From owner-p4-projects@FreeBSD.ORG Tue Nov 18 10:52:23 2003 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 1261B16A4D0; Tue, 18 Nov 2003 10:52:23 -0800 (PST) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C889116A4CE for ; Tue, 18 Nov 2003 10:52:22 -0800 (PST) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1FF3B43F75 for ; Tue, 18 Nov 2003 10:52:22 -0800 (PST) (envelope-from areisse@nailabs.com) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hAIIqLXJ067350 for ; Tue, 18 Nov 2003 10:52:21 -0800 (PST) (envelope-from areisse@nailabs.com) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hAIIqLcm067347 for perforce@freebsd.org; Tue, 18 Nov 2003 10:52:21 -0800 (PST) (envelope-from areisse@nailabs.com) Date: Tue, 18 Nov 2003 10:52:21 -0800 (PST) Message-Id: <200311181852.hAIIqLcm067347@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to areisse@nailabs.com using -f From: Andrew Reisse To: Perforce Change Reviews Subject: PERFORCE change 42748 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Nov 2003 18:52:23 -0000 http://perforce.freebsd.org/chv.cgi?CH=42748 Change 42748 by areisse@areisse_ibook on 2003/11/18 10:51:32 domain selection dialog box currently, it doesn't work for root logins. Affected files ... .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/classes.nib#1 add .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/info.nib#1 add .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/English.lproj/MainMenu.nib/objects.nib#1 add .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/LabelChooser.h#1 add .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/LabelChooser.m#1 add .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/main.m#1 add .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wslogin.c#2 edit .. //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wsloginui.pbproj/project.pbxproj#1 add Differences ... ==== //depot/projects/trustedbsd/sedarwin/sebsd_system/wslogin/wslogin.c#2 (text+ko) ==== @@ -6,6 +6,8 @@ #include #include #include +#include +#include #define errexit(args...) \ { \ @@ -15,15 +17,39 @@ const char *username = "root"; +char *shm = NULL; + int setlogin (const char *user) { + if (!shm) + { + shm = (char *) mmap (0, 4096, PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANON, -1, 0); + memset (shm, 0, 4096); + } + if (!shm) + return -1; + username = user; return syscall (50, user); } - +/* +int fork () +{ + if (!shm) + { + shm = (char *) mmap (0, 4096, PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANON, -1, 0); + memset (shm, 0, 4096); + } + if (!shm) + return -1; + return syscall (2); +} +*/ int setuid (uid_t uid) { - mac_t execlabel = NULL; /* label to transition to in exec */ + mac_t execlabel = NULL; /* label to transition to in exec */ openlog ("wslogin", LOG_ODELAY, LOG_AUTH); @@ -34,27 +60,76 @@ if (r) return r; + if (shm[0]) + { + if (shm[1] == 0) + errexit ("previous attempt to do transition failed"); + + if (mac_from_text(&execlabel, shm+1)) + errexit("%s is not a valid domain", shm[1]); + + return mac_set_proc (execlabel); + } + if (sebsd_enabled()) { char *labeltext, *queried, **contexts; size_t ncontexts; int n; + FILE *fp; + char userlabel[512]; if (get_ordered_context_list(username, NULL, &contexts, &ncontexts) != 0 || ncontexts == 0) errexit ("Getting context list for %s: %s", username, strerror (errno)); -#if 0 - if (query_user_context(pamh, contexts, ncontexts, - &queried) != 0) - errexit ("Requesting domain from user"); -#else - queried = contexts[0]; -#endif + int retries = 3; + const char *wexe = "/System/Library/CoreServices/wsloginui.app/Contents/MacOS/wslui"; + size_t warglen = strlen (wexe); + for (r = 0; r < ncontexts; r++) + warglen += 2 + strlen (contexts[r]); + + char *wargs = (char *) malloc (warglen); + strcpy (wargs, wexe); + for (r = 0; r < ncontexts; r++) + { + strcat (wargs, " "); + strcat (wargs, contexts[r]); + } + choosed: + fp = popen (wargs, "r"); + if (fp == NULL) + errexit ("Executing domain chooser"); + if (!fgets (userlabel, 512, fp)) + errexit ("Reading from domain chooser"); + char *p = userlabel; + while (*p && *p != '\n') + p++; + *p = 0; + pclose (fp); + + /* Verify that the chooser program returned one of the labels + we gave it */ + for (r = 0; r < ncontexts; r++) + if (!strcmp (contexts[r], userlabel)) + break; + + if (r == ncontexts) + { + if (!--retries) + errexit ("Requesting domain from user"); + goto choosed; + } + else + queried = contexts[r]; if (asprintf(&labeltext, "sebsd/%s", queried) == -1 || mac_from_text(&execlabel, labeltext) != 0) errexit("%s is not a valid domain", queried); syslog (LOG_ERR, "wslogin: user domain is %s", labeltext); + + shm[0] = 1; + strcpy (shm+1,labeltext); + free(labeltext); }