PERFORCE change 70544 for review
Andrew Reisse
areisse at FreeBSD.org
Mon Feb 7 20:19:10 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=70544
Change 70544 by areisse at areisse_tislabs on 2005/02/07 20:18:30
Change the TE policy to allow the ssh_sysadm_login boolean to work
if UseLogin is enabled (which it must be on SEBSD).
Provide the boolean interface from selinux in libsebsd.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/booleans.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#11 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#7 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/booleans.c#2 (text+ko) ====
@@ -20,196 +20,108 @@
#include <errno.h>
#include <selinux/selinux.h>
+#include <security/sebsd/sebsd_syscalls.h>
#include "policy.h"
-#define SELINUX_BOOL_DIR "/booleans/"
+int security_get_boolean_names(char ***names, int *len)
+{
+ struct sebsd_get_bools gb;
+ int i, err, rc = -1;
+ char **n;
+ int num = 0;
+ char *p, *q;
+
+ gb.out = NULL;
+ gb.len = 0;
-static int filename_select(const struct dirent *d)
-{
- int len;
+ err = mac_syscall("sebsd", SEBSDCALL_GET_BOOLS, &gb);
- len = strlen(d->d_name);
- if (len == 1 && d->d_name[0] == '.')
- return 0;
- if (len == 2 && d->d_name[0] == '.' &&
- d->d_name[1] == '.')
- return 0;
- return 1;
-}
+ if (err && errno != ENOMEM)
+ return (-1);
+ gb.out = malloc (gb.len);
-int security_get_boolean_names(char ***names, int *len)
-{
- char path[PATH_MAX];
- int i, rc;
- struct dirent **namelist;
- char **n;
+ err = mac_syscall("sebsd", SEBSDCALL_GET_BOOLS, &gb);
+ if (err)
+ goto out;
- assert(len);
+ for (p = gb.out; p-gb.out < gb.len; p++)
+ if (*p == ';')
+ num++;
- snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
- *len = scandir(path, &namelist, &filename_select,
- alphasort);
- if (*len <= 0) {
- return -1;
- }
+ n = (char**)malloc(sizeof(char*) * num);
+ if (!n)
+ goto out;
- n = (char**)malloc(sizeof(char*) * *len);
- if (!n) {
- rc = -1;
- goto bad;
- }
+ p = gb.out;
+ for (i = 0; i < num; i++) {
+ p += 2;
+ for (q = p; *q != ';'; q++);
- memset(n, 0, sizeof(char*) * *len);
-
- for (i = 0; i < *len; i++) {
- n[i] = (char*)malloc(sizeof(char)
- * (namelist[i]->d_reclen + 1));
- if (!n[i]) {
- rc = -1;
+ n[i] = (char*)malloc(sizeof(char) * (1+q-p));
+ if (!n[i])
goto bad;
- }
- strncpy(n[i], namelist[i]->d_name, namelist[i]->d_reclen + 1);
+ strncpy(n[i], p, q-p);
+ n[i][q-p] = 0;
+ p = q+1;
}
rc = 0;
*names = n;
-out:
- for (i = 0; i < *len; i++) {
- free(namelist[i]);
- }
- free(namelist);
- return rc;
+ *len = num;
+ goto out;
+
bad:
for (i = 0; i < *len; i++) {
if (n[i])
free(n[i]);
}
free(n);
- goto out;
-}
+out:
+ if (gb.out)
+ free(gb.out);
-#define STRBUF_SIZE 3
-static int get_bool_value(const char *name, char **buf)
-{
- int fd, len;
- char *fname = NULL;
-
- *buf = (char*)malloc(sizeof(char) * (STRBUF_SIZE + 1));
- if (!*buf)
- goto out;
- (*buf)[STRBUF_SIZE] = 0;
-
- len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR);
- fname = (char*)malloc(sizeof(char) * len);
- if (!fname)
- goto out;
- snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name);
-
- fd = open(fname, O_RDONLY);
- if (fd < 0)
- goto out;
-
- len = read(fd, *buf, STRBUF_SIZE);
- close(fd);
- if (len != STRBUF_SIZE)
- goto out;
-
- free(fname);
- return 0;
-out:
- if (*buf)
- free(*buf);
- if (fname)
- free(fname);
- return -1;
+ return rc;
}
int security_get_boolean_pending(const char *name)
{
- char *buf;
- int val;
-
- if (get_bool_value(name, &buf))
+ int r = mac_syscall("sebsd", SEBSDCALL_GET_BOOL, name);
+ if (r < 0)
return -1;
-
- if (atoi(&buf[1]))
- val = 1;
- else
- val = 0;
- free(buf);
- return val;
+ return (r & 2) >> 1;
}
int security_get_boolean_active(const char *name)
{
- char *buf;
- int val;
-
- if (get_bool_value(name, &buf))
+ int r = mac_syscall("sebsd", SEBSDCALL_GET_BOOL, name);
+ if (r < 0)
return -1;
+ return (r & 1);
+}
- buf[1] = '\0';
- if (atoi(buf))
- val = 1;
- else
- val = 0;
- free(buf);
- return val;
-}
+struct lp_args
+{
+ void *data;
+ size_t len;
+};
int security_set_boolean(const char *name, int value)
{
- int fd, ret, len;
- char buf[2], *fname;
+ struct lp_args args;
+ char str[strlen(name) + 2];
- len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR);
- fname = (char*)malloc(sizeof(char) * len);
- if (!fname)
- return -1;
- snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name);
-
- fd = open(fname, O_WRONLY);
- if (fd < 0) {
- ret = -1;
- goto out;
- }
-
- if (value)
- buf[0] = '1';
- else
- buf[0] = '0';
- buf[1] = '\0';
-
- ret = write(fd, buf, 2);
- close(fd);
-out:
- free(fname);
- if (ret > 0)
- return 0;
- else
- return -1;
+ str[0] = value + '0';
+ strcpy (str+1, name);
+ args.data = str;
+ args.len = 1+strlen(str);
+ int err = mac_syscall("sebsd", SEBSDCALL_SET_BOOL, &args);
+ if (err)
+ perror (name);
+ return err;
}
int security_commit_booleans(void)
{
- int fd, ret;
- char buf[2];
- char path[PATH_MAX];
-
- snprintf(path, sizeof path, "%s/commit_pending_bools", selinux_mnt);
- fd = open(path, O_WRONLY);
- if (fd < 0)
- return -1;
-
- buf[0] = '1';
- buf[1] = '\0';
-
- ret = write(fd, buf, 2);
- close(fd);
-
- if (ret > 0)
- return 0;
- else
- return -1;
+ return mac_syscall ("sebsd", SEBSDCALL_COMMIT_BOOLS, NULL);
}
static char *strtrim(char *dest, char *source, int size) {
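Review bot: The `bad:` cleanup in security_get_boolean_names frees pointers it never set: its loop runs to `*len`, which is only assigned on the success path (so it reads the caller's stale value), and the `memset(n, 0, ...)` that zeroed the array was dropped, so every `n[i]` past the failing index is uninitialized heap memory handed to free(). Allocate with `n = calloc(num, sizeof *n);` and bound the cleanup with `for (i = 0; i < num; i++) {` so only entries that exist are released. The result of `gb.out = malloc (gb.len);` is also passed to the second mac_syscall unchecked (a `if (!gb.out) return (-1);` guard belongs there), and the inner scan `for (q = p; *q != ';'; q++);` has no bound against `gb.out + gb.len`, so a buffer that does not end in ';' is read past its end. Further down, security_set_boolean writes `str[0] = value + '0';`, which no longer normalizes the flag the way the removed code did; `str[0] = value ? '1' : '0';` keeps any non-zero value from producing a character other than '1'. strtrim, the last context line, continues outside the hunk.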
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#11 (text+ko) ====
@@ -302,5 +302,9 @@
# run user shells
domain_auto_trans(sshd_login_t, shell_exec_t, user_t)
+
+if (ssh_sysadm_login) {
+domain_trans(sshd_login_t, shell_exec_t, userdomain)
+} else {
domain_trans(sshd_login_t, shell_exec_t, unpriv_userdomain)
-
+}
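Review bot: The new conditional carries no comment saying what the boolean changes, and `userdomain` is a wider target than the `unpriv_userdomain` the else branch keeps, so the block reads as a privilege widening without a stated reason; a comment such as `# ssh_sysadm_login: let sshd_login_t transition to any user domain (presumably including the sysadm domain) rather than only unprivileged ones` above the `if` would record the intent. The commit text ties this to UseLogin being enabled; if that is a precondition for the boolean to take effect, it belongs in the same comment. The `domain_auto_trans(sshd_login_t, shell_exec_t, user_t)` line above the conditional stays unconditional, which looks intended but is worth confirming.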
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#7 (text+ko) ====
@@ -16,7 +16,7 @@
getseccontext.c query_user_context.c security_change_context.c \
string_to_security_class.c security_compute_av.c context.c \
get_default_type.c filecon.c sebsd_config.c \
- freecon.c freeconary.c
+ freecon.c freeconary.c booleans.c
INCSDIR=${INCLUDEDIR}/selinux
==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#2 (text+ko) ====
@@ -5,3 +5,8 @@
{
return _DEFTYPE_PATH;
}
+
+char *selinux_booleans_path()
+{
+ return "/etc/security/sebsd/booleans";
+}
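Review bot: `selinux_booleans_path` returns a string literal through a non-const `char *`, so a caller that writes into the result modifies read-only storage; unless the header declares it otherwise, `const char *selinux_booleans_path(void)` is the safer signature, and `(void)` gives the definition a real prototype where empty parentheses do not. The sibling definition just above returns `_DEFTYPE_PATH` the same way, so both declarations in the header should be checked together. A one-line comment stating what is stored at `/etc/security/sebsd/booleans` (the persisted boolean settings, presumably) would tell a reader why the path is hard-coded here.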