Date: Fri, 27 Dec 2002 16:12:58 -0800 (PST) From: Brian Feldman <green@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 22822 for review Message-ID: <200212280012.gBS0CwdE078531@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=22822
Change 22822 by green@green_laptop_2 on 2002/12/27 16:12:33
Add to libsebsd the query_user_context() call which has a PAM conversation with the user to determine what domain to transition to, and add support for this to login(1). Users can now finally log in and receive the correct domain, via the console so far.
Affected files ...
.. //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#4 edit
.. //depot/projects/trustedbsd/mac/lib/libsebsd/query_user_context.c#1 add
.. //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#5 edit
.. //depot/projects/trustedbsd/mac/usr.bin/login/Makefile#6 edit
.. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#26 edit
Differences ...
==== //depot/projects/trustedbsd/mac/lib/libsebsd/Makefile#4 (text+ko) ====
@@ -11,7 +11,7 @@
 NOMAN=
 SRCS= system.c security_get_user_contexts.c get_ordered_context_list.c \
- getseccontext.c
+ getseccontext.c query_user_context.c
 INCS= sebsd_context.h sebsd_ss.h sebsd_proc.h sebsd_fs.h sebsd.h \
 sebsd_syscalls.h flask_types.h
==== //depot/projects/trustedbsd/mac/lib/libsebsd/sebsd.h#5 (text+ko) ====
@@ -37,6 +37,8 @@
 #ifndef _SEBSD_H
 #define _SEBSD_H
+#include <sys/types.h>
+#include <security/pam_types.h>
 #include "flask_types.h"
 #include "sebsd_syscalls.h"
@@ -52,6 +54,8 @@
 char ***ordered_list, size_t *length);
 int get_default_context(const char *username, const char *from_context, char **default_context);
+int query_user_context(pam_handle_t *pamh, char **ordered_context_list,
+ size_t length, char **retcontext);
 int sebsd_avc_toggle(void);
 int sebsd_enabled(void);
==== //depot/projects/trustedbsd/mac/usr.bin/login/Makefile#6 (text+ko) ====
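Review bot: The `query_user_context()` prototype added to sebsd.h (hunk `@@ -52,6 +54,8 @@`) does not say who owns `*retcontext` or how failure is reported. The login.c caller in this change depends on both: it never frees the returned string, and it logs `%m` when the call fails. I would add a comment above the declaration along the lines of `/* Returns 0 and stores an allocated context in *retcontext (caller frees); non-zero with errno set on failure. */`, adjusted to what query_user_context.c really does, since that new file is not included in this mail.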
@@ -4,8 +4,8 @@
 PROG= login
 SRCS= login.c login_fbtab.c
 CFLAGS+=-DLOGALL
-DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM}
-LDADD= -lutil -lcrypt ${MINUSLPAM}
+DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM} ${LIBSEBSD}
+LDADD= -lutil -lcrypt ${MINUSLPAM} -lsebsd
 MAN= login.1 login.access.5
 BINOWN= root
 BINMODE=4555
==== //depot/projects/trustedbsd/mac/usr.bin/login/login.c#26 (text+ko) ====
@@ -68,6 +68,7 @@
 #include <libutil.h>
 #include <login_cap.h>
 #include <pwd.h>
+#include <sebsd.h>
 #include <setjmp.h>
 #include <signal.h>
 #include <stdio.h>
@@ -156,6 +157,8 @@
 static int pam_cred_established;
 static int pam_session_established;
+extern char **environ;
+
 int main(int argc, char *argv[])
 {
@@ -172,6 +175,7 @@
 const char *tp;
 const char *shell = NULL;
 login_cap_t *lc = NULL;
+ mac_t execlabel = NULL;
 const char *label_string;
 pid_t pid;
@@ -491,6 +495,34 @@
 }
 /*
+ * Determine if we must execute a transition when we
+ * run our shell, for MAC policies which require it. For now,
+ * this is just SEBSD, and therefore not generic at all.
+ */
+ if (sebsd_enabled()) {
+ char *labeltext, *queried, **contexts;
+ size_t ncontexts;
+ int n;
+
+ if (get_ordered_context_list(username, NULL, &contexts,
+ &ncontexts) != 0 || ncontexts == 0)
+ goto nosebsd;
+ if (query_user_context(pamh, contexts, ncontexts,
+ &queried) != 0 ||
+ asprintf(&labeltext, "sebsd/%s", queried) == -1 ||
+ mac_from_text(&execlabel, labeltext) != 0) {
+ syslog(LOG_ERR, "Determining SEBSD domain transition:"
+ " %m");
+ bail(NO_SLEEP_EXIT, 1);
+ }
+ free(labeltext);
+ for (n = 0; n < ncontexts; n++)
+ free(contexts[n]);
+ free(contexts);
+ }
+nosebsd:
+
+ /*
 * Destroy environment unless user has requested its
 * preservation - but preserve TERM in all cases
 */
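Review bot: The `goto nosebsd` branch in the `@@ -491,6 +495,34 @@` hunk fails open. When `sebsd_enabled()` is true but `get_ordered_context_list()` fails or returns zero contexts, `execlabel` stays NULL, nothing is logged, and the later exec hunk takes the plain `execlp()` path, so the session starts without a domain transition. If that fallback is intended, record it before the `goto`, e.g. `syslog(LOG_ERR, "No SEBSD contexts for %s; continuing without transition", username);`; otherwise handle it like the other failures with `bail(NO_SLEEP_EXIT, 1);`. Two smaller points in the same block: `queried` is never freed, and `int n` is compared against the `size_t ncontexts`. main()'s body starts and ends outside this hunk.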
@@ -646,7 +678,15 @@
 err(1, "asprintf()");
 }
- execlp(shell, arg0, (char *)0);
+ if (execlabel != NULL) {
+ char *shell_argv[2];
+
+ shell_argv[0] = arg0;
+ shell_argv[1] = NULL;
+ mac_execve(pwd->pw_shell, shell_argv, environ, execlabel);
+ } else {
+ execlp(shell, arg0, (char *)0);
+ }
 err(1, "%s", shell);
 /*
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
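Review bot: The labelled branch executes `pwd->pw_shell`, while the unlabelled branch and the following `err(1, "%s", shell)` both use `shell`. If the two values differ, the branches run different programs and a failed `mac_execve()` is reported under the wrong name. `shell` is assigned outside this hunk, so whether they can diverge is not visible here; if they can, use one variable in both branches, e.g. `mac_execve(shell, shell_argv, environ, execlabel);`. Also, `execlp()` searches PATH and an execve-style call presumably does not, so a non-absolute shell path would behave differently between the branches. main() continues outside the hunk.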
