1 /* chcon -- change security context of files
2 Copyright (C) 2005-2008 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
19 #include <sys/types.h>
28 #include "root-dev-ino.h"
29 #include "selinux-at.h"
32 /* The official name of this program (e.g., no `g' prefix). */
33 #define PROGRAM_NAME "chcon"
35 #define AUTHORS "Russell Coker", "Jim Meyering"
42 CH_NO_CHANGE_REQUESTED
47 /* Print a message for each file that is processed. */
50 /* Print a message for each file whose attributes we change. */
53 /* Do not be verbose. This is the default. */
57 /* The name the program was run with. */
60 /* If nonzero, and the systems has support for it, change the context
61 of symbolic links rather than any files they point to. */
62 static bool affect_symlink_referent;
64 /* If true, change the modes of directories recursively. */
67 /* Level of verbosity. */
70 /* Pointer to the device and inode numbers of `/', when --recursive.
72 static struct dev_ino *root_dev_ino;
74 /* The name of the context file is being given. */
75 static char const *specified_context;
77 /* Specific components of the context */
78 static char const *specified_user;
79 static char const *specified_role;
80 static char const *specified_range;
81 static char const *specified_type;
83 /* For long options that have no equivalent short option, use a
84 non-character as a pseudo short option, starting with CHAR_MAX + 1. */
87 DEREFERENCE_OPTION = CHAR_MAX + 1,
93 static struct option const long_options[] =
95 {"recursive", no_argument, NULL, 'R'},
96 {"dereference", no_argument, NULL, DEREFERENCE_OPTION},
97 {"no-dereference", no_argument, NULL, 'h'},
98 {"no-preserve-root", no_argument, NULL, NO_PRESERVE_ROOT},
99 {"preserve-root", no_argument, NULL, PRESERVE_ROOT},
100 {"reference", required_argument, NULL, REFERENCE_FILE_OPTION},
101 {"user", required_argument, NULL, 'u'},
102 {"role", required_argument, NULL, 'r'},
103 {"type", required_argument, NULL, 't'},
104 {"range", required_argument, NULL, 'l'},
105 {"verbose", no_argument, NULL, 'v'},
106 {GETOPT_HELP_OPTION_DECL},
107 {GETOPT_VERSION_OPTION_DECL},
111 /* Given a security context, CONTEXT, derive a context_t (*RET),
112 setting any portions selected via the global variables, specified_user,
113 specified_role, etc. */
115 compute_context_from_mask (security_context_t context, context_t *ret)
118 context_t new_context = context_new (context);
121 error (0, errno, _("failed to create security context: %s"),
122 quotearg_colon (context));
126 #define SET_COMPONENT(C, comp) \
129 if (specified_ ## comp \
130 && context_ ## comp ## _set ((C), specified_ ## comp)) \
133 _("failed to set %s security context component to %s"), \
134 #comp, quote (specified_ ## comp)); \
140 SET_COMPONENT (new_context, user);
141 SET_COMPONENT (new_context, range);
142 SET_COMPONENT (new_context, role);
143 SET_COMPONENT (new_context, type);
147 int saved_errno = errno;
148 context_free (new_context);
157 /* Change the context of FILE, using specified components.
158 If it is a directory and -R is given, recurse.
159 Return 0 if successful, 1 if errors occurred. */
162 change_file_context (int fd, char const *file)
164 security_context_t file_context = NULL;
166 security_context_t context_string;
169 if (specified_context == NULL)
171 int status = (affect_symlink_referent
172 ? getfileconat (fd, file, &file_context)
173 : lgetfileconat (fd, file, &file_context));
175 if (status < 0 && errno != ENODATA)
177 error (0, errno, _("failed to get security context of %s"),
182 /* If the file doesn't have a context, and we're not setting all of
183 the context components, there isn't really an obvious default.
184 Thus, we just give up. */
185 if (file_context == NULL)
187 error (0, 0, _("can't apply partial context to unlabeled file %s"),
192 if (compute_context_from_mask (file_context, &context))
197 /* FIXME: this should be done exactly once, in main. */
198 context = context_new (specified_context);
203 context_string = context_str (context);
205 if (file_context == NULL || ! STREQ (context_string, file_context))
207 int fail = (affect_symlink_referent
208 ? setfileconat (fd, file, context_string)
209 : lsetfileconat (fd, file, context_string));
214 error (0, errno, _("failed to change context of %s to %s"),
215 quote_n (0, file), quote_n (1, context_string));
219 context_free (context);
220 freecon (file_context);
225 /* Change the context of FILE.
226 Return true if successful. This function is called
227 once for every file system object that fts encounters. */
230 process_file (FTS *fts, FTSENT *ent)
232 char const *file_full_name = ent->fts_path;
233 char const *file = ent->fts_accpath;
234 const struct stat *file_stats = ent->fts_statp;
237 switch (ent->fts_info)
242 if (ROOT_DEV_INO_CHECK (root_dev_ino, ent->fts_statp))
244 /* This happens e.g., with "chcon -R --preserve-root ... /"
245 and with "chcon -RH --preserve-root ... symlink-to-root". */
246 ROOT_DEV_INO_WARN (file_full_name);
247 /* Tell fts not to traverse into this hierarchy. */
248 fts_set (fts, ent, FTS_SKIP);
249 /* Ensure that we do not process "/" on the second visit. */
250 ent = fts_read (fts);
263 /* For a top-level file or directory, this FTS_NS (stat failed)
264 indicator is determined at the time of the initial fts_open call.
265 With programs like chmod, chown, and chgrp, that modify
266 permissions, it is possible that the file in question is
267 accessible when control reaches this point. So, if this is
268 the first time we've seen the FTS_NS for this file, tell
269 fts_read to stat it "again". */
270 if (ent->fts_level == 0 && ent->fts_number == 0)
273 fts_set (fts, ent, FTS_AGAIN);
276 error (0, ent->fts_errno, _("cannot access %s"), quote (file_full_name));
281 error (0, ent->fts_errno, _("%s"), quote (file_full_name));
286 error (0, ent->fts_errno, _("cannot read directory %s"),
287 quote (file_full_name));
295 if (ent->fts_info == FTS_DP
296 && ok && ROOT_DEV_INO_CHECK (root_dev_ino, file_stats))
298 ROOT_DEV_INO_WARN (file_full_name);
305 printf (_("changing security context of %s"),
306 quote (file_full_name));
308 if (change_file_context (fts->fts_cwd_fd, file) != 0)
313 fts_set (fts, ent, FTS_SKIP);
318 /* Recursively operate on the specified FILES (the last entry
319 of which is NULL). BIT_FLAGS controls how fts works.
320 Return true if successful. */
323 process_files (char **files, int bit_flags)
327 FTS *fts = xfts_open (files, bit_flags, NULL);
333 ent = fts_read (fts);
338 /* FIXME: try to give a better message */
339 error (0, errno, _("fts_read failed"));
345 ok &= process_file (fts, ent);
348 /* Ignore failure, since the only way it can do so is in failing to
349 return to the original directory, and since we're about to exit,
350 that doesn't matter. */
359 if (status != EXIT_SUCCESS)
360 fprintf (stderr, _("Try `%s --help' for more information.\n"),
365 Usage: %s [OPTION]... CONTEXT FILE...\n\
366 or: %s [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...\n\
367 or: %s [OPTION]... --reference=RFILE FILE...\n\
369 program_name, program_name, program_name);
371 Change the security context of each FILE to CONTEXT.\n\
372 With --reference, change the security context of each FILE to that of RFILE.\n\
374 -c, --changes like verbose but report only when a change is made\n\
375 -h, --no-dereference affect symbolic links instead of any referenced file\n\
378 --reference=RFILE use RFILE's security context rather than specifying\n\
380 -R, --recursive operate on files and directories recursively\n\
381 -v, --verbose output a diagnostic for every file processed\n\
384 -u, --user=USER set user USER in the target security context\n\
385 -r, --role=ROLE set role ROLE in the target security context\n\
386 -t, --type=TYPE set type TYPE in the target security context\n\
387 -l, --range=RANGE set range RANGE in the target security context\n\
391 The following options modify how a hierarchy is traversed when the -R\n\
392 option is also specified. If more than one is specified, only the final\n\
395 -H if a command line argument is a symbolic link\n\
396 to a directory, traverse it\n\
397 -L traverse every symbolic link to a directory\n\
399 -P do not traverse any symbolic links (default)\n\
402 fputs (HELP_OPTION_DESCRIPTION, stdout);
403 fputs (VERSION_OPTION_DESCRIPTION, stdout);
409 main (int argc, char **argv)
411 security_context_t ref_context = NULL;
413 /* Bit flags that control how fts works. */
414 int bit_flags = FTS_PHYSICAL;
416 /* 1 if --dereference, 0 if --no-dereference, -1 if neither has been
418 int dereference = -1;
421 bool preserve_root = false;
422 bool component_specified = false;
423 char *reference_file = NULL;
426 initialize_main (&argc, &argv);
427 program_name = argv[0];
428 setlocale (LC_ALL, "");
429 bindtextdomain (PACKAGE, LOCALEDIR);
430 textdomain (PACKAGE);
432 atexit (close_stdout);
434 while ((optc = getopt_long (argc, argv, "HLPRchvu:r:t:l:", long_options, NULL))
439 case 'H': /* Traverse command-line symlinks-to-directories. */
440 bit_flags = FTS_COMFOLLOW | FTS_PHYSICAL;
443 case 'L': /* Traverse all symlinks-to-directories. */
444 bit_flags = FTS_LOGICAL;
447 case 'P': /* Traverse no symlinks-to-directories. */
448 bit_flags = FTS_PHYSICAL;
451 case 'h': /* --no-dereference: affect symlinks */
455 case DEREFERENCE_OPTION: /* --dereference: affect the referent
460 case NO_PRESERVE_ROOT:
461 preserve_root = false;
465 preserve_root = true;
468 case REFERENCE_FILE_OPTION:
469 reference_file = optarg;
485 specified_user = optarg;
486 component_specified = true;
490 specified_role = optarg;
491 component_specified = true;
495 specified_type = optarg;
496 component_specified = true;
500 specified_range = optarg;
501 component_specified = true;
504 case_GETOPT_HELP_CHAR;
505 case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
507 usage (EXIT_FAILURE);
513 if (bit_flags == FTS_PHYSICAL)
515 if (dereference == 1)
516 error (EXIT_FAILURE, 0,
517 _("-R --dereference requires either -H or -L"));
518 affect_symlink_referent = false;
522 if (dereference == 0)
523 error (EXIT_FAILURE, 0, _("-R -h requires -P"));
524 affect_symlink_referent = true;
529 bit_flags = FTS_PHYSICAL;
530 affect_symlink_referent = (dereference != 0);
533 if (argc - optind < (reference_file || component_specified ? 1 : 2))
536 error (0, 0, _("missing operand"));
538 error (0, 0, _("missing operand after %s"), quote (argv[argc - 1]));
539 usage (EXIT_FAILURE);
544 if (getfilecon (reference_file, &ref_context) < 0)
545 error (EXIT_FAILURE, errno, _("failed to get security context of %s"),
546 quote (reference_file));
548 specified_context = ref_context;
550 else if (component_specified)
552 /* FIXME: it's already null, so this is a no-op. */
553 specified_context = NULL;
558 specified_context = argv[optind++];
559 context = context_new (specified_context);
561 error (EXIT_FAILURE, 0, _("invalid context: %s"),
562 quotearg_colon (specified_context));
563 context_free (context);
566 if (reference_file && component_specified)
568 error (0, 0, _("conflicting security context specifiers given"));
572 if (recurse & preserve_root)
574 static struct dev_ino dev_ino_buf;
575 root_dev_ino = get_root_dev_ino (&dev_ino_buf);
576 if (root_dev_ino == NULL)
577 error (EXIT_FAILURE, errno, _("failed to get attributes of %s"),
585 ok = process_files (argv + optind, bit_flags | FTS_NOSTAT);
587 exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);