From owner-p4-projects@FreeBSD.ORG Wed Dec 31 10:27:09 2003
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 876AD16A4D0; Wed, 31 Dec 2003 10:27:09 -0800 (PST)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6176A16A4CE for ; Wed, 31 Dec 2003 10:27:09 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2566543D41 for ; Wed, 31 Dec 2003 10:27:07 -0800 (PST) (envelope-from areisse@nailabs.com)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.10/8.12.10) with ESMTP id hBVIR60B060961 for ; Wed, 31 Dec 2003 10:27:06 -0800 (PST) (envelope-from areisse@nailabs.com)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.10/8.12.10/Submit) id hBVIR62d060958 for perforce@freebsd.org; Wed, 31 Dec 2003 10:27:06 -0800 (PST) (envelope-from areisse@nailabs.com)
Date: Wed, 31 Dec 2003 10:27:06 -0800 (PST)
Message-Id: <200312311827.hBVIR62d060958@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f
From: Andrew Reisse
To: Perforce Change Reviews
Subject: PERFORCE change 44601 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 31 Dec 2003 18:27:09 -0000

http://perforce.freebsd.org/chv.cgi?CH=44601

Change 44601 by areisse@areisse_tislabs on 2003/12/31 10:26:54

Support roles supplied after the username, as "andrew/user_r".

Affected files ...

.. //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#6 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#6 (text+ko) ====
@@ -138,6 +138,8 @@ static char *username; /* user name */ static char *olduser; /* previous user name */ +static char *user_role; /* role/type specified with username */ + /* * Prompts */ @@ -292,6 +294,13 @@ badlogin(olduser); } + char *rp = username; + while (*rp && *rp != '/') + rp++; + if (*rp == '/') { + *rp = 0; + user_role = rp+1; + } /* * Load the PAM policy and set some variables */ @@ -504,7 +513,7 @@ * according to what the security server reports. */ if (sebsd_enabled()) { - char *labeltext, *queried, *oldttylabeltext, *tty_queried, + char *labeltext, *queried, *oldttylabeltext, *tty_queried=NULL, **contexts; size_t ncontexts; mac_t newttylabel; @@ -513,9 +522,40 @@ if (get_ordered_context_list(username, NULL, &contexts, &ncontexts) != 0 || ncontexts == 0) goto nosebsd; + + queried = NULL; + if (user_role) { + int i; + char *p = user_role; + while (*p) { + if (*p == '|' || *p == '/') + *p = ':'; + p++; + } + for (i = 0; i < ncontexts; i++) { + p = contexts[i] + strlen(username)+1; + if (!strcmp (p, user_role)) { + queried = contexts[i]; + break; + } + char *pt = strchr (p, ':'); + if (pt-p == strlen(user_role) && + !strncmp (p, user_role, pt-p)) { + queried = contexts[i]; + break; + } + } + } + + if (!queried) if (query_user_context(pamh, contexts, ncontexts, - &queried) != 0 || - asprintf(&labeltext, "sebsd/%s", queried) == -1 || + &queried) != 0) { + + syslog(LOG_ERR, "Reading SEBSD domain from user:" + " %m"); + bail(NO_SLEEP_EXIT, 1); + } + if (asprintf(&labeltext, "sebsd/%s", queried) == -1 || mac_from_text(&execlabel, labeltext) != 0) { syslog(LOG_ERR, "Determining SEBSD domain transition:" " %m");
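Review bot: in the `@@ -292,6 +294,13 @@` hunk the new `char *rp = username;` declaration follows executable statements inside the block, which style(9) does not permit; move the declaration to the top of the function and replace the hand-rolled scan with `rp = strchr(username, '/');`, which does the same job in one call. Worth a comment as well: this truncates `username` in place before the PAM policy is loaded, so every later use of `username` (PAM, logging, `get_ordered_context_list()`) sees the name without the role suffix, and `user_role` aliases the tail of that same buffer rather than holding its own copy.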
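Review bot: in the `@@ -504,7 +513,7 @@` hunk, `tty_queried=NULL` needs spaces around the `=` per style(9) (`tty_queried = NULL`); the initialisation itself is fine.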
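Review bot: in the `@@ -513,9 +522,40 @@` hunk the matching loop rests on two unchecked assumptions. First, `p = contexts[i] + strlen(username)+1;` assumes every returned context starts with exactly `username:`; if `get_ordered_context_list()` ever returns a context whose user field is not the login name, or is shorter than it, `p` points past the end of that string and the compares read out of bounds. Locate the separator instead, e.g. `p = strchr(contexts[i], ':'); if (p == NULL) continue; p++;`. Second, `char *pt = strchr (p, ':');` returns NULL when the context has no further field, and `pt-p` is then evaluated on a null pointer; add `pt != NULL &&` in front of the length test. Smaller points: `int i` against `size_t ncontexts` and `pt-p == strlen(user_role)` are signed/unsigned comparisons, `char *pt` is declared mid-block, `if (!queried) if (...)` should be a single condition or braced, and the new syslog text uses `%m` although nothing here shows `query_user_context()` sets errno. On the security side the shortcut is sound: the user-supplied role is only ever matched against the contexts the security server already returned for this user, so it selects among permitted contexts rather than widening them, and the fall-through to `query_user_context()` keeps the old prompt when nothing matches.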