chcon.c 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. /*
  2. * chcon -- change security context, based on coreutils-5.97-13
  3. *
  4. * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
  5. *
  6. * Copyright (C) 2006 - 2007 KaiGai Kohei <kaigai@kaigai.gr.jp>
  7. *
  8. * Licensed under GPLv2, see file LICENSE in this source tree.
  9. */
  10. //usage:#define chcon_trivial_usage
  11. //usage: "[OPTIONS] CONTEXT FILE..."
  12. //usage: "\n chcon [OPTIONS] [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE..."
  13. //usage: IF_FEATURE_CHCON_LONG_OPTIONS(
  14. //usage: "\n chcon [OPTIONS] --reference=RFILE FILE..."
  15. //usage: )
  16. //usage:#define chcon_full_usage "\n\n"
  17. //usage: "Change the security context of each FILE to CONTEXT\n"
  18. //usage: IF_FEATURE_CHCON_LONG_OPTIONS(
  19. //usage: "\n -v,--verbose Verbose"
  20. //usage: "\n -c,--changes Report changes made"
  21. //usage: "\n -h,--no-dereference Affect symlinks instead of their targets"
  22. //usage: "\n -f,--silent,--quiet Suppress most error messages"
  23. //usage: "\n --reference=RFILE Use RFILE's group instead of using a CONTEXT value"
  24. //usage: "\n -u,--user=USER Set user/role/type/range in the target"
  25. //usage: "\n -r,--role=ROLE security context"
  26. //usage: "\n -t,--type=TYPE"
  27. //usage: "\n -l,--range=RANGE"
  28. //usage: "\n -R,--recursive Recurse"
  29. //usage: )
  30. //usage: IF_NOT_FEATURE_CHCON_LONG_OPTIONS(
  31. //usage: "\n -v Verbose"
  32. //usage: "\n -c Report changes made"
  33. //usage: "\n -h Affect symlinks instead of their targets"
  34. //usage: "\n -f Suppress most error messages"
  35. //usage: "\n -u USER Set user/role/type/range in the target security context"
  36. //usage: "\n -r ROLE"
  37. //usage: "\n -t TYPE"
  38. //usage: "\n -l RNG"
  39. //usage: "\n -R Recurse"
  40. //usage: )
  41. #include <selinux/context.h>
  42. #include "libbb.h"
  43. #define OPT_RECURSIVE (1<<0) /* 'R' */
  44. #define OPT_CHANHES (1<<1) /* 'c' */
  45. #define OPT_NODEREFERENCE (1<<2) /* 'h' */
  46. #define OPT_QUIET (1<<3) /* 'f' */
  47. #define OPT_USER (1<<4) /* 'u' */
  48. #define OPT_ROLE (1<<5) /* 'r' */
  49. #define OPT_TYPE (1<<6) /* 't' */
  50. #define OPT_RANGE (1<<7) /* 'l' */
  51. #define OPT_VERBOSE (1<<8) /* 'v' */
  52. #define OPT_REFERENCE ((1<<9) * ENABLE_FEATURE_CHCON_LONG_OPTIONS)
  53. #define OPT_COMPONENT_SPECIFIED (OPT_USER | OPT_ROLE | OPT_TYPE | OPT_RANGE)
  54. static char *user = NULL;
  55. static char *role = NULL;
  56. static char *type = NULL;
  57. static char *range = NULL;
  58. static char *specified_context = NULL;
  59. static int FAST_FUNC change_filedir_context(
  60. const char *fname,
  61. struct stat *stbuf UNUSED_PARAM,
  62. void *userData UNUSED_PARAM,
  63. int depth UNUSED_PARAM)
  64. {
  65. context_t context = NULL;
  66. security_context_t file_context = NULL;
  67. security_context_t context_string;
  68. int rc = FALSE;
  69. int status = 0;
  70. if (option_mask32 & OPT_NODEREFERENCE) {
  71. status = lgetfilecon(fname, &file_context);
  72. } else {
  73. status = getfilecon(fname, &file_context);
  74. }
  75. if (status < 0 && errno != ENODATA) {
  76. if ((option_mask32 & OPT_QUIET) == 0)
  77. bb_error_msg("can't obtain security context: %s", fname);
  78. goto skip;
  79. }
  80. if (file_context == NULL && specified_context == NULL) {
  81. bb_error_msg("can't apply partial context to unlabeled file %s", fname);
  82. goto skip;
  83. }
  84. if (specified_context == NULL) {
  85. context = set_security_context_component(file_context,
  86. user, role, type, range);
  87. if (!context) {
  88. bb_error_msg("can't compute security context from %s", file_context);
  89. goto skip;
  90. }
  91. } else {
  92. context = context_new(specified_context);
  93. if (!context) {
  94. bb_error_msg("invalid context: %s", specified_context);
  95. goto skip;
  96. }
  97. }
  98. context_string = context_str(context);
  99. if (!context_string) {
  100. bb_error_msg("can't obtain security context in text expression");
  101. goto skip;
  102. }
  103. if (file_context == NULL || strcmp(context_string, file_context) != 0) {
  104. int fail;
  105. if (option_mask32 & OPT_NODEREFERENCE) {
  106. fail = lsetfilecon(fname, context_string);
  107. } else {
  108. fail = setfilecon(fname, context_string);
  109. }
  110. if ((option_mask32 & OPT_VERBOSE) || ((option_mask32 & OPT_CHANHES) && !fail)) {
  111. printf(!fail
  112. ? "context of %s changed to %s\n"
  113. : "can't change context of %s to %s\n",
  114. fname, context_string);
  115. }
  116. if (!fail) {
  117. rc = TRUE;
  118. } else if ((option_mask32 & OPT_QUIET) == 0) {
  119. bb_error_msg("can't change context of %s to %s",
  120. fname, context_string);
  121. }
  122. } else if (option_mask32 & OPT_VERBOSE) {
  123. printf("context of %s retained as %s\n", fname, context_string);
  124. rc = TRUE;
  125. }
  126. skip:
  127. context_free(context);
  128. freecon(file_context);
  129. return rc;
  130. }
  131. #if ENABLE_FEATURE_CHCON_LONG_OPTIONS
  132. static const char chcon_longopts[] ALIGN1 =
  133. "recursive\0" No_argument "R"
  134. "changes\0" No_argument "c"
  135. "no-dereference\0" No_argument "h"
  136. "silent\0" No_argument "f"
  137. "quiet\0" No_argument "f"
  138. "user\0" Required_argument "u"
  139. "role\0" Required_argument "r"
  140. "type\0" Required_argument "t"
  141. "range\0" Required_argument "l"
  142. "verbose\0" No_argument "v"
  143. "reference\0" Required_argument "\xff" /* no short option */
  144. ;
  145. #endif
  146. int chcon_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
  147. int chcon_main(int argc UNUSED_PARAM, char **argv)
  148. {
  149. char *reference_file;
  150. char *fname;
  151. int i, errors = 0;
  152. #if ENABLE_FEATURE_CHCON_LONG_OPTIONS
  153. applet_long_options = chcon_longopts;
  154. #endif
  155. opt_complementary = "-1" /* at least 1 param */
  156. ":?" /* error if exclusivity constraints are violated */
  157. #if ENABLE_FEATURE_CHCON_LONG_OPTIONS
  158. ":\xff--urtl:u--\xff:r--\xff:t--\xff:l--\xff"
  159. #endif
  160. ":f--v:v--f"; /* 'verbose' and 'quiet' are exclusive */
  161. getopt32(argv, "Rchfu:r:t:l:v",
  162. &user, &role, &type, &range, &reference_file);
  163. argv += optind;
  164. #if ENABLE_FEATURE_CHCON_LONG_OPTIONS
  165. if (option_mask32 & OPT_REFERENCE) {
  166. /* FIXME: lgetfilecon() should be used when '-h' is specified.
  167. But current implementation follows the original one. */
  168. if (getfilecon(reference_file, &specified_context) < 0)
  169. bb_perror_msg_and_die("getfilecon('%s') failed", reference_file);
  170. } else
  171. #endif
  172. if ((option_mask32 & OPT_COMPONENT_SPECIFIED) == 0) {
  173. specified_context = *argv++;
  174. /* specified_context is never NULL -
  175. * "-1" in opt_complementary prevents this. */
  176. if (!argv[0])
  177. bb_error_msg_and_die("too few arguments");
  178. }
  179. for (i = 0; (fname = argv[i]) != NULL; i++) {
  180. int fname_len = strlen(fname);
  181. while (fname_len > 1 && fname[fname_len - 1] == '/')
  182. fname_len--;
  183. fname[fname_len] = '\0';
  184. if (recursive_action(fname,
  185. 1<<option_mask32 & OPT_RECURSIVE,
  186. change_filedir_context,
  187. change_filedir_context,
  188. NULL, 0) != TRUE)
  189. errors = 1;
  190. }
  191. return errors;
  192. }