From 5952f943e1f0fd631be9868dcfff2123127f142c Mon Sep 17 00:00:00 2001 From: Rahul Sandhu Date: Tue, 15 Oct 2024 21:46:14 +0100 Subject: [PATCH] init: optionally load the system SELinux policy --- CONTRIBUTORS | 1 + build/mconfig.mesontemplate | 1 + meson.build | 2 ++ meson_options.txt | 6 ++++++ src/dinit.cc | 26 +++++++++++++++++++++++++- src/meson.build | 9 ++++++++- 6 files changed, 43 insertions(+), 2 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index 797debea..b47b3be2 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -16,3 +16,4 @@ The following people (in alphabetical order) have contributed: * Oliver Amann - Code, testing, documentation * Locria Cyber - Code, documentation * q66 - Code, testing, documentation. + * Rahul Sandhu - Code diff --git a/build/mconfig.mesontemplate b/build/mconfig.mesontemplate index a7a6d1fb..435fc60b 100644 --- a/build/mconfig.mesontemplate +++ b/build/mconfig.mesontemplate @@ -8,6 +8,7 @@ #mesondefine USE_UTMPX #mesondefine USE_INITGROUPS #mesondefine SUPPORT_CGROUPS +#mesondefine SUPPORT_SELINUX #mesondefine DEFAULT_AUTO_RESTART #mesondefine DEFAULT_START_TIMEOUT #mesondefine DEFAULT_STOP_TIMEOUT diff --git a/meson.build b/meson.build index 96e1a0f9..2cbef24f 100644 --- a/meson.build +++ b/meson.build @@ -33,6 +33,7 @@ man_pages = get_option('man-pages') support_cgroups = get_option('support-cgroups') use_utmpx = get_option('use-utmpx') use_initgroups = get_option('use-initgroups') +libselinux = dependency('libselinux', version : '>= 2.1.9', required : get_option('selinux')) default_auto_restart = get_option('default-auto-restart') default_start_timeout = get_option('default-start-timeout').to_string() default_stop_timeout = get_option('default-stop-timeout').to_string() 
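Review bot: With the `selinux` feature at its default of `auto` (see the meson_options.txt hunk), the `dependency('libselinux', ..., required : get_option('selinux'))` line compiles policy loading out without any notice when libselinux is missing on the build host. The resulting init would then never call the policy loader, so a system that relies on dinit for this would, presumably, boot without its policy unless something earlier loads it. I would document this next to the option, for example by extending the description to `'SELinux support (load the system policy at boot when running as PID 1); use -Dselinux=enabled to make a missing libselinux a build error'`. Reporting the outcome at configure time would also help, e.g. `summary('SELinux policy loading', libselinux.found())`.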
@@ -65,6 +66,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart) mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout) mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout) mconfig_data.set10('USE_INITGROUPS', use_initgroups) +mconfig_data.set10('SUPPORT_SELINUX', libselinux.found()) if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled() mconfig_data.set('SUPPORT_CGROUPS', '1') endif diff --git a/meson_options.txt b/meson_options.txt index 617669ec..1cc8179d 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -91,3 +91,9 @@ option( value : 'auto', description : 'Building shutdown/reboot/soft-reboot/halt or not.' ) +option( + 'selinux', + type : 'feature', + value : 'auto', + description : 'SELinux support' +) diff --git a/src/dinit.cc b/src/dinit.cc index d2d0510d..dbb82cb3 100644 --- a/src/dinit.cc +++ b/src/dinit.cc @@ -37,6 +37,10 @@ #include "mconfig.h" +#if SUPPORT_SELINUX +#include +#endif + /* * When running as the system init process, Dinit processes the following signals: * @@ -460,7 +464,27 @@ int dinit_main(int argc, char **argv) am_system_mgr = (getpid() == 1); am_system_init = (getuid() == 0); - + +#if SUPPORT_SELINUX + int enforce = 0; + if (getenv("SELINUX_INIT") == NULL && am_system_mgr && am_system_init) { + if (is_selinux_enabled() != 1) { + if (selinux_init_load_policy(&enforce) == 0) { + setenv("SELINUX_INIT", "YES", 1); + // Once the selinux policy has loaded, we should reexec ourself so we get assigned the + // right context. + execv(argv[0], argv); + } else { + if (enforce > 0) { + fprintf(stderr, "Failed to load SELinux policy.\n"); + // error exit + return 1; + } + } + } + } +#endif + struct options opts; // if we are PID 1 and user id 0, we are *most probably* the system init. (Or on linux at least, we diff --git a/src/meson.build b/src/meson.build index 75b3aced..e0154f5f 100644 --- a/src/meson.build +++ b/src/meson.build 
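Review bot: The return from `execv(argv[0], argv)` in the new `SUPPORT_SELINUX` block of dinit_main is not handled. If the re-exec fails, execution falls through and dinit keeps running as PID 1 with the policy loaded but, presumably, still in the context it had before the load, even when `enforce > 0`. Directly after the `execv` line I would add `fprintf(stderr, "Failed to re-execute after loading SELinux policy.\n");` and `if (enforce > 0) return 1;`, so the enforcing case fails closed the same way the load-failure branch does. `argv[0]` is passed as the path unchecked and execv does not search PATH, so an argv[0] that is not a usable path ends up on this same failure route. A comment stating that `SELINUX_INIT` is only a marker to prevent a second load after re-exec, and that `return 1` from PID 1 is the intended fail-closed outcome, would help the next reader; dinit_main starts and ends outside this hunk.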
@@ -21,6 +21,12 @@ dinit_source_files = [ 'dinit-env.cc', 'settings.cc' ] +dinit_dependencies = [] + +if libselinux.found() + dinit_dependencies += libselinux +endif + ## src/'s Defines shutdown_built = false @@ -40,7 +46,8 @@ endif executable( 'dinit', dinit_source_files, - kwargs: misc_args + kwargs: misc_args, + dependencies: dinit_dependencies ) executable( 'dinitctl',