      1 /*
      2  * restorecond
      3  *
      4  * Copyright (C) 2006-2009 Red Hat
      5  * see file 'COPYING' for use and warranty information
      6  *
      7  * This program is free software; you can redistribute it and/or
      8  * modify it under the terms of the GNU General Public License as
      9  * published by the Free Software Foundation; either version 2 of
     10  * the License, or (at your option) any later version.
     11  *
     12  * This program is distributed in the hope that it will be useful,
     13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
     14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     15  * GNU General Public License for more details.
     16  *
     17  * You should have received a copy of the GNU General Public License
     18  * along with this program; if not, write to the Free Software
     19  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
     20  * 02111-1307  USA
     21  *
     22  * Authors:
     23  *   Dan Walsh <dwalsh (at) redhat.com>
     24  *
     25 */
     26 
     27 /*
     28  * PURPOSE:
     29  * This daemon program watches for the creation of files listed in a config file
     30  * and makes sure that their security context matches the system's defaults
     31  *
     32  * USAGE:
     33  * restorecond [-d] [-u] [-v] [-f restorecond_file ]
     34  *
     35  * -d   Run in debug mode
     36  * -f   Use alternative restorecond_file
     37  * -u   Run in user mode
     38  * -v   Run in verbose mode (Report missing files)
     39  *
     40  * EXAMPLE USAGE:
     41  * restorecond
     42  *
     43  */
     44 
     45 #define _GNU_SOURCE
     46 #include <sys/inotify.h>
     47 #include <errno.h>
     48 #include <stdio.h>
     49 #include <stdlib.h>
     50 #include <signal.h>
     51 #include <string.h>
     52 #include <unistd.h>
     53 #include "restore.h"
     54 #include <sys/types.h>
     55 #include <syslog.h>
     56 #include <limits.h>
     57 #include <pwd.h>
     58 #include <sys/stat.h>
     59 #include <string.h>
     60 #include <stdio.h>
     61 #include <fcntl.h>
     62 #include "restorecond.h"
     63 #include "utmpwatcher.h"
     64 
/* Home directory of the invoking user; filled from getpwuid() in main(). */
const char *homedir;
/* inotify descriptor shared with the watch code; -1 until inotify_init() succeeds. */
static int master_fd = -1;

/* Default configuration files for the system-wide (root) and per-user modes. */
static const char *server_watch_file  = "/etc/selinux/restorecond.conf";
static const char *user_watch_file  = "/etc/selinux/restorecond_user.conf";
/* Configuration file actually used by the root path; -f overrides it. */
static const char *watch_file;
/* Options handed to restore_init(); zeroed and set up in main(). */
struct restore_opts r_opts;
     72 
     73 #include <selinux/selinux.h>
     74 
/* Set by -d: stay in the foreground instead of calling daemon(). */
int debug_mode = 0;
/* Set to 1 by term_handler() on SIGTERM.  It is written from signal
 * context, so a volatile sig_atomic_t would be the strictly correct type;
 * NOTE(review): the declared type must match restorecond.h, confirm there
 * before changing it. */
int terminate = 0;
/* inotify watch descriptor; not touched in this file, presumably managed by
 * the watch code. */
int master_wd = -1;
/* Set by -u: serve the per-user configuration as an unprivileged user. */
int run_as_user = 0;
     79 
/*
 * atexit() hook: release the inotify watches and descriptor, the utmp
 * watcher state and the selabel handle.  main() and term_handler() also
 * close master_fd, so close() here may see an already-closed descriptor;
 * that only yields EBADF as long as nothing else has reused the number.
 */
static void done(void) {
	watch_list_free(master_fd);
	close(master_fd);
	utmpwatcher_free();
	selabel_close(r_opts.hnd);
}
     86 
/* Path of the pid file.  Reset to NULL by write_pid_file() when the file
 * could not be formatted or created, so main() never unlinks a file this
 * process did not write. */
static const char *pidfile = "/run/restorecond.pid";
     88 
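/*
 * Record the daemon's pid in pidfile.
 *
 * Returns 0 on success and 1 on failure.  When the pid cannot be formatted
 * or the file cannot be created, pidfile is reset to NULL so main() skips
 * the unlink at exit; a failed write leaves pidfile set so the truncated
 * file is still removed.
 */
static int write_pid_file(void)
{
	int pidfd, len;
	char val[16];

	/* getpid() returns pid_t; the cast keeps the argument matching "%u". */
	len = snprintf(val, sizeof(val), "%u\n", (unsigned int)getpid());
	if (len < 0 || (size_t)len >= sizeof(val)) {
		/* Formatting error or truncation: never write a partial pid. */
		syslog(LOG_ERR, "Pid error (%s)", strerror(errno));
		pidfile = 0;
		return 1;
	}
	/* O_NOFOLLOW refuses to write through a symlink placed at the pid
	 * path; O_TRUNC discards a stale pid from a previous instance. */
	pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
	if (pidfd < 0) {
		syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno));
		pidfile = 0;
		return 1;
	}
	if (write(pidfd, val, (size_t)len) != len) {
		syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
		close(pidfd);
		return 1;
	}
	close(pidfd);
	return 0;
}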
    114 
    115 /*
    116  * SIGTERM handler
    117  */
/*
 * SIGTERM handler: flag termination and close the inotify descriptor so the
 * watch() loop in main() (presumably blocked on master_fd) fails and
 * returns.  close() is async-signal-safe; all real cleanup is left to done().
 */
static void term_handler(int s __attribute__ ((unused)))
{
	terminate = 1;
	/* trigger a failure in the watch */
	close(master_fd);
}
    124 
/* Print the command-line synopsis for `program` on stdout. */
static void usage(char *program)
{
	fprintf(stdout, "%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
}
    129 
/*
 * Report a failed call as "msg: <strerror(errno)>" on stderr and terminate.
 * exit(-1) leaves the parent with status 255; atexit() hooks such as done()
 * still run.
 */
void exitApp(const char *msg)
{
	perror(msg);
	exit(-1);
}
    135 
    136 /*
    137    Add a file to the watch list.  We are watching for file creation, so we actually
    138    put the watch on the directory and then examine all files created in that directory
    139    to see if it is one that we are watching.
    140 */
    141 
/*
 * Entry point.  Parses options, initialises the restore options and the
 * inotify descriptor, then either runs the per-user server (non-root) or
 * reads the system configuration, daemonises and loops in watch() until it
 * fails (term_handler() closes master_fd to force that on SIGTERM).
 */
int main(int argc, char **argv)
{
	int opt;
	struct sigaction sa;

	/* If we are not running SELinux then just exit */
	if (is_selinux_enabled() != 1)
		return 0;

	watch_file = server_watch_file;

	/* Set all options to zero/NULL except for ignore_noent & digest. */
	memset(&r_opts, 0, sizeof(r_opts));
	r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
	r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST;

	/* As r_opts.selabel_opt_digest = NULL, no digest will be requested. */
	restore_init(&r_opts);

	/* Register sighandlers */
	sa.sa_flags = 0;
	sa.sa_handler = term_handler;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGTERM, &sa, NULL);

	/* done() releases the watches, master_fd, the utmp watcher and the
	 * selabel handle on every exit path, including those via exitApp(). */
	atexit( done );
	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
		switch (opt) {
		case 'd':
			debug_mode = 1;
			break;
		case 'f':
			/* Alternative config file.  Only the root path below reads
			 * watch_file; the non-root paths always use user_watch_file. */
			watch_file = optarg;
			break;
		case 'u':
			run_as_user = 1;
			break;
		case 'h':
			usage(argv[0]);
			exit(0);
			break;
		case 'v':
			r_opts.verbose = SELINUX_RESTORECON_VERBOSE;
			break;
		case '?':
			usage(argv[0]);
			exit(-1);
		}
	}

	master_fd = inotify_init();
	if (master_fd < 0)
		exitApp("inotify_init");

	uid_t uid = getuid();
	struct passwd *pwd = getpwuid(uid);
	if (!pwd)
		exitApp("getpwuid");

	homedir = pwd->pw_dir;
	/* Unprivileged callers: with -u serve user_watch_file directly,
	 * otherwise try start() first and only serve when it fails.
	 * NOTE(review): start() is defined elsewhere; its non-zero return is
	 * taken to mean "not started" — confirm against its definition. */
	if (uid != 0) {
		if (run_as_user)
			return server(master_fd, user_watch_file);
		if (start() != 0)
			return server(master_fd, user_watch_file);
		return 0;
	}

	read_config(master_fd, watch_file);

	/* -d keeps the process in the foreground instead of calling daemon(). */
	if (!debug_mode) {
		if (daemon(0, 0) < 0)
			exitApp("daemon");
	}

	/* Called after daemon() so the recorded pid is the detached process's.
	 * The return value is not checked: on create failure write_pid_file()
	 * clears pidfile, so the unlink below is skipped. */
	write_pid_file();

	/* watch() returning non-zero ends the daemon; term_handler() forces
	 * that by closing master_fd. */
	while (watch(master_fd, watch_file) == 0) {
	}

	/* done() repeats both calls from atexit(); the second close() only
	 * fails with EBADF, and watch_list_free() (defined elsewhere) already
	 * sees a closed descriptor here after SIGTERM. */
	watch_list_free(master_fd);
	close(master_fd);

	if (pidfile)
		unlink(pidfile);

	return 0;
}
    229 }
    230