PERFORCE change 24449 for review
Brian Feldman
green at freebsd.org
Thu Jan 30 19:13:28 GMT 2003
http://perforce.freebsd.org/chv.cgi?CH=24449
Change 24449 by green at green_laptop_2 on 2003/01/30 11:12:33
Make cron(8) work in an SEBSD system. The way to get "correct"
defaults for the contexts used will be:
# cat /etc/security/default_contexts
system_r:crond_t system_r:system_crond_t user_r:user_crond_t
Affected files ...
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#2 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#2 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#2 (text+ko) ====
@@ -6,7 +6,7 @@
CFLAGS+= -DLOGIN_CAP
-DPADD= ${LIBCRON} ${LIBUTIL}
-LDADD= ${LIBCRON} -lutil
+DPADD= ${LIBCRON} ${LIBUTIL} ${LIBSEBSD}
+LDADD= ${LIBCRON} -lutil -lsebsd
.include <bsd.prog.mk>
==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#2 (text+ko) ====
@@ -29,7 +29,14 @@
#include <sys/stat.h>
#include <sys/file.h>
+#include <sys/mac.h>
+#include <security/sebsd/flask.h>
+#include <security/sebsd/flask_types.h>
+#include <security/sebsd/sebsd_syscalls.h>
+#include <security/sebsd/avc/av_permissions.h>
+#include <sebsd.h>
+
#define TMAX(a,b) ((a)>(b)?(a):(b))
@@ -249,6 +256,56 @@
free_user(u);
log_it(fname, getpid(), "RELOAD", tabname);
}
+ if (sebsd_enabled()) {
+ /*
+ * Perform a virtual entrypoint access decision on
+ * the user's crontab as if it were the script
+ * being executed.
+ */
+ struct security_query q;
+ struct security_response r;
+ char *context, *file_context;
+ mac_t filelabel;
+ int error;
+
+ if (mac_prepare(&filelabel, "sebsd") != 0) {
+ log_it(fname, getpid(),
+ "failure getting SEBSD context for tab", tabname);
+ goto next_crontab;
+ }
+ if (mac_get_fd(crontab_fd, filelabel) != 0) {
+ log_it(fname, getpid(),
+ "failure getting SEBSD context for tab", tabname);
+ mac_free(filelabel);
+ goto next_crontab;
+ }
+ if (mac_to_text(filelabel, &file_context) != 0) {
+ log_it(fname, getpid(),
+ "failure getting SEBSD context for tab", tabname);
+ mac_free(filelabel);
+ goto next_crontab;
+ }
+ mac_free(filelabel);
+ if (get_default_context(strcmp(fname, "*system*") == 0 ?
+ "system_u" : fname, NULL, &context)) {
+ log_it(fname, getpid(),
+ "failure getting default SEBSD context", tabname);
+ free(file_context);
+ goto next_crontab;
+ }
+ q.scontext = context;
+ q.tcontext = file_context + sizeof("sebsd/") - 1;
+ q.tclass = SECCLASS_FILE;
+ q.requested = FILE__ENTRYPOINT;
+ error = security_compute_av(&q, &r);
+ free(file_context);
+ free(context);
+ if (error || ((q.requested & r.allowed) != q.requested)) {
+ log_it(fname, getpid(), "SEBSD entrypoint failed",
+ tabname);
+ goto next_crontab;
+ }
+ }
u = load_user(crontab_fd, pw, fname);
if (u != NULL) {
u->mtime = statbuf->st_mtime;
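Review bot: `q.tcontext = file_context + sizeof("sebsd/") - 1;` skips six bytes of the `mac_to_text` result without checking that the string actually starts with `sebsd/`. If the text is shorter or laid out differently, the pointer passed to `security_compute_av` lands in the wrong place or past the terminator, so the prefix should be verified and the crontab skipped on mismatch. The three label-retrieval failures also log the identical string "failure getting SEBSD context for tab", which makes it impossible to tell from the log which of `mac_prepare`, `mac_get_fd` or `mac_to_text` failed. The `next_crontab` label and the rest of the enclosing function are outside this hunk.

```c
	/* … unchanged: mac_prepare / mac_get_fd / mac_to_text / get_default_context … */
	if (strncmp(file_context, "sebsd/", sizeof("sebsd/") - 1) != 0) {
		log_it(fname, getpid(),
		    "unexpected SEBSD label format for tab", tabname);
		free(file_context);
		free(context);
		goto next_crontab;
	}
	q.scontext = context;
	q.tcontext = file_context + sizeof("sebsd/") - 1;
	/* … unchanged: tclass/requested setup and security_compute_av call … */
```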
==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#2 (text+ko) ====
@@ -32,6 +32,9 @@
#if defined(LOGIN_CAP)
# include <login_cap.h>
#endif
+#include <sys/mac.h>
+#include <security/sebsd/flask_types.h>
+#include <sebsd.h>
static void child_process __P((entry *, user *)),
@@ -265,7 +268,36 @@
_exit(OK_EXIT);
}
# endif /*DEBUGGING*/
- execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
+ if (sebsd_enabled()) {
+ mac_t mac;
+ char *context, *labeltext, *argv[4];
+
+
+ if (get_default_context(strcmp(u->name,
+ "*system*") == 0 ? "system_u" : u->name,
+ NULL, &context) == -1) {
+ fprintf(stderr, "command execution: "
+ "could not get SEBSD context for "
+ "user %s\n", u->name);
+ _exit(ERROR_EXIT);
+ }
+ if (asprintf(&labeltext, "sebsd/%s", context)
+ == -1 || mac_from_text(&mac, labeltext) ==
+ -1) {
+ fprintf(stderr, "command execution: "
+ "could make SEBSD label for "
+ "user %s\n", u->name);
+ _exit(ERROR_EXIT);
+ }
+ argv[0] = shell;
+ argv[1] = "-c";
+ argv[2] = e->cmd;
+ argv[3] = NULL;
+ mac_execve(shell, argv, e->envp, mac);
+ } else {
+ execle(shell, shell, "-c", e->cmd, (char *)0,
+ e->envp);
+ }
warn("execl: couldn't exec `%s'", shell);
_exit(ERROR_EXIT);
}
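Review bot: The label handed to `mac_execve` comes from a second `get_default_context` lookup at execution time, separate from the one the entrypoint check in database.c evaluated when the crontab was loaded. The authorised domain and the domain the job runs in therefore presumably match only if the default-context configuration did not change in between; a comment such as `/* must yield the same context that database.c checked for entrypoint */` would record that assumption. The message in the `asprintf`/`mac_from_text` failure branch reads `"could make SEBSD label for "`, dropping the "not", and the fall-through `warn("execl: couldn't exec ...")` now also reports `mac_execve` failures under the name execl. The return test here is `== -1` while database.c treats any non-zero result from `get_default_context` as failure; using one form in both places would avoid a missed error. The enclosing function begins and ends outside this hunk.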