      1 #ifndef _RESTORECON_H_
      2 #define _RESTORECON_H_
      3 
      4 #include <sys/types.h>
      5 #include <stdarg.h>
      6 
      7 #ifdef __cplusplus
      8 extern "C" {
      9 #endif
     10 
/**
 * selinux_restorecon - Relabel files.
 * @pathname: specifies file/directory to relabel.
 * @restorecon_flags: specifies the actions to be performed when relabeling;
 *		      a bitwise OR of the SELINUX_RESTORECON_* values defined
 *		      below (each value is a distinct single bit).
 *
 * selinux_restorecon(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * first time through to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required see
 * selinux_restorecon_set_sehandle(3).
 *
 * NOTE(review): the return value is not documented here; it presumably
 * follows the 0 / -1 with errno convention that
 * selinux_restorecon_set_alt_rootpath() documents below — confirm.
 */
extern int selinux_restorecon(const char *pathname,
				    unsigned int restorecon_flags);
/*
 * restorecon_flags options
 *
 * Each flag is a distinct single-bit value; combine them with bitwise OR
 * into the restorecon_flags argument of selinux_restorecon().
 */
/*
 * Force the checking of labels even if the stored SHA1
 * digest matches the specfile's SHA1 digest.
 */
#define SELINUX_RESTORECON_IGNORE_DIGEST		0x0001
/*
 * Do not change file labels (check/report only).
 */
#define SELINUX_RESTORECON_NOCHANGE			0x0002
/*
 * If set, change the whole file label to that in the spec file.
 * If not set, only change the type component to that in the spec file.
 */
#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x0004
/*
 * Recursively descend directories.
 */
#define SELINUX_RESTORECON_RECURSE			0x0008
/*
 * Log changes to selinux log. Note that if VERBOSE and
 * PROGRESS are set, then PROGRESS will take precedence.
 */
#define SELINUX_RESTORECON_VERBOSE			0x0010
/*
 * If SELINUX_RESTORECON_PROGRESS is true and
 * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
 * else output the number of files in 1k blocks processed to stdout.
 */
#define SELINUX_RESTORECON_PROGRESS			0x0020
/*
 * Convert passed-in pathname to canonical pathname.
 */
#define SELINUX_RESTORECON_REALPATH			0x0040
/*
 * Prevent descending into directories that have a different
 * device number than the pathname from which the descent began
 * (i.e. do not cross mount points).
 */
#define SELINUX_RESTORECON_XDEV				0x0080
/*
 * Attempt to add an association between an inode and a specification.
 * If there is already an association for the inode and it conflicts
 * with the specification, then use the last matching specification.
 */
#define SELINUX_RESTORECON_ADD_ASSOC			0x0100
/*
 * Abort on errors during the file tree walk.
 */
#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x0200
/*
 * Log any label changes to syslog.
 */
#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x0400
/*
 * Log what spec matched each file.
 */
#define SELINUX_RESTORECON_LOG_MATCHES			0x0800
/*
 * Ignore files that do not exist.
 */
#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x1000
/*
 * Do not read /proc/mounts to obtain a list of non-seclabel
 * mounts to be excluded from relabeling checks.
 */
#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x2000
/*
 * Set if there is a mass relabel required.
 * See SELINUX_RESTORECON_PROGRESS flag for details.
 */
#define SELINUX_RESTORECON_MASS_RELABEL			0x4000
     99 
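/*
 * struct selabel_handle belongs to the selabel_open(3) API, whose header this
 * file does not include. Declare the tag at file scope here so that the
 * prototypes below refer to that type: without it, the first use inside a
 * parameter list declares a tag local to that prototype (compilers warn
 * "declared inside parameter list"), which is a different, incompatible
 * type from the real one for any caller that includes this header alone.
 */
struct selabel_handle;

/**
 * selinux_restorecon_set_sehandle - Set the global fc handle.
 * @hndl: specifies handle to set as the global fc handle.
 *
 * Called by a process that has already called selabel_open(3) with its
 * required parameters, or if selinux_restorecon_default_handle(3) has been
 * called to set the default selabel_open(3) parameters.
 */
extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);

/**
 * selinux_restorecon_default_handle - Sets default selabel_open(3) parameters
 *				       to use the currently loaded policy and
 *				       file_contexts, also requests the digest.
 *
 * Return value is the created handle on success or NULL with @errno set on
 * failure.
 */
extern struct selabel_handle *selinux_restorecon_default_handle(void);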
    119 
/**
 * selinux_restorecon_set_exclude_list - Add a list of directories that are
 *					 to be excluded from relabeling.
 * @exclude_list: containing a NULL terminated list of one or more
 *		  directories not to be relabeled.
 *
 * Returns nothing, so a caller cannot learn from this call alone whether
 * the list was accepted.
 * NOTE(review): whether the library copies the strings or keeps referencing
 * the caller's array is not documented here — confirm before freeing it.
 */
extern void selinux_restorecon_set_exclude_list(const char **exclude_list);
    127 
/**
 * selinux_restorecon_set_alt_rootpath - Use alternate rootpath.
 * @alt_rootpath: containing the alternate rootpath to be used.
 *
 * Returns 0 on success, or -1 with @errno set on failure.
 */
extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);
    135 
    136 /**
    137  * selinux_restorecon_xattr - Read/remove RESTORECON_LAST xattr entries.
    138  * @pathname: specifies directory path to check.
    139  * @xattr_flags: specifies the actions to be performed.
    140  * @xattr_list: a linked list of struct dir_xattr structures containing
    141  *              the directory, digest and result of the action on the
    142  *              RESTORECON_LAST entry.
    143  *
    144  * selinux_restorecon_xattr(3) will automatically call
    145  * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
    146  * first time through to set the selabel_open(3) parameters to use the
    147  * currently loaded policy file_contexts and request their computed digest.
    148  *
    149  * Should other selabel_open(3) parameters be required see
    150  * selinux_restorecon_set_sehandle(3), however note that a file_contexts
    151  * computed digest is required for selinux_restorecon_xattr().
    152  */
/*
 * Outcome stored in struct dir_xattr.result for one directory's
 * RESTORECON_LAST entry (see the selinux_restorecon_xattr() description
 * above). The values are spelled out so the ABI is visible; they are the
 * same consecutive values as before. Note that the enumerators are
 * unprefixed and therefore occupy the global namespace.
 * NOTE(review): the DELETED_* values presumably report that the entry was
 * removed (see the SELINUX_RESTORECON_XATTR_DELETE_* flags below) and whether
 * its digest matched — confirm against the implementation.
 */
enum digest_result {
	MATCH = 0,
	NOMATCH = 1,
	DELETED_MATCH = 2,
	DELETED_NOMATCH = 3,
	ERROR = 4
};
    160 
/*
 * One node of the linked list produced by selinux_restorecon_xattr().
 * NOTE(review): ownership is not documented in this header — whether the
 * caller must free each node and its directory/digest strings, and how,
 * should be confirmed against the implementation and recorded here.
 */
struct dir_xattr {
	char *directory;	/* Directory whose RESTORECON_LAST entry was examined. */
	char *digest; /* A hex encoded string that can be printed. */
	enum digest_result result;	/* Outcome of the action on that entry. */
	struct dir_xattr *next;	/* Next node; presumably NULL at the end of the list. */
};
    167 
/*
 * Described in the kernel-doc block above enum digest_result.
 * @xattr_flags is a bitwise OR of the SELINUX_RESTORECON_XATTR_* values below.
 * @xattr_list is the address of the caller's `struct dir_xattr **`; on return
 * it presumably refers to the head of the result list — confirm how the list
 * is terminated and who frees it.
 */
extern int selinux_restorecon_xattr(const char *pathname,
				    unsigned int xattr_flags,
				    struct dir_xattr ***xattr_list);
    171 
/*
 * xattr_flags options
 *
 * Each flag is a distinct single-bit value; combine them with bitwise OR
 * into the xattr_flags argument of selinux_restorecon_xattr().
 */
/* Recursively descend directories. */
#define SELINUX_RESTORECON_XATTR_RECURSE			0x0001
/* Delete non-matching digests from each directory in pathname (destructive). */
#define SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS	0x0002
/* Delete all digests found in pathname (destructive). */
#define SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS		0x0004
/* Do not read /proc/mounts. */
#define SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS			0x0008
    183 
    184 #ifdef __cplusplus
    185 }
    186 #endif
    187 #endif
    188