      1 /*
      2  * restorecond
      3  *
      4  * Copyright (C) 2006-2009 Red Hat
      5  * see file 'COPYING' for use and warranty information
      6  *
      7  * This program is free software; you can redistribute it and/or
      8  * modify it under the terms of the GNU General Public License as
      9  * published by the Free Software Foundation; either version 2 of
     10  * the License, or (at your option) any later version.
     11  *
     12  * This program is distributed in the hope that it will be useful,
     13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
     14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     15  * GNU General Public License for more details.
     16  *
     17  * You should have received a copy of the GNU General Public License
     18  * along with this program; if not, write to the Free Software
     19  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
     20  * 02111-1307  USA
     21  *
     22  * Authors:
     23  *   Dan Walsh <dwalsh (at) redhat.com>
     24  *
     25 */
     26 
     27 /*
     28  * PURPOSE:
     29  * This daemon program watches for the creation of files listed in a config file
     30  * and makes sure that their security context matches the system's defaults
     31  *
     32  * USAGE:
     33  * restorecond [-d] [-u] [-v] [-f restorecond_file ]
     34  *
     35  * -d   Run in debug mode
     36  * -f   Use alternative restorecond_file
     37  * -u   Run in user mode
     38  * -v   Run in verbose mode (Report missing files)
     39  *
     40  * EXAMPLE USAGE:
     41  * restorecond
     42  *
     43  */
     44 
     45 #define _GNU_SOURCE
     46 #include <sys/inotify.h>
     47 #include <errno.h>
     48 #include <stdio.h>
     49 #include <stdlib.h>
     50 #include <signal.h>
     51 #include <string.h>
     52 #include <unistd.h>
     53 #include "restore.h"
     54 #include <sys/types.h>
     55 #include <syslog.h>
     56 #include <limits.h>
     57 #include <pwd.h>
     58 #include <sys/stat.h>
     59 #include <string.h>
     60 #include <stdio.h>
     61 #include <fcntl.h>
     62 #include "restorecond.h"
     63 #include "utmpwatcher.h"
     64 
/* Home directory of the invoking user; main() points this at pwd->pw_dir. */
const char *homedir;
/* inotify descriptor created in main(); -1 until inotify_init() succeeds. */
static int master_fd = -1;

/* Default config path used when running as uid 0. */
static const char *server_watch_file  = "/etc/selinux/restorecond.conf";
/* Default config path passed to server() when running as a non-root user. */
static const char *user_watch_file  = "/etc/selinux/restorecond_user.conf";
/* Config file path in effect; assigned in main(). */
static const char *watch_file;
/* Relabel options; zeroed and then initialised in main() via restore_init(). */
struct restore_opts r_opts;
     72 
     73 #include <selinux/selinux.h>
     74 
/* Set by -d; when non-zero main() skips the daemon() call. */
int debug_mode = 0;
/* Set to 1 by the SIGTERM handler. */
int terminate = 0;
/* Starts at -1; not assigned anywhere else in this file. */
int master_wd = -1;
/* Set by -u; a non-root invocation then goes straight to server(). */
int run_as_user = 0;
     79 
/*
 * Process-exit cleanup; main() registers this with atexit().
 * Calls watch_list_free() for the inotify descriptor, closes that
 * descriptor, calls utmpwatcher_free() and closes the selabel handle held
 * in r_opts.
 *
 * NOTE(review): main()'s normal shutdown path already calls
 * watch_list_free() and close() on master_fd before returning, and
 * term_handler() closes master_fd too, so this can run against an
 * already-closed descriptor -- confirm watch_list_free() tolerates a
 * repeat call.
 */
static void done(void) {
	watch_list_free(master_fd);
	close(master_fd);
	utmpwatcher_free();
	selabel_close(r_opts.hnd);
}
     86 
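/*
 * Path of the pid file.  Reset to NULL when the file could not be created,
 * so that main() skips the unlink() at shutdown.
 */
static const char *pidfile = "/var/run/restorecond.pid";

/*
 * Record the daemon's pid in pidfile.
 *
 * The file is opened with O_NOFOLLOW, so a symbolic link planted at the
 * final path component makes open() fail instead of redirecting the
 * truncating write to another file.  The requested mode is 0644 (further
 * restricted by the process umask).
 *
 * Returns 0 on success and 1 on failure; every failure is reported through
 * syslog().  The descriptor is closed on all paths.
 */
static int write_pid_file(void)
{
	char val[16];
	int pidfd;
	int len;

	/* The cast matches the %u conversion; pid_t itself is a signed type. */
	len = snprintf(val, sizeof(val), "%u\n", (unsigned int)getpid());
	if (len < 0 || (size_t)len >= sizeof(val)) {
		/* Error or truncation: never write more than val holds. */
		syslog(LOG_ERR, "Pid error (%s)", strerror(errno));
		pidfile = 0;
		return 1;
	}

	pidfd = open(pidfile, O_CREAT | O_TRUNC | O_NOFOLLOW | O_WRONLY, 0644);
	if (pidfd < 0) {
		syslog(LOG_ERR, "Unable to set pidfile (%s)", strerror(errno));
		pidfile = 0;
		return 1;
	}

	if (write(pidfd, val, (unsigned int)len) != len) {
		/* Keep the write error: close() below may overwrite errno. */
		int saved_errno = errno;

		close(pidfd);
		syslog(LOG_ERR, "Unable to write to pidfile (%s)",
		       strerror(saved_errno));
		return 1;
	}

	close(pidfd);
	return 0;
}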
    113 
/*
 * SIGTERM handler (installed by main() through sigaction()).
 * Sets the terminate flag and closes the inotify descriptor so that the
 * watch in progress fails.
 *
 * NOTE(review): terminate is a plain int written from signal context;
 * volatile sig_atomic_t is the type C guarantees for that -- confirm
 * against the declaration shared with the other source files.
 */
static void term_handler(int s __attribute__ ((unused)))
{
	terminate = 1;
	/* trigger a failure in the watch */
	close(master_fd);
}
    123 
/* Print the one-line command synopsis for `program` on standard output. */
static void usage(char *program)
{
	fprintf(stdout, "%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
}
    128 
/*
 * Fatal-error exit: report `msg` together with the current errno text via
 * perror(), then terminate the process with status -1.  Does not return.
 */
void exitApp(const char *msg)
{
	const int failure_status = -1;

	perror(msg);
	exit(failure_status);
}
    134 
    135 /*
    136    Add a file to the watch list.  We are watching for file creation, so we actually
    137    put the watch on the directory and then examine all files created in that directory
    138    to see if it is one that we are watching.
    139 */
    140 
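/*
 * Entry point of restorecond.
 *
 * Exits immediately with status 0 when SELinux is not enabled.  Otherwise
 * it initialises the relabel options, installs the SIGTERM handler, parses
 * the command line and creates the inotify descriptor.
 *
 * A non-root invocation either runs server() itself (-u, or when start()
 * returns non-zero) or returns 0.  A root invocation reads the config
 * file, daemonises unless -d was given, writes the pid file and calls
 * watch() until it returns non-zero.
 *
 * The file named with -f is honoured in both modes; the built-in default
 * path is used only when -f was not given.  (Previously the -f argument
 * was stored and then unconditionally replaced by the default.)
 */
int main(int argc, char **argv)
{
	int opt;
	struct sigaction sa;

	/* If we are not running SELinux then just exit */
	if (is_selinux_enabled() != 1)
		return 0;

	/* Set all options to zero/NULL except for ignore_noent & digest. */
	memset(&r_opts, 0, sizeof(r_opts));
	r_opts.ignore_noent = SELINUX_RESTORECON_IGNORE_NOENTRY;
	r_opts.ignore_digest = SELINUX_RESTORECON_IGNORE_DIGEST;

	/* As r_opts.selabel_opt_digest = NULL, no digest will be requested. */
	restore_init(&r_opts);

	/* Register sighandlers; zero the struct so no field is left unset. */
	memset(&sa, 0, sizeof(sa));
	sa.sa_flags = 0;
	sa.sa_handler = term_handler;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGTERM, &sa, NULL);

	atexit( done );
	while ((opt = getopt(argc, argv, "hdf:uv")) != -1) {
		switch (opt) {
		case 'd':
			debug_mode = 1;
			break;
		case 'f':
			/* Remembered here; stays NULL when -f is absent. */
			watch_file = optarg;
			break;
		case 'u':
			run_as_user = 1;
			break;
		case 'h':
			usage(argv[0]);
			exit(0);
			break;
		case 'v':
			r_opts.verbose = SELINUX_RESTORECON_VERBOSE;
			break;
		case '?':
			usage(argv[0]);
			exit(-1);
		}
	}

	master_fd = inotify_init();
	if (master_fd < 0)
		exitApp("inotify_init");

	uid_t uid = getuid();
	struct passwd *pwd = getpwuid(uid);
	if (!pwd)
		exitApp("getpwuid");

	/*
	 * NOTE(review): pw_dir points into storage owned by getpwuid(); a later
	 * getpw*() call elsewhere in the program could overwrite it -- confirm
	 * none is made, or keep a private copy.
	 */
	homedir = pwd->pw_dir;
	if (uid != 0) {
		/* Prefer the -f file; otherwise the per-user default. */
		const char *user_file = watch_file ? watch_file : user_watch_file;

		if (run_as_user)
			return server(master_fd, user_file);
		if (start() != 0)
			return server(master_fd, user_file);
		return 0;
	}

	/* Root: fall back to the system config only when -f was not given. */
	if (!watch_file)
		watch_file = server_watch_file;
	read_config(master_fd, watch_file);

	if (!debug_mode) {
		if (daemon(0, 0) < 0)
			exitApp("daemon");
	}

	/* Best effort: failures are logged inside write_pid_file(). */
	write_pid_file();

	while (watch(master_fd, watch_file) == 0) {
	};

	/*
	 * NOTE(review): done() repeats these two calls at exit, and
	 * term_handler() may already have closed master_fd.
	 */
	watch_list_free(master_fd);
	close(master_fd);

	/* pidfile is NULL when the pid file could not be created. */
	if (pidfile)
		unlink(pidfile);

	return 0;
}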
    228