selinux: add function get_selinux_security_context to uucore

Co-authored-by: Daniel Hofstetter <daniel.hofstetter@42dh.com>
2025-07-28 03:27:44 +00:00 · 2025-04-13 20:47:25 +02:00 · 2025-04-13 20:47:25 +02:00 · 8220f061ef
commit 8220f061ef
parent efb09204a2
1 changed files with 120 additions and 0 deletions
--- a/src/uucore/src/lib/features/selinux.rs
+++ b/src/uucore/src/lib/features/selinux.rs
@ -10,6 +10,20 @@ use selinux::SecurityContext;
 #[derive(Debug)]
 pub enum Error {
    SELinuxNotEnabled,
+    FileOpenFailure,
+    ContextRetrievalFailure,
+    ContextConversionFailure,
+}
+
+impl From<Error> for i32 {
+    fn from(error: Error) -> i32 {
+        match error {
+            Error::SELinuxNotEnabled => 1,
+            Error::FileOpenFailure => 2,
+            Error::ContextRetrievalFailure => 3,
+            Error::ContextConversionFailure => 4,
+        }
+    }
 }

 /// Checks if SELinux is enabled on the system.
@ -109,6 +123,73 @@ pub fn set_selinux_security_context(path: &Path, context: Option<&String>) -> Re
    }
 }

+/// Gets the SELinux security context for the given filesystem path.
+///
+/// Retrieves the security context of the specified filesystem path if SELinux is enabled
+/// on the system.
+///
+/// # Arguments
+///
+/// * `path` - Filesystem path for which to retrieve the SELinux context.
+///
+/// # Returns
+///
+/// * `Ok(String)` - The SELinux context string if successfully retrieved. Returns an empty
+///   string if no context was found.
+/// * `Err(Error)` - An error variant indicating the type of failure:
+///   - `Error::SELinuxNotEnabled` - SELinux is not enabled on the system.
+///   - `Error::FileOpenFailure` - Failed to open the specified file.
+///   - `Error::ContextRetrievalFailure` - Failed to retrieve the security context.
+///   - `Error::ContextConversionFailure` - Failed to convert the security context to a string.
+///
+/// # Examples
+///
+/// ```
+/// use std::path::Path;
+/// use uucore::selinux::{get_selinux_security_context, Error};
+///
+/// // Get the SELinux context for a file
+/// match get_selinux_security_context(Path::new("/path/to/file")) {
+///     Ok(context) => {
+///         if context.is_empty() {
+///             println!("No SELinux context found for the file");
+///         } else {
+///             println!("SELinux context: {}", context);
+///         }
+///     },
+///     Err(Error::SELinuxNotEnabled) => println!("SELinux is not enabled on this system"),
+///     Err(Error::FileOpenFailure) => println!("Failed to open the file"),
+///     Err(Error::ContextRetrievalFailure) => println!("Failed to retrieve the security context"),
+///     Err(Error::ContextConversionFailure) => println!("Failed to convert the security context to a string"),
+/// }
+/// ```
+
+pub fn get_selinux_security_context(path: &Path) -> Result<String, Error> {
+    if selinux::kernel_support() == selinux::KernelSupport::Unsupported {
+        return Err(Error::SELinuxNotEnabled);
+    }
+
+    let f = std::fs::File::open(path).map_err(|_| Error::FileOpenFailure)?;
+
+    // Get the security context of the file
+    let context = match SecurityContext::of_file(&f, false) {
+        Ok(Some(ctx)) => ctx,
+        Ok(None) => return Ok(String::new()), // No context found, return empty string
+        Err(_) => return Err(Error::ContextRetrievalFailure),
+    };
+
+    let context_c_string = context
+        .to_c_string()
+        .map_err(|_| Error::ContextConversionFailure)?;
+
+    if let Some(c_str) = context_c_string {
+        // Convert the C string to a Rust String
+        Ok(c_str.to_string_lossy().to_string())
+    } else {
+        Ok(String::new())
+    }
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@ -171,4 +252,43 @@ mod tests {
            }
        }
    }
+
+    #[test]
+    fn test_get_selinux_security_context() {
+        let tmpfile = NamedTempFile::new().expect("Failed to create tempfile");
+        let path = tmpfile.path();
+
+        std::fs::write(path, b"test content").expect("Failed to write to tempfile");
+
+        let result = get_selinux_security_context(path);
+
+        if result.is_ok() {
+            println!("Retrieved SELinux context: {}", result.unwrap());
+        } else {
+            let err = result.unwrap_err();
+
+            // Valid error types
+            match err {
+                Error::SELinuxNotEnabled => assert!(true, "SELinux not supported"),
+                Error::ContextRetrievalFailure => assert!(true, "Context retrieval failure"),
+                Error::ContextConversionFailure => assert!(true, "Context conversion failure"),
+                Error::FileOpenFailure => {
+                    panic!("File open failure occurred despite file being created")
+                }
+            }
+        }
+    }
+
+    #[test]
+    fn test_get_selinux_context_nonexistent_file() {
+        let path = Path::new("/nonexistent/file/that/does/not/exist");
+
+        let result = get_selinux_security_context(path);
+
+        assert!(result.is_err());
+        assert!(
+            matches!(result.unwrap_err(), Error::FileOpenFailure),
+            "Expected file open error for nonexistent file"
+        );
+    }
 }