PERFORCE change 44601 for review
Andrew Reisse
areisse at FreeBSD.org
Wed Dec 31 18:27:06 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=44601
Change 44601 by areisse at areisse_tislabs on 2003/12/31 10:26:54
Support roles supplied after the username, as "andrew/user_r".
Affected files ...
.. //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#6 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#6 (text+ko) ====
@@ -138,6 +138,8 @@
static char *username; /* user name */
static char *olduser; /* previous user name */
+static char *user_role; /* role/type specified with username */
+
/*
* Prompts
*/
@@ -292,6 +294,13 @@
badlogin(olduser);
}
+ char *rp = username;
+ while (*rp && *rp != '/')
+ rp++;
+ if (*rp == '/') {
+ *rp = 0;
+ user_role = rp+1;
+ }
/*
* Load the PAM policy and set some variables
*/
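Review bot: `user_role` is assigned only when a '/' is found and is never cleared, so if this code sits inside the login retry path (the preceding `badlogin(olduser);` suggests it does), a role typed on an earlier attempt could still be in effect for a later attempt that names a different user without a role. Resetting it before the scan, `user_role = NULL;`, keeps the role tied to the name it was typed with. The scan could also be written as `rp = strchr(username, '/');`, which avoids declaring `rp` after statements in the middle of the block. An empty role ("andrew/") leaves `user_role` pointing at an empty string rather than NULL, and it is worth deciding whether that should fall back to the interactive query. The enclosing function starts and ends outside this hunk.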
@@ -504,7 +513,7 @@
* according to what the security server reports.
*/
if (sebsd_enabled()) {
- char *labeltext, *queried, *oldttylabeltext, *tty_queried,
+ char *labeltext, *queried, *oldttylabeltext, *tty_queried=NULL,
**contexts;
size_t ncontexts;
mac_t newttylabel;
@@ -513,9 +522,40 @@
if (get_ordered_context_list(username, NULL, &contexts,
&ncontexts) != 0 || ncontexts == 0)
goto nosebsd;
+
+ queried = NULL;
+ if (user_role) {
+ int i;
+ char *p = user_role;
+ while (*p) {
+ if (*p == '|' || *p == '/')
+ *p = ':';
+ p++;
+ }
+ for (i = 0; i < ncontexts; i++) {
+ p = contexts[i] + strlen(username)+1;
+ if (!strcmp (p, user_role)) {
+ queried = contexts[i];
+ break;
+ }
+ char *pt = strchr (p, ':');
+ if (pt-p == strlen(user_role) &&
+ !strncmp (p, user_role, pt-p)) {
+ queried = contexts[i];
+ break;
+ }
+ }
+ }
+
+ if (!queried)
if (query_user_context(pamh, contexts, ncontexts,
- &queried) != 0 ||
- asprintf(&labeltext, "sebsd/%s", queried) == -1 ||
+ &queried) != 0) {
+
+ syslog(LOG_ERR, "Reading SEBSD domain from user:"
+ " %m");
+ bail(NO_SLEEP_EXIT, 1);
+ }
+ if (asprintf(&labeltext, "sebsd/%s", queried) == -1 ||
mac_from_text(&execlabel, labeltext) != 0) {
syslog(LOG_ERR, "Determining SEBSD domain transition:"
" %m");
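Review bot: `p = contexts[i] + strlen(username)+1` assumes every returned context starts with the login name plus one separator. If a context's user field is shorter than `username` (possible if the policy maps the login to a different identity, which this page does not show), `p` points past the end of the string and the following `strcmp` reads out of bounds in a privileged login path. `strchr (p, ':')` can also return NULL, in which case `pt-p` is undefined before it is compared with `strlen(user_role)`. The fence below finds the role field by its delimiter and checks `pt` before use; the `if (!queried)` that guards the un-indented `if (query_user_context(...` should also get braces so the nesting is explicit. The enclosing function begins and ends outside this hunk.

```c
		for (i = 0; i < ncontexts; i++) {
			/* Skip the user field by its delimiter, not by strlen(username). */
			p = strchr(contexts[i], ':');
			if (p == NULL)
				continue;
			p++;
			/* … unchanged: exact strcmp() match of p against user_role … */
			char *pt = strchr (p, ':');
			if (pt != NULL &&
			    (size_t)(pt - p) == strlen(user_role) &&
			    !strncmp (p, user_role, pt - p)) {
				queried = contexts[i];
				break;
			}
		}
```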