From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [RFC PATCH v2 10/27] libselinux: introduce selabel_nuke
Date: Mon, 14 Aug 2023 15:20:08 +0200	[thread overview]
Message-ID: <20230814132025.45364-11-cgzones@googlemail.com> (raw)
In-Reply-To: <20230814132025.45364-1-cgzones@googlemail.com>

Introduce a helper to remove SELinux file contexts.

Intended mainly for testing label operations, and only for systems with
SELinux disabled, since removing file contexts is not supported while
SELinux is enabled.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/utils/.gitignore     |   1 +
 libselinux/utils/selabel_nuke.c | 134 ++++++++++++++++++++++++++++++++
 2 files changed, 135 insertions(+)
 create mode 100644 libselinux/utils/selabel_nuke.c

diff --git a/libselinux/utils/.gitignore b/libselinux/utils/.gitignore
index b3311360..a92e1e94 100644
--- a/libselinux/utils/.gitignore
+++ b/libselinux/utils/.gitignore
@@ -20,6 +20,7 @@ selabel_digest
 selabel_get_digests_all_partial_matches
 selabel_lookup
 selabel_lookup_best_match
+selabel_nuke
 selabel_partial_match
 selinux_check_securetty_context
 selinuxenabled
diff --git a/libselinux/utils/selabel_nuke.c b/libselinux/utils/selabel_nuke.c
new file mode 100644
index 00000000..b6a2df66
--- /dev/null
+++ b/libselinux/utils/selabel_nuke.c
@@ -0,0 +1,134 @@
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <getopt.h>
+#include <linux/magic.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/xattr.h>
+#include <unistd.h>
+
+#include <selinux/selinux.h>
+
+
+#define XATTR_NAME_SELINUX "security.selinux"
+
+
+static void usage(const char *progname)
+{
+	fprintf(stderr, "usage: %s [-nrv] <path>\n", progname);
+}
+
+static void nuke(int atfd, const char *path, const char *fullpath, bool dry_run, bool recursive, bool verbose)
+{
+	ssize_t ret;
+	int fd, rc;
+	DIR *dir;
+
+	ret = lgetxattr(fullpath, XATTR_NAME_SELINUX, NULL, 0);
+	if (ret <= 0) {
+		if (errno != ENODATA && errno != ENOTSUP)
+			fprintf(stderr, "Failed to get SELinux label of %s:  %m\n", fullpath);
+		else if (verbose)
+			printf("Failed to get SELinux label of %s:  %m\n", fullpath);
+	} else {
+		if (dry_run) {
+			printf("Would remove SELinux label of %s\n", fullpath);
+		} else {
+			if (verbose)
+				printf("Removing label of %s\n", fullpath);
+
+			rc = lremovexattr(fullpath, XATTR_NAME_SELINUX);
+			if (rc < 0)
+				fprintf(stderr, "Failed to remove SELinux label of %s:  %m\n", fullpath);
+		}
+	}
+
+	if (!recursive)
+		return;
+
+	fd = openat(atfd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
+	if (fd < 0) {
+		if (errno != ENOTDIR)
+			fprintf(stderr, "Failed to open %s:  %m\n", fullpath);
+		return;
+	}
+
+	dir = fdopendir(fd);
+	if (!dir) {
+		fprintf(stderr, "Failed to open directory %s:  %m\n", fullpath);
+		close(fd);
+		return;
+	}
+
+	while (true) {
+		const struct dirent *entry;
+		char *nextfullpath;
+
+		errno = 0;
+		entry = readdir(dir);
+		if (!entry) {
+			if (errno)
+				fprintf(stderr, "Failed to iterate directory %s:  %m\n", fullpath);
+			break;
+		}
+
+		if (entry->d_name[0] == '.' && (entry->d_name[1] == '\0' || (entry->d_name[1] == '.' && entry->d_name[2] == '\0')))
+			continue;
+
+		rc = asprintf(&nextfullpath, "%s/%s", strcmp(fullpath, "/") == 0 ? "" : fullpath, entry->d_name);
+		if (rc < 0) {
+			fprintf(stderr, "Out of memory!\n");
+			closedir(dir);
+			return;
+		}
+
+		nuke(dirfd(dir), entry->d_name, nextfullpath, dry_run, recursive, verbose);
+
+		free(nextfullpath);
+	}
+
+	closedir(dir);
+}
+
+
+int main(int argc, char *argv[])
+{
+	bool dry_run = false, recursive = false, verbose = false;
+	int c;
+
+	while ((c = getopt(argc, argv, "nrv")) != -1) {
+		switch (c) {
+		case 'n':
+			dry_run = true;
+			break;
+		case 'r':
+			recursive = true;
+			break;
+		case 'v':
+			verbose = true;
+			break;
+		default:
+			usage(argv[0]);
+			return EXIT_FAILURE;
+		}
+	}
+
+	if (optind >= argc) {
+		usage(argv[0]);
+		return EXIT_FAILURE;
+	}
+
+	if (is_selinux_enabled()) {
+		fprintf(stderr, "Removing SELinux attributes on a SELinux enabled system is not supported!\n");
+		return EXIT_FAILURE;
+	}
+
+	for (int index = optind; index < argc; index++)
+		nuke(AT_FDCWD, argv[index], argv[index], dry_run, recursive, verbose);
+
+	return EXIT_SUCCESS;
+}
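Review bot: main() ends with `return EXIT_SUCCESS;` no matter how many lgetxattr(), lremovexattr() or openat() calls in nuke() failed, so a test script driving this tool cannot distinguish a partial or total failure from success; nuke() should report failure and main() should propagate it as EXIT_FAILURE. The recursive `openat(..., O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC)` fails with ELOOP rather than ENOTDIR on every symlink met during the walk, so the `if (errno != ENOTDIR)` guard prints a spurious "Failed to open" line per symlink and should read `if (errno != ENOTDIR && errno != ELOOP)`. The `if (ret <= 0)` test after lgetxattr() treats a zero-length security.selinux value as a failure and then prints a stale errno via `%m`, since lgetxattr() does not set errno when it returns 0; `ret < 0` looks like the intended condition. Note also that the directory descent is dirfd-relative with O_NOFOLLOW while the xattr calls take the rebuilt `fullpath`, so a directory component swapped for a symlink between readdir() and lremovexattr() would redirect the removal — presumably acceptable for a test-only tool, but worth a comment on nuke(). `<linux/magic.h>` is included but nothing in the file uses it.
```c
static int nuke(int atfd, const char *path, const char *fullpath, bool dry_run, bool recursive, bool verbose)
{
	ssize_t ret;
	int fd, rc, status = 0;
	DIR *dir;

	ret = lgetxattr(fullpath, XATTR_NAME_SELINUX, NULL, 0);
	if (ret < 0) {
		if (errno != ENODATA && errno != ENOTSUP) {
			fprintf(stderr, "Failed to get SELinux label of %s:  %m\n", fullpath);
			status = -1;
		} else if (verbose) {
			printf("Failed to get SELinux label of %s:  %m\n", fullpath);
		}
	} else if (dry_run) {
		printf("Would remove SELinux label of %s\n", fullpath);
	} else {
		/* … unchanged: verbose message … */
		rc = lremovexattr(fullpath, XATTR_NAME_SELINUX);
		if (rc < 0) {
			fprintf(stderr, "Failed to remove SELinux label of %s:  %m\n", fullpath);
			status = -1;
		}
	}

	if (!recursive)
		return status;

	fd = openat(atfd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
	if (fd < 0) {
		/* ENOTDIR: not a directory; ELOOP: a symlink rejected by O_NOFOLLOW — neither is an error here */
		if (errno != ENOTDIR && errno != ELOOP) {
			fprintf(stderr, "Failed to open %s:  %m\n", fullpath);
			status = -1;
		}
		return status;
	}

	/* … unchanged: fdopendir(), readdir() loop and asprintf(); their error paths also set status = -1 … */

		if (nuke(dirfd(dir), entry->d_name, nextfullpath, dry_run, recursive, verbose) < 0)
			status = -1;

	/* … unchanged: free(), closedir() … */
	return status;
}

/* … unchanged: main() option parsing and is_selinux_enabled() check … */

	int status = EXIT_SUCCESS;

	for (int index = optind; index < argc; index++)
		if (nuke(AT_FDCWD, argv[index], argv[index], dry_run, recursive, verbose) < 0)
			status = EXIT_FAILURE;

	return status;
```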
-- 
2.40.1

