libcompat: Add a setexecfilecon() function out from dpkg code

This is now a fallback implementation in case libselinux is too old.

3 files changed, 90 insertions, 0 deletions

diff --git a/lib/compat/Makefile.am b/lib/compat/Makefile.am
index 975f86357..72c50b23b 100644
--- a/lib/compat/Makefile.am
+++ b/lib/compat/Makefile.am
@@ -10,6 +10,7 @@ noinst_LTLIBRARIES = libcompat-test.la libcompat.la
 libcompat_test_la_CPPFLAGS = $(AM_CPPFLAGS) -DTEST_LIBCOMPAT=1
 libcompat_test_la_SOURCES = \
 	compat.h \
+	selinux.c \
 	strnlen.c \
 	strndup.c \
 	strerror.c \
@@ -56,6 +57,10 @@ if !HAVE_STRSIGNAL
 libcompat_la_SOURCES += strsignal.c
 endif
 
+if !HAVE_SETEXECFILECON
+libcompat_la_SOURCES += selinux.c
+endif
+
 if !HAVE_C99_SNPRINTF
 libcompat_la_SOURCES += snprintf.c vsnprintf.c
 endif
diff --git a/lib/compat/compat.h b/lib/compat/compat.h
index 52379ec8e..643aa3c17 100644
--- a/lib/compat/compat.h
+++ b/lib/compat/compat.h
@@ -170,6 +170,10 @@ int alphasort(const void *a, const void *b);
 int unsetenv(const char *x);
 #endif
 
+#if TEST_LIBCOMPAT || !defined(HAVE_SETEXECFILECON)
+int setexecfilecon(const char *filename, const char *fallback_type);
+#endif
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/lib/compat/selinux.c b/lib/compat/selinux.c
new file mode 100644
index 000000000..087317527
--- /dev/null
+++ b/lib/compat/selinux.c
@@ -0,0 +1,81 @@
+/*
+ * libcompat - system compatibility library
+ *
+ * Based on code from libselinux, Public Domain.
+ * Copyright © 2014 Guillem Jover <guillem@debian.org>
+ *
+ * This is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include <string.h>
+#include <stdlib.h>
+
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h>
+
+#include "compat.h"
+
+int
+setexecfilecon(const char *filename, const char *fallback)
+{
+	int rc;
+
+	security_context_t curcon = NULL, newcon = NULL, filecon = NULL;
+	context_t tmpcon = NULL;
+
+	if (is_selinux_enabled() < 1)
+		return 0;
+
+	rc = getcon(&curcon);
+	if (rc < 0)
+		goto out;
+
+	rc = getfilecon(filename, &filecon);
+	if (rc < 0)
+		goto out;
+
+	rc = security_compute_create(curcon, filecon, SECCLASS_PROCESS, &newcon);
+	if (rc < 0)
+		goto out;
+
+	if (strcmp(curcon, newcon) == 0) {
+		/* No default transition, use fallback for now. */
+		rc = -1;
+		tmpcon = context_new(curcon);
+		if (tmpcon == NULL)
+			goto out;
+		if (context_type_set(tmpcon, fallback))
+			goto out;
+		freecon(newcon);
+		newcon = strdup(context_str(tmpcon));
+		if (newcon == NULL)
+			goto out;
+	}
+
+	rc = setexeccon(newcon);
+
+out:
+	if (rc < 0 && security_getenforce() == 0)
+		rc = 0;
+
+	context_free(tmpcon);
+	freecon(newcon);
+	freecon(curcon);
+	freecon(filecon);
+
+	return rc;
+}