/*
 * restorecon.h - Public interface for relabeling files according to the
 * currently loaded SELinux policy file_contexts, plus management of the
 * security.sehash directory digests used to skip already-checked trees.
 */
#ifndef _RESTORECON_H_
#define _RESTORECON_H_
/*
 * NOTE(review): a guard name beginning with '_' followed by an uppercase
 * letter is in the namespace reserved for the implementation by the C
 * standard.  Kept unchanged here because the guard is part of the public
 * header's interface.
 */

#include <selinux/label.h>

#include <sys/types.h>
#include <stddef.h>
#include <stdarg.h>

#ifdef __cplusplus
extern "C" {
#endif

/**
 * selinux_restorecon - Relabel files.
 * @pathname: specifies file/directory to relabel.
 * @restorecon_flags: specifies the actions to be performed when relabeling;
 *                    a bitwise OR of the SELINUX_RESTORECON_* flags below
 *                    (each flag occupies a distinct bit).
 *
 * selinux_restorecon(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * first time through to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required see
 * selinux_restorecon_set_sehandle(3).
 *
 * A zero return value indicates success (see
 * selinux_restorecon_get_skipped_errors(3) below).  The failure return is
 * not stated in this header; presumably -1 with @errno set, as for
 * selinux_restorecon_set_alt_rootpath(3) - confirm against the
 * implementation.
 */
extern int selinux_restorecon(const char *pathname,
			      unsigned int restorecon_flags);

/**
 * selinux_restorecon_parallel - Relabel files, optionally use more threads.
 * @pathname: specifies file/directory to relabel.
 * @restorecon_flags: specifies the actions to be performed when relabeling
 *                    (same SELINUX_RESTORECON_* flags as selinux_restorecon(3)).
 * @nthreads: specifies the number of threads to use (0 = use number of CPUs
 *            currently online)
 *
 * Same as selinux_restorecon(3), but allows to use multiple threads to do
 * the work.  Return value semantics are the same as selinux_restorecon(3).
 */
extern int selinux_restorecon_parallel(const char *pathname,
				       unsigned int restorecon_flags,
				       size_t nthreads);

/*
 * restorecon_flags options
 *
 * Each flag is a single bit; combine them with bitwise OR.
 */

/*
 * Force the checking of labels even if the stored SHA1 digest
 * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
 */
#define SELINUX_RESTORECON_IGNORE_DIGEST	0x00001

/*
 * Do not change file labels.
 * (Lets a caller audit what a relabel would touch without modifying
 * anything; combine with VERBOSE or LOG_MATCHES to see the results.)
 */
#define SELINUX_RESTORECON_NOCHANGE		0x00002

/*
 * If set, change file label to that in spec file.
 * If not, only change type component to that in spec file.
 */
#define SELINUX_RESTORECON_SET_SPECFILE_CTX	0x00004

/*
 * Recursively descend directories.
 */
#define SELINUX_RESTORECON_RECURSE		0x00008

/*
 * Log changes to selinux log.  Note that if VERBOSE and
 * PROGRESS are set, then PROGRESS will take precedence.
 */
#define SELINUX_RESTORECON_VERBOSE		0x00010

/*
 * If SELINUX_RESTORECON_PROGRESS is true and
 * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
 * else output the number of files in 1k blocks processed to stdout.
 */
#define SELINUX_RESTORECON_PROGRESS		0x00020

/*
 * Convert passed-in pathname to canonical pathname.
 * (Without this flag @pathname is used as given; whether symbolic links
 * inside the tree are followed during the walk is not visible from this
 * header - confirm against the implementation.)
 */
#define SELINUX_RESTORECON_REALPATH		0x00040

/*
 * Prevent descending into directories that have a different
 * device number than the pathname from which the descent began.
 */
#define SELINUX_RESTORECON_XDEV			0x00080

/*
 * Attempt to add an association between an inode and a specification.
 * If there is already an association for the inode and it conflicts
 * with the specification, then use the last matching specification.
 * See SELINUX_RESTORECON_CONFLICT_ERROR for the strict alternative.
 */
#define SELINUX_RESTORECON_ADD_ASSOC		0x00100

/*
 * Abort on errors during the file tree walk.
 * Contrast with SELINUX_RESTORECON_COUNT_ERRORS, which records them instead.
 */
#define SELINUX_RESTORECON_ABORT_ON_ERROR	0x00200

/*
 * Log any label changes to syslog.
 */
#define SELINUX_RESTORECON_SYSLOG_CHANGES	0x00400

/*
 * Log what spec matched each file.
 */
#define SELINUX_RESTORECON_LOG_MATCHES		0x00800

/*
 * Ignore files that do not exist.
 */
#define SELINUX_RESTORECON_IGNORE_NOENTRY	0x01000

/*
 * Do not read /proc/mounts to obtain a list of non-seclabel
 * mounts to be excluded from relabeling checks.
 */
#define SELINUX_RESTORECON_IGNORE_MOUNTS	0x02000

/*
 * Set if there is a mass relabel required.
 * See SELINUX_RESTORECON_PROGRESS flag for details.
 */
#define SELINUX_RESTORECON_MASS_RELABEL		0x04000

/*
 * Set if no digest is to be read or written (as only processes
 * running with CAP_SYS_ADMIN can read/write digests).
 */
#define SELINUX_RESTORECON_SKIP_DIGEST		0x08000

/*
 * Set to treat conflicting specifications as errors.
 */
#define SELINUX_RESTORECON_CONFLICT_ERROR	0x10000

/*
 * Count, but otherwise ignore, errors during the file tree walk.
 * The count is retrieved with selinux_restorecon_get_skipped_errors(3).
 */
#define SELINUX_RESTORECON_COUNT_ERRORS		0x20000

/**
 * selinux_restorecon_set_sehandle - Set the global fc handle.
 * @hndl: specifies handle to set as the global fc handle.
 *
 * Called by a process that has already called selabel_open(3) with its
 * required parameters, or if selinux_restorecon_default_handle(3) has been
 * called to set the default selabel_open(3) parameters.
 *
 * NOTE(review): the header does not say who closes @hndl afterwards;
 * confirm ownership against the implementation before calling
 * selabel_close(3) on it.
 */
extern void selinux_restorecon_set_sehandle(struct selabel_handle *hndl);

/**
 * selinux_restorecon_default_handle - Sets default selabel_open(3) parameters
 *				       to use the currently loaded policy and
 *				       file_contexts.
 *
 * Return value is the created handle on success or NULL with @errno set on
 * failure.
 */
extern struct selabel_handle *selinux_restorecon_default_handle(void);

/**
 * selinux_restorecon_set_exclude_list - Add a list of directories that are
 *					 to be excluded from relabeling.
 * @exclude_list: containing a NULL terminated list of one or more
 *		  directories not to be relabeled.
 *
 * NOTE(review): whether the array and its strings are copied or retained by
 * reference is not visible here - confirm before freeing them after the call.
 */
extern void selinux_restorecon_set_exclude_list(const char **exclude_list);

/**
 * selinux_restorecon_set_alt_rootpath - Use alternate rootpath.
 * @alt_rootpath: containing the alternate rootpath to be used.
 *
 * Return %0 on success, -%1 with @errno set on failure.
 */
extern int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath);

/*
 * enum digest_result - Outcome recorded for one directory's security.sehash
 *		        entry by selinux_restorecon_xattr(3).
 *
 * NOTE(review): the per-value meanings below are read from the constant
 * names and the selinux_restorecon_xattr() description; confirm against the
 * implementation.  The constants are unprefixed (MATCH, ERROR, ...) and so
 * live in the global namespace; they are kept as-is because renaming them
 * would change the public interface.
 */
enum digest_result {
	MATCH = 0,		/* stored digest matches the current one */
	NOMATCH,		/* stored digest differs from the current one */
	DELETED_MATCH,		/* matching digest was deleted */
	DELETED_NOMATCH,	/* non-matching digest was deleted */
	ERROR			/* the entry could not be read or acted on */
};

/*
 * struct dir_xattr - One node of the singly linked list returned through
 *		      the @xattr_list argument of selinux_restorecon_xattr(3).
 * @directory: path of the directory the entry belongs to.
 * @digest: A hex encoded string that can be printed.
 * @result: what happened to this directory's security.sehash entry.
 * @next: next node, or NULL at the end of the list.
 *
 * NOTE(review): who allocates and frees the nodes and strings is not stated
 * in this header - confirm before freeing.
 */
struct dir_xattr {
	char *directory;
	char *digest;	/* A hex encoded string that can be printed. */
	enum digest_result result;
	struct dir_xattr *next;
};

/**
 * selinux_restorecon_xattr - Read/remove security.sehash xattr entries.
 * @pathname: specifies directory path to check.
 * @xattr_flags: specifies the actions to be performed; a bitwise OR of the
 *		 SELINUX_RESTORECON_XATTR_* flags below.
 * @xattr_list: a linked list of struct dir_xattr structures containing
 *		the directory, digest and result of the action on the
 *		security.sehash entry.  Presumably the address of a
 *		'struct dir_xattr **' that receives the list head - confirm.
 *
 * selinux_restorecon_xattr(3) will automatically call
 * selinux_restorecon_default_handle(3) and selinux_restorecon_set_sehandle(3)
 * first time through to set the selabel_open(3) parameters to use the
 * currently loaded policy file_contexts and request their computed digest.
 *
 * Should other selabel_open(3) parameters be required see
 * selinux_restorecon_set_sehandle(3), however note that a file_contexts
 * computed digest is required for selinux_restorecon_xattr().
 *
 * Return value semantics are not stated in this header; presumably 0 on
 * success and -1 with @errno set on failure - confirm against the
 * implementation.
 */
extern int selinux_restorecon_xattr(const char *pathname,
				    unsigned int xattr_flags,
				    struct dir_xattr ***xattr_list);

/*
 * xattr_flags options
 *
 * Each flag is a single bit; combine them with bitwise OR.
 */
/* Recursively descend directories. */
#define SELINUX_RESTORECON_XATTR_RECURSE			0x0001
/* Delete non-matching digests from each directory in pathname. */
#define SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS	0x0002
/* Delete all digests found in pathname. */
#define SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS		0x0004
/* Do not read /proc/mounts. */
#define SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS			0x0008

/**
 * selinux_restorecon_get_skipped_errors - Get the number of errors ignored
 *					   during re-labeling.
 *
 * If SELINUX_RESTORECON_COUNT_ERRORS was passed to selinux_restorecon(3) or
 * selinux_restorecon_parallel(3), and that function returned successfully
 * (i.e., with a zero return value), then this function returns the number of
 * errors ignored during the file tree walk.
 *
 * The value is only meaningful under those conditions; what it holds
 * otherwise (e.g. after a failed run, or without COUNT_ERRORS) is not
 * stated here.
 */
extern long unsigned selinux_restorecon_get_skipped_errors(void);

#ifdef __cplusplus
}
#endif
#endif