PERFORCE change 23057 for review
Brian Feldman
green at freebsd.org
Thu Jan 2 20:16:43 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=23057
Change 23057 by green at green_laptop_2 on 2003/01/02 12:16:08
* Set SEBSD tty labels in login.c.
Affected files ...
.. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#27 edit
Differences ...
==== //depot/projects/trustedbsd/mac/usr.bin/login/login.c#27 (text+ko) ====
@@ -80,6 +80,7 @@
#include <security/pam_appl.h>
#include <security/openpam.h>
+#include <security/sebsd/flask.h>
#include "login.h"
#include "pathnames.h"
@@ -175,7 +176,8 @@
const char *tp;
const char *shell = NULL;
login_cap_t *lc = NULL;
- mac_t execlabel = NULL;
+ mac_t execlabel = NULL; /* label to transition to in exec */
+ mac_t oldttylabel = NULL; /* previous tty label to restore */
const char *label_string;
pid_t pid;
@@ -498,10 +500,14 @@
* Determine if we must execute a transition when we
* run our shell, for MAC policies which require it. For now,
* this is just SEBSD, and therefore not generic at all.
+ * When using SEBSD, the terminal device needs to be relabeled
+ * according to what the security server reports.
*/
if (sebsd_enabled()) {
- char *labeltext, *queried, **contexts;
+ char *labeltext, *queried, *oldttylabeltext, *tty_queried,
+ **contexts;
size_t ncontexts;
+ mac_t newttylabel;
int n;
if (get_ordered_context_list(username, NULL, &contexts,
@@ -516,9 +522,33 @@
bail(NO_SLEEP_EXIT, 1);
}
free(labeltext);
+ mac_prepare(&oldttylabel, "sebsd");
+ if (mac_get_file(ttyn, oldttylabel) != 0 ||
+ mac_to_text(oldttylabel, &oldttylabeltext) != 0) {
+ syslog(LOG_ERR, "Getting SEBSD label on terminal "
+ "%s: %m", ttyn);
+ bail(NO_SLEEP_EXIT, 1);
+ }
+ if (security_change_context(queried, oldttylabeltext +
+ sizeof("sebsd/") - 1, SECCLASS_CHR_FILE,
+ &tty_queried) != 0 ||
+ asprintf(&labeltext, "sebsd/%s", tty_queried) == -1) {
+ syslog(LOG_ERR, "Determining SEBSD label for terminal "
+ "%s: %m", ttyn);
+ bail(NO_SLEEP_EXIT, 1);
+ }
+ free(oldttylabeltext);
+ free(tty_queried);
for (n = 0; n < ncontexts; n++)
free(contexts[n]);
free(contexts);
+ if (mac_from_text(&newttylabel, labeltext) != 0 ||
+ mac_set_file(ttyn, newttylabel) != 0) {
+ syslog(LOG_ERR, "Setting SEBSD label on terminal "
+ "%s: %m", ttyn);
+ bail(NO_SLEEP_EXIT, 1);
+ }
+ mac_free(newttylabel);
}
nosebsd:
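Review bot: The return value of `mac_prepare(&oldttylabel, "sebsd")` is ignored, unlike every other mac_* call in this block; if it fails, `oldttylabel` is presumably left NULL and the problem only surfaces as a misleading "Getting SEBSD label on terminal" message from the `mac_get_file` check that follows. Folding it into that condition, `if (mac_prepare(&oldttylabel, "sebsd") != 0 || mac_get_file(ttyn, oldttylabel) != 0 || mac_to_text(oldttylabel, &oldttylabeltext) != 0) {`, keeps the error reporting uniform. The `oldttylabeltext + sizeof("sebsd/") - 1` offset assumes the text form always starts with `sebsd/`; if mac_to_text can yield a shorter or differently prefixed string for a terminal that carries no SEBSD label, that pointer lands past the terminator, so a `strncmp` against the prefix before computing the offset would make the assumption explicit and fail safely. The `labeltext` allocated by asprintf is also never freed after `mac_from_text` consumes it, whereas the earlier `labeltext` is freed just above the new code.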
@@ -568,6 +598,7 @@
*/
setproctitle("-%s [pam]", getprogname());
wait(NULL);
+ (void)mac_set_file(ttyn, oldttylabel);
bail(NO_SLEEP_EXIT, 0);
}
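Review bot: `(void)mac_set_file(ttyn, oldttylabel)` runs on this path whether or not the SEBSD branch ever prepared `oldttylabel`, so on the `nosebsd` path it is presumably invoked with a NULL label and depends on the call being rejected; guarding it, `if (oldttylabel != NULL) (void)mac_set_file(ttyn, oldttylabel);`, makes the intent explicit and avoids a spurious failed call. A genuine failure to restore the terminal's label is discarded by the `(void)` cast, while every other mac_* failure in this change is logged; reporting it via syslog as well would keep the terminal's label state auditable. Since the restore happens only after `wait(NULL)` returns, the terminal presumably keeps the session's label if the parent login process is terminated before the child exits, and a comment stating that limitation would help the next maintainer. Whether this closing brace ends the enclosing function cannot be determined from the hunk.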