Date: Mon, 7 Feb 2005 20:19:10 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 70544 for review Message-ID: <200502072019.j17KJAvV035832@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=70544 Change 70544 by areisse@areisse_tislabs on 2005/02/07 20:18:30 Change the TE policy to allow the ssh_sysadm_login boolean to work if UseLogin is enabled (which it must be on SEBSD). Provide the boolean interface from selinux in libsebsd. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/booleans.c#2 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#11 edit .. //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#7 edit .. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#2 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/booleans.c#2 (text+ko) ==== 
@@ -20,196 +20,108 @@ #include <errno.h> #include <selinux/selinux.h> +#include <security/sebsd/sebsd_syscalls.h> #include "policy.h" -#define SELINUX_BOOL_DIR "/booleans/" +int security_get_boolean_names(char ***names, int *len) +{ + struct sebsd_get_bools gb; + int i, err, rc = -1; + char **n; + int num = 0; + char *p, *q; + + gb.out = NULL; + gb.len = 0; -static int filename_select(const struct dirent *d) -{ - int len; + err = mac_syscall("sebsd", SEBSDCALL_GET_BOOLS, &gb); - len = strlen(d->d_name); - if (len == 1 && d->d_name[0] == '.') - return 0; - if (len == 2 && d->d_name[0] == '.' && - d->d_name[1] == '.') - return 0; - return 1; -} + if (err && errno != ENOMEM) + return (-1); + gb.out = malloc (gb.len); -int security_get_boolean_names(char ***names, int *len) -{ - char path[PATH_MAX]; - int i, rc; - struct dirent **namelist; - char **n; + err = mac_syscall("sebsd", SEBSDCALL_GET_BOOLS, &gb); + if (err) + goto out; - assert(len); + for (p = gb.out; p-gb.out < gb.len; p++) + if (*p == ';') + num++; - snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR); - *len = scandir(path, &namelist, &filename_select, - alphasort); - if (*len <= 0) { - return -1; - } + n = (char**)malloc(sizeof(char*) * num); + if (!n) + goto out; - n = (char**)malloc(sizeof(char*) * *len); - if (!n) { - rc = -1; - goto bad; - } + p = gb.out; + for (i = 0; i < num; i++) { + p += 2; + for (q = p; *q != ';'; q++); - memset(n, 0, sizeof(char*) * *len); - - for (i = 0; i < *len; i++) { - n[i] = (char*)malloc(sizeof(char) - * (namelist[i]->d_reclen + 1)); - if (!n[i]) { - rc = -1; + n[i] = (char*)malloc(sizeof(char) * (1+q-p)); + if (!n[i]) goto bad; - } - strncpy(n[i], namelist[i]->d_name, namelist[i]->d_reclen + 1); + strncpy(n[i], p, q-p); + n[i][q-p] = 0; + p = q+1; } rc = 0; *names = n; -out: - for (i = 0; i < *len; i++) { - free(namelist[i]); - } - free(namelist); - return rc; + *len = num; + goto out; + bad: for (i = 0; i < *len; i++) { if (n[i]) free(n[i]); } free(n); - 
goto out; -} +out: + if (gb.out) + free(gb.out); -#define STRBUF_SIZE 3 -static int get_bool_value(const char *name, char **buf) -{ - int fd, len; - char *fname = NULL; - - *buf = (char*)malloc(sizeof(char) * (STRBUF_SIZE + 1)); - if (!*buf) - goto out; - (*buf)[STRBUF_SIZE] = 0; - - len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR); - fname = (char*)malloc(sizeof(char) * len); - if (!fname) - goto out; - snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name); - - fd = open(fname, O_RDONLY); - if (fd < 0) - goto out; - - len = read(fd, *buf, STRBUF_SIZE); - close(fd); - if (len != STRBUF_SIZE) - goto out; - - free(fname); - return 0; -out: - if (*buf) - free(*buf); - if (fname) - free(fname); - return -1; + return rc; } int security_get_boolean_pending(const char *name) { - char *buf; - int val; - - if (get_bool_value(name, &buf)) + int r = mac_syscall("sebsd", SEBSDCALL_GET_BOOL, name); + if (r < 0) return -1; - - if (atoi(&buf[1])) - val = 1; - else - val = 0; - free(buf); - return val; + return (r & 2) >> 1; } int security_get_boolean_active(const char *name) { - char *buf; - int val; - - if (get_bool_value(name, &buf)) + int r = mac_syscall("sebsd", SEBSDCALL_GET_BOOL, name); + if (r < 0) return -1; + return (r & 1); +} - buf[1] = '\0'; - if (atoi(buf)) - val = 1; - else - val = 0; - free(buf); - return val; -} +struct lp_args +{ + void *data; + size_t len; +}; int security_set_boolean(const char *name, int value) { - int fd, ret, len; - char buf[2], *fname; + struct lp_args args; + char str[strlen(name) + 2]; - len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR); - fname = (char*)malloc(sizeof(char) * len); - if (!fname) - return -1; - snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name); - - fd = open(fname, O_WRONLY); - if (fd < 0) { - ret = -1; - goto out; - } - - if (value) - buf[0] = '1'; - else - buf[0] = '0'; - buf[1] = '\0'; - - ret = write(fd, buf, 2); - close(fd); -out: - free(fname); - if 
(ret > 0) - return 0; - else - return -1; + str[0] = value + '0'; + strcpy (str+1, name); + args.data = str; + args.len = 1+strlen(str); + int err = mac_syscall("sebsd", SEBSDCALL_SET_BOOL, &args); + if (err) + perror (name); + return err; } int security_commit_booleans(void) { - int fd, ret; - char buf[2]; - char path[PATH_MAX]; - - snprintf(path, sizeof path, "%s/commit_pending_bools", selinux_mnt); - fd = open(path, O_WRONLY); - if (fd < 0) - return -1; - - buf[0] = '1'; - buf[1] = '\0'; - - ret = write(fd, buf, 2); - close(fd); - - if (ret > 0) - return 0; - else - return -1; + return mac_syscall ("sebsd", SEBSDCALL_COMMIT_BOOLS, NULL); } static char *strtrim(char *dest, char *source, int size) { ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#11 (text+ko) ==== @@ -302,5 +302,9 @@ # run user shells domain_auto_trans(sshd_login_t, shell_exec_t, user_t) + +if (ssh_sysadm_login) { +domain_trans(sshd_login_t, shell_exec_t, userdomain) +} else { domain_trans(sshd_login_t, shell_exec_t, unpriv_userdomain) - +} ==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#7 (text+ko) ==== @@ -16,7 +16,7 @@ getseccontext.c query_user_context.c security_change_context.c \ string_to_security_class.c security_compute_av.c context.c \ get_default_type.c filecon.c sebsd_config.c \ - freecon.c freeconary.c + freecon.c freeconary.c booleans.c INCSDIR=${INCLUDEDIR}/selinux ==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#2 (text+ko) ==== @@ -5,3 +5,8 @@ { return _DEFTYPE_PATH; } + +char *selinux_booleans_path() +{ + return "/etc/security/sebsd/booleans"; +}
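Review bot: The `bad:` cleanup in security_get_boolean_names frees slots it never filled: the new code drops the old `memset(n, 0, ...)` and assigns `*len = num` only on the success path, yet the loop still runs `for (i = 0; i < *len; i++)` over whatever the caller's `*len` happened to hold and calls free() on uninitialized `n[i]` entries at and past the failing index. Free only what was actually allocated, e.g. `bad: while (i-- > 0) free(n[i]); free(n);`. Two smaller gaps in the same function: `gb.out = malloc(gb.len)` is not checked before being handed to the second mac_syscall, and the `p += 2` skip followed by `for (q = p; *q != ';'; q++);` walks off the end of gb.out if the kernel ever returns a record with fewer than two bytes before its ';', since nothing visible here NUL-terminates the buffer — bound q against `gb.out + gb.len`. In security_set_boolean, calling `perror(name)` from a library routine writes to the caller's stderr and is new behaviour the old file-based version did not have; returning the error is enough.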
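Review bot: Nothing in the hunk records what switching ssh_sysadm_login on grants: with it true, sshd_login_t may transition into any domain carrying the userdomain attribute, which — if that attribute covers sysadm_t here as it does in the SELinux example policy this mirrors — lets an ssh login land directly in the administrative domain, so the boolean should default to off and say so. Add a comment above the new `if`, e.g. `# ssh_sysadm_login: when true, allow ssh logins to transition into any userdomain (including administrative ones); default false`. Note that the unconditional `domain_auto_trans(sshd_login_t, shell_exec_t, user_t)` on the context line above still applies in both branches, so the default target domain is unchanged by this change. The two domain_trans lines inside the braces are flush with the `if`; indenting them would make the branch structure visible at a glance.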
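Review bot: `char *selinux_booleans_path()` is an old-style declaration with an unspecified parameter list and returns a string literal through a non-const pointer, so a caller can legally, but fatally, write into read-only data; prefer `const char *selinux_booleans_path(void)`, and check it against the prototype in the installed selinux.h, which in libselinux declares the `*_path()` accessors as returning `const char *` if memory serves. A short purpose comment would also help, since the function is otherwise undocumented: `/* Path of the persisted boolean settings file; presumably read by security_load_booleans, which is not part of this change. */`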