search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ls: support --hyperlink to output file:// URIs
[coreutils.git] / src / chcon.c
blobf6f19135bba464edb89f992e023cabe187afe552
1 /* chcon -- change security context of files
2 Copyright (C) 2005-2017 Free Software Foundation, Inc.
3
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
8
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
13
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
16
17 #include <config.h>
18 #include <stdio.h>
19 #include <sys/types.h>
20 #include <getopt.h>
21
22 #include "system.h"
23 #include "dev-ino.h"
24 #include "die.h"
25 #include "error.h"
26 #include "ignore-value.h"
27 #include "quote.h"
28 #include "root-dev-ino.h"
29 #include "selinux-at.h"
30 #include "xfts.h"
31
32 /* The official name of this program (e.g., no 'g' prefix). */
33 #define PROGRAM_NAME "chcon"
34
35 #define AUTHORS \
36 proper_name ("Russell Coker"), \
37 proper_name ("Jim Meyering")
38
39 /* If nonzero, and the systems has support for it, change the context
40 of symbolic links rather than any files they point to. */
41 static bool affect_symlink_referent;
42
43 /* If true, change the modes of directories recursively. */
44 static bool recurse;
45
46 /* Level of verbosity. */
47 static bool verbose;
48
49 /* Pointer to the device and inode numbers of '/', when --recursive.
50 Otherwise NULL. */
51 static struct dev_ino *root_dev_ino;
52
53 /* The name of the context file is being given. */
54 static char const *specified_context;
55
56 /* Specific components of the context */
57 static char const *specified_user;
58 static char const *specified_role;
59 static char const *specified_range;
60 static char const *specified_type;
61
62 /* For long options that have no equivalent short option, use a
63 non-character as a pseudo short option, starting with CHAR_MAX + 1. */
64 enum
65 {
66 DEREFERENCE_OPTION = CHAR_MAX + 1,
67 NO_PRESERVE_ROOT,
68 PRESERVE_ROOT,
69 REFERENCE_FILE_OPTION
70 };
71
72 static struct option const long_options[] =
73 {
74 {"recursive", no_argument, NULL, 'R'},
75 {"dereference", no_argument, NULL, DEREFERENCE_OPTION},
76 {"no-dereference", no_argument, NULL, 'h'},
77 {"no-preserve-root", no_argument, NULL, NO_PRESERVE_ROOT},
78 {"preserve-root", no_argument, NULL, PRESERVE_ROOT},
79 {"reference", required_argument, NULL, REFERENCE_FILE_OPTION},
80 {"user", required_argument, NULL, 'u'},
81 {"role", required_argument, NULL, 'r'},
82 {"type", required_argument, NULL, 't'},
83 {"range", required_argument, NULL, 'l'},
84 {"verbose", no_argument, NULL, 'v'},
85 {GETOPT_HELP_OPTION_DECL},
86 {GETOPT_VERSION_OPTION_DECL},
87 {NULL, 0, NULL, 0}
88 };
89
90 /* Given a security context, CONTEXT, derive a context_t (*RET),
91 setting any portions selected via the global variables, specified_user,
92 specified_role, etc. */
93 static int
94 compute_context_from_mask (char const *context, context_t *ret)
95 {
96 bool ok = true;
97 context_t new_context = context_new (context);
98 if (!new_context)
99 {
100 error (0, errno, _("failed to create security context: %s"),
101 quote (context));
102 return 1;
103 }
104
105 #define SET_COMPONENT(C, comp) \
106 do \
107 { \
108 if (specified_ ## comp \
109 && context_ ## comp ## _set ((C), specified_ ## comp)) \
110 { \
111 error (0, errno, \
112 _("failed to set %s security context component to %s"), \
113 #comp, quote (specified_ ## comp)); \
114 ok = false; \
115 } \
116 } \
117 while (0)
118
119 SET_COMPONENT (new_context, user);
120 SET_COMPONENT (new_context, range);
121 SET_COMPONENT (new_context, role);
122 SET_COMPONENT (new_context, type);
123
124 if (!ok)
125 {
126 int saved_errno = errno;
127 context_free (new_context);
128 errno = saved_errno;
129 return 1;
130 }
131
132 *ret = new_context;
133 return 0;
134 }
135
136 /* Change the context of FILE, using specified components.
137 If it is a directory and -R is given, recurse.
138 Return 0 if successful, 1 if errors occurred. */
139
140 static int
141 change_file_context (int fd, char const *file)
142 {
143 char *file_context = NULL;
144 context_t context IF_LINT (= 0);
145 char const * context_string;
146 int errors = 0;
147
148 if (specified_context == NULL)
149 {
150 int status = (affect_symlink_referent
151 ? getfileconat (fd, file, &file_context)
152 : lgetfileconat (fd, file, &file_context));
153
154 if (status < 0 && errno != ENODATA)
155 {
156 error (0, errno, _("failed to get security context of %s"),
157 quoteaf (file));
158 return 1;
159 }
160
161 /* If the file doesn't have a context, and we're not setting all of
162 the context components, there isn't really an obvious default.
163 Thus, we just give up. */
164 if (file_context == NULL)
165 {
166 error (0, 0, _("can't apply partial context to unlabeled file %s"),
167 quoteaf (file));
168 return 1;
169 }
170
171 if (compute_context_from_mask (file_context, &context))
172 return 1;
173
174 context_string = context_str (context);
175 }
176 else
177 {
178 context_string = specified_context;
179 }
180
181 if (file_context == NULL || ! STREQ (context_string, file_context))
182 {
183 int fail = (affect_symlink_referent
184 ? setfileconat (fd, file, se_const (context_string))
185 : lsetfileconat (fd, file, se_const (context_string)));
186
187 if (fail)
188 {
189 errors = 1;
190 error (0, errno, _("failed to change context of %s to %s"),
191 quoteaf_n (0, file), quote_n (1, context_string));
192 }
193 }
194
195 if (specified_context == NULL)
196 {
197 context_free (context);
198 freecon (file_context);
199 }
200
201 return errors;
202 }
203
204 /* Change the context of FILE.
205 Return true if successful. This function is called
206 once for every file system object that fts encounters. */
207
208 static bool
209 process_file (FTS *fts, FTSENT *ent)
210 {
211 char const *file_full_name = ent->fts_path;
212 char const *file = ent->fts_accpath;
213 const struct stat *file_stats = ent->fts_statp;
214 bool ok = true;
215
216 switch (ent->fts_info)
217 {
218 case FTS_D:
219 if (recurse)
220 {
221 if (ROOT_DEV_INO_CHECK (root_dev_ino, ent->fts_statp))
222 {
223 /* This happens e.g., with "chcon -R --preserve-root ... /"
224 and with "chcon -RH --preserve-root ... symlink-to-root". */
225 ROOT_DEV_INO_WARN (file_full_name);
226 /* Tell fts not to traverse into this hierarchy. */
227 fts_set (fts, ent, FTS_SKIP);
228 /* Ensure that we do not process "/" on the second visit. */
229 ignore_value (fts_read (fts));
230 return false;
231 }
232 return true;
233 }
234 break;
235
236 case FTS_DP:
237 if (! recurse)
238 return true;
239 break;
240
241 case FTS_NS:
242 /* For a top-level file or directory, this FTS_NS (stat failed)
243 indicator is determined at the time of the initial fts_open call.
244 With programs like chmod, chown, and chgrp, that modify
245 permissions, it is possible that the file in question is
246 accessible when control reaches this point. So, if this is
247 the first time we've seen the FTS_NS for this file, tell
248 fts_read to stat it "again". */
249 if (ent->fts_level == 0 && ent->fts_number == 0)
250 {
251 ent->fts_number = 1;
252 fts_set (fts, ent, FTS_AGAIN);
253 return true;
254 }
255 error (0, ent->fts_errno, _("cannot access %s"),
256 quoteaf (file_full_name));
257 ok = false;
258 break;
259
260 case FTS_ERR:
261 error (0, ent->fts_errno, "%s", quotef (file_full_name));
262 ok = false;
263 break;
264
265 case FTS_DNR:
266 error (0, ent->fts_errno, _("cannot read directory %s"),
267 quoteaf (file_full_name));
268 ok = false;
269 break;
270
271 case FTS_DC: /* directory that causes cycles */
272 if (cycle_warning_required (fts, ent))
273 {
274 emit_cycle_warning (file_full_name);
275 return false;
276 }
277 break;
278
279 default:
280 break;
281 }
282
283 if (ent->fts_info == FTS_DP
284 && ok && ROOT_DEV_INO_CHECK (root_dev_ino, file_stats))
285 {
286 ROOT_DEV_INO_WARN (file_full_name);
287 ok = false;
288 }
289
290 if (ok)
291 {
292 if (verbose)
293 printf (_("changing security context of %s\n"),
294 quoteaf (file_full_name));
295
296 if (change_file_context (fts->fts_cwd_fd, file) != 0)
297 ok = false;
298 }
299
300 if ( ! recurse)
301 fts_set (fts, ent, FTS_SKIP);
302
303 return ok;
304 }
305
306 /* Recursively operate on the specified FILES (the last entry
307 of which is NULL). BIT_FLAGS controls how fts works.
308 Return true if successful. */
309
310 static bool
311 process_files (char **files, int bit_flags)
312 {
313 bool ok = true;
314
315 FTS *fts = xfts_open (files, bit_flags, NULL);
316
317 while (1)
318 {
319 FTSENT *ent;
320
321 ent = fts_read (fts);
322 if (ent == NULL)
323 {
324 if (errno != 0)
325 {
326 /* FIXME: try to give a better message */
327 error (0, errno, _("fts_read failed"));
328 ok = false;
329 }
330 break;
331 }
332
333 ok &= process_file (fts, ent);
334 }
335
336 if (fts_close (fts) != 0)
337 {
338 error (0, errno, _("fts_close failed"));
339 ok = false;
340 }
341
342 return ok;
343 }
344
345 void
346 usage (int status)
347 {
348 if (status != EXIT_SUCCESS)
349 emit_try_help ();
350 else
351 {
352 printf (_("\
353 Usage: %s [OPTION]... CONTEXT FILE...\n\
354 or: %s [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...\n\
355 or: %s [OPTION]... --reference=RFILE FILE...\n\
356 "),
357 program_name, program_name, program_name);
358 fputs (_("\
359 Change the SELinux security context of each FILE to CONTEXT.\n\
360 With --reference, change the security context of each FILE to that of RFILE.\n\
361 "), stdout);
362
363 emit_mandatory_arg_note ();
364
365 fputs (_("\
366 --dereference affect the referent of each symbolic link (this is\n\
367 the default), rather than the symbolic link itself\n\
368 -h, --no-dereference affect symbolic links instead of any referenced file\n\
369 "), stdout);
370 fputs (_("\
371 -u, --user=USER set user USER in the target security context\n\
372 -r, --role=ROLE set role ROLE in the target security context\n\
373 -t, --type=TYPE set type TYPE in the target security context\n\
374 -l, --range=RANGE set range RANGE in the target security context\n\
375 "), stdout);
376 fputs (_("\
377 --no-preserve-root do not treat '/' specially (the default)\n\
378 --preserve-root fail to operate recursively on '/'\n\
379 "), stdout);
380 fputs (_("\
381 --reference=RFILE use RFILE's security context rather than specifying\n\
382 a CONTEXT value\n\
383 "), stdout);
384 fputs (_("\
385 -R, --recursive operate on files and directories recursively\n\
386 "), stdout);
387 fputs (_("\
388 -v, --verbose output a diagnostic for every file processed\n\
389 "), stdout);
390 fputs (_("\
391 \n\
392 The following options modify how a hierarchy is traversed when the -R\n\
393 option is also specified. If more than one is specified, only the final\n\
394 one takes effect.\n\
395 \n\
396 -H if a command line argument is a symbolic link\n\
397 to a directory, traverse it\n\
398 -L traverse every symbolic link to a directory\n\
399 encountered\n\
400 -P do not traverse any symbolic links (default)\n\
401 \n\
402 "), stdout);
403 fputs (HELP_OPTION_DESCRIPTION, stdout);
404 fputs (VERSION_OPTION_DESCRIPTION, stdout);
405 emit_ancillary_info (PROGRAM_NAME);
406 }
407 exit (status);
408 }
409
410 int
411 main (int argc, char **argv)
412 {
413 /* Bit flags that control how fts works. */
414 int bit_flags = FTS_PHYSICAL;
415
416 /* 1 if --dereference, 0 if --no-dereference, -1 if neither has been
417 specified. */
418 int dereference = -1;
419
420 bool ok;
421 bool preserve_root = false;
422 bool component_specified = false;
423 char *reference_file = NULL;
424 int optc;
425
426 initialize_main (&argc, &argv);
427 set_program_name (argv[0]);
428 setlocale (LC_ALL, "");
429 bindtextdomain (PACKAGE, LOCALEDIR);
430 textdomain (PACKAGE);
431
432 atexit (close_stdout);
433
434 while ((optc = getopt_long (argc, argv, "HLPRhvu:r:t:l:", long_options, NULL))
435 != -1)
436 {
437 switch (optc)
438 {
439 case 'H': /* Traverse command-line symlinks-to-directories. */
440 bit_flags = FTS_COMFOLLOW | FTS_PHYSICAL;
441 break;
442
443 case 'L': /* Traverse all symlinks-to-directories. */
444 bit_flags = FTS_LOGICAL;
445 break;
446
447 case 'P': /* Traverse no symlinks-to-directories. */
448 bit_flags = FTS_PHYSICAL;
449 break;
450
451 case 'h': /* --no-dereference: affect symlinks */
452 dereference = 0;
453 break;
454
455 case DEREFERENCE_OPTION: /* --dereference: affect the referent
456 of each symlink */
457 dereference = 1;
458 break;
459
460 case NO_PRESERVE_ROOT:
461 preserve_root = false;
462 break;
463
464 case PRESERVE_ROOT:
465 preserve_root = true;
466 break;
467
468 case REFERENCE_FILE_OPTION:
469 reference_file = optarg;
470 break;
471
472 case 'R':
473 recurse = true;
474 break;
475
476 case 'f':
477 /* ignore */
478 break;
479
480 case 'v':
481 verbose = true;
482 break;
483
484 case 'u':
485 specified_user = optarg;
486 component_specified = true;
487 break;
488
489 case 'r':
490 specified_role = optarg;
491 component_specified = true;
492 break;
493
494 case 't':
495 specified_type = optarg;
496 component_specified = true;
497 break;
498
499 case 'l':
500 specified_range = optarg;
501 component_specified = true;
502 break;
503
504 case_GETOPT_HELP_CHAR;
505 case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
506 default:
507 usage (EXIT_FAILURE);
508 }
509 }
510
511 if (recurse)
512 {
513 if (bit_flags == FTS_PHYSICAL)
514 {
515 if (dereference == 1)
516 die (EXIT_FAILURE, 0,
517 _("-R --dereference requires either -H or -L"));
518 affect_symlink_referent = false;
519 }
520 else
521 {
522 if (dereference == 0)
523 die (EXIT_FAILURE, 0, _("-R -h requires -P"));
524 affect_symlink_referent = true;
525 }
526 }
527 else
528 {
529 bit_flags = FTS_PHYSICAL;
530 affect_symlink_referent = (dereference != 0);
531 }
532
533 if (argc - optind < (reference_file || component_specified ? 1 : 2))
534 {
535 if (argc <= optind)
536 error (0, 0, _("missing operand"));
537 else
538 error (0, 0, _("missing operand after %s"), quote (argv[argc - 1]));
539 usage (EXIT_FAILURE);
540 }
541
542 if (reference_file)
543 {
544 char *ref_context = NULL;
545
546 if (getfilecon (reference_file, &ref_context) < 0)
547 die (EXIT_FAILURE, errno, _("failed to get security context of %s"),
548 quoteaf (reference_file));
549
550 specified_context = ref_context;
551 }
552 else if (component_specified)
553 {
554 /* FIXME: it's already null, so this is a no-op. */
555 specified_context = NULL;
556 }
557 else
558 {
559 specified_context = argv[optind++];
560 if (security_check_context (se_const (specified_context)) < 0)
561 die (EXIT_FAILURE, errno, _("invalid context: %s"),
562 quote (specified_context));
563 }
564
565 if (reference_file && component_specified)
566 {
567 error (0, 0, _("conflicting security context specifiers given"));
568 usage (EXIT_FAILURE);
569 }
570
571 if (recurse && preserve_root)
572 {
573 static struct dev_ino dev_ino_buf;
574 root_dev_ino = get_root_dev_ino (&dev_ino_buf);
575 if (root_dev_ino == NULL)
576 die (EXIT_FAILURE, errno, _("failed to get attributes of %s"),
577 quoteaf ("/"));
578 }
579 else
580 {
581 root_dev_ino = NULL;
582 }
583
584 ok = process_files (argv + optind, bit_flags | FTS_NOSTAT);
585
586 return ok ? EXIT_SUCCESS : EXIT_FAILURE;
587 }
GNU core utilities