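/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.os;

import android.util.Slog;

import java.io.File;
import java.io.FileDescriptor;
import java.io.IOException;

/**
 * This class provides access to the centralized jni bindings for
 * SELinux interaction.
 *
 * All entry points are static; the relabeling helpers delegate to a single
 * native call ({@link #native_restorecon}) parameterized by the
 * {@code SELINUX_ANDROID_RESTORECON_*} flag bits below.
 * {@hide}
 */
public class SELinux {
    private static final String TAG = "SELinux";

    /** Keep in sync with ./external/libselinux/include/selinux/android.h */
    private static final int SELINUX_ANDROID_RESTORECON_NOCHANGE = 1;
    private static final int SELINUX_ANDROID_RESTORECON_VERBOSE = 2;
    private static final int SELINUX_ANDROID_RESTORECON_RECURSE = 4;
    private static final int SELINUX_ANDROID_RESTORECON_FORCE = 8;
    private static final int SELINUX_ANDROID_RESTORECON_DATADATA = 16;

    /**
     * Determine whether SELinux is disabled or enabled.
     * @return a boolean indicating whether SELinux is enabled.
     */
    public static final native boolean isSELinuxEnabled();

    /**
     * Determine whether SELinux is permissive or enforcing.
     * @return a boolean indicating whether SELinux is enforcing.
     */
    public static final native boolean isSELinuxEnforced();

    /**
     * Sets the security context for newly created file objects.
     * @param context a security context given as a String.
     * @return a boolean indicating whether the operation succeeded.
     */
    public static final native boolean setFSCreateContext(String context);

    /**
     * Change the security context of an existing file object.
     * @param path representing the path of file object to relabel.
     * @param context new security context given as a String.
     * @return a boolean indicating whether the operation succeeded.
     */
    public static final native boolean setFileContext(String path, String context);

    /**
     * Get the security context of a file object.
     * @param path the pathname of the file object.
     * @return a security context given as a String.
     */
    public static final native String getFileContext(String path);

    /**
     * Get the security context of a peer socket.
     * @param fd FileDescriptor class of the peer socket.
     * @return a String representing the peer socket security context.
     */
    public static final native String getPeerContext(FileDescriptor fd);

    /**
     * Gets the security context of the current process.
     * @return a String representing the security context of the current process.
     */
    public static final native String getContext();

    /**
     * Gets the security context of a given process id.
     * @param pid an int representing the process id to check.
     * @return a String representing the security context of the given pid.
     */
    public static final native String getPidContext(int pid);

    /**
     * Check permissions between two security contexts.
     * @param scon The source or subject security context.
     * @param tcon The target or object security context.
     * @param tclass The object security class name.
     * @param perm The permission name.
     * @return a boolean indicating whether permission was granted.
     */
    public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * The pathname is passed to the native layer as given; no
     * canonicalization is performed here (contrast {@link #restorecon(File)}).
     *
     * @param pathname The pathname of the file to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     * @exception NullPointerException if the pathname is a null object.
     */
    public static boolean restorecon(String pathname) throws NullPointerException {
        if (pathname == null) { throw new NullPointerException(); }
        return native_restorecon(pathname, 0);
    }

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * @param pathname The pathname of the file to be relabeled.
     * @param flags bitwise OR of {@code SELINUX_ANDROID_RESTORECON_*} values,
     *        or 0 for the default (non-recursive) behavior.
     * @return a boolean indicating whether the relabeling succeeded.
     */
    private static native boolean native_restorecon(String pathname, int flags);

    /**
     * Restores a file to its default SELinux security context.
     * If the system is not compiled with SELinux, then {@code true}
     * is automatically returned.
     * If SELinux is compiled in, but disabled, then {@code true} is
     * returned.
     *
     * The file's canonical path is used, so symbolic links are resolved
     * before the native relabel runs; a failure to canonicalize is logged
     * and reported as {@code false}.
     *
     * @param file The File object representing the path to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restorecon(File file) throws NullPointerException {
        // Explicit check keeps the null contract identical to restorecon(String)
        // rather than relying on the dereference inside the helper.
        if (file == null) { throw new NullPointerException(); }
        return restoreconCanonical(file, 0);
    }

    /**
     * Recursively restores all files under the given path to their default
     * SELinux security context. If the system is not compiled with SELinux,
     * then {@code true} is automatically returned. If SELinux is compiled in,
     * but disabled, then {@code true} is returned.
     *
     * The file's canonical path is used, so symbolic links are resolved
     * before the native relabel runs; a failure to canonicalize is logged
     * and reported as {@code false}.
     *
     * @param file The File object representing the root of the tree to be relabeled.
     * @return a boolean indicating whether the relabeling succeeded.
     * @exception NullPointerException if the file is a null object.
     */
    public static boolean restoreconRecursive(File file) throws NullPointerException {
        if (file == null) { throw new NullPointerException(); }
        return restoreconCanonical(file, SELINUX_ANDROID_RESTORECON_RECURSE);
    }

    /**
     * Shared body of the {@link File}-based restorecon overloads: canonicalize
     * the path and hand it to the native layer with the given flags.
     *
     * @param file non-null File whose canonical path is relabeled.
     * @param flags bitwise OR of {@code SELINUX_ANDROID_RESTORECON_*} values.
     * @return the native result, or {@code false} if canonicalization failed
     *         (the failure is logged with the original, non-canonical path).
     */
    private static boolean restoreconCanonical(File file, int flags) {
        try {
            return native_restorecon(file.getCanonicalPath(), flags);
        } catch (IOException e) {
            Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
                    file.getPath(), e);
            return false;
        }
    }
}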