t representing the new context of a file system object,
* set to NULL to return to the default policy behavior
* Returns: true on success, false on error
* Exception: none
*/
static jboolean setFSCreateCon(JNIEnv *env, jobject, jstring contextStr) {
if (isSELinuxDisabled) {
return false;
}
std::unique_ptr<ScopedUtfChars> context;
const char* context_c_str = NULL;
if (contextStr != NULL) {
context.reset(new ScopedUtfChars(env, contextStr));
context_c_str = context->c_str();
if (context_c_str == NULL) {
return false;
}
}
int ret = setfscreatecon(const_cast<char *>(context_c_str));
ALOGV("setFSCreateCon(%s) => %d", context_c_str, ret);
return (ret == 0) ? true : false;
}
/*
* Function: setFileCon
* Purpose: set the security context of a file object
* Parameters:
* path: the location of the file system object
* context: the new security context of the file system object
* Returns: true on success, false on error
* Exception: NullPointerException is thrown if either path or context strign are NULL
*/
static jboolean setFileCon(JNIEnv *env, jobject, jstring pathStr, jstring contextStr) {
if (isSELinuxDisabled) {
return false;
}
ScopedUtfChars path(env, pathStr);
if (path.c_str() == NULL) {
return false;
}
ScopedUtfChars context(env, contextStr);
if (context.c_str() == NULL) {
return false;
}
// GetStringUTFChars returns const char * yet setfilecon needs char *
char *tmp = const_cast<char *>(context.c_str());
int ret = setfilecon(path.c_str(), tmp);
ALOGV("setFileCon(%s, %s) => %d", path.c_str(), context.c_str(), ret);
return (ret == 0) ? true : false;
}
/*
* Function: getFileCon
* Purpose: retrieves the context associated with the given path in the file system
* Parameters:
* path: given path in the file system
* Returns:
* string representing the security context string of the file object
* the string may be NULL if an error occured
* Exceptions: NullPointerException if the path object is null
*/
static jstring getFileCon(JNIEnv *env, jobject, jstring pathStr) {
if (isSELinuxDisabled) {
return NULL;
}
ScopedUtfChars path(env, pathStr);
if (path.c_str() == NULL) {
return NULL;
}
security_context_t tmp = NULL;
int ret = getfilecon(path.c_str(), &tmp);
Unique_SecurityContext context(tmp);
ScopedLocalRef<jstring> securityString(env, NULL);
if (ret != -1) {
securityString.reset(env->NewStringUTF(context.get()));
}
ALOGV("getFileCon(%s) => %s", path.c_str(), context.get());
return securityString.release();
}
/*
* Function: getCon
* Purpose: Get the context of the current process.
* Parameters: none
* Returns: a jstring representing the security context of the process,
* the jstring may be NULL if there was an error
* Exceptions: none
*/
static jstring getCon(JNIEnv *env, jobject) {
if (isSELinuxDisabled) {
return NULL;
}
security_context_t tmp = NULL;
int ret = getcon(&tmp);
Unique_SecurityContext context(tmp);
ScopedLocalRef<jstring> securityString(env, NULL);
if (ret != -1) {
securityString.reset(env->NewStringUTF(context.get()));
}
ALOGV("getCon() => %s", context.get());
return securityString.release();
}
/*
* Function: getPidCon
* Purpose: Get the context of a process identified by its pid
* Parameters:
* pid: a jint representing the process
* Returns: a jstring representing the security context of the pid,
* the jstring may be NULL if there was an error
* Exceptions: none
*/
static jstring getPidCon(JNIEnv *env, jobject, jint pid) {
if (isSELinuxDisabled) {
return NULL;
}
security_context_t tmp = NULL;
int ret = getpidcon(static_cast<pid_t>(pid), &tmp);
Unique_SecurityContext context(tmp);
ScopedLocalRef<jstring> securityString(env, NULL);
if (ret != -1) {
securityString.reset(env->NewStringUTF(context.get()));
}
ALOGV("getPidCon(%d) => %s", pid, context.get());
return securityString.release();
}
/*
* Function: checkSELinuxAccess
* Purpose: Check permissions between two security contexts.
* Parameters: subjectContextStr: subject security context as a string
* objectContextStr: object security context as a string
* objectClassStr: object's security class name as a string
* permissionStr: permission name as a string
* Returns: boolean: (true) if permission was granted, (false) otherwise
* Exceptions: None
*/
static jboolean checkSELinuxAccess(JNIEnv *env, jobject, jstring subjectContextStr,
jstring objectContextStr, jstring objectClassStr, jstring permissionStr) {
if (isSELinuxDisabled) {
return true;
}
ScopedUtfChars subjectContext(env, subjectContextStr);
if (subjectContext.c_str() == NULL) {
return false;
}
ScopedUtfChars objectContext(env, objectContextStr);
if (objectContext.c_str() == NULL) {
return false;
}
ScopedUtfChars objectClass(env, objectClassStr);
if (objectClass.c_str() == NULL) {
return false;
}
ScopedUtfChars permission(env, permissionStr);
if (permission.c_str() == NULL) {
return false;
}
char *tmp1 = const_cast<char *>(subjectContext.c_str());
char *tmp2 = const_cast<char *>(objectContext.c_str());
int accessGranted = selinux_check_access(tmp1, tmp2, objectClass.c_str(), permission.c_str(),
NULL);
ALOGV("checkSELinuxAccess(%s, %s, %s, %s) => %d", subjectContext.c_str(), objectContext.c_str(),
objectClass.c_str(), permission.c_str(), accessGranted);
return (accessGranted == 0) ? true : false;
}
/*
* Function: native_restorecon
* Purpose: restore default SELinux security context
* Parameters: pathname: the pathname for the file to be relabeled
* Returns: boolean: (true) file label successfully restored, (false) otherwise
* Exceptions: none
*/
static jboolean native_restorecon(JNIEnv *env, jobject, jstring pathnameStr, jint flags) {
if (isSELinuxDisabled) {
return true;
}
ScopedUtfChars pathname(env, pathnameStr);
if (pathname.c_str() == NULL) {
ALOGV("restorecon(%p) => threw exception", pathnameStr);
return false;
}
int ret = selinux_android_restorecon(pathname.c_str(), flags);
ALOGV("restorecon(%s) => %d", pathname.c_str(), ret);
return (ret == 0);
}
/*
* JNI registration.
*/
static const JNINativeMethod method_table[] = {
/* name, signature, funcPtr */
{ "checkSELinuxAccess" , "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Z" , (void*)checkSELinuxAccess },
{ "getContext" , "()Ljava/lang/String;" , (void*)getCon },
{ "getFileContext" , "(Ljava/lang/String;)Ljava/lang/String;" , (void*)getFileCon },
{ "getPeerContext" , "(Ljava/io/FileDescriptor;)Ljava/lang/String;" , (void*)getPeerCon },
{ "getFileContext" , "(Ljava/io/FileDescriptor;)Ljava/lang/String;" , (void*)getFdCon },
{ "getPidContext" , "(I)Ljava/lang/String;" , (void*)getPidCon },
{ "isSELinuxEnforced" , "()Z" , (void*)isSELinuxEnforced},
{ "isSELinuxEnabled" , "()Z" , (void*)isSELinuxEnabled },
{ "native_restorecon" , "(Ljava/lang/String;I)Z" , (void*)native_restorecon},
{ "setFileContext" , "(Ljava/lang/String;Ljava/lang/String;)Z" , (void*)setFileCon },
{ "setFSCreateContext" , "(Ljava/lang/String;)Z" , (void*)setFSCreateCon },
{ "fileSelabelLookup" , "(Ljava/lang/String;)Ljava/lang/String;" , (void*)fileSelabelLookup},
};
static int log_callback(int type, const char *fmt, ...) {
va_list ap;
int priority;
switch (type) {
case SELINUX_WARNING:
priority = ANDROID_LOG_WARN;
break;
case SELINUX_INFO:
priority = ANDROID_LOG_INFO;
break;
default:
priority = ANDROID_LOG_ERROR;
break;
}
va_start(ap, fmt);
LOG_PRI_VA(priority, "SELinux", fmt, ap);
va_end(ap);
return 0;
}
int register_android_os_SELinux(JNIEnv *env) {
union selinux_callback cb;
cb.func_log = log_callback;
selinux_set_callback(SELINUX_CB_LOG, cb);
isSELinuxDisabled = (is_selinux_enabled() != 1) ? true : false;
return RegisterMethodsOrDie(env, "android/os/SELinux", method_table, NELEM(method_table));
}
}
|
