From owner-p4-projects Thu Jan 30 11:13:34 2003 Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 95DA037B405; Thu, 30 Jan 2003 11:13:29 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44D3337B401 for ; Thu, 30 Jan 2003 11:13:29 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5B2843F43 for ; Thu, 30 Jan 2003 11:13:28 -0800 (PST) (envelope-from green@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.6/8.12.6) with ESMTP id h0UJDSbv040328 for ; Thu, 30 Jan 2003 11:13:28 -0800 (PST) (envelope-from green@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.6/8.12.6/Submit) id h0UJDSxo040325 for perforce@freebsd.org; Thu, 30 Jan 2003 11:13:28 -0800 (PST) Date: Thu, 30 Jan 2003 11:13:28 -0800 (PST) Message-Id: <200301301913.h0UJDSxo040325@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to green@freebsd.org using -f From: Brian Feldman Subject: PERFORCE change 24449 for review To: Perforce Change Reviews Sender: owner-p4-projects@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG http://perforce.freebsd.org/chv.cgi?CH=24449 Change 24449 by green@green_laptop_2 on 2003/01/30 11:12:33 Make cron(8) work in an SEBSD system. The way to get "correct" defaults for the contexts used will be: # cat /etc/security/default_contexts system_r:crond_t system_r:system_crond_t user_r:user_crond_t Affected files ... .. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#2 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#2 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#2 (text+ko) ==== @@ -6,7 +6,7 @@ CFLAGS+= -DLOGIN_CAP -DPADD= ${LIBCRON} ${LIBUTIL} -LDADD= ${LIBCRON} -lutil +DPADD= ${LIBCRON} ${LIBUTIL} ${LIBSEBSD} +LDADD= ${LIBCRON} -lutil -lsebsd .include ==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#2 (text+ko) ==== @@ -29,7 +29,14 @@ #include #include +#include +#include +#include +#include +#include +#include + #define TMAX(a,b) ((a)>(b)?(a):(b)) @@ -249,6 +256,56 @@ free_user(u); log_it(fname, getpid(), "RELOAD", tabname); } + if (sebsd_enabled()) { + /* + * Perform a virtual entrypoint access decision on + * the user's crontab as if it were the script + * being executed. + */ + struct security_query q; + struct security_response r; + char *context, *file_context; + mac_t filelabel; + int error; + + if (mac_prepare(&filelabel, "sebsd") != 0) { + log_it(fname, getpid(), + "failure getting SEBSD context for tab", tabname); + goto next_crontab; + } + if (mac_get_fd(crontab_fd, filelabel) != 0) { + log_it(fname, getpid(), + "failure getting SEBSD context for tab", tabname); + mac_free(filelabel); + goto next_crontab; + } + if (mac_to_text(filelabel, &file_context) != 0) { + log_it(fname, getpid(), + "failure getting SEBSD context for tab", tabname); + mac_free(filelabel); + goto next_crontab; + } + mac_free(filelabel); + if (get_default_context(strcmp(fname, "*system*") == 0 ? + "system_u" : fname, NULL, &context)) { + log_it(fname, getpid(), + "failure getting default SEBSD context", tabname); + free(file_context); + goto next_crontab; + } + q.scontext = context; + q.tcontext = file_context + sizeof("sebsd/") - 1; + q.tclass = SECCLASS_FILE; + q.requested = FILE__ENTRYPOINT; + error = security_compute_av(&q, &r); + free(file_context); + free(context); + if (error || ((q.requested & r.allowed) != q.requested)) { + log_it(fname, getpid(), "SEBSD entrypoint failed", + tabname); + goto next_crontab; + } + } u = load_user(crontab_fd, pw, fname); if (u != NULL) { u->mtime = statbuf->st_mtime; ==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#2 (text+ko) ==== @@ -32,6 +32,9 @@ #if defined(LOGIN_CAP) # include #endif +#include +#include +#include static void child_process __P((entry *, user *)), @@ -265,7 +268,36 @@ _exit(OK_EXIT); } # endif /*DEBUGGING*/ - execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); + if (sebsd_enabled()) { + mac_t mac; + char *context, *labeltext, *argv[4]; + + + if (get_default_context(strcmp(u->name, + "*system*") == 0 ? "system_u" : u->name, + NULL, &context) == -1) { + fprintf(stderr, "command execution: " + "could not get SEBSD context for " + "user %s\n", u->name); + _exit(ERROR_EXIT); + } + if (asprintf(&labeltext, "sebsd/%s", context) + == -1 || mac_from_text(&mac, labeltext) == + -1) { + fprintf(stderr, "command execution: " + "could make SEBSD label for " + "user %s\n", u->name); + _exit(ERROR_EXIT); + } + argv[0] = shell; + argv[1] = "-c"; + argv[2] = e->cmd; + argv[3] = NULL; + mac_execve(shell, argv, e->envp, mac); + } else { + execle(shell, shell, "-c", e->cmd, (char *)0, + e->envp); + } warn("execl: couldn't exec `%s'", shell); _exit(ERROR_EXIT); } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message