Home | History | Annotate | Download | only in os 
      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package android.os;
     18 
     19 import android.util.Slog;
     20 
     21 import java.io.IOException;
     22 import java.io.File;
     23 import java.io.FileDescriptor;
     24 
     25 /**
     26  * This class provides access to the centralized jni bindings for
     27  * SELinux interaction.
     28  * {@hide}
     29  */
     30 public class SELinux {
     31 
     32     private static final String TAG = "SELinux";
     33 
     34     /**
     35      * Determine whether SELinux is disabled or enabled.
     36      * @return a boolean indicating whether SELinux is enabled.
     37      */
     38     public static final native boolean isSELinuxEnabled();
     39 
     40     /**
     41      * Determine whether SELinux is permissive or enforcing.
     42      * @return a boolean indicating whether SELinux is enforcing.
     43      */
     44     public static final native boolean isSELinuxEnforced();
     45 
     46     /**
     47      * Set whether SELinux is permissive or enforcing.
     48      * @param boolean representing whether to set SELinux to enforcing
     49      * @return a boolean representing whether the desired mode was set
     50      */
     51     public static final native boolean setSELinuxEnforce(boolean value);
     52 
     53     /**
     54      * Sets the security context for newly created file objects.
     55      * @param context a security context given as a String.
     56      * @return a boolean indicating whether the operation succeeded.
     57      */
     58     public static final native boolean setFSCreateContext(String context);
     59 
     60     /**
     61      * Change the security context of an existing file object.
     62      * @param path representing the path of file object to relabel.
     63      * @param con new security context given as a String.
     64      * @return a boolean indicating whether the operation succeeded.
     65      */
     66     public static final native boolean setFileContext(String path, String context);
     67 
     68     /**
     69      * Get the security context of a file object.
     70      * @param path the pathname of the file object.
     71      * @return a security context given as a String.
     72      */
     73     public static final native String getFileContext(String path);
     74 
     75     /**
     76      * Get the security context of a peer socket.
     77      * @param fd FileDescriptor class of the peer socket.
     78      * @return a String representing the peer socket security context.
     79      */
     80     public static final native String getPeerContext(FileDescriptor fd);
     81 
     82     /**
     83      * Gets the security context of the current process.
     84      * @return a String representing the security context of the current process.
     85      */
     86     public static final native String getContext();
     87 
     88     /**
     89      * Gets the security context of a given process id.
     90      * Use of this function is discouraged for Binder transactions.
     91      * Use Binder.getCallingSecctx() instead.
     92      * @param pid an int representing the process id to check.
     93      * @return a String representing the security context of the given pid.
     94      */
     95     public static final native String getPidContext(int pid);
     96 
     97     /**
     98      * Gets a list of the SELinux boolean names.
     99      * @return an array of strings containing the SELinux boolean names.
    100      */
    101     public static final native String[] getBooleanNames();
    102 
    103     /**
    104      * Gets the value for the given SELinux boolean name.
    105      * @param String The name of the SELinux boolean.
    106      * @return a boolean indicating whether the SELinux boolean is set.
    107      */
    108     public static final native boolean getBooleanValue(String name);
    109 
    110     /**
    111      * Sets the value for the given SELinux boolean name.
    112      * @param String The name of the SELinux boolean.
    113      * @param Boolean The new value of the SELinux boolean.
    114      * @return a boolean indicating whether or not the operation succeeded.
    115      */
    116     public static final native boolean setBooleanValue(String name, boolean value);
    117 
    118     /**
    119      * Check permissions between two security contexts.
    120      * @param scon The source or subject security context.
    121      * @param tcon The target or object security context.
    122      * @param tclass The object security class name.
    123      * @param perm The permission name.
    124      * @return a boolean indicating whether permission was granted.
    125      */
    126     public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);
    127 
    128     /**
    129      * Restores a file to its default SELinux security context.
    130      * If the system is not compiled with SELinux, then {@code true}
    131      * is automatically returned.
    132      * If SELinux is compiled in, but disabled, then {@code true} is
    133      * returned.
    134      *
    135      * @param pathname The pathname of the file to be relabeled.
    136      * @return a boolean indicating whether the relabeling succeeded.
    137      * @exception NullPointerException if the pathname is a null object.
    138      */
    139     public static boolean restorecon(String pathname) throws NullPointerException {
    140         if (pathname == null) { throw new NullPointerException(); }
    141         return native_restorecon(pathname);
    142     }
    143 
    144     /**
    145      * Restores a file to its default SELinux security context.
    146      * If the system is not compiled with SELinux, then {@code true}
    147      * is automatically returned.
    148      * If SELinux is compiled in, but disabled, then {@code true} is
    149      * returned.
    150      *
    151      * @param pathname The pathname of the file to be relabeled.
    152      * @return a boolean indicating whether the relabeling succeeded.
    153      */
    154     private static native boolean native_restorecon(String pathname);
    155 
    156     /**
    157      * Restores a file to its default SELinux security context.
    158      * If the system is not compiled with SELinux, then {@code true}
    159      * is automatically returned.
    160      * If SELinux is compiled in, but disabled, then {@code true} is
    161      * returned.
    162      *
    163      * @param file The File object representing the path to be relabeled.
    164      * @return a boolean indicating whether the relabeling succeeded.
    165      * @exception NullPointerException if the file is a null object.
    166      */
    167     public static boolean restorecon(File file) throws NullPointerException {
    168         try {
    169             return native_restorecon(file.getCanonicalPath());
    170         } catch (IOException e) {
    171             Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
    172                    file.getPath(), e);
    173             return false;
    174         }
    175     }
    176 }
    177