Add support for applying SELinux context

src/common.c

@@ -41,6 +41,10 @@
 #include <netinet/in.h>
 #endif
 
+#ifdef HAVE_SETCON
+# include <selinux/selinux.h>
+#endif
+
 #include "common.h"
 
 /* The raw header used when not using DNS protocol */
@@ -167,6 +171,17 @@ do_chroot(char *newroot)
 #endif
 }
 
+void
+do_setcon(char *context)
+{
+#ifdef HAVE_SETCON
+	if (-1 == setcon(context))
+		err(1, "%s", context);
+#else
+	warnx("No SELinux support built in");
+#endif
+}
+
 void
 do_detach()
 {

src/common.h

@@ -90,6 +90,7 @@ int open_dns(int, in_addr_t);
 void close_dns(int);
 
 void do_chroot(char *);
+void do_setcon(char *);
 void do_detach();
 
 void read_password(char*, size_t);

src/iodine.c

@@ -1104,7 +1104,7 @@ usage() {
 	extern char *__progname;
 
 	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] "
-			"[-P password] [-m maxfragsize] [nameserver] topdomain\n", __progname);
+			"[-P password] [-m maxfragsize] [-z context] [nameserver] topdomain\n", __progname);
 	exit(2);
 }
 
@@ -1114,7 +1114,7 @@ help() {
 
 	fprintf(stderr, "iodine IP over DNS tunneling client\n");
 	fprintf(stderr, "Usage: %s [-v] [-h] [-f] [-u user] [-t chrootdir] [-d device] "
-			"[-P password] [-m maxfragsize] [nameserver] topdomain\n", __progname);
+			"[-P password] [-m maxfragsize] [-z context] [nameserver] topdomain\n", __progname);
 	fprintf(stderr, "  -v to print version info and exit\n");
 	fprintf(stderr, "  -h to print this help and exit\n");
 	fprintf(stderr, "  -f to keep running in foreground\n");
@@ -1123,6 +1123,7 @@ help() {
 	fprintf(stderr, "  -d device to set tunnel device name\n");
 	fprintf(stderr, "  -P password used for authentication (max 32 chars will be used)\n");
 	fprintf(stderr, "  -m maxfragsize, to limit size of downstream packets\n");
+	fprintf(stderr, "  -z context, to apply specified SELinux context after initialization\n");
 	fprintf(stderr, "nameserver is the IP number of the relaying nameserver, if absent /etc/resolv.conf is used\n");
 	fprintf(stderr, "topdomain is the FQDN that is delegated to the tunnel endpoint.\n");
 
@@ -1151,6 +1152,7 @@ main(int argc, char **argv)
 	char *username;
 	int foreground;
 	char *newroot;
+	char *context;
 	char *device;
 	int choice;
 	int tun_fd;
@@ -1163,6 +1165,7 @@ main(int argc, char **argv)
 	username = NULL;
 	foreground = 0;
 	newroot = NULL;
+	context = NULL;
 	device = NULL;
 	chunkid = 0;
 
@@ -1222,6 +1225,9 @@ main(int argc, char **argv)
 			autodetect_frag_size = 0;
 			max_downstream_frag_size = atoi(optarg);
 			break;
+		case 'z':
+			context = optarg;
+			break;
 		default:
 			usage();
 			/* NOTREACHED */
@@ -1321,6 +1327,9 @@ main(int argc, char **argv)
 		}
 #endif
 	}
+
+	if (context != NULL)
+		do_setcon(context);
 	
 	downstream_seqno = 0;
 	downstream_fragment = 0;

src/iodined.c

@@ -981,7 +981,7 @@ usage() {
 	extern char *__progname;
 
 	fprintf(stderr, "Usage: %s [-v] [-h] [-c] [-s] [-f] [-D] [-u user] "
-		"[-t chrootdir] [-d device] [-m mtu] "
+		"[-t chrootdir] [-d device] [-m mtu] [-z context] "
 		"[-l ip address to listen on] [-p port] [-n external ip] [-b dnsport] [-P password]"
 		" tunnel_ip[/netmask] topdomain\n", __progname);
 	exit(2);
@@ -993,7 +993,7 @@ help() {
 
 	fprintf(stderr, "iodine IP over DNS tunneling server\n");
 	fprintf(stderr, "Usage: %s [-v] [-h] [-c] [-s] [-f] [-D] [-u user] "
-		"[-t chrootdir] [-d device] [-m mtu] "
+		"[-t chrootdir] [-d device] [-m mtu] [-z context] "
 		"[-l ip address to listen on] [-p port] [-n external ip] [-b dnsport] [-P password]"
 		" tunnel_ip[/netmask] topdomain\n", __progname);
 	fprintf(stderr, "  -v to print version info and exit\n");
@@ -1007,6 +1007,7 @@ help() {
 	fprintf(stderr, "  -t dir to chroot to directory dir\n");
 	fprintf(stderr, "  -d device to set tunnel device name\n");
 	fprintf(stderr, "  -m mtu to set tunnel device mtu\n");
+	fprintf(stderr, "  -z context to apply SELinux context after initialization\n");
 	fprintf(stderr, "  -l ip address to listen on for incoming dns traffic "
 		"(default 0.0.0.0)\n");
 	fprintf(stderr, "  -p port to listen on for incoming dns traffic (default 53)\n");
@@ -1039,6 +1040,7 @@ main(int argc, char **argv)
 	int foreground;
 	char *username;
 	char *newroot;
+	char *context;
 	char *device;
 	int dnsd_fd;
 	int tun_fd;
@@ -1057,6 +1059,7 @@ main(int argc, char **argv)
 
 	username = NULL;
 	newroot = NULL;
+	context = NULL;
 	device = NULL;
 	foreground = 0;
 	bind_enable = 0;
@@ -1090,7 +1093,7 @@ main(int argc, char **argv)
 	srand(time(NULL));
 	fw_query_init();
 	
-	while ((choice = getopt(argc, argv, "vcsfhDu:t:d:m:l:p:n:b:P:")) != -1) {
+	while ((choice = getopt(argc, argv, "vcsfhDu:t:d:m:l:p:n:b:P:z:")) != -1) {
 		switch(choice) {
 		case 'v':
 			version();
@@ -1142,6 +1145,9 @@ main(int argc, char **argv)
 			/* XXX: find better way of cleaning up ps(1) */
 			memset(optarg, 0, strlen(optarg)); 
 			break;
+		case 'z':
+			context = optarg;
+			break;
 		default:
 			usage();
 			break;
@@ -1287,6 +1293,9 @@ main(int argc, char **argv)
 #endif
 	}
 
+	if (context != NULL)
+		do_setcon(context);
+
 #ifndef WINDOWS32
 	openlog(__progname, LOG_NOWAIT, LOG_DAEMON);
 #endif

src/osflags

@@ -16,6 +16,9 @@ link)
 		windows32)
 			echo '-lws2_32 -liphlpapi';
 		;;
+		Linux)
+			[ -e /usr/include/selinux/selinux.h ] && echo '-lselinux';
+		;;
 	esac
 	;;
 cflags)
@@ -23,6 +26,9 @@ cflags)
 		BeOS)
 			echo '-Dsocklen_t=int';
 		;;
+		Linux)
+			[ -e /usr/include/selinux/selinux.h ] && echo '-DHAVE_SETCON';
+		;;
 	esac
 ;;
 *)