davmac314 · WavyEbuilder · Oct 15, 2024 · Oct 19, 2024 · Oct 19, 2024 · Oct 19, 2024
diff --git a/BUILD b/BUILD
@@ -178,6 +178,8 @@ DEFAULT_STOP_TIMEOUT=XXX
     this, its process group is sent a SIGKILL signal which should cause it to terminate immediately.
     The default if unspecified is 10 seconds. (The value can be overridden for individual services
     via the service description).
+SUPPORT_SELINUX=1|0
+    Whether to build support for loading the system SELinux policy at boot.
 
 
 Running the test suite

diff --git a/BUILD_MESON b/BUILD_MESON
@@ -167,6 +167,10 @@ Custom options:
  build-shutdown            : Whether to build the shutdown/reboot/halt utilities.
                              Available values : enabled, disabled, auto
                              Default value : auto
+
+ support-selinux           : Enable SELinux support.
+                             Available values : enabled, disabled, auto
+                             Default value : auto
 
 
 Running the test suite

diff --git a/CONTRIBUTORS b/CONTRIBUTORS
@@ -16,3 +16,4 @@ The following people (in alphabetical order) have contributed:
  * Oliver Amann - Code, testing, documentation
  * Locria Cyber - Code, documentation
  * q66 - Code, testing, documentation.
+ * Rahul Sandhu - Code
diff --git a/build/Makefile b/build/Makefile
@@ -16,7 +16,8 @@ includes/mconfig.h: ../mconfig tools/mconfig-gen.cc version.conf
 		DEFAULT_STOP_TIMEOUT=$(DEFAULT_STOP_TIMEOUT) \
 		$(if $(SUPPORT_CGROUPS),SUPPORT_CGROUPS=$(SUPPORT_CGROUPS),) \
 		$(if $(USE_UTMPX),USE_UTMPX=$(USE_UTMPX),) \
-		$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) > includes/mconfig.h
+		$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) \
+		$(if $(SUPPORT_SELINUX),SUPPORT_SELINUX=$(SUPPORT_SELINUX),) > includes/mconfig.h
 
 clean:
 	rm -f includes/mconfig.h

diff --git a/build/mconfig.mesontemplate b/build/mconfig.mesontemplate
@@ -8,6 +8,7 @@
 #mesondefine USE_UTMPX
 #mesondefine USE_INITGROUPS
 #mesondefine SUPPORT_CGROUPS
+#mesondefine SUPPORT_SELINUX
 #mesondefine DEFAULT_AUTO_RESTART
 #mesondefine DEFAULT_START_TIMEOUT
 #mesondefine DEFAULT_STOP_TIMEOUT

diff --git a/build/tools/mconfig-gen.cc b/build/tools/mconfig-gen.cc
@@ -80,6 +80,9 @@ int main(int argc, char **argv)
     if (vars.find("DEFAULT_AUTO_RESTART") != vars.end()) {
         cout << "#define DEFAULT_AUTO_RESTART " << vars["DEFAULT_AUTO_RESTART"] << "\n";
     }
+    if (vars.find("SUPPORT_SELINUX") != vars.end()) {
+        cout << "#define SUPPORT_SELINUX " << vars["SUPPORT_SELINUX"] << "\n";
+    }
 
     cout << "\n// Constants\n";
     cout << "\nconstexpr static char DINIT_VERSION[] = " << stringify(vars["VERSION"]) << ";\n";

diff --git a/configure b/configure
@@ -152,6 +152,8 @@ Optional options:
   --disable-utmpx                   Disable manipulating the utmp/utmpx database via the related POSIX functions
   --enable-initgroups               Enable initialization of supplementary groups for run-as [Enabled]
   --disable-initgroups              Disable initialization of supplementary groups for run-as
+  --enable-selinux                  Enable SELinux support [Only avilable on Linux based systems with SELinux support]
+  --disable-selinux                 Disable SELinux support
   --enable-auto-restart             Enable auto-restart for services by default [Deprecated]
   --disable-auto-restart            Disable auto-restart for services by default [Deprecated]
   --default-start-timeout=sec       Default start-timeout for services [60]
@@ -210,6 +212,7 @@ for var in PREFIX \
            SUPPORT_CGROUPS \
            USE_UTMPX \
            USE_INITGROUPS \
+           SUPPORT_SELINUX \
            SYSCONTROLSOCKET \
            STRIPOPTS
 do
@@ -243,6 +246,8 @@ for arg in "$@"; do
         --disable-utmpx|--enable-utmpx=no) USE_UTMPX=0 ;;
         --enable-initgroups|--enable-initgroups=yes) USE_INITGROUPS=1 ;;
         --disable-initgroups|--enable-initgroups=no) USE_INITGROUPS=0 ;;
+        --enable-selinux|--enable-selinux=yes) SUPPORT_SELINUX=1 ;;
+        --disable-selinux|--enable-selinux=no) SUPPORT_SELINUX=0 ;;
         --enable-auto-restart|--enable-auto-restart=yes) DEFAULT_AUTO_RESTART=ALWAYS ;; # Deprecated
         --disable-auto-restart|--enable-auto-restart=no) DEFAULT_AUTO_RESTART=NEVER ;; # Deprecated
         --enable-strip|--enable-strip=yes) STRIPOPTS="-s" ;;
@@ -275,6 +280,7 @@ done
 : "${DEFAULT_START_TIMEOUT:="60"}"
 : "${DEFAULT_STOP_TIMEOUT:="10"}"
 : "${USE_INITGROUPS:="1"}"
+: "${SUPPORT_SELINUX:="0"}"
 if [ "$PLATFORM" = "Linux" ]; then
     : "${BUILD_SHUTDOWN:="yes"}"
     : "${SUPPORT_CGROUPS:="1"}"
@@ -380,6 +386,9 @@ fi
 if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$PLATFORM" = FreeBSD ]; then
     try_ld_argument LDFLAGS_BASE -lrt
 fi
+if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$SUPPORT_SELINUX" = "1" ]; then
+    try_ld_argument LDFLAGS_BASE -lselinux
+fi
 if [ "$AUTO_TEST_LDFLAGS_BASE" = true ]; then
     TEST_LDFLAGS_BASE="\$(LDFLAGS_BASE)"
     established_TEST_LDFLAGS="$LDFLAGS_BASE"
@@ -467,6 +476,7 @@ STRIPOPTS=$STRIPOPTS
 # Feature settings
 SUPPORT_CGROUPS=$SUPPORT_CGROUPS
 USE_INITGROUPS=$USE_INITGROUPS
+SUPPORT_SELINUX=$SUPPORT_SELINUX
 
 # Optional settings
 SHUTDOWN_PREFIX=${SHUTDOWN_PREFIX:-}

diff --git a/doc/manpages/dinit.8.m4 b/doc/manpages/dinit.8.m4
@@ -108,6 +108,10 @@ If service description settings contain relative cgroup paths, they will be reso
 this path.
 This option is only available if \fBdinit\fR is built with cgroups support.
 .TP
+\fB\-\-disable\-selinux\fR
+Disable loading of the system SELinux policy.
+This option is only available if \fBdinit\fR is built with SELinux support.
+.TP
 \fB\-\-help\fR
 Display brief help text and then exit.
 .TP

diff --git a/meson.build b/meson.build
@@ -33,6 +33,7 @@ man_pages = get_option('man-pages')
 support_cgroups = get_option('support-cgroups')
 use_utmpx = get_option('use-utmpx')
 use_initgroups = get_option('use-initgroups')
+support_selinux = get_option('support-selinux')
 default_auto_restart = get_option('default-auto-restart')
 default_start_timeout = get_option('default-start-timeout').to_string()
 default_stop_timeout = get_option('default-stop-timeout').to_string()
@@ -56,6 +57,9 @@ if platform == 'freebsd' and compiler.has_link_argument('-lrt')
     add_project_link_arguments('-lrt', language : 'cpp')
 endif
 
+## Dependencies
+libselinux_dep = dependency('libselinux', version : '>= 2.1.9', required : support_selinux)
+
 ## Prepare mconfig.h
 mconfig_data.set_quoted('DINIT_VERSION', version)
 mconfig_data.set_quoted('SYSCONTROLSOCKET', dinit_control_socket_path)
@@ -65,6 +69,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
 mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
 mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
 mconfig_data.set10('USE_INITGROUPS', use_initgroups)
+mconfig_data.set10('SUPPORT_SELINUX', libselinux_dep.found())
 if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
     mconfig_data.set('SUPPORT_CGROUPS', '1') 
 endif

diff --git a/meson_options.txt b/meson_options.txt
@@ -91,3 +91,9 @@ option(
     value : 'auto',
     description : 'Building shutdown/reboot/soft-reboot/halt or not.'
 )
+option(
+    'support-selinux',
+    type : 'feature',
+    value : 'auto',
+    description : 'SELinux support'
+)
diff --git a/src/dinit.cc b/src/dinit.cc
@@ -37,6 +37,12 @@
 
 #include "mconfig.h"
 
+#if SUPPORT_SELINUX
+#include <selinux/avc.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
+#endif
+
 /*
  * When running as the system init process, Dinit processes the following signals:
  *
@@ -210,6 +216,10 @@ struct options {
 
     // list of services to start
     std::list<const char *> services_to_start;
+
+#ifdef SUPPORT_SELINUX
+    bool load_selinux_policy = true;
+#endif
 };
 
 // Process a command line argument (and possibly its follow-up value)
@@ -365,6 +375,11 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
             }
         }
         #endif
+        #ifdef SUPPORT_SELINUX
+        else if (strcmp(argv[i], "--disable-selinux-policy") == 0) {
+            opts.load_selinux_policy = false;
+        }
+        #endif
         else if (strcmp(argv[i], "--service") == 0 || strcmp(argv[i], "-t") == 0) {
             if (++i < argc && argv[i][0] != '\0') {
                 services_to_start.push_back(argv[i]);
@@ -399,6 +414,9 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
                     " --cgroup-path <path>, -b <path>\n"
                     "                              cgroup base path (for resolving relative paths)\n"
                     #endif
+                    #ifdef SUPPORT_SELINUX
+                    " --disable-selinux-policy     don't load the system SELinux policy\n"
+                    #endif
                     " --log-file <file>, -l <file> log to the specified file\n"
                     " --quiet, -q                  disable output to standard output\n"
                     " <service-name>, --service <service-name>, -t <service-name>\n"
@@ -453,6 +471,90 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
     return 0;
 }
 
+#if SUPPORT_SELINUX
+// Load the system SELinux policy and transition ourselves to it. When successful,
+// this will cause SELinux labels as per the policy to be attached to processes (and
+// file descriptors owned by those processes). The SELinux framework will begin to
+// enforce restrictions on access based on these labels and the loaded policy.
+//
+// We might lose access to any file descriptors we have open when this is called (since
+// they will still be labelled with the kernel context), so it is best done early (i.e.
+// before we start opening file descriptors).
+//
+// Parameters:
+//   exe - the path that we are invoked with (to calculate our new security
+//         context to tranition into.)
+//
+// Returns:
+//   If we fail to load the system SELinux policy, return false, otherwise,
+//   return true.
+static bool selinux_transition(const char *exe) {
+    // Let's use std::cerr instead of the log for logging messages here.
+    // If we output anything, we return failure, which indicates dinit should
+    // terminate before the log is initalised and flushed.
+    using std::cerr;
+    using std::endl;
+
+    char *current_context = nullptr;
+    char *file_context = nullptr;
+    security_class_t security_class;
+    char *new_context = nullptr;
+
+    if (is_selinux_enabled() == 1) {
+        return true;
+    }
+
+    int enforce = 0;
+    // We don't need to worry about the enforcing=0 kernel cmdline option or
+    // parsing /etc/selinux/config, selinux_init_load_policy(3) will handle
+    // all cases for us.
+    if (selinux_init_load_policy(&enforce) != 0) {
+        if (enforce > 0) {
+            cerr << "Failed to load SELinux policy." << endl;
+            return false;
+        }
+    }
+
+    bool ret = true;
+    if (getcon_raw(&current_context) < 0) {
+        ret = false;
+        cerr << "Failed to get current context: " << strerror(errno) << endl;
+        goto cleanup;
+    }
+
+    if (getfilecon_raw(exe, &file_context) < 0) {
+        ret = false;
+        cerr << "Failed to get file context for " << exe << ": " << strerror(errno) << endl;
+        goto cleanup;
+    }
+
+    security_class = string_to_security_class("process");
+    if (security_class == 0) {
+        ret = false;
+        cerr << "Failed to get security class for process" << endl;
+        goto cleanup;
+    }
+
+    if (security_compute_create_raw(current_context, file_context, security_class, &new_context) < 0) {
+        ret = false;
+        cerr << "Failed to compute create context: " << strerror(errno) << endl;
+        goto cleanup;
+    }
+
+    if (setcon_raw(new_context) < 0) {
+        ret = false;
+        cerr << "Failed to set transition context to " << new_context << ": " << strerror(errno) << endl;
+        goto cleanup;
+    }
+
+cleanup:
+    if (current_context) freecon(current_context);
+    if (file_context) freecon(file_context);
+    if (new_context) freecon(new_context);
+    return ret;
+}
+#endif
+
 // Main entry point
 int dinit_main(int argc, char **argv)
 {
@@ -486,6 +588,18 @@ int dinit_main(int argc, char **argv)
         }
     }
 
+#if SUPPORT_SELINUX
+    // Error exit if we are PID 1 and fail to load the selinux policy and transition.
+    //
+    // This should be done directly after argument parsing, it's best to do this as early as possible to get
+    // init in the domain specified in the policy, and hence confine it, quickly.
+    //
+    // If selinux_transition fails, the system is not in the state requested by the user, and there is nothing
+    // we can do about it. Instead of continuing to boot the rest of the system without loading the user's policy,
+    // let's bail now to avoid an insecure and untrusted state.
+    if (am_system_mgr && am_system_init && opts.load_selinux_policy && !selinux_transition(argv[0])) return 1;
+#endif
+
     if (am_system_mgr) {
         // setup STDIN, STDOUT, STDERR so that we can use them
         int onefd = open("/dev/console", O_RDONLY, 0);
@@ -1207,6 +1321,9 @@ static void printVersion()
 #endif
 #if USE_INITGROUPS
                 " supplemental-groups"
+#endif
+#if SUPPORT_SELINUX
+                " selinux"
 #endif
                 "\n";
     }

diff --git a/src/meson.build b/src/meson.build
@@ -40,7 +40,8 @@ endif
 executable(
     'dinit',
     dinit_source_files,
-    kwargs: misc_args
+    kwargs: misc_args,
+    dependencies: [libselinux_dep],
 )
 executable(
     'dinitctl',