22542eca18
function old new delta vgetopt32 1318 1392 +74 runsvdir_main 703 713 +10 bb_make_directory 423 425 +2 collect_cpu 546 545 -1 opt_chars 3 - -3 opt_complementary 4 - -4 tftpd_main 567 562 -5 ntp_init 476 471 -5 zcip_main 1266 1256 -10 xxd_main 428 418 -10 whois_main 140 130 -10 who_main 463 453 -10 which_main 212 202 -10 wget_main 2535 2525 -10 watchdog_main 291 281 -10 watch_main 222 212 -10 vlock_main 399 389 -10 uuencode_main 332 322 -10 uudecode_main 316 306 -10 unlink_main 45 35 -10 udhcpd_main 1482 1472 -10 udhcpc_main 2762 2752 -10 tune2fs_main 290 280 -10 tunctl_main 366 356 -10 truncate_main 218 208 -10 tr_main 518 508 -10 time_main 1134 1124 -10 tftp_main 286 276 -10 telnetd_main 1873 1863 -10 tcpudpsvd_main 1785 1775 -10 taskset_main 521 511 -10 tar_main 1009 999 -10 tail_main 1644 1634 -10 syslogd_main 1967 1957 -10 switch_root_main 368 358 -10 svlogd_main 1454 1444 -10 sv 1296 1286 -10 stat_main 104 94 -10 start_stop_daemon_main 1028 1018 -10 split_main 542 532 -10 sort_main 796 786 -10 slattach_main 624 614 -10 shuf_main 504 494 -10 setsid_main 96 86 -10 setserial_main 1132 1122 -10 setfont_main 388 378 -10 setconsole_main 78 68 -10 sendmail_main 1209 1199 -10 sed_main 677 667 -10 script_main 1077 1067 -10 run_parts_main 325 315 -10 rtcwake_main 454 444 -10 rm_main 175 165 -10 reformime_main 119 109 -10 readlink_main 123 113 -10 rdate_main 246 236 -10 pwdx_main 189 179 -10 pstree_main 317 307 -10 pscan_main 663 653 -10 popmaildir_main 818 808 -10 pmap_main 80 70 -10 nc_main 1042 1032 -10 mv_main 558 548 -10 mountpoint_main 477 467 -10 mount_main 1264 1254 -10 modprobe_main 768 758 -10 modinfo_main 333 323 -10 mktemp_main 200 190 -10 mkswap_main 324 314 -10 mkfs_vfat_main 1489 1479 -10 microcom_main 715 705 -10 md5_sha1_sum_main 521 511 -10 man_main 867 857 -10 makedevs_main 1052 1042 -10 ls_main 563 553 -10 losetup_main 432 422 -10 loadfont_main 89 79 -10 ln_main 524 514 -10 link_main 75 65 -10 ipcalc_main 544 534 -10 iostat_main 2397 2387 -10 install_main 768 758 -10 id_main 480 470 -10 i2cset_main 1239 1229 -10 i2cget_main 380 370 -10 i2cdump_main 1482 1472 -10 i2cdetect_main 682 672 -10 hwclock_main 406 396 -10 httpd_main 741 731 -10 grep_main 837 827 -10 getty_main 1559 1549 -10 fuser_main 297 287 -10 ftpgetput_main 345 335 -10 ftpd_main 2232 2222 -10 fstrim_main 251 241 -10 fsfreeze_main 77 67 -10 fsck_minix_main 2921 2911 -10 flock_main 314 304 -10 flashcp_main 740 730 -10 flash_eraseall_main 833 823 -10 fdformat_main 532 522 -10 expand_main 680 670 -10 eject_main 335 325 -10 dumpleases_main 630 620 -10 du_main 314 304 -10 dos2unix_main 441 431 -10 diff_main 1350 1340 -10 df_main 1064 1054 -10 date_main 1095 1085 -10 cut_main 961 951 -10 cryptpw_main 228 218 -10 crontab_main 575 565 -10 crond_main 1149 1139 -10 cp_main 370 360 -10 common_traceroute_main 3834 3824 -10 common_ping_main 1767 1757 -10 comm_main 239 229 -10 cmp_main 655 645 -10 chrt_main 379 369 -10 chpst_main 704 694 -10 chpasswd_main 308 298 -10 chown_main 171 161 -10 chmod_main 158 148 -10 cat_main 428 418 -10 bzip2_main 120 110 -10 blkdiscard_main 264 254 -10 base64_main 221 211 -10 arping_main 1665 1655 -10 ar_main 556 546 -10 adjtimex_main 406 396 -10 adduser_main 882 872 -10 addgroup_main 411 401 -10 acpid_main 1198 1188 -10 optstring 11 - -11 opt_string 18 - -18 OPT_STR 25 - -25 ubi_tools_main 1288 1258 -30 ls_options 31 - -31 ------------------------------------------------------------------------------ (add/remove: 0/6 grow/shrink: 3/129 up/down: 86/-1383) Total: -1297 bytes text data bss dec hex filename 915428 485 6876 922789 e14a5 busybox_old 914629 485 6872 921986 e1182 busybox_unstripped Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
162 lines
4.7 KiB
C
162 lines
4.7 KiB
C
/*
|
|
* runcon [ context |
|
|
* ( [ -c ] [ -r role ] [-t type] [ -u user ] [ -l levelrange ] )
|
|
* command [arg1 [arg2 ...] ]
|
|
*
|
|
* attempt to run the specified command with the specified context.
|
|
*
|
|
* -r role : use the current context with the specified role
|
|
* -t type : use the current context with the specified type
|
|
* -u user : use the current context with the specified user
|
|
* -l level : use the current context with the specified level range
|
|
* -c : compute process transition context before modifying
|
|
*
|
|
* Contexts are interpreted as follows:
|
|
*
|
|
* Number of MLS
|
|
* components system?
|
|
*
|
|
* 1 - type
|
|
* 2 - role:type
|
|
* 3 Y role:type:range
|
|
* 3 N user:role:type
|
|
* 4 Y user:role:type:range
|
|
* 4 N error
|
|
*
|
|
* Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
|
|
* - based on coreutils-5.97 (in Fedora Core 6)
|
|
*
|
|
* Licensed under GPLv2, see file LICENSE in this source tree.
|
|
*/
|
|
//config:config RUNCON
|
|
//config: bool "runcon (6.6 kb)"
|
|
//config: default n
|
|
//config: depends on SELINUX
|
|
//config: help
|
|
//config: Enable support to run command in specified security context.
|
|
|
|
//applet:IF_RUNCON(APPLET(runcon, BB_DIR_USR_BIN, BB_SUID_DROP))
|
|
|
|
//kbuild:lib-$(CONFIG_RUNCON) += runcon.o
|
|
|
|
//usage:#define runcon_trivial_usage
|
|
//usage: "[-c] [-u USER] [-r ROLE] [-t TYPE] [-l RANGE] PROG ARGS\n"
|
|
//usage: "runcon CONTEXT PROG ARGS"
|
|
//usage:#define runcon_full_usage "\n\n"
|
|
//usage: "Run PROG in a different security context\n"
|
|
//usage: "\n CONTEXT Complete security context\n"
|
|
//usage: "\n -c Compute process transition context before modifying"
|
|
//usage: "\n -t TYPE Type (for same role as parent)"
|
|
//usage: "\n -u USER User identity"
|
|
//usage: "\n -r ROLE Role"
|
|
//usage: "\n -l RNG Levelrange"
|
|
|
|
#include <selinux/context.h>
|
|
/* from deprecated <selinux/flask.h>: */
|
|
#undef SECCLASS_PROCESS
|
|
#define SECCLASS_PROCESS 2
|
|
|
|
#include "libbb.h"
|
|
|
|
static context_t runcon_compute_new_context(char *user, char *role, char *type, char *range,
|
|
char *command, int compute_trans)
|
|
{
|
|
context_t con;
|
|
security_context_t cur_context;
|
|
|
|
if (getcon(&cur_context))
|
|
bb_error_msg_and_die("can't get current context");
|
|
|
|
if (compute_trans) {
|
|
security_context_t file_context, new_context;
|
|
|
|
if (getfilecon(command, &file_context) < 0)
|
|
bb_error_msg_and_die("can't retrieve attributes of '%s'",
|
|
command);
|
|
if (security_compute_create(cur_context, file_context,
|
|
SECCLASS_PROCESS, &new_context))
|
|
bb_error_msg_and_die("unable to compute a new context");
|
|
cur_context = new_context;
|
|
}
|
|
|
|
con = context_new(cur_context);
|
|
if (!con)
|
|
bb_error_msg_and_die("'%s' is not a valid context", cur_context);
|
|
if (user && context_user_set(con, user))
|
|
bb_error_msg_and_die("can't set new user '%s'", user);
|
|
if (type && context_type_set(con, type))
|
|
bb_error_msg_and_die("can't set new type '%s'", type);
|
|
if (range && context_range_set(con, range))
|
|
bb_error_msg_and_die("can't set new range '%s'", range);
|
|
if (role && context_role_set(con, role))
|
|
bb_error_msg_and_die("can't set new role '%s'", role);
|
|
|
|
return con;
|
|
}
|
|
|
|
#if ENABLE_LONG_OPTS
|
|
static const char runcon_longopts[] ALIGN1 =
|
|
"user\0" Required_argument "u"
|
|
"role\0" Required_argument "r"
|
|
"type\0" Required_argument "t"
|
|
"range\0" Required_argument "l"
|
|
"compute\0" No_argument "c"
|
|
"help\0" No_argument "h"
|
|
;
|
|
#endif
|
|
|
|
#define OPTS_ROLE (1<<0) /* r */
|
|
#define OPTS_TYPE (1<<1) /* t */
|
|
#define OPTS_USER (1<<2) /* u */
|
|
#define OPTS_RANGE (1<<3) /* l */
|
|
#define OPTS_COMPUTE (1<<4) /* c */
|
|
#define OPTS_HELP (1<<5) /* h */
|
|
#define OPTS_CONTEXT_COMPONENT (OPTS_ROLE | OPTS_TYPE | OPTS_USER | OPTS_RANGE)
|
|
|
|
int runcon_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
|
|
int runcon_main(int argc UNUSED_PARAM, char **argv)
|
|
{
|
|
char *role = NULL;
|
|
char *range = NULL;
|
|
char *user = NULL;
|
|
char *type = NULL;
|
|
char *context = NULL;
|
|
unsigned opts;
|
|
context_t con;
|
|
|
|
selinux_or_die();
|
|
|
|
opts = getopt32long(argv, "^"
|
|
"r:t:u:l:ch"
|
|
"\0" "-1",
|
|
runcon_longopts,
|
|
&role, &type, &user, &range
|
|
);
|
|
argv += optind;
|
|
|
|
if (!(opts & OPTS_CONTEXT_COMPONENT)) {
|
|
context = *argv++;
|
|
if (!argv[0])
|
|
bb_error_msg_and_die("no command given");
|
|
}
|
|
|
|
if (context) {
|
|
con = context_new(context);
|
|
if (!con)
|
|
bb_error_msg_and_die("'%s' is not a valid context", context);
|
|
} else {
|
|
con = runcon_compute_new_context(user, role, type, range,
|
|
argv[0], opts & OPTS_COMPUTE);
|
|
}
|
|
|
|
if (security_check_context(context_str(con)))
|
|
bb_error_msg_and_die("'%s' is not a valid context",
|
|
context_str(con));
|
|
|
|
if (setexeccon(context_str(con)))
|
|
bb_error_msg_and_die("can't set up security context '%s'",
|
|
context_str(con));
|
|
|
|
BB_EXECVP_or_die(argv);
|
|
}
|