From owner-p4-projects Thu Jan 2 12:16:47 2003 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id A5A6B37B405; Thu, 2 Jan 2003 12:16:44 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C8FC37B401 for ; Thu, 2 Jan 2003 12:16:44 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id BCD6B43EC5 for ; Thu, 2 Jan 2003 12:16:43 -0800 (PST) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h02KGhfh011206 for ; Thu, 2 Jan 2003 12:16:43 -0800 (PST) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h02KGhAw011203 for perforce@freebsd.org; Thu, 2 Jan 2003 12:16:43 -0800 (PST) Date: Thu, 2 Jan 2003 12:16:43 -0800 (PST) Message-Id: <200301022016.h02KGhAw011203@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 23057 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=23057 Change 23057 by green@green_laptop_2 on 2003/01/02 12:16:08 * Set SEBSD tty labels in login.c. Affected files ... .. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#27 edit Differences ... ==== //depot/projects/trustedbsd/mac/usr.bin/login/login.c#27 (text+ko) ==== @@ -80,6 +80,7 @@ #include #include +#include #include "login.h" #include "pathnames.h" 
@@ -175,7 +176,8 @@ const char *tp; const char *shell = NULL; login_cap_t *lc = NULL; - mac_t execlabel = NULL; + mac_t execlabel = NULL; /* label to transition to in exec */ + mac_t oldttylabel = NULL; /* previous tty label to restore */ const char *label_string; pid_t pid; @@ -498,10 +500,14 @@ * Determine if we must execute a transition when we * run our shell, for MAC policies which require it. For now, * this is just SEBSD, and therefore not generic at all. + * When using SEBSD, the terminal device needs to be relabeled + * according to what the security server reports. */ if (sebsd_enabled()) { - char *labeltext, *queried, **contexts; + char *labeltext, *queried, *oldttylabeltext, *tty_queried, + **contexts; size_t ncontexts; + mac_t newttylabel; int n; if (get_ordered_context_list(username, NULL, &contexts, @@ -516,9 +522,33 @@ bail(NO_SLEEP_EXIT, 1); } free(labeltext); + mac_prepare(&oldttylabel, "sebsd"); + if (mac_get_file(ttyn, oldttylabel) != 0 || + mac_to_text(oldttylabel, &oldttylabeltext) != 0) { + syslog(LOG_ERR, "Getting SEBSD label on terminal " + "%s: %m", ttyn); + bail(NO_SLEEP_EXIT, 1); + } + if (security_change_context(queried, oldttylabeltext + + sizeof("sebsd/") - 1, SECCLASS_CHR_FILE, + &tty_queried) != 0 || + asprintf(&labeltext, "sebsd/%s", tty_queried) == -1) { + syslog(LOG_ERR, "Determining SEBSD label for terminal " + "%s: %m", ttyn); + bail(NO_SLEEP_EXIT, 1); + } + free(oldttylabeltext); + free(tty_queried); for (n = 0; n < ncontexts; n++) free(contexts[n]); free(contexts); + if (mac_from_text(&newttylabel, labeltext) != 0 || + mac_set_file(ttyn, newttylabel) != 0) { + syslog(LOG_ERR, "Setting SEBSD label on terminal " + "%s: %m", ttyn); + bail(NO_SLEEP_EXIT, 1); + } + mac_free(newttylabel); } nosebsd: 
@@ -568,6 +598,7 @@ */ setproctitle("-%s [pam]", getprogname()); wait(NULL); + (void)mac_set_file(ttyn, oldttylabel); bail(NO_SLEEP_EXIT, 0); } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
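Review bot: In the hunk at @@ -516,9 +522,33 @@, the expression `oldttylabeltext + sizeof("sebsd/") - 1` assumes the text form returned by mac_to_text() for the terminal always begins with "sebsd/", and nothing checks that; if the tty carries no sebsd label component (or a label text shorter than the prefix), the pointer passed to security_change_context() points past the end of the string. Suggest guarding it, e.g. `if (strncmp(oldttylabeltext, "sebsd/", sizeof("sebsd/") - 1) != 0)` and bailing with the existing "Determining SEBSD label for terminal" message. Two smaller points in the same hunk: the return value of `mac_prepare(&oldttylabel, "sebsd")` is discarded, so a failure there surfaces only as a misleading "Getting SEBSD label on terminal" error from mac_get_file() on a NULL label; and the `labeltext` allocated by asprintf() is never freed after mac_from_text(), unlike `newttylabel`, which does get its mac_free().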
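Review bot: In the hunk at @@ -568,6 +598,7 @@, `oldttylabel` is still NULL whenever the sebsd_enabled() block did not run (non-SEBSD logins and the nosebsd: path), so the unconditional `(void)mac_set_file(ttyn, oldttylabel);` is issued with a NULL label on every such session; wrap it in `if (oldttylabel != NULL)`. Discarding the return value also means a failed restore leaves the terminal carrying the user's label after the session ends with nothing logged; a syslog(LOG_ERR, "Restoring SEBSD label on terminal %s: %m", ttyn) on failure would match the three error messages added in the earlier hunk, and `oldttylabel` should be released with mac_free() once it is no longer needed.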