* launching apps at level (MLS) and polyinstantiation @ 2007-04-27 18:41 Ted X Toth 2007-04-27 19:01 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Ted X Toth @ 2007-04-27 18:41 UTC (permalink / raw) To: selinux I'm working on an application that launches other applications at a specified level. I have also configured polyinstantiation for a some directories. What I have found is that I had to make this application pam aware in order for the child process to get polyinstantiated directories. One issue is the reauthentication I've already authenticated why should I have to reauthenticate so that a child process can use polyinstantiated directories? Currently this app works when run as root but not as other users because the unshare call in pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I need to do so that the application has this capability? I tried making the app setuid but that didn't help. Ted -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-04-27 18:41 launching apps at level (MLS) and polyinstantiation Ted X Toth @ 2007-04-27 19:01 ` Stephen Smalley 2007-04-27 19:05 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2007-04-27 19:01 UTC (permalink / raw) To: Ted X Toth; +Cc: selinux On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote: > I'm working on an application that launches other applications at a > specified level. I have also configured polyinstantiation for a some > directories. What I have found is that I had to make this application > pam aware in order for the child process to get polyinstantiated > directories. One issue is the reauthentication I've already > authenticated why should I have to reauthenticate so that a child > process can use polyinstantiated directories? Currently this app works > when run as root but not as other users because the unshare call in > pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I > need to do so that the application has this capability? I tried making > the app setuid but that didn't help. First, your application sounds similar to newrole -l, so hopefully you can draw from it. What precisely requires your app to perform authentication? You control your app's pam config, so you can define those modules as you see fit, including using trivial ones like pam_permit.so. And you control whether your app calls pam_authenticate(). Possibly you may need to set up state to make pam_open_session() happy. newrole has the same issue wrt needing capabilities, so look to it as an example - look at the NAMESPACE_PRIV code. It needs to be suid but also needs to run in a domain that is allowed those capabilities. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-04-27 19:01 ` Stephen Smalley @ 2007-04-27 19:05 ` Stephen Smalley [not found] ` <463360B0.7020106@gmail.com> 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2007-04-27 19:05 UTC (permalink / raw) To: Ted X Toth; +Cc: selinux On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote: > On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote: > > I'm working on an application that launches other applications at a > > specified level. I have also configured polyinstantiation for a some > > directories. What I have found is that I had to make this application > > pam aware in order for the child process to get polyinstantiated > > directories. One issue is the reauthentication I've already > > authenticated why should I have to reauthenticate so that a child > > process can use polyinstantiated directories? Currently this app works > > when run as root but not as other users because the unshare call in > > pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I > > need to do so that the application has this capability? I tried making > > the app setuid but that didn't help. > > First, your application sounds similar to newrole -l, so hopefully you > can draw from it. In fact, newrole -l <level> -- -c <app> will run an application in a given level. > > What precisely requires your app to perform authentication? You control > your app's pam config, so you can define those modules as you see fit, > including using trivial ones like pam_permit.so. And you control > whether your app calls pam_authenticate(). Possibly you may need to set > up state to make pam_open_session() happy. > > newrole has the same issue wrt needing capabilities, so look to it as an > example - look at the NAMESPACE_PRIV code. It needs to be suid but also > needs to run in a domain that is allowed those capabilities. > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
[parent not found: <463360B0.7020106@gmail.com>]
[parent not found: <1177934887.16232.7.camel@moss-spartans.epoch.ncsc.mil>]
* Re: launching apps at level (MLS) and polyinstantiation [not found] ` <1177934887.16232.7.camel@moss-spartans.epoch.ncsc.mil> @ 2007-04-30 14:41 ` Ted X Toth 2007-04-30 14:52 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Ted X Toth @ 2007-04-30 14:41 UTC (permalink / raw) To: Stephen Smalley, selinux Stephen Smalley wrote: > On Sat, 2007-04-28 at 09:56 -0500, Ted X Toth wrote: > >> Stephen Smalley wrote: >> >>> On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote: >>> >>> >>>> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote: >>>> >>>> >>>>> I'm working on an application that launches other applications at a >>>>> specified level. I have also configured polyinstantiation for a some >>>>> directories. What I have found is that I had to make this application >>>>> pam aware in order for the child process to get polyinstantiated >>>>> directories. One issue is the reauthentication I've already >>>>> authenticated why should I have to reauthenticate so that a child >>>>> process can use polyinstantiated directories? Currently this app works >>>>> when run as root but not as other users because the unshare call in >>>>> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I >>>>> need to do so that the application has this capability? I tried making >>>>> the app setuid but that didn't help. >>>>> >>>>> >>>> First, your application sounds similar to newrole -l, so hopefully you >>>> can draw from it. >>>> >>>> >>> In fact, newrole -l <level> -- -c <app> will run an application in a >>> given level. >>> >>> >>> >>>> What precisely requires your app to perform authentication? You control >>>> your app's pam config, so you can define those modules as you see fit, >>>> including using trivial ones like pam_permit.so. And you control >>>> whether your app calls pam_authenticate(). Possibly you may need to set >>>> up state to make pam_open_session() happy. >>>> >>>> newrole has the same issue wrt needing capabilities, so look to it as an >>>> example - look at the NAMESPACE_PRIV code. It needs to be suid but also >>>> needs to run in a domain that is allowed those capabilities. >>>> >>>> >>>> >> Would it be reasonable to extend newrole by adding a parameter for the >> pam service name so that different authentication strategies could be >> employed? >> > > That would be dangerous - a user could then pick any pam service name he > wants and run newrole with that, e.g. to bypass some aspect of the > newrole pam stack. > > But you are certainly free to customize /etc/pam.d/newrole on your > systems as you like. > We wouldn't want to change newroles pam configuration across the board like that we're looking to be able to reuse its capability in more flexible ways. You could limit which pam configurations that could be used by defining a policy attribute and only allowing newrole access to files with that attribute, right? Another idea is to have a configuration file that would map service names to applications being run under newrole. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-04-30 14:41 ` Ted X Toth @ 2007-04-30 14:52 ` Stephen Smalley 2007-05-02 15:49 ` Xavier Toth 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2007-04-30 14:52 UTC (permalink / raw) To: Ted X Toth; +Cc: selinux On Mon, 2007-04-30 at 09:41 -0500, Ted X Toth wrote: > Stephen Smalley wrote: > > On Sat, 2007-04-28 at 09:56 -0500, Ted X Toth wrote: > > > >> Stephen Smalley wrote: > >> > >>> On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote: > >>> > >>> > >>>> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote: > >>>> > >>>> > >>>>> I'm working on an application that launches other applications at a > >>>>> specified level. I have also configured polyinstantiation for a some > >>>>> directories. What I have found is that I had to make this application > >>>>> pam aware in order for the child process to get polyinstantiated > >>>>> directories. One issue is the reauthentication I've already > >>>>> authenticated why should I have to reauthenticate so that a child > >>>>> process can use polyinstantiated directories? Currently this app works > >>>>> when run as root but not as other users because the unshare call in > >>>>> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I > >>>>> need to do so that the application has this capability? I tried making > >>>>> the app setuid but that didn't help. > >>>>> > >>>>> > >>>> First, your application sounds similar to newrole -l, so hopefully you > >>>> can draw from it. > >>>> > >>>> > >>> In fact, newrole -l <level> -- -c <app> will run an application in a > >>> given level. > >>> > >>> > >>> > >>>> What precisely requires your app to perform authentication? You control > >>>> your app's pam config, so you can define those modules as you see fit, > >>>> including using trivial ones like pam_permit.so. And you control > >>>> whether your app calls pam_authenticate(). Possibly you may need to set > >>>> up state to make pam_open_session() happy. > >>>> > >>>> newrole has the same issue wrt needing capabilities, so look to it as an > >>>> example - look at the NAMESPACE_PRIV code. It needs to be suid but also > >>>> needs to run in a domain that is allowed those capabilities. > >>>> > >>>> > >>>> > >> Would it be reasonable to extend newrole by adding a parameter for the > >> pam service name so that different authentication strategies could be > >> employed? > >> > > > > That would be dangerous - a user could then pick any pam service name he > > wants and run newrole with that, e.g. to bypass some aspect of the > > newrole pam stack. > > > > But you are certainly free to customize /etc/pam.d/newrole on your > > systems as you like. > > > We wouldn't want to change newroles pam configuration across the board > like that we're looking to be able to reuse its capability in more > flexible ways. You could limit which pam configurations that could be > used by defining a policy attribute and only allowing newrole access > to files with that attribute, right? Another idea is to have a > configuration file that would map service names to applications being > run under newrole. I wouldn't want to base it on what types newrole can read, as that will be too coarse-grained and too prone to misconfiguration. Having an explicit configuration for newrole'able apps would make more sense, more like consolehelper aka usermode. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-04-30 14:52 ` Stephen Smalley @ 2007-05-02 15:49 ` Xavier Toth 2007-05-02 16:57 ` Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Xavier Toth @ 2007-05-02 15:49 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 3444 bytes --] Stephen. I'd appreciate you reviewing this proposed patch. Ted On 4/30/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Mon, 2007-04-30 at 09:41 -0500, Ted X Toth wrote: > > Stephen Smalley wrote: > > > On Sat, 2007-04-28 at 09:56 -0500, Ted X Toth wrote: > > > > > >> Stephen Smalley wrote: > > >> > > >>> On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote: > > >>> > > >>> > > >>>> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote: > > >>>> > > >>>> > > >>>>> I'm working on an application that launches other applications at a > > >>>>> specified level. I have also configured polyinstantiation for a some > > >>>>> directories. What I have found is that I had to make this application > > >>>>> pam aware in order for the child process to get polyinstantiated > > >>>>> directories. One issue is the reauthentication I've already > > >>>>> authenticated why should I have to reauthenticate so that a child > > >>>>> process can use polyinstantiated directories? Currently this app works > > >>>>> when run as root but not as other users because the unshare call in > > >>>>> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I > > >>>>> need to do so that the application has this capability? I tried making > > >>>>> the app setuid but that didn't help. > > >>>>> > > >>>>> > > >>>> First, your application sounds similar to newrole -l, so hopefully you > > >>>> can draw from it. > > >>>> > > >>>> > > >>> In fact, newrole -l <level> -- -c <app> will run an application in a > > >>> given level. > > >>> > > >>> > > >>> > > >>>> What precisely requires your app to perform authentication? You control > > >>>> your app's pam config, so you can define those modules as you see fit, > > >>>> including using trivial ones like pam_permit.so. And you control > > >>>> whether your app calls pam_authenticate(). Possibly you may need to set > > >>>> up state to make pam_open_session() happy. > > >>>> > > >>>> newrole has the same issue wrt needing capabilities, so look to it as an > > >>>> example - look at the NAMESPACE_PRIV code. It needs to be suid but also > > >>>> needs to run in a domain that is allowed those capabilities. > > >>>> > > >>>> > > >>>> > > >> Would it be reasonable to extend newrole by adding a parameter for the > > >> pam service name so that different authentication strategies could be > > >> employed? > > >> > > > > > > That would be dangerous - a user could then pick any pam service name he > > > wants and run newrole with that, e.g. to bypass some aspect of the > > > newrole pam stack. > > > > > > But you are certainly free to customize /etc/pam.d/newrole on your > > > systems as you like. > > > > > We wouldn't want to change newroles pam configuration across the board > > like that we're looking to be able to reuse its capability in more > > flexible ways. You could limit which pam configurations that could be > > used by defining a policy attribute and only allowing newrole access > > to files with that attribute, right? Another idea is to have a > > configuration file that would map service names to applications being > > run under newrole. > > I wouldn't want to base it on what types newrole can read, as that will > be too coarse-grained and too prone to misconfiguration. Having an > explicit configuration for newrole'able apps would make more sense, more > like consolehelper aka usermode. > > -- > Stephen Smalley > National Security Agency > > [-- Attachment #2: policycoreutils-service-name.patch --] [-- Type: text/x-patch, Size: 6078 bytes --] --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-02 10:45:14.000000000 -0500 +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-02 10:45:05.000000000 -0500 @@ -54,6 +54,7 @@ #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ +#include <ctype.h> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ #include <sys/wait.h> /* for wait() */ #include <getopt.h> /* for getopt_long() form of getopt() */ @@ -85,6 +86,8 @@ #define PACKAGE "policycoreutils" /* the name of this package lang translation */ #endif +#include <sepol/policydb/hashtab.h> + /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" @@ -156,6 +159,7 @@ #include <security/pam_misc.h> /* for misc_conv PAM utility function */ #define SERVICE_NAME "newrole" /* the name of this program for PAM */ +char *service_name = "newrole"; /* authenticate_via_pam() * @@ -921,6 +925,141 @@ return 0; } +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) +{ + char *p, *keyp; + size_t size; + unsigned int val; + + val = 0; + keyp = (char *)key; + size = strlen(keyp); + for (p = keyp; ((size_t) (p - keyp)) < size; p++) + val = + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); + return val & (h->size - 1); +} + +static int reqsymcmp(hashtab_t h + __attribute__ ((unused)), hashtab_key_t key1, + hashtab_key_t key2) +{ + char *keyp1, *keyp2; + + keyp1 = (char *)key1; + keyp2 = (char *)key2; + return strcmp(keyp1, keyp2); +} + +static hashtab_t app_service_names = NULL; + +static void process_config(FILE * cfg) +{ + char *line_buf = NULL; + size_t len = 0; + size_t current_size = 0; + char *app = NULL; + char *service = NULL; + int ret; + char *local_app = NULL; + char *local_service_name = NULL; + + while (getline(&line_buf, &len, cfg) > 0) { + char *buffer = line_buf; + while (isspace(*buffer)) + buffer++; + if (buffer[0] == '#') + continue; + int l = strlen(buffer) - 1; + if (l <= 0) + continue; + buffer[l] = 0; + if (local_app == NULL) { + current_size = len; + local_app = malloc(current_size); + local_service_name = malloc(current_size); + } + else { + if (current_size < len) { + current_size = len; + local_app = (char *)realloc(local_app, current_size); + local_service_name = (char *)realloc(local_service_name, current_size); + } + } + + local_app[0] = 0; + local_service_name[0] = 0; + /* + Split the buffer into the application and service names + */ + sscanf(buffer, "%s %s", local_app, local_service_name); + if (strlen(local_app) > 0) { + app = (char*) malloc( strlen(local_app)+1 ); + strcpy(app, local_app); + /* + Check for a service name + */ + if (strlen(local_service_name) > 0) { + service = (char*) malloc( strlen(local_service_name)+1 ); + strcpy(service, local_service_name); + /* + Save the mapping to the hashtable. + */ + ret = hashtab_insert(app_service_names, + app, + service); + } + else { + /* + No service name specified for app. + */ + free(app); + } + } + } + free(line_buf); + if (local_app == NULL) { + free(local_app); + } + if (local_service_name == NULL) { + free(local_service_name); + } +} + +/* + Read config file ignoring comment lines. + Files specified one per line executable with a corresponding + pam service name. +*/ + +static void read_config() +{ + char *config_file_path = "/etc/selinux/newrole.conf"; + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); + FILE *cfg = NULL; + cfg = fopen(config_file_path, "r"); + if (!cfg) + return; + process_config(cfg); + fclose(cfg); +} + +static void free_hashtab(hashtab_t req) +{ + unsigned int i; + hashtab_ptr_t cur; + + for (i = 0; i < req->size; i++) { + cur = req->htable[i]; + while (cur != NULL) { + free(cur->datum); + free(cur->key); + cur = cur->next; + } + } + hashtab_destroy(req); +} + /************************************************************************ * * All code used for both PAM and shadow passwd goes in this section. @@ -1001,6 +1140,8 @@ return -1; } + read_config(); + ttyn = ttyname(0); if (!ttyn || *ttyn == '\0') { fprintf(stderr, @@ -1025,7 +1166,27 @@ printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + /* + Are we being asked to execute a process in a new context? + */ + if (optind < argc) { + /* + Get the executable from the command line. + */ + char *cmd = (char *)malloc(strlen(argv[optind+1])); + sscanf(argv[optind+1], "%s", cmd); + /* + See if there is a pam configuration specific to the executable. + */ + char* app_service_name = + (char *) hashtab_search(app_service_names, cmd); + if (app_service_name != NULL) { + service_name = app_service_name; + } + free(cmd); + } + + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, &pam_handle); if (pam_status != PAM_SUCCESS) { fprintf(stderr, _("failed to initialize PAM\n")); @@ -1114,6 +1275,7 @@ pam_strerror(pam_handle, rc)); exit_code = -1; } + free_hashtab(app_service_names); #endif free(pw.pw_name); free(pw.pw_dir); --- policycoreutils-1.33.12/newrole/Makefile 2007-01-11 13:01:39.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/Makefile 2007-04-30 14:59:00.000000000 -0500 @@ -22,7 +22,7 @@ CFLAGS ?= -Werror -Wall -W override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" -LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib +LDLIBS += $(LIBDIR)/libsepol.a -lselinux -lsepol -L$(PREFIX)/lib ifeq (${PAMH}, /usr/include/security/pam_appl.h) override CFLAGS += -DUSE_PAM LDLIBS += -lpam -lpam_misc ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-02 15:49 ` Xavier Toth @ 2007-05-02 16:57 ` Stephen Smalley 2007-05-02 21:42 ` Xavier Toth 2007-05-03 13:11 ` Xavier Toth 0 siblings, 2 replies; 22+ messages in thread From: Stephen Smalley @ 2007-05-02 16:57 UTC (permalink / raw) To: Xavier Toth; +Cc: selinux On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > Stephen. > I'd appreciate you reviewing this proposed patch. > > Ted A few initial comments after a quick look (not a full review yet) --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-02 10:45:14.000000000 -0500 +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-02 10:45:05.000000000 -0500 @@ -54,6 +54,7 @@ #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ +#include <ctype.h> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ #include <sys/wait.h> /* for wait() */ #include <getopt.h> /* for getopt_long() form of getopt() */ @@ -85,6 +86,8 @@ #define PACKAGE "policycoreutils" /* the name of this package lang translation */ #endif +#include <sepol/policydb/hashtab.h> We don't want newrole to link with the static libsepol, so if you want to use the libsepol hashtab (and symtab) support, copy it into the newrole directory. +static void process_config(FILE * cfg) +{ + char *line_buf = NULL; + size_t len = 0; + size_t current_size = 0; + char *app = NULL; + char *service = NULL; + int ret; + char *local_app = NULL; + char *local_service_name = NULL; + + while (getline(&line_buf, &len, cfg) > 0) { + char *buffer = line_buf; + while (isspace(*buffer)) + buffer++; + if (buffer[0] == '#') + continue; + int l = strlen(buffer) - 1; + if (l <= 0) + continue; + buffer[l] = 0; + if (local_app == NULL) { + current_size = len; + local_app = malloc(current_size); + local_service_name = malloc(current_size); General comment: Always check for failure on function calls, and handle errors. + sscanf(buffer, "%s %s", local_app, local_service_name); You could just strtok() the buffer or similar to avoid making copies. Or if you need a copy, you can use the %as format to have glibc allocate the memory for you automatically. +/* + Read config file ignoring comment lines. + Files specified one per line executable with a corresponding + pam service name. +*/ + +static void read_config() +{ + char *config_file_path = "/etc/selinux/newrole.conf"; + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); Check for failure. +static void free_hashtab(hashtab_t req) +{ + unsigned int i; + hashtab_ptr_t cur; + + for (i = 0; i < req->size; i++) { + cur = req->htable[i]; + while (cur != NULL) { + free(cur->datum); + free(cur->key); + cur = cur->next; + } + } + hashtab_destroy(req); +} Breaks the "abstraction". Normally this would be done as a hashtab_map() to free the keys and datum followed by a hashtab_destroy() to free the table. Or if you want a unified form, you could do something like hashtab_map_remove_on_error() except always doing the removal, but put it in your copy of the hashtab code. @@ -1025,7 +1166,27 @@ printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + /* + Are we being asked to execute a process in a new context? + */ + if (optind < argc) { + /* + Get the executable from the command line. + */ + char *cmd = (char *)malloc(strlen(argv[optind+1])); argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. + sscanf(argv[optind+1], "%s", cmd); Pointless, argument vector has already been parsed by the shell. Just use argv[optind] directly, no copy required. + /* + See if there is a pam configuration specific to the executable. + */ + char* app_service_name = + (char *) hashtab_search(app_service_names, cmd); I think you want to qualify these with a prefix so that if <app> also uses pam, then there is no ambiguity between the pam configuration for the <app> itself vs. the pam configuration used by newrole when launching the <app>. e.g. prefix them with "newrole_". -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-02 16:57 ` Stephen Smalley @ 2007-05-02 21:42 ` Xavier Toth 2007-05-03 12:35 ` Stephen Smalley 2007-05-03 13:11 ` Xavier Toth 1 sibling, 1 reply; 22+ messages in thread From: Xavier Toth @ 2007-05-02 21:42 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > > Stephen. > > I'd appreciate you reviewing this proposed patch. > > > > Ted > > A few initial comments after a quick look (not a full review yet) > > --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-02 10:45:14.000000000 -0500 > +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-02 10:45:05.000000000 -0500 > @@ -54,6 +54,7 @@ > #include <stdio.h> > #include <stdlib.h> /* for malloc(), realloc(), free() */ > #include <pwd.h> /* for getpwuid() */ > +#include <ctype.h> > #include <sys/types.h> /* to make getuid() and getpwuid() happy */ > #include <sys/wait.h> /* for wait() */ > #include <getopt.h> /* for getopt_long() form of getopt() */ > @@ -85,6 +86,8 @@ > #define PACKAGE "policycoreutils" /* the name of this package lang translation */ > #endif > > +#include <sepol/policydb/hashtab.h> > > We don't want newrole to link with the static libsepol, so if you want > to use the libsepol hashtab (and symtab) support, copy it into the > newrole directory. > > +static void process_config(FILE * cfg) > +{ > + char *line_buf = NULL; > + size_t len = 0; > + size_t current_size = 0; > + char *app = NULL; > + char *service = NULL; > + int ret; > + char *local_app = NULL; > + char *local_service_name = NULL; > + > + while (getline(&line_buf, &len, cfg) > 0) { > + char *buffer = line_buf; > + while (isspace(*buffer)) > + buffer++; > + if (buffer[0] == '#') > + continue; > + int l = strlen(buffer) - 1; > + if (l <= 0) > + continue; > + buffer[l] = 0; > + if (local_app == NULL) { > + current_size = len; > + local_app = malloc(current_size); > + local_service_name = malloc(current_size); > > General comment: Always check for failure on function calls, and handle errors. > > + sscanf(buffer, "%s %s", local_app, local_service_name); > > You could just strtok() the buffer or similar to avoid making copies. > Or if you need a copy, you can use the %as format to have glibc allocate the memory > for you automatically. > > +/* > + Read config file ignoring comment lines. > + Files specified one per line executable with a corresponding > + pam service name. > +*/ > + > +static void read_config() > +{ > + char *config_file_path = "/etc/selinux/newrole.conf"; > + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); > > Check for failure. > > +static void free_hashtab(hashtab_t req) > +{ > + unsigned int i; > + hashtab_ptr_t cur; > + > + for (i = 0; i < req->size; i++) { > + cur = req->htable[i]; > + while (cur != NULL) { > + free(cur->datum); > + free(cur->key); > + cur = cur->next; > + } > + } > + hashtab_destroy(req); > +} > > Breaks the "abstraction". Normally this would be done as a > hashtab_map() to free the keys and datum followed by a hashtab_destroy() > to free the table. Or if you want a unified form, you could do > something like hashtab_map_remove_on_error() except always doing the > removal, but put it in your copy of the hashtab code. > > @@ -1025,7 +1166,27 @@ > > printf(_("Authenticating %s.\n"), pw.pw_name); > #ifdef USE_PAM > - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, > + /* > + Are we being asked to execute a process in a new context? > + */ > + if (optind < argc) { > + /* > + Get the executable from the command line. > + */ > + char *cmd = (char *)malloc(strlen(argv[optind+1])); > > argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. > > + sscanf(argv[optind+1], "%s", cmd); > > Pointless, argument vector has already been parsed by the shell. > Just use argv[optind] directly, no copy required. > > + /* > + See if there is a pam configuration specific to the executable. > + */ > + char* app_service_name = > + (char *) hashtab_search(app_service_names, cmd); > > I think you want to qualify these with a prefix so that if <app> also > uses pam, then there is no ambiguity between the pam configuration for > the <app> itself vs. the pam configuration used by newrole when > launching the <app>. e.g. prefix them with "newrole_". Are you talking about something more than a convention? Like the code enforcing this somehow? > > -- > Stephen Smalley > National Security Agency > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-02 21:42 ` Xavier Toth @ 2007-05-03 12:35 ` Stephen Smalley 0 siblings, 0 replies; 22+ messages in thread From: Stephen Smalley @ 2007-05-03 12:35 UTC (permalink / raw) To: Xavier Toth; +Cc: selinux On Wed, 2007-05-02 at 16:42 -0500, Xavier Toth wrote: > On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > > > Stephen. > > > I'd appreciate you reviewing this proposed patch. > > > > > > Ted > > > > A few initial comments after a quick look (not a full review yet) > > > > --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-02 10:45:14.000000000 -0500 > > +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-02 10:45:05.000000000 -0500 > > @@ -54,6 +54,7 @@ > > #include <stdio.h> > > #include <stdlib.h> /* for malloc(), realloc(), free() */ > > #include <pwd.h> /* for getpwuid() */ > > +#include <ctype.h> > > #include <sys/types.h> /* to make getuid() and getpwuid() happy */ > > #include <sys/wait.h> /* for wait() */ > > #include <getopt.h> /* for getopt_long() form of getopt() */ > > @@ -85,6 +86,8 @@ > > #define PACKAGE "policycoreutils" /* the name of this package lang translation */ > > #endif > > > > +#include <sepol/policydb/hashtab.h> > > > > We don't want newrole to link with the static libsepol, so if you want > > to use the libsepol hashtab (and symtab) support, copy it into the > > newrole directory. > > > > +static void process_config(FILE * cfg) > > +{ > > + char *line_buf = NULL; > > + size_t len = 0; > > + size_t current_size = 0; > > + char *app = NULL; > > + char *service = NULL; > > + int ret; > > + char *local_app = NULL; > > + char *local_service_name = NULL; > > + > > + while (getline(&line_buf, &len, cfg) > 0) { > > + char *buffer = line_buf; > > + while (isspace(*buffer)) > > + buffer++; > > + if (buffer[0] == '#') > > + continue; > > + int l = strlen(buffer) - 1; > > + if (l <= 0) > > + continue; > > + buffer[l] = 0; > > + if (local_app == NULL) { > > + current_size = len; > > + local_app = malloc(current_size); > > + local_service_name = malloc(current_size); > > > > General comment: Always check for failure on function calls, and handle errors. > > > > + sscanf(buffer, "%s %s", local_app, local_service_name); > > > > You could just strtok() the buffer or similar to avoid making copies. > > Or if you need a copy, you can use the %as format to have glibc allocate the memory > > for you automatically. > > > > +/* > > + Read config file ignoring comment lines. > > + Files specified one per line executable with a corresponding > > + pam service name. > > +*/ > > + > > +static void read_config() > > +{ > > + char *config_file_path = "/etc/selinux/newrole.conf"; > > + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); > > > > Check for failure. > > > > +static void free_hashtab(hashtab_t req) > > +{ > > + unsigned int i; > > + hashtab_ptr_t cur; > > + > > + for (i = 0; i < req->size; i++) { > > + cur = req->htable[i]; > > + while (cur != NULL) { > > + free(cur->datum); > > + free(cur->key); > > + cur = cur->next; > > + } > > + } > > + hashtab_destroy(req); > > +} > > > > Breaks the "abstraction". Normally this would be done as a > > hashtab_map() to free the keys and datum followed by a hashtab_destroy() > > to free the table. Or if you want a unified form, you could do > > something like hashtab_map_remove_on_error() except always doing the > > removal, but put it in your copy of the hashtab code. > > > > @@ -1025,7 +1166,27 @@ > > > > printf(_("Authenticating %s.\n"), pw.pw_name); > > #ifdef USE_PAM > > - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, > > + /* > > + Are we being asked to execute a process in a new context? > > + */ > > + if (optind < argc) { > > + /* > > + Get the executable from the command line. > > + */ > > + char *cmd = (char *)malloc(strlen(argv[optind+1])); > > > > argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. > > > > + sscanf(argv[optind+1], "%s", cmd); > > > > Pointless, argument vector has already been parsed by the shell. > > Just use argv[optind] directly, no copy required. > > > > + /* > > + See if there is a pam configuration specific to the executable. > > + */ > > + char* app_service_name = > > + (char *) hashtab_search(app_service_names, cmd); > > > > I think you want to qualify these with a prefix so that if <app> also > > uses pam, then there is no ambiguity between the pam configuration for > > the <app> itself vs. the pam configuration used by newrole when > > launching the <app>. e.g. prefix them with "newrole_". > > Are you talking about something more than a convention? Like the code > enforcing this somehow? Since you are putting the service names into a config file, it can just be a convention, but it is important to note. Otherwise, someone might just use the application name as the pam service name, which could lead to problems if the application already has a pam config of its own. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-02 16:57 ` Stephen Smalley 2007-05-02 21:42 ` Xavier Toth @ 2007-05-03 13:11 ` Xavier Toth 2007-05-03 13:40 ` Stephen Smalley 2007-05-03 13:49 ` Stephen Smalley 1 sibling, 2 replies; 22+ messages in thread From: Xavier Toth @ 2007-05-03 13:11 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux [-- Attachment #1: Type: text/plain, Size: 4945 bytes --] On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > > Stephen. > > I'd appreciate you reviewing this proposed patch. > > > > Ted > > A few initial comments after a quick look (not a full review yet) > > --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-02 10:45:14.000000000 -0500 > +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-02 10:45:05.000000000 -0500 > @@ -54,6 +54,7 @@ > #include <stdio.h> > #include <stdlib.h> /* for malloc(), realloc(), free() */ > #include <pwd.h> /* for getpwuid() */ > +#include <ctype.h> > #include <sys/types.h> /* to make getuid() and getpwuid() happy */ > #include <sys/wait.h> /* for wait() */ > #include <getopt.h> /* for getopt_long() form of getopt() */ > @@ -85,6 +86,8 @@ > #define PACKAGE "policycoreutils" /* the name of this package lang translation */ > #endif > > +#include <sepol/policydb/hashtab.h> > > We don't want newrole to link with the static libsepol, so if you want > to use the libsepol hashtab (and symtab) support, copy it into the > newrole directory. > I'd prefer it if this was in a shared library. > +static void process_config(FILE * cfg) > +{ > + char *line_buf = NULL; > + size_t len = 0; > + size_t current_size = 0; > + char *app = NULL; > + char *service = NULL; > + int ret; > + char *local_app = NULL; > + char *local_service_name = NULL; > + > + while (getline(&line_buf, &len, cfg) > 0) { > + char *buffer = line_buf; > + while (isspace(*buffer)) > + buffer++; > + if (buffer[0] == '#') > + continue; > + int l = strlen(buffer) - 1; > + if (l <= 0) > + continue; > + buffer[l] = 0; > + if (local_app == NULL) { > + current_size = len; > + local_app = malloc(current_size); > + local_service_name = malloc(current_size); > > General comment: Always check for failure on function calls, and handle errors. > > + sscanf(buffer, "%s %s", local_app, local_service_name); > > You could just strtok() the buffer or similar to avoid making copies. > Or if you need a copy, you can use the %as format to have glibc allocate the memory > for you automatically. > > +/* > + Read config file ignoring comment lines. > + Files specified one per line executable with a corresponding > + pam service name. > +*/ > + > +static void read_config() > +{ > + char *config_file_path = "/etc/selinux/newrole.conf"; > + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); > > Check for failure. > > +static void free_hashtab(hashtab_t req) > +{ > + unsigned int i; > + hashtab_ptr_t cur; > + > + for (i = 0; i < req->size; i++) { > + cur = req->htable[i]; > + while (cur != NULL) { > + free(cur->datum); > + free(cur->key); > + cur = cur->next; > + } > + } > + hashtab_destroy(req); > +} > > Breaks the "abstraction". Normally this would be done as a > hashtab_map() to free the keys and datum followed by a hashtab_destroy() > to free the table. Or if you want a unified form, you could do > something like hashtab_map_remove_on_error() except always doing the > removal, but put it in your copy of the hashtab code. > Hmmm, I pretty much copied this code from semodule_deps.c > @@ -1025,7 +1166,27 @@ > > printf(_("Authenticating %s.\n"), pw.pw_name); > #ifdef USE_PAM > - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, > + /* > + Are we being asked to execute a process in a new context? > + */ > + if (optind < argc) { > + /* > + Get the executable from the command line. > + */ > + char *cmd = (char *)malloc(strlen(argv[optind+1])); > > argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. > > + sscanf(argv[optind+1], "%s", cmd); > > Pointless, argument vector has already been parsed by the shell. > Just use argv[optind] directly, no copy required. > Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"' agrv[optind] is '-c' argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory' > + /* > + See if there is a pam configuration specific to the executable. > + */ > + char* app_service_name = > + (char *) hashtab_search(app_service_names, cmd); > > I think you want to qualify these with a prefix so that if <app> also > uses pam, then there is no ambiguity between the pam configuration for > the <app> itself vs. the pam configuration used by newrole when > launching the <app>. e.g. prefix them with "newrole_". > > -- > Stephen Smalley > National Security Agency > > [-- Attachment #2: policycoreutils-service-name.patch --] [-- Type: text/x-patch, Size: 16080 bytes --] --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-03 08:03:44.000000000 -0500 +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-03 08:03:27.000000000 -0500 @@ -54,6 +54,7 @@ #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ +#include <ctype.h> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ #include <sys/wait.h> /* for wait() */ #include <getopt.h> /* for getopt_long() form of getopt() */ @@ -85,6 +86,8 @@ #define PACKAGE "policycoreutils" /* the name of this package lang translation */ #endif +#include "hashtab.h" + /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" @@ -155,7 +158,7 @@ #include <security/pam_appl.h> /* for PAM functions */ #include <security/pam_misc.h> /* for misc_conv PAM utility function */ -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ +char *service_name = "newrole"; /* authenticate_via_pam() * @@ -921,6 +924,110 @@ return 0; } +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, void *args) +{ + free(key); + free(d); + return 0; +} + +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) +{ + char *p, *keyp; + size_t size; + unsigned int val; + + val = 0; + keyp = (char *)key; + size = strlen(keyp); + for (p = keyp; ((size_t) (p - keyp)) < size; p++) + val = + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); + return val & (h->size - 1); +} + +static int reqsymcmp(hashtab_t h + __attribute__ ((unused)), hashtab_key_t key1, + hashtab_key_t key2) +{ + char *keyp1, *keyp2; + + keyp1 = (char *)key1; + keyp2 = (char *)key2; + return strcmp(keyp1, keyp2); +} + +static hashtab_t app_service_names = NULL; + +static void process_config(FILE * cfg) +{ + char *line_buf = NULL; + size_t len = 0; + char *app = NULL; + char *service = NULL; + int ret; + + while (getline(&line_buf, &len, cfg) > 0) { + char *buffer = line_buf; + while (isspace(*buffer)) + buffer++; + if (buffer[0] == '#') + continue; + int l = strlen(buffer) - 1; + if (l <= 0) + continue; + buffer[l] = 0; + + /* + Split the buffer into the application and service names + */ + ret = sscanf(buffer, "%as %as", &app, &service); + if (ret != EOF && app!= NULL && strlen(app) > 0) { + /* + Check for a service name + */ + if (service != NULL && strlen(service) > 0) { + /* + Save the mapping to the hashtable. + */ + ret = hashtab_insert(app_service_names, + app, + service); + if (ret == HASHTAB_OVERFLOW) { + fprintf(stderr, _("newrole: service name configuration hashtable overflow\n")); + goto err_free; + } + } + else + /* + No service name specified for app. + */ + free(app); + } + } +err_free: + free(line_buf); +} + +/* + Read config file ignoring comment lines. + Files specified one per line executable with a corresponding + pam service name. +*/ + +static void read_config() +{ + char *config_file_path = "/etc/selinux/newrole.conf"; + FILE *cfg = NULL; + cfg = fopen(config_file_path, "r"); + if (!cfg) + return; + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); + if (app_service_names) + process_config(cfg); + fclose(cfg); +} + /************************************************************************ * * All code used for both PAM and shadow passwd goes in this section. @@ -1001,6 +1108,8 @@ return -1; } + read_config(); + ttyn = ttyname(0); if (!ttyn || *ttyn == '\0') { fprintf(stderr, @@ -1025,7 +1134,25 @@ printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + /* + Are we being asked to execute a process in a new context? + */ + if (app_service_names != NULL && optind < argc) { + /* + See if there is a pam configuration specific to the executable. + */ + char *cmd = strtok(argv[optind+1], " \t"); + if (cmd != NULL) { + char* app_service_name = + (char *) hashtab_search(app_service_names, cmd); + + if (app_service_name != NULL) { + service_name = app_service_name; + } + } + } + + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, &pam_handle); if (pam_status != PAM_SUCCESS) { fprintf(stderr, _("failed to initialize PAM\n")); @@ -1114,6 +1241,8 @@ pam_strerror(pam_handle, rc)); exit_code = -1; } + hashtab_map(app_service_names, free_hashtab_entry, NULL); + hashtab_destroy(app_service_names); #endif free(pw.pw_name); free(pw.pw_dir); --- policycoreutils-1.33.12/newrole/hashtab.c 1969-12-31 18:00:00.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/hashtab.c 2007-05-02 15:33:11.000000000 -0500 @@ -0,0 +1,292 @@ + +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ + +/* FLASK */ + +/* + * Implementation of the hash table type. + */ + +#include <stdlib.h> +#include <string.h> +#include "hashtab.h" + +hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const hashtab_key_t key), + int (*keycmp) (hashtab_t h, + const hashtab_key_t key1, + const hashtab_key_t key2), + unsigned int size) +{ + + hashtab_t p; + unsigned int i; + + p = (hashtab_t) malloc(sizeof(hashtab_val_t)); + if (p == NULL) + return p; + + memset(p, 0, sizeof(hashtab_val_t)); + p->size = size; + p->nel = 0; + p->hash_value = hash_value; + p->keycmp = keycmp; + p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size); + if (p->htable == NULL) { + free(p); + return NULL; + } + for (i = 0; i < size; i++) + p->htable[i] = (hashtab_ptr_t) NULL; + + return p; +} + +int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum) +{ + int hvalue; + hashtab_ptr_t prev, cur, newnode; + + if (!h) + return HASHTAB_OVERFLOW; + + hvalue = h->hash_value(h, key); + prev = NULL; + cur = h->htable[hvalue]; + while (cur && h->keycmp(h, key, cur->key) > 0) { + prev = cur; + cur = cur->next; + } + + if (cur && (h->keycmp(h, key, cur->key) == 0)) + return HASHTAB_PRESENT; + + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); + if (newnode == NULL) + return HASHTAB_OVERFLOW; + memset(newnode, 0, sizeof(struct hashtab_node)); + newnode->key = key; + newnode->datum = datum; + if (prev) { + newnode->next = prev->next; + prev->next = newnode; + } else { + newnode->next = h->htable[hvalue]; + h->htable[hvalue] = newnode; + } + + h->nel++; + return HASHTAB_SUCCESS; +} + +int hashtab_remove(hashtab_t h, hashtab_key_t key, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + int hvalue; + hashtab_ptr_t cur, last; + + if (!h) + return HASHTAB_MISSING; + + hvalue = h->hash_value(h, key); + last = NULL; + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { + last = cur; + cur = cur->next; + } + + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + return HASHTAB_MISSING; + + if (last == NULL) + h->htable[hvalue] = cur->next; + else + last->next = cur->next; + + if (destroy) + destroy(cur->key, cur->datum, args); + free(cur); + h->nel--; + return HASHTAB_SUCCESS; +} + +int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + int hvalue; + hashtab_ptr_t prev, cur, newnode; + + if (!h) + return HASHTAB_OVERFLOW; + + hvalue = h->hash_value(h, key); + prev = NULL; + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { + prev = cur; + cur = cur->next; + } + + if (cur && (h->keycmp(h, key, cur->key) == 0)) { + if (destroy) + destroy(cur->key, cur->datum, args); + cur->key = key; + cur->datum = datum; + } else { + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); + if (newnode == NULL) + return HASHTAB_OVERFLOW; + memset(newnode, 0, sizeof(struct hashtab_node)); + newnode->key = key; + newnode->datum = datum; + if (prev) { + newnode->next = prev->next; + prev->next = newnode; + } else { + newnode->next = h->htable[hvalue]; + h->htable[hvalue] = newnode; + } + } + + return HASHTAB_SUCCESS; +} + +hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key) +{ + + int hvalue; + hashtab_ptr_t cur; + + if (!h) + return NULL; + + hvalue = h->hash_value(h, key); + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) + cur = cur->next; + + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + return NULL; + + return cur->datum; +} + +void hashtab_destroy(hashtab_t h) +{ + unsigned int i; + hashtab_ptr_t cur, temp; + + if (!h) + return; + + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + while (cur != NULL) { + temp = cur; + cur = cur->next; + free(temp); + } + h->htable[i] = NULL; + } + + free(h->htable); + h->htable = NULL; + + free(h); +} + +int hashtab_map(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + unsigned int i, ret; + hashtab_ptr_t cur; + + if (!h) + return HASHTAB_SUCCESS; + + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + while (cur != NULL) { + ret = apply(cur->key, cur->datum, args); + if (ret) + return ret; + cur = cur->next; + } + } + return HASHTAB_SUCCESS; +} + +void hashtab_map_remove_on_error(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args) +{ + unsigned int i; + int ret; + hashtab_ptr_t last, cur, temp; + + if (!h) + return; + + for (i = 0; i < h->size; i++) { + last = NULL; + cur = h->htable[i]; + while (cur != NULL) { + ret = apply(cur->key, cur->datum, args); + if (ret) { + if (last) { + last->next = cur->next; + } else { + h->htable[i] = cur->next; + } + + temp = cur; + cur = cur->next; + if (destroy) + destroy(temp->key, temp->datum, args); + free(temp); + h->nel--; + } else { + last = cur; + cur = cur->next; + } + } + } + + return; +} + +void hashtab_hash_eval(hashtab_t h, char *tag) +{ + unsigned int i; + int chain_len, slots_used, max_chain_len; + hashtab_ptr_t cur; + + slots_used = 0; + max_chain_len = 0; + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + if (cur) { + slots_used++; + chain_len = 0; + while (cur) { + chain_len++; + cur = cur->next; + } + + if (chain_len > max_chain_len) + max_chain_len = chain_len; + } + } + + printf + ("%s: %d entries and %d/%d buckets used, longest chain length %d\n", + tag, h->nel, slots_used, h->size, max_chain_len); +} --- policycoreutils-1.33.12/newrole/hashtab.h 1969-12-31 18:00:00.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/hashtab.h 2007-05-02 15:25:46.000000000 -0500 @@ -0,0 +1,142 @@ + +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ + +/* FLASK */ + +/* + * A hash table (hashtab) maintains associations between + * key values and datum values. The type of the key values + * and the type of the datum values is arbitrary. The + * functions for hash computation and key comparison are + * provided by the creator of the table. + */ + +#ifndef _NEWROLE_HASHTAB_H_ +#define _NEWROLE_HASHTAB_H_ + +#include <stdint.h> +#include <errno.h> +#include <stdio.h> + +typedef char *hashtab_key_t; /* generic key type */ +typedef void *hashtab_datum_t; /* generic datum type */ + +typedef struct hashtab_node *hashtab_ptr_t; + +typedef struct hashtab_node { + hashtab_key_t key; + hashtab_datum_t datum; + hashtab_ptr_t next; +} hashtab_node_t; + +typedef struct hashtab_val { + hashtab_ptr_t *htable; /* hash table */ + unsigned int size; /* number of slots in hash table */ + uint32_t nel; /* number of elements in hash table */ + unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key); /* hash function */ + int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2); /* key comparison function */ +} hashtab_val_t; + +typedef hashtab_val_t *hashtab_t; + +/* Define status codes for hash table functions */ +#define HASHTAB_SUCCESS 0 +#define HASHTAB_OVERFLOW -ENOMEM +#define HASHTAB_PRESENT -EEXIST +#define HASHTAB_MISSING -ENOENT + +/* + Creates a new hash table with the specified characteristics. + + Returns NULL if insufficent space is available or + the new hash table otherwise. + */ +extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const hashtab_key_t + key), + int (*keycmp) (hashtab_t h, + const hashtab_key_t key1, + const hashtab_key_t key2), + unsigned int size); +/* + Inserts the specified (key, datum) pair into the specified hash table. + + Returns HASHTAB_OVERFLOW if insufficient space is available or + HASHTAB_PRESENT if there is already an entry with the same key or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d); + +/* + Removes the entry with the specified key from the hash table. + Applies the specified destroy function to (key,datum,args) for + the entry. + + Returns HASHTAB_MISSING if no entry has the specified key or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_remove(hashtab_t h, hashtab_key_t k, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Insert or replace the specified (key, datum) pair in the specified + hash table. If an entry for the specified key already exists, + then the specified destroy function is applied to (key,datum,args) + for the entry prior to replacing the entry's contents. + + Returns HASHTAB_OVERFLOW if insufficient space is available or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Searches for the entry with the specified key in the hash table. + + Returns NULL if no entry has the specified key or + the datum of the entry otherwise. + */ +extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k); + +/* + Destroys the specified hash table. + */ +extern void hashtab_destroy(hashtab_t h); + +/* + Applies the specified apply function to (key,datum,args) + for each entry in the specified hash table. + + The order in which the function is applied to the entries + is dependent upon the internal structure of the hash table. + + If apply returns a non-zero status, then hashtab_map will cease + iterating through the hash table and will propagate the error + return to its caller. + */ +extern int hashtab_map(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Same as hashtab_map, except that if apply returns a non-zero status, + then the (key,datum) pair will be removed from the hashtab and the + destroy function will be applied to (key,datum,args). + */ +extern void hashtab_map_remove_on_error(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void *args); + +extern void hashtab_hash_eval(hashtab_t h, char *tag); + +#endif --- policycoreutils-1.33.12/newrole/Makefile 2007-01-11 13:01:39.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/Makefile 2007-05-02 15:47:30.000000000 -0500 @@ -53,9 +53,10 @@ MODE := 0555 endif -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +all: newrole -all: $(TARGETS) +newrole: newrole.o hashtab.o + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all test -d $(BINDIR) || install -m 755 -d $(BINDIR) ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 13:11 ` Xavier Toth @ 2007-05-03 13:40 ` Stephen Smalley 2007-05-03 13:51 ` Xavier Toth 2007-05-03 13:49 ` Stephen Smalley 1 sibling, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2007-05-03 13:40 UTC (permalink / raw) To: Xavier Toth; +Cc: selinux, Karl MacMillan, Joshua Brindle, Darrel Goeddel On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote: > On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > > +#include <sepol/policydb/hashtab.h> > > > > We don't want newrole to link with the static libsepol, so if you want > > to use the libsepol hashtab (and symtab) support, copy it into the > > newrole directory. > > > > I'd prefer it if this was in a shared library. It isn't adequately encapsulated for that. > > Breaks the "abstraction". Normally this would be done as a > > hashtab_map() to free the keys and datum followed by a hashtab_destroy() > > to free the table. Or if you want a unified form, you could do > > something like hashtab_map_remove_on_error() except always doing the > > removal, but put it in your copy of the hashtab code. > > > > Hmmm, I pretty much copied this code from semodule_deps.c ...which does require static libsepol and is a developer tool rather than a production system tool. > > + char *cmd = (char *)malloc(strlen(argv[optind+1])); > > > > argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. > > > > + sscanf(argv[optind+1], "%s", cmd); > > > > Pointless, argument vector has already been parsed by the shell. > > Just use argv[optind] directly, no copy required. > > > > Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"' > agrv[optind] is '-c' > argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory' I see, although you aren't explicitly checking that a "-c" was specified, so it seems prone to error. That form of usage seems unpleasant, but it is consistent with su. Might be nice if newrole would just directly invoke the command if specified, but that could cause problems with domain transitions. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 13:40 ` Stephen Smalley @ 2007-05-03 13:51 ` Xavier Toth 0 siblings, 0 replies; 22+ messages in thread From: Xavier Toth @ 2007-05-03 13:51 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux, Karl MacMillan, Joshua Brindle, Darrel Goeddel [-- Attachment #1: Type: text/plain, Size: 2027 bytes --] On 5/3/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote: > > On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote: > > > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote: > > > +#include <sepol/policydb/hashtab.h> > > > > > > We don't want newrole to link with the static libsepol, so if you want > > > to use the libsepol hashtab (and symtab) support, copy it into the > > > newrole directory. > > > > > > > I'd prefer it if this was in a shared library. > > It isn't adequately encapsulated for that. > > > > Breaks the "abstraction". Normally this would be done as a > > > hashtab_map() to free the keys and datum followed by a hashtab_destroy() > > > to free the table. Or if you want a unified form, you could do > > > something like hashtab_map_remove_on_error() except always doing the > > > removal, but put it in your copy of the hashtab code. > > > > > > > Hmmm, I pretty much copied this code from semodule_deps.c > > ...which does require static libsepol and is a developer tool rather > than a production system tool. > > > > + char *cmd = (char *)malloc(strlen(argv[optind+1])); > > > > > > argv[optind+1] or argv[optind]? And you'd need to add 1 to the length (not optind) for terminating NUL. > > > > > > + sscanf(argv[optind+1], "%s", cmd); > > > > > > Pointless, argument vector has already been parsed by the shell. > > > Just use argv[optind] directly, no copy required. > > > > > > > Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"' > > agrv[optind] is '-c' > > argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory' > > I see, although you aren't explicitly checking that a "-c" was > specified, so it seems prone to error. True > That form of usage seems > unpleasant, but it is consistent with su. Might be nice if newrole > would just directly invoke the command if specified, but that could > cause problems with domain transitions. > > -- > Stephen Smalley > National Security Agency > > [-- Attachment #2: policycoreutils-service-name.patch --] [-- Type: text/x-patch, Size: 16141 bytes --] --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-03 08:46:16.000000000 -0500 +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-03 08:46:03.000000000 -0500 @@ -54,6 +54,7 @@ #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ +#include <ctype.h> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ #include <sys/wait.h> /* for wait() */ #include <getopt.h> /* for getopt_long() form of getopt() */ @@ -85,6 +86,8 @@ #define PACKAGE "policycoreutils" /* the name of this package lang translation */ #endif +#include "hashtab.h" + /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" @@ -155,7 +158,7 @@ #include <security/pam_appl.h> /* for PAM functions */ #include <security/pam_misc.h> /* for misc_conv PAM utility function */ -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ +char *service_name = "newrole"; /* authenticate_via_pam() * @@ -921,6 +924,110 @@ return 0; } +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, void *args) +{ + free(key); + free(d); + return 0; +} + +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) +{ + char *p, *keyp; + size_t size; + unsigned int val; + + val = 0; + keyp = (char *)key; + size = strlen(keyp); + for (p = keyp; ((size_t) (p - keyp)) < size; p++) + val = + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); + return val & (h->size - 1); +} + +static int reqsymcmp(hashtab_t h + __attribute__ ((unused)), hashtab_key_t key1, + hashtab_key_t key2) +{ + char *keyp1, *keyp2; + + keyp1 = (char *)key1; + keyp2 = (char *)key2; + return strcmp(keyp1, keyp2); +} + +static hashtab_t app_service_names = NULL; + +static void process_config(FILE * cfg) +{ + char *line_buf = NULL; + size_t len = 0; + char *app = NULL; + char *service = NULL; + int ret; + + while (getline(&line_buf, &len, cfg) > 0) { + char *buffer = line_buf; + while (isspace(*buffer)) + buffer++; + if (buffer[0] == '#') + continue; + int l = strlen(buffer) - 1; + if (l <= 0) + continue; + buffer[l] = 0; + + /* + Split the buffer into the application and service names + */ + ret = sscanf(buffer, "%as %as", &app, &service); + if (ret != EOF && app!= NULL && strlen(app) > 0) { + /* + Check for a service name + */ + if (service != NULL && strlen(service) > 0) { + /* + Save the mapping to the hashtable. + */ + ret = hashtab_insert(app_service_names, + app, + service); + if (ret == HASHTAB_OVERFLOW) { + fprintf(stderr, _("newrole: service name configuration hashtable overflow\n")); + goto err_free; + } + } + else + /* + No service name specified for app. + */ + free(app); + } + } +err_free: + free(line_buf); +} + +/* + Read config file ignoring comment lines. + Files specified one per line executable with a corresponding + pam service name. +*/ + +static void read_config() +{ + char *config_file_path = "/etc/selinux/newrole.conf"; + FILE *cfg = NULL; + cfg = fopen(config_file_path, "r"); + if (!cfg) + return; + app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64); + if (app_service_names) + process_config(cfg); + fclose(cfg); +} + /************************************************************************ * * All code used for both PAM and shadow passwd goes in this section. @@ -1001,6 +1108,8 @@ return -1; } + read_config(); + ttyn = ttyname(0); if (!ttyn || *ttyn == '\0') { fprintf(stderr, @@ -1025,7 +1134,27 @@ printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + /* + Are we being asked to execute a process in a new context? + */ + if (app_service_names != NULL && optind < argc) { + if (strcmp(argv[optind], "-c") == 0) { + /* + See if there is a pam configuration specific to the executable. + */ + char *cmd = strtok(argv[optind+1], " \t"); + if (cmd != NULL) { + char* app_service_name = + (char *) hashtab_search(app_service_names, cmd); + + if (app_service_name != NULL) { + service_name = app_service_name; + } + } + } + } + + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, &pam_handle); if (pam_status != PAM_SUCCESS) { fprintf(stderr, _("failed to initialize PAM\n")); @@ -1114,6 +1243,8 @@ pam_strerror(pam_handle, rc)); exit_code = -1; } + hashtab_map(app_service_names, free_hashtab_entry, NULL); + hashtab_destroy(app_service_names); #endif free(pw.pw_name); free(pw.pw_dir); --- policycoreutils-1.33.12/newrole/hashtab.c 1969-12-31 18:00:00.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/hashtab.c 2007-05-02 15:33:11.000000000 -0500 @@ -0,0 +1,292 @@ + +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ + +/* FLASK */ + +/* + * Implementation of the hash table type. + */ + +#include <stdlib.h> +#include <string.h> +#include "hashtab.h" + +hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const hashtab_key_t key), + int (*keycmp) (hashtab_t h, + const hashtab_key_t key1, + const hashtab_key_t key2), + unsigned int size) +{ + + hashtab_t p; + unsigned int i; + + p = (hashtab_t) malloc(sizeof(hashtab_val_t)); + if (p == NULL) + return p; + + memset(p, 0, sizeof(hashtab_val_t)); + p->size = size; + p->nel = 0; + p->hash_value = hash_value; + p->keycmp = keycmp; + p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size); + if (p->htable == NULL) { + free(p); + return NULL; + } + for (i = 0; i < size; i++) + p->htable[i] = (hashtab_ptr_t) NULL; + + return p; +} + +int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum) +{ + int hvalue; + hashtab_ptr_t prev, cur, newnode; + + if (!h) + return HASHTAB_OVERFLOW; + + hvalue = h->hash_value(h, key); + prev = NULL; + cur = h->htable[hvalue]; + while (cur && h->keycmp(h, key, cur->key) > 0) { + prev = cur; + cur = cur->next; + } + + if (cur && (h->keycmp(h, key, cur->key) == 0)) + return HASHTAB_PRESENT; + + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); + if (newnode == NULL) + return HASHTAB_OVERFLOW; + memset(newnode, 0, sizeof(struct hashtab_node)); + newnode->key = key; + newnode->datum = datum; + if (prev) { + newnode->next = prev->next; + prev->next = newnode; + } else { + newnode->next = h->htable[hvalue]; + h->htable[hvalue] = newnode; + } + + h->nel++; + return HASHTAB_SUCCESS; +} + +int hashtab_remove(hashtab_t h, hashtab_key_t key, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + int hvalue; + hashtab_ptr_t cur, last; + + if (!h) + return HASHTAB_MISSING; + + hvalue = h->hash_value(h, key); + last = NULL; + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { + last = cur; + cur = cur->next; + } + + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + return HASHTAB_MISSING; + + if (last == NULL) + h->htable[hvalue] = cur->next; + else + last->next = cur->next; + + if (destroy) + destroy(cur->key, cur->datum, args); + free(cur); + h->nel--; + return HASHTAB_SUCCESS; +} + +int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + int hvalue; + hashtab_ptr_t prev, cur, newnode; + + if (!h) + return HASHTAB_OVERFLOW; + + hvalue = h->hash_value(h, key); + prev = NULL; + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { + prev = cur; + cur = cur->next; + } + + if (cur && (h->keycmp(h, key, cur->key) == 0)) { + if (destroy) + destroy(cur->key, cur->datum, args); + cur->key = key; + cur->datum = datum; + } else { + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); + if (newnode == NULL) + return HASHTAB_OVERFLOW; + memset(newnode, 0, sizeof(struct hashtab_node)); + newnode->key = key; + newnode->datum = datum; + if (prev) { + newnode->next = prev->next; + prev->next = newnode; + } else { + newnode->next = h->htable[hvalue]; + h->htable[hvalue] = newnode; + } + } + + return HASHTAB_SUCCESS; +} + +hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key) +{ + + int hvalue; + hashtab_ptr_t cur; + + if (!h) + return NULL; + + hvalue = h->hash_value(h, key); + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) + cur = cur->next; + + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + return NULL; + + return cur->datum; +} + +void hashtab_destroy(hashtab_t h) +{ + unsigned int i; + hashtab_ptr_t cur, temp; + + if (!h) + return; + + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + while (cur != NULL) { + temp = cur; + cur = cur->next; + free(temp); + } + h->htable[i] = NULL; + } + + free(h->htable); + h->htable = NULL; + + free(h); +} + +int hashtab_map(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + unsigned int i, ret; + hashtab_ptr_t cur; + + if (!h) + return HASHTAB_SUCCESS; + + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + while (cur != NULL) { + ret = apply(cur->key, cur->datum, args); + if (ret) + return ret; + cur = cur->next; + } + } + return HASHTAB_SUCCESS; +} + +void hashtab_map_remove_on_error(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args) +{ + unsigned int i; + int ret; + hashtab_ptr_t last, cur, temp; + + if (!h) + return; + + for (i = 0; i < h->size; i++) { + last = NULL; + cur = h->htable[i]; + while (cur != NULL) { + ret = apply(cur->key, cur->datum, args); + if (ret) { + if (last) { + last->next = cur->next; + } else { + h->htable[i] = cur->next; + } + + temp = cur; + cur = cur->next; + if (destroy) + destroy(temp->key, temp->datum, args); + free(temp); + h->nel--; + } else { + last = cur; + cur = cur->next; + } + } + } + + return; +} + +void hashtab_hash_eval(hashtab_t h, char *tag) +{ + unsigned int i; + int chain_len, slots_used, max_chain_len; + hashtab_ptr_t cur; + + slots_used = 0; + max_chain_len = 0; + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + if (cur) { + slots_used++; + chain_len = 0; + while (cur) { + chain_len++; + cur = cur->next; + } + + if (chain_len > max_chain_len) + max_chain_len = chain_len; + } + } + + printf + ("%s: %d entries and %d/%d buckets used, longest chain length %d\n", + tag, h->nel, slots_used, h->size, max_chain_len); +} --- policycoreutils-1.33.12/newrole/hashtab.h 1969-12-31 18:00:00.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/hashtab.h 2007-05-02 15:25:46.000000000 -0500 @@ -0,0 +1,142 @@ + +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ + +/* FLASK */ + +/* + * A hash table (hashtab) maintains associations between + * key values and datum values. The type of the key values + * and the type of the datum values is arbitrary. The + * functions for hash computation and key comparison are + * provided by the creator of the table. + */ + +#ifndef _NEWROLE_HASHTAB_H_ +#define _NEWROLE_HASHTAB_H_ + +#include <stdint.h> +#include <errno.h> +#include <stdio.h> + +typedef char *hashtab_key_t; /* generic key type */ +typedef void *hashtab_datum_t; /* generic datum type */ + +typedef struct hashtab_node *hashtab_ptr_t; + +typedef struct hashtab_node { + hashtab_key_t key; + hashtab_datum_t datum; + hashtab_ptr_t next; +} hashtab_node_t; + +typedef struct hashtab_val { + hashtab_ptr_t *htable; /* hash table */ + unsigned int size; /* number of slots in hash table */ + uint32_t nel; /* number of elements in hash table */ + unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key); /* hash function */ + int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2); /* key comparison function */ +} hashtab_val_t; + +typedef hashtab_val_t *hashtab_t; + +/* Define status codes for hash table functions */ +#define HASHTAB_SUCCESS 0 +#define HASHTAB_OVERFLOW -ENOMEM +#define HASHTAB_PRESENT -EEXIST +#define HASHTAB_MISSING -ENOENT + +/* + Creates a new hash table with the specified characteristics. + + Returns NULL if insufficent space is available or + the new hash table otherwise. + */ +extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const hashtab_key_t + key), + int (*keycmp) (hashtab_t h, + const hashtab_key_t key1, + const hashtab_key_t key2), + unsigned int size); +/* + Inserts the specified (key, datum) pair into the specified hash table. + + Returns HASHTAB_OVERFLOW if insufficient space is available or + HASHTAB_PRESENT if there is already an entry with the same key or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d); + +/* + Removes the entry with the specified key from the hash table. + Applies the specified destroy function to (key,datum,args) for + the entry. + + Returns HASHTAB_MISSING if no entry has the specified key or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_remove(hashtab_t h, hashtab_key_t k, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Insert or replace the specified (key, datum) pair in the specified + hash table. If an entry for the specified key already exists, + then the specified destroy function is applied to (key,datum,args) + for the entry prior to replacing the entry's contents. + + Returns HASHTAB_OVERFLOW if insufficient space is available or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Searches for the entry with the specified key in the hash table. + + Returns NULL if no entry has the specified key or + the datum of the entry otherwise. + */ +extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k); + +/* + Destroys the specified hash table. + */ +extern void hashtab_destroy(hashtab_t h); + +/* + Applies the specified apply function to (key,datum,args) + for each entry in the specified hash table. + + The order in which the function is applied to the entries + is dependent upon the internal structure of the hash table. + + If apply returns a non-zero status, then hashtab_map will cease + iterating through the hash table and will propagate the error + return to its caller. + */ +extern int hashtab_map(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Same as hashtab_map, except that if apply returns a non-zero status, + then the (key,datum) pair will be removed from the hashtab and the + destroy function will be applied to (key,datum,args). + */ +extern void hashtab_map_remove_on_error(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void *args); + +extern void hashtab_hash_eval(hashtab_t h, char *tag); + +#endif --- policycoreutils-1.33.12/newrole/Makefile 2007-01-11 13:01:39.000000000 -0600 +++ policycoreutils-1.33.12.new/newrole/Makefile 2007-05-02 15:47:30.000000000 -0500 @@ -53,9 +53,10 @@ MODE := 0555 endif -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +all: newrole -all: $(TARGETS) +newrole: newrole.o hashtab.o + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all test -d $(BINDIR) || install -m 755 -d $(BINDIR) ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 13:11 ` Xavier Toth 2007-05-03 13:40 ` Stephen Smalley @ 2007-05-03 13:49 ` Stephen Smalley 2007-05-03 19:18 ` Stephen Smalley 1 sibling, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2007-05-03 13:49 UTC (permalink / raw) To: Xavier Toth; +Cc: selinux On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote: --- policycoreutils-1.33.12/newrole/newrole.c 2007-05-03 08:03:44.000000000 -0500 +++ policycoreutils-1.33.12.new/newrole/newrole.c 2007-05-03 08:03:27.000000000 -0500 @@ -1025,7 +1134,25 @@ printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + /* + Are we being asked to execute a process in a new context? + */ + if (app_service_names != NULL && optind < argc) { + /* + See if there is a pam configuration specific to the executable. + */ + char *cmd = strtok(argv[optind+1], " \t"); Actually, here you don't want to use strtok() since it mutates the argument (inserting NUL separator), which will cause any subsequent arguments after the command to be effectively lost. Please update the man page as well to show the proper way to execute commands via newrole. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 13:49 ` Stephen Smalley @ 2007-05-03 19:18 ` Stephen Smalley 2007-05-03 21:09 ` Darrel Goeddel 2007-05-04 18:56 ` Ted X Toth 0 siblings, 2 replies; 22+ messages in thread From: Stephen Smalley @ 2007-05-03 19:18 UTC (permalink / raw) To: Xavier Toth; +Cc: selinux, Joshua Brindle, Karl MacMillan, Darrel Goeddel How about the revised patch below (only including the newrole.c and Makefile diffs since the hashtab code is unchanged)? The changes from your patch are: - Make sure everything is properly enabled/disabled by USE_PAM and move the code into the existing USE_PAM block where appropriate. - Call the config file newrole_pam.conf since there could be other newrole config files in the future. - Distinguish missing config file (ok) from errors during parsing of the config file (should abort). - Remove the Authenticating <username> message since it could be confusing in the case where you are using a pam config that doesn't require it and it doesn't really provide any benefit. - Improve error checking and handling. - Coding style cleanups (indentation, comment style, etc). To test, I created a /etc/pam.d/newrole-noauth config that had pam_permit.so for its auth module and created a /etc/selinux/newrole_pam.conf that mapped one program to newrole-noauth. The alternative model would be to eliminate /etc/selnux/newrole_pam.conf entirely from the equation, and just have newrole look for (test via access()) a /etc/pam.d/newrole_<appname> config and use newrole_<appname> as the service name if present. Index: policycoreutils/newrole/newrole.c =================================================================== --- policycoreutils/newrole/newrole.c (revision 2422) +++ policycoreutils/newrole/newrole.c (working copy) @@ -58,6 +58,7 @@ #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ +#include <ctype.h> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ #include <sys/wait.h> /* for wait() */ #include <getopt.h> /* for getopt_long() form of getopt() */ @@ -92,6 +93,10 @@ /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" +#ifdef USE_PAM +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; +#endif + #define DEFAULT_PATH "/usr/bin:/bin" #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ @@ -159,7 +164,7 @@ #include <security/pam_appl.h> /* for PAM functions */ #include <security/pam_misc.h> /* for misc_conv PAM utility function */ -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ +char *service_name = "newrole"; /* authenticate_via_pam() * @@ -209,6 +214,113 @@ return result; } /* authenticate_via_pam() */ +#include "hashtab.h" + +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, + void *args __attribute__ ((unused)) ) +{ + free(key); + free(d); + return 0; +} + +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) +{ + char *p, *keyp; + size_t size; + unsigned int val; + + val = 0; + keyp = (char *)key; + size = strlen(keyp); + for (p = keyp; ((size_t) (p - keyp)) < size; p++) + val = + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); + return val & (h->size - 1); +} + +static int reqsymcmp(hashtab_t h + __attribute__ ((unused)), hashtab_key_t key1, + hashtab_key_t key2) +{ + char *keyp1, *keyp2; + + keyp1 = (char *)key1; + keyp2 = (char *)key2; + return strcmp(keyp1, keyp2); +} + +static hashtab_t app_service_names = NULL; +#define PAM_SERVICE_SLOTS 64 + +static int process_pam_config(FILE * cfg) +{ + const char *config_file_path = PAM_SERVICE_CONFIG; + char *line_buf = NULL; + unsigned long lineno = 0; + size_t len = 0; + char *app = NULL; + char *service = NULL; + int ret; + + while (getline(&line_buf, &len, cfg) > 0) { + char *buffer = line_buf; + lineno++; + while (isspace(*buffer)) + buffer++; + if (buffer[0] == '#') + continue; + if (buffer[0] == '\n' || buffer[0] == '\0') + continue; + + app = service = NULL; + ret = sscanf(buffer, "%as %as\n", &app, &service); + if (ret < 2 || !app || !service) + goto err; + + ret = hashtab_insert(app_service_names, app, service); + if (ret == HASHTAB_OVERFLOW) { + fprintf(stderr, + _("newrole: service name configuration hashtable overflow\n")); + goto err; + } + } + + free(line_buf); + return 0; + err: + free(app); + free(service); + fprintf(stderr, _("newrole: %s: error on line %lu.\n"), config_file_path, lineno); + free(line_buf); + return -1; +} + +/* + * Read config file ignoring comment lines. + * Files specified one per line executable with a corresponding + * pam service name. + */ +static int read_pam_config() +{ + const char *config_file_path = PAM_SERVICE_CONFIG; + FILE *cfg = NULL; + cfg = fopen(config_file_path, "r"); + if (!cfg) + return 0; /* This configuration is optional. */ + app_service_names = + hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS); + if (!app_service_names) + goto err; + if (process_pam_config(cfg)) + goto err; + fclose(cfg); + return 0; + err: + fclose(cfg); + return -1; +} + #else /* else !USE_PAM */ /************************************************************************ @@ -1027,9 +1139,33 @@ if (extract_pw_data(&pw)) goto err_free; - printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + if (read_pam_config()) { + fprintf(stderr, _("error on reading PAM service configuration.\n")); + goto err_free; + } + + if (app_service_names != NULL && optind < argc) { + if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) { + /* + * Check for a separate pam service name for the command when + * invoked by newrole. + */ + char *cmd = NULL; + rc = sscanf(argv[optind + 1], "%as", &cmd); + if (rc != EOF && cmd != NULL) { + char *app_service_name = + (char *)hashtab_search(app_service_names, + cmd); + free(cmd); + if (app_service_name != NULL) { + service_name = app_service_name; + } + } + } + } + + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, &pam_handle); if (pam_status != PAM_SUCCESS) { fprintf(stderr, _("failed to initialize PAM\n")); @@ -1118,6 +1254,8 @@ pam_strerror(pam_handle, rc)); exit_code = -1; } + hashtab_map(app_service_names, free_hashtab_entry, NULL); + hashtab_destroy(app_service_names); #endif free(pw.pw_name); free(pw.pw_dir); @@ -1223,5 +1361,11 @@ free(pw.pw_dir); free(pw.pw_shell); free(shell_argv0); +#ifdef USE_PAM + if (app_service_names) { + hashtab_map(app_service_names, free_hashtab_entry, NULL); + hashtab_destroy(app_service_names); + } +#endif return -1; } /* main() */ Index: policycoreutils/newrole/Makefile =================================================================== --- policycoreutils/newrole/Makefile (revision 2422) +++ policycoreutils/newrole/Makefile (working copy) @@ -21,10 +21,12 @@ VERSION = $(shell cat ../VERSION) CFLAGS ?= -Werror -Wall -W +EXTRA_OBJS = override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib ifeq (${PAMH}, /usr/include/security/pam_appl.h) override CFLAGS += -DUSE_PAM + EXTRA_OBJS += hashtab.o LDLIBS += -lpam -lpam_misc else override CFLAGS += -D_XOPEN_SOURCE=500 @@ -53,9 +55,10 @@ MODE := 0555 endif -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +all: newrole -all: $(TARGETS) +newrole: newrole.o $(EXTRA_OBJS) + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all test -d $(BINDIR) || install -m 755 -d $(BINDIR) -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 19:18 ` Stephen Smalley @ 2007-05-03 21:09 ` Darrel Goeddel 2007-05-08 17:54 ` Stephen Smalley 2007-05-04 18:56 ` Ted X Toth 1 sibling, 1 reply; 22+ messages in thread From: Darrel Goeddel @ 2007-05-03 21:09 UTC (permalink / raw) To: Stephen Smalley; +Cc: Xavier Toth, selinux, Joshua Brindle, Karl MacMillan Stephen Smalley wrote: > How about the revised patch below (only including the newrole.c and > Makefile diffs since the hashtab code is unchanged)? The changes from > your patch are: > - Make sure everything is properly enabled/disabled by USE_PAM and move > the code into the existing USE_PAM block where appropriate. > - Call the config file newrole_pam.conf since there could be other > newrole config files in the future. > - Distinguish missing config file (ok) from errors during parsing of the > config file (should abort). > - Remove the Authenticating <username> message since it could be > confusing in the case where you are using a pam config that doesn't > require it and it doesn't really provide any benefit. > - Improve error checking and handling. > - Coding style cleanups (indentation, comment style, etc). > > To test, I created a /etc/pam.d/newrole-noauth config that had > pam_permit.so for its auth module and created > a /etc/selinux/newrole_pam.conf that mapped one program to > newrole-noauth. > > The alternative model would be to eliminate /etc/selnux/newrole_pam.conf > entirely from the equation, and just have newrole look for (test via > access()) a /etc/pam.d/newrole_<appname> config and use > newrole_<appname> as the service name if present. I like this idea. I haven't had a chance to test this yet, but it looks to be assuming that the arg to -c is just the command name without any path info. Should we strip that down to its basename in case someone runs 'newrole -l secret -c /usr/bin/foo' as opposed to 'newrole -l secret -c foo'? -- Darrel -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 21:09 ` Darrel Goeddel @ 2007-05-08 17:54 ` Stephen Smalley 0 siblings, 0 replies; 22+ messages in thread From: Stephen Smalley @ 2007-05-08 17:54 UTC (permalink / raw) To: Darrel Goeddel; +Cc: Xavier Toth, selinux, Joshua Brindle, Karl MacMillan On Thu, 2007-05-03 at 16:09 -0500, Darrel Goeddel wrote: > Stephen Smalley wrote: > > How about the revised patch below (only including the newrole.c and > > Makefile diffs since the hashtab code is unchanged)? The changes from > > your patch are: > > - Make sure everything is properly enabled/disabled by USE_PAM and move > > the code into the existing USE_PAM block where appropriate. > > - Call the config file newrole_pam.conf since there could be other > > newrole config files in the future. > > - Distinguish missing config file (ok) from errors during parsing of the > > config file (should abort). > > - Remove the Authenticating <username> message since it could be > > confusing in the case where you are using a pam config that doesn't > > require it and it doesn't really provide any benefit. > > - Improve error checking and handling. > > - Coding style cleanups (indentation, comment style, etc). > > > > To test, I created a /etc/pam.d/newrole-noauth config that had > > pam_permit.so for its auth module and created > > a /etc/selinux/newrole_pam.conf that mapped one program to > > newrole-noauth. > > > > The alternative model would be to eliminate /etc/selnux/newrole_pam.conf > > entirely from the equation, and just have newrole look for (test via > > access()) a /etc/pam.d/newrole_<appname> config and use > > newrole_<appname> as the service name if present. > > I like this idea. I haven't had a chance to test this yet, but it looks > to be assuming that the arg to -c is just the command name without any > path info. Should we strip that down to its basename in case someone runs > 'newrole -l secret -c /usr/bin/foo' as opposed to 'newrole -l secret -c foo'? Actually, on second thought, do we really want that behavior? IOW, if I specify "/usr/bin/foo newrole-noauth" in my /etc/selinux/newrole_pam.conf, then I want "newrole -l s1 -- -c /usr/bin/foo" to use /etc/pam.d/newrole-noauth. But I don't want the caller to be able to do "newrole -l s1 -- -c ./foo" and get the same effect. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-03 19:18 ` Stephen Smalley 2007-05-03 21:09 ` Darrel Goeddel @ 2007-05-04 18:56 ` Ted X Toth 2007-05-04 19:23 ` Stephen Smalley 1 sibling, 1 reply; 22+ messages in thread From: Ted X Toth @ 2007-05-04 18:56 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux, Joshua Brindle, Karl MacMillan, Darrel Goeddel Stephen Smalley wrote: > How about the revised patch below (only including the newrole.c and > Makefile diffs since the hashtab code is unchanged)? The changes from > your patch are: > - Make sure everything is properly enabled/disabled by USE_PAM and move > the code into the existing USE_PAM block where appropriate. > - Call the config file newrole_pam.conf since there could be other > newrole config files in the future. > - Distinguish missing config file (ok) from errors during parsing of the > config file (should abort). > - Remove the Authenticating <username> message since it could be > confusing in the case where you are using a pam config that doesn't > require it and it doesn't really provide any benefit. > - Improve error checking and handling. > - Coding style cleanups (indentation, comment style, etc). > > To test, I created a /etc/pam.d/newrole-noauth config that had > pam_permit.so for its auth module and created > a /etc/selinux/newrole_pam.conf that mapped one program to > newrole-noauth. > > The alternative model would be to eliminate /etc/selnux/newrole_pam.conf > entirely from the equation, and just have newrole look for (test via > access()) a /etc/pam.d/newrole_<appname> config and use > newrole_<appname> as the service name if present. > I like it but one thing I had thought about was that if the current patch were to check for the existence of the pam configuration file (service name) and the file was missing the user could be warned of that. Of course there is no help in the event that newrole_pam.conf is misconfigured. > Index: policycoreutils/newrole/newrole.c > =================================================================== > --- policycoreutils/newrole/newrole.c (revision 2422) > +++ policycoreutils/newrole/newrole.c (working copy) > @@ -58,6 +58,7 @@ > #include <stdio.h> > #include <stdlib.h> /* for malloc(), realloc(), free() */ > #include <pwd.h> /* for getpwuid() */ > +#include <ctype.h> > #include <sys/types.h> /* to make getuid() and getpwuid() happy */ > #include <sys/wait.h> /* for wait() */ > #include <getopt.h> /* for getopt_long() form of getopt() */ > @@ -92,6 +93,10 @@ > /* USAGE_STRING describes the command-line args of this program. */ > #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" > > +#ifdef USE_PAM > +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; > +#endif > + > #define DEFAULT_PATH "/usr/bin:/bin" > #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ > > @@ -159,7 +164,7 @@ > #include <security/pam_appl.h> /* for PAM functions */ > #include <security/pam_misc.h> /* for misc_conv PAM utility function */ > > -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ > +char *service_name = "newrole"; > > /* authenticate_via_pam() > * > @@ -209,6 +214,113 @@ > return result; > } /* authenticate_via_pam() */ > > +#include "hashtab.h" > + > +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, > + void *args __attribute__ ((unused)) ) > +{ > + free(key); > + free(d); > + return 0; > +} > + > +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) > +{ > + char *p, *keyp; > + size_t size; > + unsigned int val; > + > + val = 0; > + keyp = (char *)key; > + size = strlen(keyp); > + for (p = keyp; ((size_t) (p - keyp)) < size; p++) > + val = > + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); > + return val & (h->size - 1); > +} > + > +static int reqsymcmp(hashtab_t h > + __attribute__ ((unused)), hashtab_key_t key1, > + hashtab_key_t key2) > +{ > + char *keyp1, *keyp2; > + > + keyp1 = (char *)key1; > + keyp2 = (char *)key2; > + return strcmp(keyp1, keyp2); > +} > + > +static hashtab_t app_service_names = NULL; > +#define PAM_SERVICE_SLOTS 64 > + > +static int process_pam_config(FILE * cfg) > +{ > + const char *config_file_path = PAM_SERVICE_CONFIG; > + char *line_buf = NULL; > + unsigned long lineno = 0; > + size_t len = 0; > + char *app = NULL; > + char *service = NULL; > + int ret; > + > + while (getline(&line_buf, &len, cfg) > 0) { > + char *buffer = line_buf; > + lineno++; > + while (isspace(*buffer)) > + buffer++; > + if (buffer[0] == '#') > + continue; > + if (buffer[0] == '\n' || buffer[0] == '\0') > + continue; > + > + app = service = NULL; > + ret = sscanf(buffer, "%as %as\n", &app, &service); > + if (ret < 2 || !app || !service) > + goto err; > + > + ret = hashtab_insert(app_service_names, app, service); > + if (ret == HASHTAB_OVERFLOW) { > + fprintf(stderr, > + _("newrole: service name configuration hashtable overflow\n")); > + goto err; > + } > + } > + > + free(line_buf); > + return 0; > + err: > + free(app); > + free(service); > + fprintf(stderr, _("newrole: %s: error on line %lu.\n"), config_file_path, lineno); > + free(line_buf); > + return -1; > +} > + > +/* > + * Read config file ignoring comment lines. > + * Files specified one per line executable with a corresponding > + * pam service name. > + */ > +static int read_pam_config() > +{ > + const char *config_file_path = PAM_SERVICE_CONFIG; > + FILE *cfg = NULL; > + cfg = fopen(config_file_path, "r"); > + if (!cfg) > + return 0; /* This configuration is optional. */ > + app_service_names = > + hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS); > + if (!app_service_names) > + goto err; > + if (process_pam_config(cfg)) > + goto err; > + fclose(cfg); > + return 0; > + err: > + fclose(cfg); > + return -1; > +} > + > #else /* else !USE_PAM */ > > /************************************************************************ > @@ -1027,9 +1139,33 @@ > if (extract_pw_data(&pw)) > goto err_free; > > - printf(_("Authenticating %s.\n"), pw.pw_name); > #ifdef USE_PAM > - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, > + if (read_pam_config()) { > + fprintf(stderr, _("error on reading PAM service configuration.\n")); > + goto err_free; > + } > + > + if (app_service_names != NULL && optind < argc) { > + if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) { > + /* > + * Check for a separate pam service name for the command when > + * invoked by newrole. > + */ > + char *cmd = NULL; > + rc = sscanf(argv[optind + 1], "%as", &cmd); > + if (rc != EOF && cmd != NULL) { > + char *app_service_name = > + (char *)hashtab_search(app_service_names, > + cmd); > + free(cmd); > + if (app_service_name != NULL) { > + service_name = app_service_name; > + } > + } > + } > + } > + > + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, > &pam_handle); > if (pam_status != PAM_SUCCESS) { > fprintf(stderr, _("failed to initialize PAM\n")); > @@ -1118,6 +1254,8 @@ > pam_strerror(pam_handle, rc)); > exit_code = -1; > } > + hashtab_map(app_service_names, free_hashtab_entry, NULL); > + hashtab_destroy(app_service_names); > #endif > free(pw.pw_name); > free(pw.pw_dir); > @@ -1223,5 +1361,11 @@ > free(pw.pw_dir); > free(pw.pw_shell); > free(shell_argv0); > +#ifdef USE_PAM > + if (app_service_names) { > + hashtab_map(app_service_names, free_hashtab_entry, NULL); > + hashtab_destroy(app_service_names); > + } > +#endif > return -1; > } /* main() */ > Index: policycoreutils/newrole/Makefile > =================================================================== > --- policycoreutils/newrole/Makefile (revision 2422) > +++ policycoreutils/newrole/Makefile (working copy) > @@ -21,10 +21,12 @@ > VERSION = $(shell cat ../VERSION) > > CFLAGS ?= -Werror -Wall -W > +EXTRA_OBJS = > override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" > LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib > ifeq (${PAMH}, /usr/include/security/pam_appl.h) > override CFLAGS += -DUSE_PAM > + EXTRA_OBJS += hashtab.o > LDLIBS += -lpam -lpam_misc > else > override CFLAGS += -D_XOPEN_SOURCE=500 > @@ -53,9 +55,10 @@ > MODE := 0555 > endif > > -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) > +all: newrole > > -all: $(TARGETS) > +newrole: newrole.o $(EXTRA_OBJS) > + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) > > install: all > test -d $(BINDIR) || install -m 755 -d $(BINDIR) > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-04 18:56 ` Ted X Toth @ 2007-05-04 19:23 ` Stephen Smalley 2007-05-04 20:15 ` Ted X Toth 0 siblings, 1 reply; 22+ messages in thread From: Stephen Smalley @ 2007-05-04 19:23 UTC (permalink / raw) To: Ted X Toth; +Cc: selinux, Joshua Brindle, Karl MacMillan, Darrel Goeddel On Fri, 2007-05-04 at 13:56 -0500, Ted X Toth wrote: > Stephen Smalley wrote: > > How about the revised patch below (only including the newrole.c and > > Makefile diffs since the hashtab code is unchanged)? The changes from > > your patch are: > > - Make sure everything is properly enabled/disabled by USE_PAM and move > > the code into the existing USE_PAM block where appropriate. > > - Call the config file newrole_pam.conf since there could be other > > newrole config files in the future. > > - Distinguish missing config file (ok) from errors during parsing of the > > config file (should abort). > > - Remove the Authenticating <username> message since it could be > > confusing in the case where you are using a pam config that doesn't > > require it and it doesn't really provide any benefit. > > - Improve error checking and handling. > > - Coding style cleanups (indentation, comment style, etc). > > > > To test, I created a /etc/pam.d/newrole-noauth config that had > > pam_permit.so for its auth module and created > > a /etc/selinux/newrole_pam.conf that mapped one program to > > newrole-noauth. > > > > The alternative model would be to eliminate /etc/selnux/newrole_pam.conf > > entirely from the equation, and just have newrole look for (test via > > access()) a /etc/pam.d/newrole_<appname> config and use > > newrole_<appname> as the service name if present. > > > > I like it but one thing I had thought about was that if the current > patch were to check for the existence of the pam configuration file > (service name) and the file was missing the user could be warned of > that. Of course there is no help in the event that newrole_pam.conf is > misconfigured. Sorry, are you suggesting eliminating the need for newrole_pam.conf altogether (as I described above as an alternative, implicitly mapping each app to a newrole_<app> service name if present) or retaining it but just adding a test for the presence of the pam config for error reporting purposes? I'll incorporate Darrel's suggestion about using the basename() of the command in the next version of the patch. > > Index: policycoreutils/newrole/newrole.c > > =================================================================== > > --- policycoreutils/newrole/newrole.c (revision 2422) > > +++ policycoreutils/newrole/newrole.c (working copy) > > @@ -58,6 +58,7 @@ > > #include <stdio.h> > > #include <stdlib.h> /* for malloc(), realloc(), free() */ > > #include <pwd.h> /* for getpwuid() */ > > +#include <ctype.h> > > #include <sys/types.h> /* to make getuid() and getpwuid() happy */ > > #include <sys/wait.h> /* for wait() */ > > #include <getopt.h> /* for getopt_long() form of getopt() */ > > @@ -92,6 +93,10 @@ > > /* USAGE_STRING describes the command-line args of this program. */ > > #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" > > > > +#ifdef USE_PAM > > +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; > > +#endif > > + > > #define DEFAULT_PATH "/usr/bin:/bin" > > #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ > > > > @@ -159,7 +164,7 @@ > > #include <security/pam_appl.h> /* for PAM functions */ > > #include <security/pam_misc.h> /* for misc_conv PAM utility function */ > > > > -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ > > +char *service_name = "newrole"; > > > > /* authenticate_via_pam() > > * > > @@ -209,6 +214,113 @@ > > return result; > > } /* authenticate_via_pam() */ > > > > +#include "hashtab.h" > > + > > +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, > > + void *args __attribute__ ((unused)) ) > > +{ > > + free(key); > > + free(d); > > + return 0; > > +} > > + > > +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) > > +{ > > + char *p, *keyp; > > + size_t size; > > + unsigned int val; > > + > > + val = 0; > > + keyp = (char *)key; > > + size = strlen(keyp); > > + for (p = keyp; ((size_t) (p - keyp)) < size; p++) > > + val = > > + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); > > + return val & (h->size - 1); > > +} > > + > > +static int reqsymcmp(hashtab_t h > > + __attribute__ ((unused)), hashtab_key_t key1, > > + hashtab_key_t key2) > > +{ > > + char *keyp1, *keyp2; > > + > > + keyp1 = (char *)key1; > > + keyp2 = (char *)key2; > > + return strcmp(keyp1, keyp2); > > +} > > + > > +static hashtab_t app_service_names = NULL; > > +#define PAM_SERVICE_SLOTS 64 > > + > > +static int process_pam_config(FILE * cfg) > > +{ > > + const char *config_file_path = PAM_SERVICE_CONFIG; > > + char *line_buf = NULL; > > + unsigned long lineno = 0; > > + size_t len = 0; > > + char *app = NULL; > > + char *service = NULL; > > + int ret; > > + > > + while (getline(&line_buf, &len, cfg) > 0) { > > + char *buffer = line_buf; > > + lineno++; > > + while (isspace(*buffer)) > > + buffer++; > > + if (buffer[0] == '#') > > + continue; > > + if (buffer[0] == '\n' || buffer[0] == '\0') > > + continue; > > + > > + app = service = NULL; > > + ret = sscanf(buffer, "%as %as\n", &app, &service); > > + if (ret < 2 || !app || !service) > > + goto err; > > + > > + ret = hashtab_insert(app_service_names, app, service); > > + if (ret == HASHTAB_OVERFLOW) { > > + fprintf(stderr, > > + _("newrole: service name configuration hashtable overflow\n")); > > + goto err; > > + } > > + } > > + > > + free(line_buf); > > + return 0; > > + err: > > + free(app); > > + free(service); > > + fprintf(stderr, _("newrole: %s: error on line %lu.\n"), config_file_path, lineno); > > + free(line_buf); > > + return -1; > > +} > > + > > +/* > > + * Read config file ignoring comment lines. > > + * Files specified one per line executable with a corresponding > > + * pam service name. > > + */ > > +static int read_pam_config() > > +{ > > + const char *config_file_path = PAM_SERVICE_CONFIG; > > + FILE *cfg = NULL; > > + cfg = fopen(config_file_path, "r"); > > + if (!cfg) > > + return 0; /* This configuration is optional. */ > > + app_service_names = > > + hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS); > > + if (!app_service_names) > > + goto err; > > + if (process_pam_config(cfg)) > > + goto err; > > + fclose(cfg); > > + return 0; > > + err: > > + fclose(cfg); > > + return -1; > > +} > > + > > #else /* else !USE_PAM */ > > > > /************************************************************************ > > @@ -1027,9 +1139,33 @@ > > if (extract_pw_data(&pw)) > > goto err_free; > > > > - printf(_("Authenticating %s.\n"), pw.pw_name); > > #ifdef USE_PAM > > - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, > > + if (read_pam_config()) { > > + fprintf(stderr, _("error on reading PAM service configuration.\n")); > > + goto err_free; > > + } > > + > > + if (app_service_names != NULL && optind < argc) { > > + if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) { > > + /* > > + * Check for a separate pam service name for the command when > > + * invoked by newrole. > > + */ > > + char *cmd = NULL; > > + rc = sscanf(argv[optind + 1], "%as", &cmd); > > + if (rc != EOF && cmd != NULL) { > > + char *app_service_name = > > + (char *)hashtab_search(app_service_names, > > + cmd); > > + free(cmd); > > + if (app_service_name != NULL) { > > + service_name = app_service_name; > > + } > > + } > > + } > > + } > > + > > + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, > > &pam_handle); > > if (pam_status != PAM_SUCCESS) { > > fprintf(stderr, _("failed to initialize PAM\n")); > > @@ -1118,6 +1254,8 @@ > > pam_strerror(pam_handle, rc)); > > exit_code = -1; > > } > > + hashtab_map(app_service_names, free_hashtab_entry, NULL); > > + hashtab_destroy(app_service_names); > > #endif > > free(pw.pw_name); > > free(pw.pw_dir); > > @@ -1223,5 +1361,11 @@ > > free(pw.pw_dir); > > free(pw.pw_shell); > > free(shell_argv0); > > +#ifdef USE_PAM > > + if (app_service_names) { > > + hashtab_map(app_service_names, free_hashtab_entry, NULL); > > + hashtab_destroy(app_service_names); > > + } > > +#endif > > return -1; > > } /* main() */ > > Index: policycoreutils/newrole/Makefile > > =================================================================== > > --- policycoreutils/newrole/Makefile (revision 2422) > > +++ policycoreutils/newrole/Makefile (working copy) > > @@ -21,10 +21,12 @@ > > VERSION = $(shell cat ../VERSION) > > > > CFLAGS ?= -Werror -Wall -W > > +EXTRA_OBJS = > > override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" > > LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib > > ifeq (${PAMH}, /usr/include/security/pam_appl.h) > > override CFLAGS += -DUSE_PAM > > + EXTRA_OBJS += hashtab.o > > LDLIBS += -lpam -lpam_misc > > else > > override CFLAGS += -D_XOPEN_SOURCE=500 > > @@ -53,9 +55,10 @@ > > MODE := 0555 > > endif > > > > -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) > > +all: newrole > > > > -all: $(TARGETS) > > +newrole: newrole.o $(EXTRA_OBJS) > > + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) > > > > install: all > > test -d $(BINDIR) || install -m 755 -d $(BINDIR) > > > > -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: launching apps at level (MLS) and polyinstantiation 2007-05-04 19:23 ` Stephen Smalley @ 2007-05-04 20:15 ` Ted X Toth 2007-05-08 19:11 ` [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) Stephen Smalley 0 siblings, 1 reply; 22+ messages in thread From: Ted X Toth @ 2007-05-04 20:15 UTC (permalink / raw) To: Stephen Smalley; +Cc: selinux, Joshua Brindle, Karl MacMillan, Darrel Goeddel Stephen Smalley wrote: > On Fri, 2007-05-04 at 13:56 -0500, Ted X Toth wrote: > >> Stephen Smalley wrote: >> >>> How about the revised patch below (only including the newrole.c and >>> Makefile diffs since the hashtab code is unchanged)? The changes from >>> your patch are: >>> - Make sure everything is properly enabled/disabled by USE_PAM and move >>> the code into the existing USE_PAM block where appropriate. >>> - Call the config file newrole_pam.conf since there could be other >>> newrole config files in the future. >>> - Distinguish missing config file (ok) from errors during parsing of the >>> config file (should abort). >>> - Remove the Authenticating <username> message since it could be >>> confusing in the case where you are using a pam config that doesn't >>> require it and it doesn't really provide any benefit. >>> - Improve error checking and handling. >>> - Coding style cleanups (indentation, comment style, etc). >>> >>> To test, I created a /etc/pam.d/newrole-noauth config that had >>> pam_permit.so for its auth module and created >>> a /etc/selinux/newrole_pam.conf that mapped one program to >>> newrole-noauth. >>> >>> The alternative model would be to eliminate /etc/selnux/newrole_pam.conf >>> entirely from the equation, and just have newrole look for (test via >>> access()) a /etc/pam.d/newrole_<appname> config and use >>> newrole_<appname> as the service name if present. >>> >>> >> I like it but one thing I had thought about was that if the current >> patch were to check for the existence of the pam configuration file >> (service name) and the file was missing the user could be warned of >> that. Of course there is no help in the event that newrole_pam.conf is >> misconfigured. >> > > Sorry, are you suggesting eliminating the need for newrole_pam.conf > altogether (as I described above as an alternative, implicitly mapping > each app to a newrole_<app> service name if present) or retaining it but > just adding a test for the presence of the pam config for error > reporting purposes? > I don't have a strong feeling one way or the other. Eliminating newrole_pam.conf would certainly simplify the implementation. I was just thinking about whether there were any good arguments for keeping it and usability was the only thing I could come up with. > I'll incorporate Darrel's suggestion about using the basename() of the > command in the next version of the patch. > > > >>> Index: policycoreutils/newrole/newrole.c >>> =================================================================== >>> --- policycoreutils/newrole/newrole.c (revision 2422) >>> +++ policycoreutils/newrole/newrole.c (working copy) >>> @@ -58,6 +58,7 @@ >>> #include <stdio.h> >>> #include <stdlib.h> /* for malloc(), realloc(), free() */ >>> #include <pwd.h> /* for getpwuid() */ >>> +#include <ctype.h> >>> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ >>> #include <sys/wait.h> /* for wait() */ >>> #include <getopt.h> /* for getopt_long() form of getopt() */ >>> @@ -92,6 +93,10 @@ >>> /* USAGE_STRING describes the command-line args of this program. */ >>> #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" >>> >>> +#ifdef USE_PAM >>> +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; >>> +#endif >>> + >>> #define DEFAULT_PATH "/usr/bin:/bin" >>> #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ >>> >>> @@ -159,7 +164,7 @@ >>> #include <security/pam_appl.h> /* for PAM functions */ >>> #include <security/pam_misc.h> /* for misc_conv PAM utility function */ >>> >>> -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ >>> +char *service_name = "newrole"; >>> >>> /* authenticate_via_pam() >>> * >>> @@ -209,6 +214,113 @@ >>> return result; >>> } /* authenticate_via_pam() */ >>> >>> +#include "hashtab.h" >>> + >>> +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, >>> + void *args __attribute__ ((unused)) ) >>> +{ >>> + free(key); >>> + free(d); >>> + return 0; >>> +} >>> + >>> +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) >>> +{ >>> + char *p, *keyp; >>> + size_t size; >>> + unsigned int val; >>> + >>> + val = 0; >>> + keyp = (char *)key; >>> + size = strlen(keyp); >>> + for (p = keyp; ((size_t) (p - keyp)) < size; p++) >>> + val = >>> + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); >>> + return val & (h->size - 1); >>> +} >>> + >>> +static int reqsymcmp(hashtab_t h >>> + __attribute__ ((unused)), hashtab_key_t key1, >>> + hashtab_key_t key2) >>> +{ >>> + char *keyp1, *keyp2; >>> + >>> + keyp1 = (char *)key1; >>> + keyp2 = (char *)key2; >>> + return strcmp(keyp1, keyp2); >>> +} >>> + >>> +static hashtab_t app_service_names = NULL; >>> +#define PAM_SERVICE_SLOTS 64 >>> + >>> +static int process_pam_config(FILE * cfg) >>> +{ >>> + const char *config_file_path = PAM_SERVICE_CONFIG; >>> + char *line_buf = NULL; >>> + unsigned long lineno = 0; >>> + size_t len = 0; >>> + char *app = NULL; >>> + char *service = NULL; >>> + int ret; >>> + >>> + while (getline(&line_buf, &len, cfg) > 0) { >>> + char *buffer = line_buf; >>> + lineno++; >>> + while (isspace(*buffer)) >>> + buffer++; >>> + if (buffer[0] == '#') >>> + continue; >>> + if (buffer[0] == '\n' || buffer[0] == '\0') >>> + continue; >>> + >>> + app = service = NULL; >>> + ret = sscanf(buffer, "%as %as\n", &app, &service); >>> + if (ret < 2 || !app || !service) >>> + goto err; >>> + >>> + ret = hashtab_insert(app_service_names, app, service); >>> + if (ret == HASHTAB_OVERFLOW) { >>> + fprintf(stderr, >>> + _("newrole: service name configuration hashtable overflow\n")); >>> + goto err; >>> + } >>> + } >>> + >>> + free(line_buf); >>> + return 0; >>> + err: >>> + free(app); >>> + free(service); >>> + fprintf(stderr, _("newrole: %s: error on line %lu.\n"), config_file_path, lineno); >>> + free(line_buf); >>> + return -1; >>> +} >>> + >>> +/* >>> + * Read config file ignoring comment lines. >>> + * Files specified one per line executable with a corresponding >>> + * pam service name. >>> + */ >>> +static int read_pam_config() >>> +{ >>> + const char *config_file_path = PAM_SERVICE_CONFIG; >>> + FILE *cfg = NULL; >>> + cfg = fopen(config_file_path, "r"); >>> + if (!cfg) >>> + return 0; /* This configuration is optional. */ >>> + app_service_names = >>> + hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS); >>> + if (!app_service_names) >>> + goto err; >>> + if (process_pam_config(cfg)) >>> + goto err; >>> + fclose(cfg); >>> + return 0; >>> + err: >>> + fclose(cfg); >>> + return -1; >>> +} >>> + >>> #else /* else !USE_PAM */ >>> >>> /************************************************************************ >>> @@ -1027,9 +1139,33 @@ >>> if (extract_pw_data(&pw)) >>> goto err_free; >>> >>> - printf(_("Authenticating %s.\n"), pw.pw_name); >>> #ifdef USE_PAM >>> - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, >>> + if (read_pam_config()) { >>> + fprintf(stderr, _("error on reading PAM service configuration.\n")); >>> + goto err_free; >>> + } >>> + >>> + if (app_service_names != NULL && optind < argc) { >>> + if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) { >>> + /* >>> + * Check for a separate pam service name for the command when >>> + * invoked by newrole. >>> + */ >>> + char *cmd = NULL; >>> + rc = sscanf(argv[optind + 1], "%as", &cmd); >>> + if (rc != EOF && cmd != NULL) { >>> + char *app_service_name = >>> + (char *)hashtab_search(app_service_names, >>> + cmd); >>> + free(cmd); >>> + if (app_service_name != NULL) { >>> + service_name = app_service_name; >>> + } >>> + } >>> + } >>> + } >>> + >>> + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, >>> &pam_handle); >>> if (pam_status != PAM_SUCCESS) { >>> fprintf(stderr, _("failed to initialize PAM\n")); >>> @@ -1118,6 +1254,8 @@ >>> pam_strerror(pam_handle, rc)); >>> exit_code = -1; >>> } >>> + hashtab_map(app_service_names, free_hashtab_entry, NULL); >>> + hashtab_destroy(app_service_names); >>> #endif >>> free(pw.pw_name); >>> free(pw.pw_dir); >>> @@ -1223,5 +1361,11 @@ >>> free(pw.pw_dir); >>> free(pw.pw_shell); >>> free(shell_argv0); >>> +#ifdef USE_PAM >>> + if (app_service_names) { >>> + hashtab_map(app_service_names, free_hashtab_entry, NULL); >>> + hashtab_destroy(app_service_names); >>> + } >>> +#endif >>> return -1; >>> } /* main() */ >>> Index: policycoreutils/newrole/Makefile >>> =================================================================== >>> --- policycoreutils/newrole/Makefile (revision 2422) >>> +++ policycoreutils/newrole/Makefile (working copy) >>> @@ -21,10 +21,12 @@ >>> VERSION = $(shell cat ../VERSION) >>> >>> CFLAGS ?= -Werror -Wall -W >>> +EXTRA_OBJS = >>> override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" >>> LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib >>> ifeq (${PAMH}, /usr/include/security/pam_appl.h) >>> override CFLAGS += -DUSE_PAM >>> + EXTRA_OBJS += hashtab.o >>> LDLIBS += -lpam -lpam_misc >>> else >>> override CFLAGS += -D_XOPEN_SOURCE=500 >>> @@ -53,9 +55,10 @@ >>> MODE := 0555 >>> endif >>> >>> -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) >>> +all: newrole >>> >>> -all: $(TARGETS) >>> +newrole: newrole.o $(EXTRA_OBJS) >>> + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) >>> >>> install: all >>> test -d $(BINDIR) || install -m 755 -d $(BINDIR) >>> >>> >>> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) 2007-05-04 20:15 ` Ted X Toth @ 2007-05-08 19:11 ` Stephen Smalley 2007-05-08 19:54 ` Karl MacMillan 2007-05-11 18:42 ` Karl MacMillan 0 siblings, 2 replies; 22+ messages in thread From: Stephen Smalley @ 2007-05-08 19:11 UTC (permalink / raw) To: Ted X Toth; +Cc: selinux, Joshua Brindle, Karl MacMillan, Darrel Goeddel From: Ted X Toth <txtoth@gmail.com> With some modifications by Stephen Smalley <sds@tycho.nsa.gov>. Extend newrole to enable use of alternate pam configurations when running an application in a different context. Introduces /etc/selinux/newrole_pam.conf as a config file mapping application pathnames to pam service names when the application is invoked via newrole. In the absence of the config file or the absence of a matching entry, falls back to the standard newrole pam configuration. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- policycoreutils/newrole/Makefile | 7 policycoreutils/newrole/hashtab.c | 292 ++++++++++++++++++++++++++++++++++++++ policycoreutils/newrole/hashtab.h | 142 ++++++++++++++++++ policycoreutils/newrole/newrole.1 | 14 + policycoreutils/newrole/newrole.c | 149 +++++++++++++++++++ 5 files changed, 599 insertions(+), 5 deletions(-) Index: trunk/policycoreutils/newrole/hashtab.h =================================================================== --- trunk/policycoreutils/newrole/hashtab.h (revision 0) +++ trunk/policycoreutils/newrole/hashtab.h (revision 0) @@ -0,0 +1,142 @@ + +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ + +/* FLASK */ + +/* + * A hash table (hashtab) maintains associations between + * key values and datum values. The type of the key values + * and the type of the datum values is arbitrary. The + * functions for hash computation and key comparison are + * provided by the creator of the table. + */ + +#ifndef _NEWROLE_HASHTAB_H_ +#define _NEWROLE_HASHTAB_H_ + +#include <stdint.h> +#include <errno.h> +#include <stdio.h> + +typedef char *hashtab_key_t; /* generic key type */ +typedef void *hashtab_datum_t; /* generic datum type */ + +typedef struct hashtab_node *hashtab_ptr_t; + +typedef struct hashtab_node { + hashtab_key_t key; + hashtab_datum_t datum; + hashtab_ptr_t next; +} hashtab_node_t; + +typedef struct hashtab_val { + hashtab_ptr_t *htable; /* hash table */ + unsigned int size; /* number of slots in hash table */ + uint32_t nel; /* number of elements in hash table */ + unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key); /* hash function */ + int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2); /* key comparison function */ +} hashtab_val_t; + +typedef hashtab_val_t *hashtab_t; + +/* Define status codes for hash table functions */ +#define HASHTAB_SUCCESS 0 +#define HASHTAB_OVERFLOW -ENOMEM +#define HASHTAB_PRESENT -EEXIST +#define HASHTAB_MISSING -ENOENT + +/* + Creates a new hash table with the specified characteristics. + + Returns NULL if insufficent space is available or + the new hash table otherwise. + */ +extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const hashtab_key_t + key), + int (*keycmp) (hashtab_t h, + const hashtab_key_t key1, + const hashtab_key_t key2), + unsigned int size); +/* + Inserts the specified (key, datum) pair into the specified hash table. + + Returns HASHTAB_OVERFLOW if insufficient space is available or + HASHTAB_PRESENT if there is already an entry with the same key or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d); + +/* + Removes the entry with the specified key from the hash table. + Applies the specified destroy function to (key,datum,args) for + the entry. + + Returns HASHTAB_MISSING if no entry has the specified key or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_remove(hashtab_t h, hashtab_key_t k, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Insert or replace the specified (key, datum) pair in the specified + hash table. If an entry for the specified key already exists, + then the specified destroy function is applied to (key,datum,args) + for the entry prior to replacing the entry's contents. + + Returns HASHTAB_OVERFLOW if insufficient space is available or + HASHTAB_SUCCESS otherwise. + */ +extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Searches for the entry with the specified key in the hash table. + + Returns NULL if no entry has the specified key or + the datum of the entry otherwise. + */ +extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k); + +/* + Destroys the specified hash table. + */ +extern void hashtab_destroy(hashtab_t h); + +/* + Applies the specified apply function to (key,datum,args) + for each entry in the specified hash table. + + The order in which the function is applied to the entries + is dependent upon the internal structure of the hash table. + + If apply returns a non-zero status, then hashtab_map will cease + iterating through the hash table and will propagate the error + return to its caller. + */ +extern int hashtab_map(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args); + +/* + Same as hashtab_map, except that if apply returns a non-zero status, + then the (key,datum) pair will be removed from the hashtab and the + destroy function will be applied to (key,datum,args). + */ +extern void hashtab_map_remove_on_error(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void *args); + +extern void hashtab_hash_eval(hashtab_t h, char *tag); + +#endif Index: trunk/policycoreutils/newrole/newrole.1 =================================================================== --- trunk/policycoreutils/newrole/newrole.1 (revision 2422) +++ trunk/policycoreutils/newrole/newrole.1 (working copy) @@ -47,6 +47,12 @@ In particular, an argument of -- -c will cause the next argument to be treated as a command by most command interpreters. .PP +If a command argument is specified to newrole and the command name is found +in /etc/selinux/newrole_pam.conf, then the pam service name listed in that +file for the command will be used rather than the normal newrole pam +configuration. This allows for per-command pam configuration when +invoked via newrole, e.g. to skip the interactive re-authentication phase. +.PP The new shell will be the shell specified in the user's entry in the .I /etc/passwd file. @@ -81,14 +87,22 @@ # id -Z staff_u:sysadm_r:sysadm_t:Secret +.PP +Running a program in a given role or level: + # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..." + # newrole -l Secret -- -c "/path/to/app arg1 arg2..." + .SH FILES /etc/passwd - user account information .br /etc/shadow - encrypted passwords and age information .br /etc/selinux/<policy>/contexts/default_type - default types for roles +.br /etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes .br +/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names +.br .SH SEE ALSO .B runcon (1) Index: trunk/policycoreutils/newrole/hashtab.c =================================================================== --- trunk/policycoreutils/newrole/hashtab.c (revision 0) +++ trunk/policycoreutils/newrole/hashtab.c (revision 0) @@ -0,0 +1,292 @@ + +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ + +/* FLASK */ + +/* + * Implementation of the hash table type. + */ + +#include <stdlib.h> +#include <string.h> +#include "hashtab.h" + +hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, + const hashtab_key_t key), + int (*keycmp) (hashtab_t h, + const hashtab_key_t key1, + const hashtab_key_t key2), + unsigned int size) +{ + + hashtab_t p; + unsigned int i; + + p = (hashtab_t) malloc(sizeof(hashtab_val_t)); + if (p == NULL) + return p; + + memset(p, 0, sizeof(hashtab_val_t)); + p->size = size; + p->nel = 0; + p->hash_value = hash_value; + p->keycmp = keycmp; + p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size); + if (p->htable == NULL) { + free(p); + return NULL; + } + for (i = 0; i < size; i++) + p->htable[i] = (hashtab_ptr_t) NULL; + + return p; +} + +int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum) +{ + int hvalue; + hashtab_ptr_t prev, cur, newnode; + + if (!h) + return HASHTAB_OVERFLOW; + + hvalue = h->hash_value(h, key); + prev = NULL; + cur = h->htable[hvalue]; + while (cur && h->keycmp(h, key, cur->key) > 0) { + prev = cur; + cur = cur->next; + } + + if (cur && (h->keycmp(h, key, cur->key) == 0)) + return HASHTAB_PRESENT; + + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); + if (newnode == NULL) + return HASHTAB_OVERFLOW; + memset(newnode, 0, sizeof(struct hashtab_node)); + newnode->key = key; + newnode->datum = datum; + if (prev) { + newnode->next = prev->next; + prev->next = newnode; + } else { + newnode->next = h->htable[hvalue]; + h->htable[hvalue] = newnode; + } + + h->nel++; + return HASHTAB_SUCCESS; +} + +int hashtab_remove(hashtab_t h, hashtab_key_t key, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + int hvalue; + hashtab_ptr_t cur, last; + + if (!h) + return HASHTAB_MISSING; + + hvalue = h->hash_value(h, key); + last = NULL; + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { + last = cur; + cur = cur->next; + } + + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + return HASHTAB_MISSING; + + if (last == NULL) + h->htable[hvalue] = cur->next; + else + last->next = cur->next; + + if (destroy) + destroy(cur->key, cur->datum, args); + free(cur); + h->nel--; + return HASHTAB_SUCCESS; +} + +int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum, + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + int hvalue; + hashtab_ptr_t prev, cur, newnode; + + if (!h) + return HASHTAB_OVERFLOW; + + hvalue = h->hash_value(h, key); + prev = NULL; + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { + prev = cur; + cur = cur->next; + } + + if (cur && (h->keycmp(h, key, cur->key) == 0)) { + if (destroy) + destroy(cur->key, cur->datum, args); + cur->key = key; + cur->datum = datum; + } else { + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); + if (newnode == NULL) + return HASHTAB_OVERFLOW; + memset(newnode, 0, sizeof(struct hashtab_node)); + newnode->key = key; + newnode->datum = datum; + if (prev) { + newnode->next = prev->next; + prev->next = newnode; + } else { + newnode->next = h->htable[hvalue]; + h->htable[hvalue] = newnode; + } + } + + return HASHTAB_SUCCESS; +} + +hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key) +{ + + int hvalue; + hashtab_ptr_t cur; + + if (!h) + return NULL; + + hvalue = h->hash_value(h, key); + cur = h->htable[hvalue]; + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) + cur = cur->next; + + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) + return NULL; + + return cur->datum; +} + +void hashtab_destroy(hashtab_t h) +{ + unsigned int i; + hashtab_ptr_t cur, temp; + + if (!h) + return; + + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + while (cur != NULL) { + temp = cur; + cur = cur->next; + free(temp); + } + h->htable[i] = NULL; + } + + free(h->htable); + h->htable = NULL; + + free(h); +} + +int hashtab_map(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, void *args), void *args) +{ + unsigned int i, ret; + hashtab_ptr_t cur; + + if (!h) + return HASHTAB_SUCCESS; + + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + while (cur != NULL) { + ret = apply(cur->key, cur->datum, args); + if (ret) + return ret; + cur = cur->next; + } + } + return HASHTAB_SUCCESS; +} + +void hashtab_map_remove_on_error(hashtab_t h, + int (*apply) (hashtab_key_t k, + hashtab_datum_t d, + void *args), + void (*destroy) (hashtab_key_t k, + hashtab_datum_t d, + void *args), void *args) +{ + unsigned int i; + int ret; + hashtab_ptr_t last, cur, temp; + + if (!h) + return; + + for (i = 0; i < h->size; i++) { + last = NULL; + cur = h->htable[i]; + while (cur != NULL) { + ret = apply(cur->key, cur->datum, args); + if (ret) { + if (last) { + last->next = cur->next; + } else { + h->htable[i] = cur->next; + } + + temp = cur; + cur = cur->next; + if (destroy) + destroy(temp->key, temp->datum, args); + free(temp); + h->nel--; + } else { + last = cur; + cur = cur->next; + } + } + } + + return; +} + +void hashtab_hash_eval(hashtab_t h, char *tag) +{ + unsigned int i; + int chain_len, slots_used, max_chain_len; + hashtab_ptr_t cur; + + slots_used = 0; + max_chain_len = 0; + for (i = 0; i < h->size; i++) { + cur = h->htable[i]; + if (cur) { + slots_used++; + chain_len = 0; + while (cur) { + chain_len++; + cur = cur->next; + } + + if (chain_len > max_chain_len) + max_chain_len = chain_len; + } + } + + printf + ("%s: %d entries and %d/%d buckets used, longest chain length %d\n", + tag, h->nel, slots_used, h->size, max_chain_len); +} Index: trunk/policycoreutils/newrole/newrole.c =================================================================== --- trunk/policycoreutils/newrole/newrole.c (revision 2422) +++ trunk/policycoreutils/newrole/newrole.c (working copy) @@ -58,6 +58,7 @@ #include <stdio.h> #include <stdlib.h> /* for malloc(), realloc(), free() */ #include <pwd.h> /* for getpwuid() */ +#include <ctype.h> #include <sys/types.h> /* to make getuid() and getpwuid() happy */ #include <sys/wait.h> /* for wait() */ #include <getopt.h> /* for getopt_long() form of getopt() */ @@ -92,6 +93,10 @@ /* USAGE_STRING describes the command-line args of this program. */ #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" +#ifdef USE_PAM +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; +#endif + #define DEFAULT_PATH "/usr/bin:/bin" #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ @@ -159,7 +164,7 @@ #include <security/pam_appl.h> /* for PAM functions */ #include <security/pam_misc.h> /* for misc_conv PAM utility function */ -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ +char *service_name = "newrole"; /* authenticate_via_pam() * @@ -209,6 +214,113 @@ return result; } /* authenticate_via_pam() */ +#include "hashtab.h" + +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, + void *args __attribute__ ((unused)) ) +{ + free(key); + free(d); + return 0; +} + +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) +{ + char *p, *keyp; + size_t size; + unsigned int val; + + val = 0; + keyp = (char *)key; + size = strlen(keyp); + for (p = keyp; ((size_t) (p - keyp)) < size; p++) + val = + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); + return val & (h->size - 1); +} + +static int reqsymcmp(hashtab_t h + __attribute__ ((unused)), hashtab_key_t key1, + hashtab_key_t key2) +{ + char *keyp1, *keyp2; + + keyp1 = (char *)key1; + keyp2 = (char *)key2; + return strcmp(keyp1, keyp2); +} + +static hashtab_t app_service_names = NULL; +#define PAM_SERVICE_SLOTS 64 + +static int process_pam_config(FILE * cfg) +{ + const char *config_file_path = PAM_SERVICE_CONFIG; + char *line_buf = NULL; + unsigned long lineno = 0; + size_t len = 0; + char *app = NULL; + char *service = NULL; + int ret; + + while (getline(&line_buf, &len, cfg) > 0) { + char *buffer = line_buf; + lineno++; + while (isspace(*buffer)) + buffer++; + if (buffer[0] == '#') + continue; + if (buffer[0] == '\n' || buffer[0] == '\0') + continue; + + app = service = NULL; + ret = sscanf(buffer, "%as %as\n", &app, &service); + if (ret < 2 || !app || !service) + goto err; + + ret = hashtab_insert(app_service_names, app, service); + if (ret == HASHTAB_OVERFLOW) { + fprintf(stderr, + _("newrole: service name configuration hashtable overflow\n")); + goto err; + } + } + + free(line_buf); + return 0; + err: + free(app); + free(service); + fprintf(stderr, _("newrole: %s: error on line %lu.\n"), config_file_path, lineno); + free(line_buf); + return -1; +} + +/* + * Read config file ignoring comment lines. + * Files specified one per line executable with a corresponding + * pam service name. + */ +static int read_pam_config() +{ + const char *config_file_path = PAM_SERVICE_CONFIG; + FILE *cfg = NULL; + cfg = fopen(config_file_path, "r"); + if (!cfg) + return 0; /* This configuration is optional. */ + app_service_names = + hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS); + if (!app_service_names) + goto err; + if (process_pam_config(cfg)) + goto err; + fclose(cfg); + return 0; + err: + fclose(cfg); + return -1; +} + #else /* else !USE_PAM */ /************************************************************************ @@ -1027,9 +1139,32 @@ if (extract_pw_data(&pw)) goto err_free; - printf(_("Authenticating %s.\n"), pw.pw_name); #ifdef USE_PAM - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, + if (read_pam_config()) { + fprintf(stderr, _("error on reading PAM service configuration.\n")); + goto err_free; + } + + if (app_service_names != NULL && optind < argc) { + if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) { + /* + * Check for a separate pam service name for the + * command when invoked by newrole. + */ + char *cmd = NULL; + rc = sscanf(argv[optind + 1], "%as", &cmd); + if (rc != EOF && cmd) { + char *app_service_name = + (char *)hashtab_search(app_service_names, + cmd); + free(cmd); + if (app_service_name != NULL) + service_name = app_service_name; + } + } + } + + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, &pam_handle); if (pam_status != PAM_SUCCESS) { fprintf(stderr, _("failed to initialize PAM\n")); @@ -1118,6 +1253,8 @@ pam_strerror(pam_handle, rc)); exit_code = -1; } + hashtab_map(app_service_names, free_hashtab_entry, NULL); + hashtab_destroy(app_service_names); #endif free(pw.pw_name); free(pw.pw_dir); @@ -1223,5 +1360,11 @@ free(pw.pw_dir); free(pw.pw_shell); free(shell_argv0); +#ifdef USE_PAM + if (app_service_names) { + hashtab_map(app_service_names, free_hashtab_entry, NULL); + hashtab_destroy(app_service_names); + } +#endif return -1; } /* main() */ Index: trunk/policycoreutils/newrole/Makefile =================================================================== --- trunk/policycoreutils/newrole/Makefile (revision 2422) +++ trunk/policycoreutils/newrole/Makefile (working copy) @@ -21,10 +21,12 @@ VERSION = $(shell cat ../VERSION) CFLAGS ?= -Werror -Wall -W +EXTRA_OBJS = override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib ifeq (${PAMH}, /usr/include/security/pam_appl.h) override CFLAGS += -DUSE_PAM + EXTRA_OBJS += hashtab.o LDLIBS += -lpam -lpam_misc else override CFLAGS += -D_XOPEN_SOURCE=500 @@ -53,9 +55,10 @@ MODE := 0555 endif -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) +all: newrole -all: $(TARGETS) +newrole: newrole.o $(EXTRA_OBJS) + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) install: all test -d $(BINDIR) || install -m 755 -d $(BINDIR) -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) 2007-05-08 19:11 ` [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) Stephen Smalley @ 2007-05-08 19:54 ` Karl MacMillan 2007-05-11 18:42 ` Karl MacMillan 1 sibling, 0 replies; 22+ messages in thread From: Karl MacMillan @ 2007-05-08 19:54 UTC (permalink / raw) To: Stephen Smalley; +Cc: Ted X Toth, selinux, Joshua Brindle, Darrel Goeddel On Tue, 2007-05-08 at 15:11 -0400, Stephen Smalley wrote: > From: Ted X Toth <txtoth@gmail.com> > > With some modifications by Stephen Smalley <sds@tycho.nsa.gov>. > > Extend newrole to enable use of alternate pam configurations when > running an application in a different context. Introduces > /etc/selinux/newrole_pam.conf as a config file mapping application > pathnames to pam service names when the application is invoked via > newrole. In the absence of the config file or the absence of a > matching entry, falls back to the standard newrole pam configuration. > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > We should eventually make the hashtabs exportable by libsepol to avoid this duplication - it's irritating. I've done some work along that path, but not enough. No reason to hold this up waiting for that though. Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com> for trunk and policyrep. > --- > > policycoreutils/newrole/Makefile | 7 > policycoreutils/newrole/hashtab.c | 292 ++++++++++++++++++++++++++++++++++++++ > policycoreutils/newrole/hashtab.h | 142 ++++++++++++++++++ > policycoreutils/newrole/newrole.1 | 14 + > policycoreutils/newrole/newrole.c | 149 +++++++++++++++++++ > 5 files changed, 599 insertions(+), 5 deletions(-) > > Index: trunk/policycoreutils/newrole/hashtab.h > =================================================================== > --- trunk/policycoreutils/newrole/hashtab.h (revision 0) > +++ trunk/policycoreutils/newrole/hashtab.h (revision 0) > @@ -0,0 +1,142 @@ > + > +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ > + > +/* FLASK */ > + > +/* > + * A hash table (hashtab) maintains associations between > + * key values and datum values. The type of the key values > + * and the type of the datum values is arbitrary. The > + * functions for hash computation and key comparison are > + * provided by the creator of the table. > + */ > + > +#ifndef _NEWROLE_HASHTAB_H_ > +#define _NEWROLE_HASHTAB_H_ > + > +#include <stdint.h> > +#include <errno.h> > +#include <stdio.h> > + > +typedef char *hashtab_key_t; /* generic key type */ > +typedef void *hashtab_datum_t; /* generic datum type */ > + > +typedef struct hashtab_node *hashtab_ptr_t; > + > +typedef struct hashtab_node { > + hashtab_key_t key; > + hashtab_datum_t datum; > + hashtab_ptr_t next; > +} hashtab_node_t; > + > +typedef struct hashtab_val { > + hashtab_ptr_t *htable; /* hash table */ > + unsigned int size; /* number of slots in hash table */ > + uint32_t nel; /* number of elements in hash table */ > + unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key); /* hash function */ > + int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2); /* key comparison function */ > +} hashtab_val_t; > + > +typedef hashtab_val_t *hashtab_t; > + > +/* Define status codes for hash table functions */ > +#define HASHTAB_SUCCESS 0 > +#define HASHTAB_OVERFLOW -ENOMEM > +#define HASHTAB_PRESENT -EEXIST > +#define HASHTAB_MISSING -ENOENT > + > +/* > + Creates a new hash table with the specified characteristics. > + > + Returns NULL if insufficent space is available or > + the new hash table otherwise. > + */ > +extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, > + const hashtab_key_t > + key), > + int (*keycmp) (hashtab_t h, > + const hashtab_key_t key1, > + const hashtab_key_t key2), > + unsigned int size); > +/* > + Inserts the specified (key, datum) pair into the specified hash table. > + > + Returns HASHTAB_OVERFLOW if insufficient space is available or > + HASHTAB_PRESENT if there is already an entry with the same key or > + HASHTAB_SUCCESS otherwise. > + */ > +extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d); > + > +/* > + Removes the entry with the specified key from the hash table. > + Applies the specified destroy function to (key,datum,args) for > + the entry. > + > + Returns HASHTAB_MISSING if no entry has the specified key or > + HASHTAB_SUCCESS otherwise. > + */ > +extern int hashtab_remove(hashtab_t h, hashtab_key_t k, > + void (*destroy) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), void *args); > + > +/* > + Insert or replace the specified (key, datum) pair in the specified > + hash table. If an entry for the specified key already exists, > + then the specified destroy function is applied to (key,datum,args) > + for the entry prior to replacing the entry's contents. > + > + Returns HASHTAB_OVERFLOW if insufficient space is available or > + HASHTAB_SUCCESS otherwise. > + */ > +extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d, > + void (*destroy) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), void *args); > + > +/* > + Searches for the entry with the specified key in the hash table. > + > + Returns NULL if no entry has the specified key or > + the datum of the entry otherwise. > + */ > +extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k); > + > +/* > + Destroys the specified hash table. > + */ > +extern void hashtab_destroy(hashtab_t h); > + > +/* > + Applies the specified apply function to (key,datum,args) > + for each entry in the specified hash table. > + > + The order in which the function is applied to the entries > + is dependent upon the internal structure of the hash table. > + > + If apply returns a non-zero status, then hashtab_map will cease > + iterating through the hash table and will propagate the error > + return to its caller. > + */ > +extern int hashtab_map(hashtab_t h, > + int (*apply) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), void *args); > + > +/* > + Same as hashtab_map, except that if apply returns a non-zero status, > + then the (key,datum) pair will be removed from the hashtab and the > + destroy function will be applied to (key,datum,args). > + */ > +extern void hashtab_map_remove_on_error(hashtab_t h, > + int (*apply) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), > + void (*destroy) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), > + void *args); > + > +extern void hashtab_hash_eval(hashtab_t h, char *tag); > + > +#endif > Index: trunk/policycoreutils/newrole/newrole.1 > =================================================================== > --- trunk/policycoreutils/newrole/newrole.1 (revision 2422) > +++ trunk/policycoreutils/newrole/newrole.1 (working copy) > @@ -47,6 +47,12 @@ > In particular, an argument of -- -c will cause the next argument to be > treated as a command by most command interpreters. > .PP > +If a command argument is specified to newrole and the command name is found > +in /etc/selinux/newrole_pam.conf, then the pam service name listed in that > +file for the command will be used rather than the normal newrole pam > +configuration. This allows for per-command pam configuration when > +invoked via newrole, e.g. to skip the interactive re-authentication phase. > +.PP > The new shell will be the shell specified in the user's entry in the > .I /etc/passwd > file. > @@ -81,14 +87,22 @@ > # id -Z > staff_u:sysadm_r:sysadm_t:Secret > > +.PP > +Running a program in a given role or level: > + # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..." > + # newrole -l Secret -- -c "/path/to/app arg1 arg2..." > + > .SH FILES > /etc/passwd - user account information > .br > /etc/shadow - encrypted passwords and age information > .br > /etc/selinux/<policy>/contexts/default_type - default types for roles > +.br > /etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes > .br > +/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names > +.br > .SH SEE ALSO > .B runcon > (1) > Index: trunk/policycoreutils/newrole/hashtab.c > =================================================================== > --- trunk/policycoreutils/newrole/hashtab.c (revision 0) > +++ trunk/policycoreutils/newrole/hashtab.c (revision 0) > @@ -0,0 +1,292 @@ > + > +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */ > + > +/* FLASK */ > + > +/* > + * Implementation of the hash table type. > + */ > + > +#include <stdlib.h> > +#include <string.h> > +#include "hashtab.h" > + > +hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h, > + const hashtab_key_t key), > + int (*keycmp) (hashtab_t h, > + const hashtab_key_t key1, > + const hashtab_key_t key2), > + unsigned int size) > +{ > + > + hashtab_t p; > + unsigned int i; > + > + p = (hashtab_t) malloc(sizeof(hashtab_val_t)); > + if (p == NULL) > + return p; > + > + memset(p, 0, sizeof(hashtab_val_t)); > + p->size = size; > + p->nel = 0; > + p->hash_value = hash_value; > + p->keycmp = keycmp; > + p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size); > + if (p->htable == NULL) { > + free(p); > + return NULL; > + } > + for (i = 0; i < size; i++) > + p->htable[i] = (hashtab_ptr_t) NULL; > + > + return p; > +} > + > +int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum) > +{ > + int hvalue; > + hashtab_ptr_t prev, cur, newnode; > + > + if (!h) > + return HASHTAB_OVERFLOW; > + > + hvalue = h->hash_value(h, key); > + prev = NULL; > + cur = h->htable[hvalue]; > + while (cur && h->keycmp(h, key, cur->key) > 0) { > + prev = cur; > + cur = cur->next; > + } > + > + if (cur && (h->keycmp(h, key, cur->key) == 0)) > + return HASHTAB_PRESENT; > + > + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); > + if (newnode == NULL) > + return HASHTAB_OVERFLOW; > + memset(newnode, 0, sizeof(struct hashtab_node)); > + newnode->key = key; > + newnode->datum = datum; > + if (prev) { > + newnode->next = prev->next; > + prev->next = newnode; > + } else { > + newnode->next = h->htable[hvalue]; > + h->htable[hvalue] = newnode; > + } > + > + h->nel++; > + return HASHTAB_SUCCESS; > +} > + > +int hashtab_remove(hashtab_t h, hashtab_key_t key, > + void (*destroy) (hashtab_key_t k, > + hashtab_datum_t d, void *args), void *args) > +{ > + int hvalue; > + hashtab_ptr_t cur, last; > + > + if (!h) > + return HASHTAB_MISSING; > + > + hvalue = h->hash_value(h, key); > + last = NULL; > + cur = h->htable[hvalue]; > + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { > + last = cur; > + cur = cur->next; > + } > + > + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) > + return HASHTAB_MISSING; > + > + if (last == NULL) > + h->htable[hvalue] = cur->next; > + else > + last->next = cur->next; > + > + if (destroy) > + destroy(cur->key, cur->datum, args); > + free(cur); > + h->nel--; > + return HASHTAB_SUCCESS; > +} > + > +int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum, > + void (*destroy) (hashtab_key_t k, > + hashtab_datum_t d, void *args), void *args) > +{ > + int hvalue; > + hashtab_ptr_t prev, cur, newnode; > + > + if (!h) > + return HASHTAB_OVERFLOW; > + > + hvalue = h->hash_value(h, key); > + prev = NULL; > + cur = h->htable[hvalue]; > + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) { > + prev = cur; > + cur = cur->next; > + } > + > + if (cur && (h->keycmp(h, key, cur->key) == 0)) { > + if (destroy) > + destroy(cur->key, cur->datum, args); > + cur->key = key; > + cur->datum = datum; > + } else { > + newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t)); > + if (newnode == NULL) > + return HASHTAB_OVERFLOW; > + memset(newnode, 0, sizeof(struct hashtab_node)); > + newnode->key = key; > + newnode->datum = datum; > + if (prev) { > + newnode->next = prev->next; > + prev->next = newnode; > + } else { > + newnode->next = h->htable[hvalue]; > + h->htable[hvalue] = newnode; > + } > + } > + > + return HASHTAB_SUCCESS; > +} > + > +hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key) > +{ > + > + int hvalue; > + hashtab_ptr_t cur; > + > + if (!h) > + return NULL; > + > + hvalue = h->hash_value(h, key); > + cur = h->htable[hvalue]; > + while (cur != NULL && h->keycmp(h, key, cur->key) > 0) > + cur = cur->next; > + > + if (cur == NULL || (h->keycmp(h, key, cur->key) != 0)) > + return NULL; > + > + return cur->datum; > +} > + > +void hashtab_destroy(hashtab_t h) > +{ > + unsigned int i; > + hashtab_ptr_t cur, temp; > + > + if (!h) > + return; > + > + for (i = 0; i < h->size; i++) { > + cur = h->htable[i]; > + while (cur != NULL) { > + temp = cur; > + cur = cur->next; > + free(temp); > + } > + h->htable[i] = NULL; > + } > + > + free(h->htable); > + h->htable = NULL; > + > + free(h); > +} > + > +int hashtab_map(hashtab_t h, > + int (*apply) (hashtab_key_t k, > + hashtab_datum_t d, void *args), void *args) > +{ > + unsigned int i, ret; > + hashtab_ptr_t cur; > + > + if (!h) > + return HASHTAB_SUCCESS; > + > + for (i = 0; i < h->size; i++) { > + cur = h->htable[i]; > + while (cur != NULL) { > + ret = apply(cur->key, cur->datum, args); > + if (ret) > + return ret; > + cur = cur->next; > + } > + } > + return HASHTAB_SUCCESS; > +} > + > +void hashtab_map_remove_on_error(hashtab_t h, > + int (*apply) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), > + void (*destroy) (hashtab_key_t k, > + hashtab_datum_t d, > + void *args), void *args) > +{ > + unsigned int i; > + int ret; > + hashtab_ptr_t last, cur, temp; > + > + if (!h) > + return; > + > + for (i = 0; i < h->size; i++) { > + last = NULL; > + cur = h->htable[i]; > + while (cur != NULL) { > + ret = apply(cur->key, cur->datum, args); > + if (ret) { > + if (last) { > + last->next = cur->next; > + } else { > + h->htable[i] = cur->next; > + } > + > + temp = cur; > + cur = cur->next; > + if (destroy) > + destroy(temp->key, temp->datum, args); > + free(temp); > + h->nel--; > + } else { > + last = cur; > + cur = cur->next; > + } > + } > + } > + > + return; > +} > + > +void hashtab_hash_eval(hashtab_t h, char *tag) > +{ > + unsigned int i; > + int chain_len, slots_used, max_chain_len; > + hashtab_ptr_t cur; > + > + slots_used = 0; > + max_chain_len = 0; > + for (i = 0; i < h->size; i++) { > + cur = h->htable[i]; > + if (cur) { > + slots_used++; > + chain_len = 0; > + while (cur) { > + chain_len++; > + cur = cur->next; > + } > + > + if (chain_len > max_chain_len) > + max_chain_len = chain_len; > + } > + } > + > + printf > + ("%s: %d entries and %d/%d buckets used, longest chain length %d\n", > + tag, h->nel, slots_used, h->size, max_chain_len); > +} > Index: trunk/policycoreutils/newrole/newrole.c > =================================================================== > --- trunk/policycoreutils/newrole/newrole.c (revision 2422) > +++ trunk/policycoreutils/newrole/newrole.c (working copy) > @@ -58,6 +58,7 @@ > #include <stdio.h> > #include <stdlib.h> /* for malloc(), realloc(), free() */ > #include <pwd.h> /* for getpwuid() */ > +#include <ctype.h> > #include <sys/types.h> /* to make getuid() and getpwuid() happy */ > #include <sys/wait.h> /* for wait() */ > #include <getopt.h> /* for getopt_long() form of getopt() */ > @@ -92,6 +93,10 @@ > /* USAGE_STRING describes the command-line args of this program. */ > #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]" > > +#ifdef USE_PAM > +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf"; > +#endif > + > #define DEFAULT_PATH "/usr/bin:/bin" > #define DEFAULT_CONTEXT_SIZE 255 /* first guess at context size */ > > @@ -159,7 +164,7 @@ > #include <security/pam_appl.h> /* for PAM functions */ > #include <security/pam_misc.h> /* for misc_conv PAM utility function */ > > -#define SERVICE_NAME "newrole" /* the name of this program for PAM */ > +char *service_name = "newrole"; > > /* authenticate_via_pam() > * > @@ -209,6 +214,113 @@ > return result; > } /* authenticate_via_pam() */ > > +#include "hashtab.h" > + > +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, > + void *args __attribute__ ((unused)) ) > +{ > + free(key); > + free(d); > + return 0; > +} > + > +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key) > +{ > + char *p, *keyp; > + size_t size; > + unsigned int val; > + > + val = 0; > + keyp = (char *)key; > + size = strlen(keyp); > + for (p = keyp; ((size_t) (p - keyp)) < size; p++) > + val = > + (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p); > + return val & (h->size - 1); > +} > + > +static int reqsymcmp(hashtab_t h > + __attribute__ ((unused)), hashtab_key_t key1, > + hashtab_key_t key2) > +{ > + char *keyp1, *keyp2; > + > + keyp1 = (char *)key1; > + keyp2 = (char *)key2; > + return strcmp(keyp1, keyp2); > +} > + > +static hashtab_t app_service_names = NULL; > +#define PAM_SERVICE_SLOTS 64 > + > +static int process_pam_config(FILE * cfg) > +{ > + const char *config_file_path = PAM_SERVICE_CONFIG; > + char *line_buf = NULL; > + unsigned long lineno = 0; > + size_t len = 0; > + char *app = NULL; > + char *service = NULL; > + int ret; > + > + while (getline(&line_buf, &len, cfg) > 0) { > + char *buffer = line_buf; > + lineno++; > + while (isspace(*buffer)) > + buffer++; > + if (buffer[0] == '#') > + continue; > + if (buffer[0] == '\n' || buffer[0] == '\0') > + continue; > + > + app = service = NULL; > + ret = sscanf(buffer, "%as %as\n", &app, &service); > + if (ret < 2 || !app || !service) > + goto err; > + > + ret = hashtab_insert(app_service_names, app, service); > + if (ret == HASHTAB_OVERFLOW) { > + fprintf(stderr, > + _("newrole: service name configuration hashtable overflow\n")); > + goto err; > + } > + } > + > + free(line_buf); > + return 0; > + err: > + free(app); > + free(service); > + fprintf(stderr, _("newrole: %s: error on line %lu.\n"), config_file_path, lineno); > + free(line_buf); > + return -1; > +} > + > +/* > + * Read config file ignoring comment lines. > + * Files specified one per line executable with a corresponding > + * pam service name. > + */ > +static int read_pam_config() > +{ > + const char *config_file_path = PAM_SERVICE_CONFIG; > + FILE *cfg = NULL; > + cfg = fopen(config_file_path, "r"); > + if (!cfg) > + return 0; /* This configuration is optional. */ > + app_service_names = > + hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS); > + if (!app_service_names) > + goto err; > + if (process_pam_config(cfg)) > + goto err; > + fclose(cfg); > + return 0; > + err: > + fclose(cfg); > + return -1; > +} > + > #else /* else !USE_PAM */ > > /************************************************************************ > @@ -1027,9 +1139,32 @@ > if (extract_pw_data(&pw)) > goto err_free; > > - printf(_("Authenticating %s.\n"), pw.pw_name); > #ifdef USE_PAM > - pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation, > + if (read_pam_config()) { > + fprintf(stderr, _("error on reading PAM service configuration.\n")); > + goto err_free; > + } > + > + if (app_service_names != NULL && optind < argc) { > + if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) { > + /* > + * Check for a separate pam service name for the > + * command when invoked by newrole. > + */ > + char *cmd = NULL; > + rc = sscanf(argv[optind + 1], "%as", &cmd); > + if (rc != EOF && cmd) { > + char *app_service_name = > + (char *)hashtab_search(app_service_names, > + cmd); > + free(cmd); > + if (app_service_name != NULL) > + service_name = app_service_name; > + } > + } > + } > + > + pam_status = pam_start(service_name, pw.pw_name, &pam_conversation, > &pam_handle); > if (pam_status != PAM_SUCCESS) { > fprintf(stderr, _("failed to initialize PAM\n")); > @@ -1118,6 +1253,8 @@ > pam_strerror(pam_handle, rc)); > exit_code = -1; > } > + hashtab_map(app_service_names, free_hashtab_entry, NULL); > + hashtab_destroy(app_service_names); > #endif > free(pw.pw_name); > free(pw.pw_dir); > @@ -1223,5 +1360,11 @@ > free(pw.pw_dir); > free(pw.pw_shell); > free(shell_argv0); > +#ifdef USE_PAM > + if (app_service_names) { > + hashtab_map(app_service_names, free_hashtab_entry, NULL); > + hashtab_destroy(app_service_names); > + } > +#endif > return -1; > } /* main() */ > Index: trunk/policycoreutils/newrole/Makefile > =================================================================== > --- trunk/policycoreutils/newrole/Makefile (revision 2422) > +++ trunk/policycoreutils/newrole/Makefile (working copy) > @@ -21,10 +21,12 @@ > VERSION = $(shell cat ../VERSION) > > CFLAGS ?= -Werror -Wall -W > +EXTRA_OBJS = > override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" > LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib > ifeq (${PAMH}, /usr/include/security/pam_appl.h) > override CFLAGS += -DUSE_PAM > + EXTRA_OBJS += hashtab.o > LDLIBS += -lpam -lpam_misc > else > override CFLAGS += -D_XOPEN_SOURCE=500 > @@ -53,9 +55,10 @@ > MODE := 0555 > endif > > -TARGETS=$(patsubst %.c,%,$(wildcard *.c)) > +all: newrole > > -all: $(TARGETS) > +newrole: newrole.o $(EXTRA_OBJS) > + $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) > > install: all > test -d $(BINDIR) || install -m 755 -d $(BINDIR) > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) 2007-05-08 19:11 ` [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) Stephen Smalley 2007-05-08 19:54 ` Karl MacMillan @ 2007-05-11 18:42 ` Karl MacMillan 1 sibling, 0 replies; 22+ messages in thread From: Karl MacMillan @ 2007-05-11 18:42 UTC (permalink / raw) To: Stephen Smalley; +Cc: Ted X Toth, selinux, Joshua Brindle, Darrel Goeddel On Tue, 2007-05-08 at 15:11 -0400, Stephen Smalley wrote: > From: Ted X Toth <txtoth@gmail.com> > > With some modifications by Stephen Smalley <sds@tycho.nsa.gov>. > > Extend newrole to enable use of alternate pam configurations when > running an application in a different context. Introduces > /etc/selinux/newrole_pam.conf as a config file mapping application > pathnames to pam service names when the application is invoked via > newrole. In the absence of the config file or the absence of a > matching entry, falls back to the standard newrole pam configuration. > > Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> > Merged into trunk and policyrep. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 22+ messages in thread
end of thread, other threads:[~2007-05-11 18:42 UTC | newest]
Thread overview: 22+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-04-27 18:41 launching apps at level (MLS) and polyinstantiation Ted X Toth
2007-04-27 19:01 ` Stephen Smalley
2007-04-27 19:05 ` Stephen Smalley
[not found] ` <463360B0.7020106@gmail.com>
[not found] ` <1177934887.16232.7.camel@moss-spartans.epoch.ncsc.mil>
2007-04-30 14:41 ` Ted X Toth
2007-04-30 14:52 ` Stephen Smalley
2007-05-02 15:49 ` Xavier Toth
2007-05-02 16:57 ` Stephen Smalley
2007-05-02 21:42 ` Xavier Toth
2007-05-03 12:35 ` Stephen Smalley
2007-05-03 13:11 ` Xavier Toth
2007-05-03 13:40 ` Stephen Smalley
2007-05-03 13:51 ` Xavier Toth
2007-05-03 13:49 ` Stephen Smalley
2007-05-03 19:18 ` Stephen Smalley
2007-05-03 21:09 ` Darrel Goeddel
2007-05-08 17:54 ` Stephen Smalley
2007-05-04 18:56 ` Ted X Toth
2007-05-04 19:23 ` Stephen Smalley
2007-05-04 20:15 ` Ted X Toth
2007-05-08 19:11 ` [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation) Stephen Smalley
2007-05-08 19:54 ` Karl MacMillan
2007-05-11 18:42 ` Karl MacMillan
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.