From owner-p4-projects@FreeBSD.ORG Thu Feb 9 18:37:39 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 4362516A423; Thu, 9 Feb 2006 18:37:39 +0000 (GMT) X-Original-To: perforce@FreeBSD.org Delivered-To: perforce@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02F3316A420 for ; Thu, 9 Feb 2006 18:37:39 +0000 (GMT) (envelope-from deker@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id B9D8243D45 for ; Thu, 9 Feb 2006 18:37:38 +0000 (GMT) (envelope-from deker@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id k19IbceV026635 for ; Thu, 9 Feb 2006 18:37:38 GMT (envelope-from deker@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id k19Ibc6V026632 for perforce@freebsd.org; Thu, 9 Feb 2006 18:37:38 GMT (envelope-from deker@FreeBSD.org) Date: Thu, 9 Feb 2006 18:37:38 GMT Message-Id: <200602091837.k19Ibc6V026632@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to deker@FreeBSD.org using -f 
From: Rob Deker To: Perforce Change Reviews Cc: Subject: PERFORCE change 91439 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Feb 2006 18:37:40 -0000 http://perforce.freebsd.org/chv.cgi?CH=91439 Change 91439 by deker@deker_build1.columbia.sparta.com on 2006/02/09 18:37:17 per millert: "Allow the user to login even if sedarwin module is not loaded. the MAC login plugin bits could be much better but this probably requires changes to the generic MAC login plugin code." Submitted by: millert Affected files ... .. //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/MAC.loginPlugin.xcode/project.pbxproj#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.h#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.m#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/GNUmakefile#2 edit .. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/pam_sedarwin.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/MAC.loginPlugin.xcode/project.pbxproj#2 (text+ko) ==== 
@@ -81,7 +81,7 @@
 GCC_PRECOMPILE_PREFIX_HEADER = YES;
 GCC_PREFIX_HEADER = "$(SYSTEM_LIBRARY_DIR)/Frameworks/AppKit.framework/Headers/AppKit.h";
 INFOPLIST_FILE = plugins/SEDarwin/Info.plist;
- OTHER_CFLAGS = "-I../../xnu/BUILD/obj/EXPORT_HDRS/bsd -idirafter ../../xnu/BUILD/obj/EXPORT_HDRS/osfmk -I../../../sedarwin/libselinux/include";
+ OTHER_CFLAGS = "-I../../xnu/BUILD/obj/EXPORT_HDRS/bsd -idirafter ../../xnu/BUILD/obj/EXPORT_HDRS/osfmk -I../../../sedarwin/libselinux/include -I../../../sedarwin";
 OTHER_LDFLAGS = "-framework Foundation -framework AppKit -L../../libmac -lmac -L../../../sedarwin/libselinux/src -lselinux";
 OTHER_REZFLAGS = "";
 PRODUCT_NAME = SEDarwin;
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.h#2 (text+ko) ====
@@ -7,6 +7,7 @@
 #include
 #include
 #include
+#include
 @interface SEDarwin : NSObject {
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.m#2 (text+ko) ====
@@ -41,6 +41,9 @@
 return;
 }
+ if (!sebsd_enabled())
+ return;
+
 /*
 * Get an ordered list of possible contexts for the user and
 * use them to populate the popup button (in the same order).
@@ -84,6 +87,10 @@
 return (MAC_LOGIN_FAIL);
 }
+ /* XXX - use SELINUX_DEFAULTUSER and fill in selector if not enabled? */
+ if (!sebsd_enabled())
+ return (MAC_LOGIN_OK);
+
 /*
 * Get the selected context from the popup button and
 * convert it to a label.
@@ -119,6 +126,7 @@
 - (void) policyWillLogin
 {
 free(username);
+ if (label != NULL) /* XXX */
 mac_free(label);
 }
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/GNUmakefile#2 (text+ko) ====
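Review bot: The new `sebsd_enabled()` early return in the `@@ -84,6 +87,10 @@` hunk of SEDarwin.m hands back `MAC_LOGIN_OK` without leaving any trace that the login proceeded with no SEDarwin label, whereas the matching checks added to pam_sedarwin.c in this same change record the condition with `syslog(LOG_ERR, ...)`. This is the point where MAC labelling is skipped, so the plugin should log it the same way before returning, otherwise an operator cannot tell from the logs which sessions were labelled and which were not. The enclosing method starts and ends outside the hunk, so it cannot be confirmed here that `label` is NULL when this path is taken, which the `label != NULL` test added in the `@@ -119` hunk relies on; setting `label = NULL;` explicitly before the return would remove the dependency on the declaration. The `XXX` comment could also record the decision rather than the open question, e.g. `/* SEDarwin not loaded: no label is selected; SELINUX_DEFAULTUSER could fill the selector here */`.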
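Review bot: The `/* XXX */` on the new `if (label != NULL)` line in the `@@ -119,6 +126,7 @@` hunk of SEDarwin.m does not say why the guard is needed; it should name the reason, e.g. `/* label is never set when sebsd_enabled() is false */`. Both `label` and `username` are freed here without being reset, so if `policyWillLogin` can run more than once on the same object the second call would double-free; adding `label = NULL;` and `username = NULL;` after the frees is cheap insurance. Whether the object is reused is not visible in this hunk, so that part is a question to confirm rather than a defect established here.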
@@ -7,7 +7,7 @@
 Extra_CC_Flags =-I../../pam/pam/libpam/include/pam/ \
 -I../../xnu/BUILD/obj/EXPORT_HDRS/bsd/ \
 -idirafter ../../xnu/BUILD/obj/EXPORT_HDRS/osfmk \
- -I../../../sedarwin/libselinux/include/
+ -I../../../sedarwin -I../../../sedarwin/libselinux/include
 Extra_LD_Flags =-L../../../sedarwin/libselinux/src/ -lselinux \
 -L../../libmac/ -lmac
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/pam_sedarwin.c#2 (text+ko) ====
@@ -33,6 +33,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -113,6 +114,12 @@
 const char *user;
 int ncontexts, retval, which;
+ /* XXX - use SELINUX_DEFAULTUSER if not enabled? */
+ if (!sebsd_enabled()) {
+ syslog(LOG_ERR, "%s(): SEDarwin not enabled", __func__);
+ return (PAM_SUCCESS);
+ }
+
 if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
 syslog(LOG_ERR, "%s(): unable to get user %s",
 __func__, user);
@@ -164,6 +171,11 @@
 mac_t label;
 int retval;
+ if (!sebsd_enabled()) {
+ syslog(LOG_ERR, "%s(): SEDarwin not enabled", __func__);
+ return (PAM_SUCCESS);
+ }
+
 /*
 * If the user didn't specify a label to use in the authentication
 * function get the default label.
@@ -172,8 +184,11 @@
 security_context_t con;
 const char *user;
- if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ syslog(LOG_ERR, "%s(): unable to get user %s",
+ __func__, user);
 return (retval);
+ }
 /*
 * Get user's default context. If we had a way to
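Review bot: The `sebsd_enabled()` fall-back added in the `@@ -113,6 +114,12 @@` hunk of pam_sedarwin.c returns `PAM_SUCCESS` from a module that has performed no check at all, and the `@@ -164,6 +171,11 @@` hunk adds the same pattern. In a stack that lists this module as `sufficient`, `PAM_SUCCESS` from a no-op would satisfy the stack on this module alone; `return (PAM_IGNORE);` says "this module did nothing, let the rest of the stack decide" while keeping the `syslog` record of the bypass. Logging at `LOG_ERR` is appropriate, since MAC enforcement being unavailable at login is a condition an operator should see. Both enclosing functions start and end outside these hunks, so the module's intended role in the stack cannot be confirmed from here and the choice of return value should be checked against the PAM configuration it ships with.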
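Review bot: The `syslog()` added in the `@@ -172,8 +184,11 @@` hunk of pam_sedarwin.c prints `user` with `%s` in the branch where `pam_get_user()` has just failed, yet the hunk's context declares it without an initialiser (`const char *user;`) and a failed `pam_get_user()` gives no guarantee it stored anything, so the format argument can be an indeterminate pointer: undefined behaviour, in practice a crash in the PAM client or stack contents written into the log. Drop the argument and record the cause instead, `syslog(LOG_ERR, "%s(): unable to get user: %s", __func__, pam_strerror(pamh, retval));`. The same pattern already exists in the context lines of the `@@ -113,6 +114,12 @@` hunk and is worth fixing there at the same time.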