launching apps at level (MLS) and polyinstantiation

launching apps at level (MLS) and polyinstantiation

[Ted X Toth]

I'm working on an application that launches other applications at a 
specified level. I have also configured polyinstantiation for a some 
directories. What I have found is that I had to make this application 
pam aware in order for the child process to get polyinstantiated 
directories. One issue is the reauthentication I've already 
authenticated why should I have to reauthenticate so that a child 
process can use polyinstantiated directories? Currently this app works 
when run as root but not as other users because the unshare call in 
pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I 
need to do so that the application has this capability? I tried making 
the app setuid but that didn't help.

Ted

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote:
> I'm working on an application that launches other applications at a 
> specified level. I have also configured polyinstantiation for a some 
> directories. What I have found is that I had to make this application 
> pam aware in order for the child process to get polyinstantiated 
> directories. One issue is the reauthentication I've already 
> authenticated why should I have to reauthenticate so that a child 
> process can use polyinstantiated directories? Currently this app works 
> when run as root but not as other users because the unshare call in 
> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I 
> need to do so that the application has this capability? I tried making 
> the app setuid but that didn't help.

First, your application sounds similar to newrole -l, so hopefully you
can draw from it.

What precisely requires your app to perform authentication?  You control
your app's pam config, so you can define those modules as you see fit,
including using trivial ones like pam_permit.so.  And you control
whether your app calls pam_authenticate().  Possibly you may need to set
up state to make pam_open_session() happy.

newrole has the same issue wrt needing capabilities, so look to it as an
example - look at the NAMESPACE_PRIV code.  It needs to be suid but also
needs to run in a domain that is allowed those capabilities.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote:
> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote:
> > I'm working on an application that launches other applications at a 
> > specified level. I have also configured polyinstantiation for a some 
> > directories. What I have found is that I had to make this application 
> > pam aware in order for the child process to get polyinstantiated 
> > directories. One issue is the reauthentication I've already 
> > authenticated why should I have to reauthenticate so that a child 
> > process can use polyinstantiated directories? Currently this app works 
> > when run as root but not as other users because the unshare call in 
> > pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I 
> > need to do so that the application has this capability? I tried making 
> > the app setuid but that didn't help.
> 
> First, your application sounds similar to newrole -l, so hopefully you
> can draw from it.

In fact, newrole -l <level> -- -c <app> will run an application in a
given level.

> 
> What precisely requires your app to perform authentication?  You control
> your app's pam config, so you can define those modules as you see fit,
> including using trivial ones like pam_permit.so.  And you control
> whether your app calls pam_authenticate().  Possibly you may need to set
> up state to make pam_open_session() happy.
> 
> newrole has the same issue wrt needing capabilities, so look to it as an
> example - look at the NAMESPACE_PRIV code.  It needs to be suid but also
> needs to run in a domain that is allowed those capabilities.
> 
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Ted X Toth]

Stephen Smalley wrote:
> On Sat, 2007-04-28 at 09:56 -0500, Ted X Toth wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote:
>>>   
>>>       
>>>> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote:
>>>>     
>>>>         
>>>>> I'm working on an application that launches other applications at a 
>>>>> specified level. I have also configured polyinstantiation for a some 
>>>>> directories. What I have found is that I had to make this application 
>>>>> pam aware in order for the child process to get polyinstantiated 
>>>>> directories. One issue is the reauthentication I've already 
>>>>> authenticated why should I have to reauthenticate so that a child 
>>>>> process can use polyinstantiated directories? Currently this app works 
>>>>> when run as root but not as other users because the unshare call in 
>>>>> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I 
>>>>> need to do so that the application has this capability? I tried making 
>>>>> the app setuid but that didn't help.
>>>>>       
>>>>>           
>>>> First, your application sounds similar to newrole -l, so hopefully you
>>>> can draw from it.
>>>>     
>>>>         
>>> In fact, newrole -l <level> -- -c <app> will run an application in a
>>> given level.
>>>
>>>   
>>>       
>>>> What precisely requires your app to perform authentication?  You control
>>>> your app's pam config, so you can define those modules as you see fit,
>>>> including using trivial ones like pam_permit.so.  And you control
>>>> whether your app calls pam_authenticate().  Possibly you may need to set
>>>> up state to make pam_open_session() happy.
>>>>
>>>> newrole has the same issue wrt needing capabilities, so look to it as an
>>>> example - look at the NAMESPACE_PRIV code.  It needs to be suid but also
>>>> needs to run in a domain that is allowed those capabilities.
>>>>
>>>>     
>>>>         
>> Would it be reasonable to extend newrole by adding a parameter for the 
>> pam service name so that different authentication strategies could be 
>> employed?
>>     
>
> That would be dangerous - a user could then pick any pam service name he
> wants and run newrole with that, e.g. to bypass some aspect of the
> newrole pam stack.
>
> But you are certainly free to customize /etc/pam.d/newrole on your
> systems as you like.
>   
We wouldn't want to change newroles pam configuration across the board like that we're looking to be able to reuse its capability in more flexible ways. You could limit which pam configurations that could be used by defining a policy attribute and only allowing newrole access to files with that attribute, right? Another idea is to have a configuration file that would map service names to applications being run under newrole.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Mon, 2007-04-30 at 09:41 -0500, Ted X Toth wrote:
> Stephen Smalley wrote:
> > On Sat, 2007-04-28 at 09:56 -0500, Ted X Toth wrote:
> >   
> >> Stephen Smalley wrote:
> >>     
> >>> On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote:
> >>>   
> >>>       
> >>>> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote:
> >>>>     
> >>>>         
> >>>>> I'm working on an application that launches other applications at a 
> >>>>> specified level. I have also configured polyinstantiation for a some 
> >>>>> directories. What I have found is that I had to make this application 
> >>>>> pam aware in order for the child process to get polyinstantiated 
> >>>>> directories. One issue is the reauthentication I've already 
> >>>>> authenticated why should I have to reauthenticate so that a child 
> >>>>> process can use polyinstantiated directories? Currently this app works 
> >>>>> when run as root but not as other users because the unshare call in 
> >>>>> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I 
> >>>>> need to do so that the application has this capability? I tried making 
> >>>>> the app setuid but that didn't help.
> >>>>>       
> >>>>>           
> >>>> First, your application sounds similar to newrole -l, so hopefully you
> >>>> can draw from it.
> >>>>     
> >>>>         
> >>> In fact, newrole -l <level> -- -c <app> will run an application in a
> >>> given level.
> >>>
> >>>   
> >>>       
> >>>> What precisely requires your app to perform authentication?  You control
> >>>> your app's pam config, so you can define those modules as you see fit,
> >>>> including using trivial ones like pam_permit.so.  And you control
> >>>> whether your app calls pam_authenticate().  Possibly you may need to set
> >>>> up state to make pam_open_session() happy.
> >>>>
> >>>> newrole has the same issue wrt needing capabilities, so look to it as an
> >>>> example - look at the NAMESPACE_PRIV code.  It needs to be suid but also
> >>>> needs to run in a domain that is allowed those capabilities.
> >>>>
> >>>>     
> >>>>         
> >> Would it be reasonable to extend newrole by adding a parameter for the 
> >> pam service name so that different authentication strategies could be 
> >> employed?
> >>     
> >
> > That would be dangerous - a user could then pick any pam service name he
> > wants and run newrole with that, e.g. to bypass some aspect of the
> > newrole pam stack.
> >
> > But you are certainly free to customize /etc/pam.d/newrole on your
> > systems as you like.
> >   
> We wouldn't want to change newroles pam configuration across the board
> like that we're looking to be able to reuse its capability in more
> flexible ways. You could limit which pam configurations that could be
> used by defining a policy attribute and only allowing newrole access
> to files with that attribute, right? Another idea is to have a
> configuration file that would map service names to applications being
> run under newrole.

I wouldn't want to base it on what types newrole can read, as that will
be too coarse-grained and too prone to misconfiguration.  Having an
explicit configuration for newrole'able apps would make more sense, more
like consolehelper aka usermode.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 3444 bytes --]

Stephen.
I'd appreciate you reviewing this proposed patch.

Ted

On 4/30/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2007-04-30 at 09:41 -0500, Ted X Toth wrote:
> > Stephen Smalley wrote:
> > > On Sat, 2007-04-28 at 09:56 -0500, Ted X Toth wrote:
> > >
> > >> Stephen Smalley wrote:
> > >>
> > >>> On Fri, 2007-04-27 at 15:01 -0400, Stephen Smalley wrote:
> > >>>
> > >>>
> > >>>> On Fri, 2007-04-27 at 13:41 -0500, Ted X Toth wrote:
> > >>>>
> > >>>>
> > >>>>> I'm working on an application that launches other applications at a
> > >>>>> specified level. I have also configured polyinstantiation for a some
> > >>>>> directories. What I have found is that I had to make this application
> > >>>>> pam aware in order for the child process to get polyinstantiated
> > >>>>> directories. One issue is the reauthentication I've already
> > >>>>> authenticated why should I have to reauthenticate so that a child
> > >>>>> process can use polyinstantiated directories? Currently this app works
> > >>>>> when run as root but not as other users because the unshare call in
> > >>>>> pam_namespace fails for lack of permissions (CAP_SYS_ADMIN?). What do I
> > >>>>> need to do so that the application has this capability? I tried making
> > >>>>> the app setuid but that didn't help.
> > >>>>>
> > >>>>>
> > >>>> First, your application sounds similar to newrole -l, so hopefully you
> > >>>> can draw from it.
> > >>>>
> > >>>>
> > >>> In fact, newrole -l <level> -- -c <app> will run an application in a
> > >>> given level.
> > >>>
> > >>>
> > >>>
> > >>>> What precisely requires your app to perform authentication?  You control
> > >>>> your app's pam config, so you can define those modules as you see fit,
> > >>>> including using trivial ones like pam_permit.so.  And you control
> > >>>> whether your app calls pam_authenticate().  Possibly you may need to set
> > >>>> up state to make pam_open_session() happy.
> > >>>>
> > >>>> newrole has the same issue wrt needing capabilities, so look to it as an
> > >>>> example - look at the NAMESPACE_PRIV code.  It needs to be suid but also
> > >>>> needs to run in a domain that is allowed those capabilities.
> > >>>>
> > >>>>
> > >>>>
> > >> Would it be reasonable to extend newrole by adding a parameter for the
> > >> pam service name so that different authentication strategies could be
> > >> employed?
> > >>
> > >
> > > That would be dangerous - a user could then pick any pam service name he
> > > wants and run newrole with that, e.g. to bypass some aspect of the
> > > newrole pam stack.
> > >
> > > But you are certainly free to customize /etc/pam.d/newrole on your
> > > systems as you like.
> > >
> > We wouldn't want to change newroles pam configuration across the board
> > like that we're looking to be able to reuse its capability in more
> > flexible ways. You could limit which pam configurations that could be
> > used by defining a policy attribute and only allowing newrole access
> > to files with that attribute, right? Another idea is to have a
> > configuration file that would map service names to applications being
> > run under newrole.
>
> I wouldn't want to base it on what types newrole can read, as that will
> be too coarse-grained and too prone to misconfiguration.  Having an
> explicit configuration for newrole'able apps would make more sense, more
> like consolehelper aka usermode.
>
> --
> Stephen Smalley
> National Security Agency
>
>

[-- Attachment #2: policycoreutils-service-name.patch --]
[-- Type: text/x-patch, Size: 6078 bytes --]

--- policycoreutils-1.33.12/newrole/newrole.c	2007-05-02 10:45:14.000000000 -0500
+++ policycoreutils-1.33.12.new/newrole/newrole.c	2007-05-02 10:45:05.000000000 -0500
@@ -54,6 +54,7 @@
 #include <stdio.h>
 #include <stdlib.h>		/* for malloc(), realloc(), free() */
 #include <pwd.h>		/* for getpwuid() */
+#include <ctype.h>
 #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		/* for wait() */
 #include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -85,6 +86,8 @@
 #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 #endif
 
+#include <sepol/policydb/hashtab.h>
+
 /* USAGE_STRING describes the command-line args of this program. */
 #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
 
@@ -156,6 +159,7 @@
 #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
 
 #define SERVICE_NAME "newrole"	/* the name of this program for PAM */
+char *service_name = "newrole";
 
 /* authenticate_via_pam()
  *
@@ -921,6 +925,141 @@
 	return 0;
 }
 
+static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
+{
+	char *p, *keyp;
+	size_t size;
+	unsigned int val;
+
+	val = 0;
+	keyp = (char *)key;
+	size = strlen(keyp);
+	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
+		val =
+		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+	return val & (h->size - 1);
+}
+
+static int reqsymcmp(hashtab_t h
+		     __attribute__ ((unused)), hashtab_key_t key1,
+		     hashtab_key_t key2)
+{
+	char *keyp1, *keyp2;
+
+	keyp1 = (char *)key1;
+	keyp2 = (char *)key2;
+	return strcmp(keyp1, keyp2);
+}
+
+static hashtab_t app_service_names = NULL;
+
+static void process_config(FILE * cfg)
+{
+	char *line_buf = NULL;
+	size_t len = 0;
+	size_t current_size = 0;
+	char *app = NULL;
+	char *service = NULL;
+	int ret;
+	char *local_app = NULL;
+	char *local_service_name = NULL;
+
+	while (getline(&line_buf, &len, cfg) > 0) {
+	  char *buffer = line_buf;
+	  while (isspace(*buffer))
+	    buffer++;
+	  if (buffer[0] == '#')
+	    continue;
+	  int l = strlen(buffer) - 1;
+	  if (l <= 0)
+	    continue;
+	  buffer[l] = 0;
+	  if (local_app == NULL) {
+	    current_size = len;
+	    local_app = malloc(current_size);
+	    local_service_name = malloc(current_size);
+	  }
+	  else {
+	    if (current_size < len) {
+	      current_size = len;
+	      local_app = (char *)realloc(local_app, current_size);
+	      local_service_name = (char *)realloc(local_service_name, current_size);
+	    }
+	  }
+	    
+	  local_app[0] = 0;
+	  local_service_name[0] = 0;
+	  /* 
+	     Split the buffer into the application and service names 
+	  */
+	  sscanf(buffer, "%s %s", local_app, local_service_name);
+	  if (strlen(local_app) > 0) {
+	    app = (char*) malloc( strlen(local_app)+1 );
+	    strcpy(app, local_app);
+	    /*
+	      Check for a service name
+	    */
+	    if (strlen(local_service_name) > 0) {
+	      service = (char*) malloc( strlen(local_service_name)+1 );
+	      strcpy(service, local_service_name);
+	      /*
+		Save the mapping to the hashtable.
+	      */
+	      ret = hashtab_insert(app_service_names,
+				   app,
+				   service);
+	    }
+	    else {
+	      /*
+		No service name specified for app.
+	      */
+	      free(app);
+	    }
+	  }
+	}
+	free(line_buf);
+	if (local_app == NULL) {
+	  free(local_app);
+	}
+	if (local_service_name == NULL) {
+	  free(local_service_name);
+	}
+}
+
+/* 
+   Read config file ignoring comment lines.
+   Files specified one per line executable with a corresponding
+   pam service name.
+*/
+
+static void read_config()
+{
+	char *config_file_path = "/etc/selinux/newrole.conf";
+	app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);
+	FILE *cfg = NULL;
+	cfg = fopen(config_file_path, "r");
+	if (!cfg)
+	  return;
+	process_config(cfg);
+	fclose(cfg);
+}
+
+static void free_hashtab(hashtab_t req)
+{
+	unsigned int i;
+	hashtab_ptr_t cur;
+
+	for (i = 0; i < req->size; i++) {
+		cur = req->htable[i];
+		while (cur != NULL) {
+		  free(cur->datum);
+		  free(cur->key);
+		  cur = cur->next;
+		}
+	}
+	hashtab_destroy(req);
+}
+
 /************************************************************************
  *
  * All code used for both PAM and shadow passwd goes in this section.
@@ -1001,6 +1140,8 @@
 		return -1;
 	}
 
+	read_config();
+
 	ttyn = ttyname(0);
 	if (!ttyn || *ttyn == '\0') {
 		fprintf(stderr,
@@ -1025,7 +1166,27 @@
 
 	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	/*
+	  Are we being asked to execute a process in a new context?
+	*/
+	if (optind < argc) {
+	  /*
+	    Get the executable from the command line.
+	  */
+	  char *cmd = (char *)malloc(strlen(argv[optind+1]));
+	  sscanf(argv[optind+1], "%s", cmd);
+	  /*
+	    See if there is a pam configuration specific to the executable.
+	  */
+	  char* app_service_name = 
+	    (char *) hashtab_search(app_service_names, cmd);
+	  if (app_service_name != NULL) {
+	    service_name = app_service_name;
+	  }
+	  free(cmd);
+	}
+
+	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
 			       &pam_handle);
 	if (pam_status != PAM_SUCCESS) {
 		fprintf(stderr, _("failed to initialize PAM\n"));
@@ -1114,6 +1275,7 @@
 				pam_strerror(pam_handle, rc));
 			exit_code = -1;
 		}
+		free_hashtab(app_service_names);
 #endif
 		free(pw.pw_name);
 		free(pw.pw_dir);
--- policycoreutils-1.33.12/newrole/Makefile	2007-01-11 13:01:39.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/Makefile	2007-04-30 14:59:00.000000000 -0500
@@ -22,7 +22,7 @@
 
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
+LDLIBS += $(LIBDIR)/libsepol.a -lselinux -lsepol -L$(PREFIX)/lib
 ifeq (${PAMH}, /usr/include/security/pam_appl.h)
 	override CFLAGS += -DUSE_PAM
 	LDLIBS += -lpam -lpam_misc

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote:
> Stephen.
> I'd appreciate you reviewing this proposed patch.
> 
> Ted

A few initial comments after a quick look (not a full review yet)

--- policycoreutils-1.33.12/newrole/newrole.c	2007-05-02 10:45:14.000000000 -0500
+++ policycoreutils-1.33.12.new/newrole/newrole.c	2007-05-02 10:45:05.000000000 -0500
@@ -54,6 +54,7 @@
 #include <stdio.h>
 #include <stdlib.h>		/* for malloc(), realloc(), free() */
 #include <pwd.h>		/* for getpwuid() */
+#include <ctype.h>
 #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		/* for wait() */
 #include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -85,6 +86,8 @@
 #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 #endif
 
+#include <sepol/policydb/hashtab.h>

We don't want newrole to link with the static libsepol, so if you want
to use the libsepol hashtab (and symtab) support, copy it into the
newrole directory.

+static void process_config(FILE * cfg)
+{
+	char *line_buf = NULL;
+	size_t len = 0;
+	size_t current_size = 0;
+	char *app = NULL;
+	char *service = NULL;
+	int ret;
+	char *local_app = NULL;
+	char *local_service_name = NULL;
+
+	while (getline(&line_buf, &len, cfg) > 0) {
+	  char *buffer = line_buf;
+	  while (isspace(*buffer))
+	    buffer++;
+	  if (buffer[0] == '#')
+	    continue;
+	  int l = strlen(buffer) - 1;
+	  if (l <= 0)
+	    continue;
+	  buffer[l] = 0;
+	  if (local_app == NULL) {
+	    current_size = len;
+	    local_app = malloc(current_size);
+	    local_service_name = malloc(current_size);

General comment:  Always check for failure on function calls, and handle errors.

+	  sscanf(buffer, "%s %s", local_app, local_service_name);

You could just strtok() the buffer or similar to avoid making copies.
Or if you need a copy, you can use the %as format to have glibc allocate the memory
for you automatically.

+/* 
+   Read config file ignoring comment lines.
+   Files specified one per line executable with a corresponding
+   pam service name.
+*/
+
+static void read_config()
+{
+	char *config_file_path = "/etc/selinux/newrole.conf";
+	app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);

Check for failure.

+static void free_hashtab(hashtab_t req)
+{
+	unsigned int i;
+	hashtab_ptr_t cur;
+
+	for (i = 0; i < req->size; i++) {
+		cur = req->htable[i];
+		while (cur != NULL) {
+		  free(cur->datum);
+		  free(cur->key);
+		  cur = cur->next;
+		}
+	}
+	hashtab_destroy(req);
+}

Breaks the "abstraction".  Normally this would be done as a
hashtab_map() to free the keys and datum followed by a hashtab_destroy()
to free the table.  Or if you want a unified form, you could do
something like hashtab_map_remove_on_error() except always doing the
removal, but put it in your copy of the hashtab code.

@@ -1025,7 +1166,27 @@
 
 	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	/*
+	  Are we being asked to execute a process in a new context?
+	*/
+	if (optind < argc) {
+	  /*
+	    Get the executable from the command line.
+	  */
+	  char *cmd = (char *)malloc(strlen(argv[optind+1]));

argv[optind+1] or argv[optind]?  And you'd need to add 1 to the length (not optind) for terminating NUL.

+	  sscanf(argv[optind+1], "%s", cmd);

Pointless, argument vector has already been parsed by the shell.
Just use argv[optind] directly, no copy required.

+	  /*
+	    See if there is a pam configuration specific to the executable.
+	  */
+	  char* app_service_name = 
+	    (char *) hashtab_search(app_service_names, cmd);

I think you want to qualify these with a prefix so that if <app> also
uses pam, then there is no ambiguity between the pam configuration for
the <app> itself vs. the pam configuration used by newrole when
launching the <app>.  e.g. prefix them with "newrole_".

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Xavier Toth]

On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote:
> > Stephen.
> > I'd appreciate you reviewing this proposed patch.
> >
> > Ted
>
> A few initial comments after a quick look (not a full review yet)
>
> --- policycoreutils-1.33.12/newrole/newrole.c   2007-05-02 10:45:14.000000000 -0500
> +++ policycoreutils-1.33.12.new/newrole/newrole.c       2007-05-02 10:45:05.000000000 -0500
> @@ -54,6 +54,7 @@
>  #include <stdio.h>
>  #include <stdlib.h>            /* for malloc(), realloc(), free() */
>  #include <pwd.h>               /* for getpwuid() */
> +#include <ctype.h>
>  #include <sys/types.h>         /* to make getuid() and getpwuid() happy */
>  #include <sys/wait.h>          /* for wait() */
>  #include <getopt.h>            /* for getopt_long() form of getopt() */
> @@ -85,6 +86,8 @@
>  #define PACKAGE "policycoreutils"      /* the name of this package lang translation */
>  #endif
>
> +#include <sepol/policydb/hashtab.h>
>
> We don't want newrole to link with the static libsepol, so if you want
> to use the libsepol hashtab (and symtab) support, copy it into the
> newrole directory.
>
> +static void process_config(FILE * cfg)
> +{
> +       char *line_buf = NULL;
> +       size_t len = 0;
> +       size_t current_size = 0;
> +       char *app = NULL;
> +       char *service = NULL;
> +       int ret;
> +       char *local_app = NULL;
> +       char *local_service_name = NULL;
> +
> +       while (getline(&line_buf, &len, cfg) > 0) {
> +         char *buffer = line_buf;
> +         while (isspace(*buffer))
> +           buffer++;
> +         if (buffer[0] == '#')
> +           continue;
> +         int l = strlen(buffer) - 1;
> +         if (l <= 0)
> +           continue;
> +         buffer[l] = 0;
> +         if (local_app == NULL) {
> +           current_size = len;
> +           local_app = malloc(current_size);
> +           local_service_name = malloc(current_size);
>
> General comment:  Always check for failure on function calls, and handle errors.
>
> +         sscanf(buffer, "%s %s", local_app, local_service_name);
>
> You could just strtok() the buffer or similar to avoid making copies.
> Or if you need a copy, you can use the %as format to have glibc allocate the memory
> for you automatically.
>
> +/*
> +   Read config file ignoring comment lines.
> +   Files specified one per line executable with a corresponding
> +   pam service name.
> +*/
> +
> +static void read_config()
> +{
> +       char *config_file_path = "/etc/selinux/newrole.conf";
> +       app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);
>
> Check for failure.
>
> +static void free_hashtab(hashtab_t req)
> +{
> +       unsigned int i;
> +       hashtab_ptr_t cur;
> +
> +       for (i = 0; i < req->size; i++) {
> +               cur = req->htable[i];
> +               while (cur != NULL) {
> +                 free(cur->datum);
> +                 free(cur->key);
> +                 cur = cur->next;
> +               }
> +       }
> +       hashtab_destroy(req);
> +}
>
> Breaks the "abstraction".  Normally this would be done as a
> hashtab_map() to free the keys and datum followed by a hashtab_destroy()
> to free the table.  Or if you want a unified form, you could do
> something like hashtab_map_remove_on_error() except always doing the
> removal, but put it in your copy of the hashtab code.
>
> @@ -1025,7 +1166,27 @@
>
>         printf(_("Authenticating %s.\n"), pw.pw_name);
>  #ifdef USE_PAM
> -       pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
> +       /*
> +         Are we being asked to execute a process in a new context?
> +       */
> +       if (optind < argc) {
> +         /*
> +           Get the executable from the command line.
> +         */
> +         char *cmd = (char *)malloc(strlen(argv[optind+1]));
>
> argv[optind+1] or argv[optind]?  And you'd need to add 1 to the length (not optind) for terminating NUL.
>
> +         sscanf(argv[optind+1], "%s", cmd);
>
> Pointless, argument vector has already been parsed by the shell.
> Just use argv[optind] directly, no copy required.
>
> +         /*
> +           See if there is a pam configuration specific to the executable.
> +         */
> +         char* app_service_name =
> +           (char *) hashtab_search(app_service_names, cmd);
>
> I think you want to qualify these with a prefix so that if <app> also
> uses pam, then there is no ambiguity between the pam configuration for
> the <app> itself vs. the pam configuration used by newrole when
> launching the <app>.  e.g. prefix them with "newrole_".

Are you talking about something more than a convention? Like the code
enforcing this somehow?

>
> --
> Stephen Smalley
> National Security Agency
>
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Wed, 2007-05-02 at 16:42 -0500, Xavier Toth wrote:
> On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote:
> > > Stephen.
> > > I'd appreciate you reviewing this proposed patch.
> > >
> > > Ted
> >
> > A few initial comments after a quick look (not a full review yet)
> >
> > --- policycoreutils-1.33.12/newrole/newrole.c   2007-05-02 10:45:14.000000000 -0500
> > +++ policycoreutils-1.33.12.new/newrole/newrole.c       2007-05-02 10:45:05.000000000 -0500
> > @@ -54,6 +54,7 @@
> >  #include <stdio.h>
> >  #include <stdlib.h>            /* for malloc(), realloc(), free() */
> >  #include <pwd.h>               /* for getpwuid() */
> > +#include <ctype.h>
> >  #include <sys/types.h>         /* to make getuid() and getpwuid() happy */
> >  #include <sys/wait.h>          /* for wait() */
> >  #include <getopt.h>            /* for getopt_long() form of getopt() */
> > @@ -85,6 +86,8 @@
> >  #define PACKAGE "policycoreutils"      /* the name of this package lang translation */
> >  #endif
> >
> > +#include <sepol/policydb/hashtab.h>
> >
> > We don't want newrole to link with the static libsepol, so if you want
> > to use the libsepol hashtab (and symtab) support, copy it into the
> > newrole directory.
> >
> > +static void process_config(FILE * cfg)
> > +{
> > +       char *line_buf = NULL;
> > +       size_t len = 0;
> > +       size_t current_size = 0;
> > +       char *app = NULL;
> > +       char *service = NULL;
> > +       int ret;
> > +       char *local_app = NULL;
> > +       char *local_service_name = NULL;
> > +
> > +       while (getline(&line_buf, &len, cfg) > 0) {
> > +         char *buffer = line_buf;
> > +         while (isspace(*buffer))
> > +           buffer++;
> > +         if (buffer[0] == '#')
> > +           continue;
> > +         int l = strlen(buffer) - 1;
> > +         if (l <= 0)
> > +           continue;
> > +         buffer[l] = 0;
> > +         if (local_app == NULL) {
> > +           current_size = len;
> > +           local_app = malloc(current_size);
> > +           local_service_name = malloc(current_size);
> >
> > General comment:  Always check for failure on function calls, and handle errors.
> >
> > +         sscanf(buffer, "%s %s", local_app, local_service_name);
> >
> > You could just strtok() the buffer or similar to avoid making copies.
> > Or if you need a copy, you can use the %as format to have glibc allocate the memory
> > for you automatically.
> >
> > +/*
> > +   Read config file ignoring comment lines.
> > +   Files specified one per line executable with a corresponding
> > +   pam service name.
> > +*/
> > +
> > +static void read_config()
> > +{
> > +       char *config_file_path = "/etc/selinux/newrole.conf";
> > +       app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);
> >
> > Check for failure.
> >
> > +static void free_hashtab(hashtab_t req)
> > +{
> > +       unsigned int i;
> > +       hashtab_ptr_t cur;
> > +
> > +       for (i = 0; i < req->size; i++) {
> > +               cur = req->htable[i];
> > +               while (cur != NULL) {
> > +                 free(cur->datum);
> > +                 free(cur->key);
> > +                 cur = cur->next;
> > +               }
> > +       }
> > +       hashtab_destroy(req);
> > +}
> >
> > Breaks the "abstraction".  Normally this would be done as a
> > hashtab_map() to free the keys and datum followed by a hashtab_destroy()
> > to free the table.  Or if you want a unified form, you could do
> > something like hashtab_map_remove_on_error() except always doing the
> > removal, but put it in your copy of the hashtab code.
> >
> > @@ -1025,7 +1166,27 @@
> >
> >         printf(_("Authenticating %s.\n"), pw.pw_name);
> >  #ifdef USE_PAM
> > -       pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
> > +       /*
> > +         Are we being asked to execute a process in a new context?
> > +       */
> > +       if (optind < argc) {
> > +         /*
> > +           Get the executable from the command line.
> > +         */
> > +         char *cmd = (char *)malloc(strlen(argv[optind+1]));
> >
> > argv[optind+1] or argv[optind]?  And you'd need to add 1 to the length (not optind) for terminating NUL.
> >
> > +         sscanf(argv[optind+1], "%s", cmd);
> >
> > Pointless, argument vector has already been parsed by the shell.
> > Just use argv[optind] directly, no copy required.
> >
> > +         /*
> > +           See if there is a pam configuration specific to the executable.
> > +         */
> > +         char* app_service_name =
> > +           (char *) hashtab_search(app_service_names, cmd);
> >
> > I think you want to qualify these with a prefix so that if <app> also
> > uses pam, then there is no ambiguity between the pam configuration for
> > the <app> itself vs. the pam configuration used by newrole when
> > launching the <app>.  e.g. prefix them with "newrole_".
> 
> Are you talking about something more than a convention? Like the code
> enforcing this somehow?

Since you are putting the service names into a config file, it can just
be a convention, but it is important to note.  Otherwise, someone might
just use the application name as the pam service name, which could lead
to problems if the application already has a pam config of its own.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 4945 bytes --]

On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote:
> > Stephen.
> > I'd appreciate you reviewing this proposed patch.
> >
> > Ted
>
> A few initial comments after a quick look (not a full review yet)
>
> --- policycoreutils-1.33.12/newrole/newrole.c   2007-05-02 10:45:14.000000000 -0500
> +++ policycoreutils-1.33.12.new/newrole/newrole.c       2007-05-02 10:45:05.000000000 -0500
> @@ -54,6 +54,7 @@
>  #include <stdio.h>
>  #include <stdlib.h>            /* for malloc(), realloc(), free() */
>  #include <pwd.h>               /* for getpwuid() */
> +#include <ctype.h>
>  #include <sys/types.h>         /* to make getuid() and getpwuid() happy */
>  #include <sys/wait.h>          /* for wait() */
>  #include <getopt.h>            /* for getopt_long() form of getopt() */
> @@ -85,6 +86,8 @@
>  #define PACKAGE "policycoreutils"      /* the name of this package lang translation */
>  #endif
>
> +#include <sepol/policydb/hashtab.h>
>
> We don't want newrole to link with the static libsepol, so if you want
> to use the libsepol hashtab (and symtab) support, copy it into the
> newrole directory.
>

I'd prefer it if this was in a shared library.

> +static void process_config(FILE * cfg)
> +{
> +       char *line_buf = NULL;
> +       size_t len = 0;
> +       size_t current_size = 0;
> +       char *app = NULL;
> +       char *service = NULL;
> +       int ret;
> +       char *local_app = NULL;
> +       char *local_service_name = NULL;
> +
> +       while (getline(&line_buf, &len, cfg) > 0) {
> +         char *buffer = line_buf;
> +         while (isspace(*buffer))
> +           buffer++;
> +         if (buffer[0] == '#')
> +           continue;
> +         int l = strlen(buffer) - 1;
> +         if (l <= 0)
> +           continue;
> +         buffer[l] = 0;
> +         if (local_app == NULL) {
> +           current_size = len;
> +           local_app = malloc(current_size);
> +           local_service_name = malloc(current_size);
>
> General comment:  Always check for failure on function calls, and handle errors.
>
> +         sscanf(buffer, "%s %s", local_app, local_service_name);
>
> You could just strtok() the buffer or similar to avoid making copies.
> Or if you need a copy, you can use the %as format to have glibc allocate the memory
> for you automatically.
>
> +/*
> +   Read config file ignoring comment lines.
> +   Files specified one per line executable with a corresponding
> +   pam service name.
> +*/
> +
> +static void read_config()
> +{
> +       char *config_file_path = "/etc/selinux/newrole.conf";
> +       app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);
>
> Check for failure.
>
> +static void free_hashtab(hashtab_t req)
> +{
> +       unsigned int i;
> +       hashtab_ptr_t cur;
> +
> +       for (i = 0; i < req->size; i++) {
> +               cur = req->htable[i];
> +               while (cur != NULL) {
> +                 free(cur->datum);
> +                 free(cur->key);
> +                 cur = cur->next;
> +               }
> +       }
> +       hashtab_destroy(req);
> +}
>
> Breaks the "abstraction".  Normally this would be done as a
> hashtab_map() to free the keys and datum followed by a hashtab_destroy()
> to free the table.  Or if you want a unified form, you could do
> something like hashtab_map_remove_on_error() except always doing the
> removal, but put it in your copy of the hashtab code.
>

Hmmm, I pretty much copied this code from semodule_deps.c

> @@ -1025,7 +1166,27 @@
>
>         printf(_("Authenticating %s.\n"), pw.pw_name);
>  #ifdef USE_PAM
> -       pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
> +       /*
> +         Are we being asked to execute a process in a new context?
> +       */
> +       if (optind < argc) {
> +         /*
> +           Get the executable from the command line.
> +         */
> +         char *cmd = (char *)malloc(strlen(argv[optind+1]));
>
> argv[optind+1] or argv[optind]?  And you'd need to add 1 to the length (not optind) for terminating NUL.
>
> +         sscanf(argv[optind+1], "%s", cmd);
>
> Pointless, argument vector has already been parsed by the shell.
> Just use argv[optind] directly, no copy required.
>

Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"'
agrv[optind] is '-c'
argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory'

> +         /*
> +           See if there is a pam configuration specific to the executable.
> +         */
> +         char* app_service_name =
> +           (char *) hashtab_search(app_service_names, cmd);
>
> I think you want to qualify these with a prefix so that if <app> also
> uses pam, then there is no ambiguity between the pam configuration for
> the <app> itself vs. the pam configuration used by newrole when
> launching the <app>.  e.g. prefix them with "newrole_".
>
> --
> Stephen Smalley
> National Security Agency
>
>

[-- Attachment #2: policycoreutils-service-name.patch --]
[-- Type: text/x-patch, Size: 16080 bytes --]

--- policycoreutils-1.33.12/newrole/newrole.c	2007-05-03 08:03:44.000000000 -0500
+++ policycoreutils-1.33.12.new/newrole/newrole.c	2007-05-03 08:03:27.000000000 -0500
@@ -54,6 +54,7 @@
 #include <stdio.h>
 #include <stdlib.h>		/* for malloc(), realloc(), free() */
 #include <pwd.h>		/* for getpwuid() */
+#include <ctype.h>
 #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		/* for wait() */
 #include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -85,6 +86,8 @@
 #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 #endif
 
+#include "hashtab.h"
+
 /* USAGE_STRING describes the command-line args of this program. */
 #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
 
@@ -155,7 +158,7 @@
 #include <security/pam_appl.h>	/* for PAM functions */
 #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
 
-#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
+char *service_name = "newrole";
 
 /* authenticate_via_pam()
  *
@@ -921,6 +924,110 @@
 	return 0;
 }
 
+static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, void *args)
+{
+  free(key);
+  free(d);
+  return 0;
+}
+
+static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
+{
+	char *p, *keyp;
+	size_t size;
+	unsigned int val;
+
+	val = 0;
+	keyp = (char *)key;
+	size = strlen(keyp);
+	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
+		val =
+		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+	return val & (h->size - 1);
+}
+
+static int reqsymcmp(hashtab_t h
+		     __attribute__ ((unused)), hashtab_key_t key1,
+		     hashtab_key_t key2)
+{
+	char *keyp1, *keyp2;
+
+	keyp1 = (char *)key1;
+	keyp2 = (char *)key2;
+	return strcmp(keyp1, keyp2);
+}
+
+static hashtab_t app_service_names = NULL;
+
+static void process_config(FILE * cfg)
+{
+	char *line_buf = NULL;
+	size_t len = 0;
+	char *app = NULL;
+	char *service = NULL;
+	int ret;
+
+	while (getline(&line_buf, &len, cfg) > 0) {
+	  char *buffer = line_buf;
+	  while (isspace(*buffer))
+	    buffer++;
+	  if (buffer[0] == '#')
+	    continue;
+	  int l = strlen(buffer) - 1;
+	  if (l <= 0)
+	    continue;
+	  buffer[l] = 0;
+
+	  /* 
+	     Split the buffer into the application and service names 
+	  */
+	  ret = sscanf(buffer, "%as %as", &app, &service);
+	  if (ret != EOF && app!= NULL && strlen(app) > 0) {
+	    /*
+	      Check for a service name
+	    */
+	    if (service != NULL && strlen(service) > 0) {
+	      /*
+		Save the mapping to the hashtable.
+	      */
+	      ret = hashtab_insert(app_service_names,
+				   app,
+				   service);
+	      if (ret == HASHTAB_OVERFLOW) {
+		fprintf(stderr, _("newrole: service name configuration hashtable overflow\n"));
+		goto err_free;
+	      }
+	    }
+	    else
+	      /*
+		No service name specified for app.
+	      */
+	      free(app);
+	  }
+	}
+err_free:
+	free(line_buf);
+}
+
+/* 
+   Read config file ignoring comment lines.
+   Files specified one per line executable with a corresponding
+   pam service name.
+*/
+
+static void read_config()
+{
+	char *config_file_path = "/etc/selinux/newrole.conf";
+	FILE *cfg = NULL;
+	cfg = fopen(config_file_path, "r");
+	if (!cfg)
+	  return;
+	app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);
+	if (app_service_names)
+	  process_config(cfg);
+	fclose(cfg);
+}
+
 /************************************************************************
  *
  * All code used for both PAM and shadow passwd goes in this section.
@@ -1001,6 +1108,8 @@
 		return -1;
 	}
 
+	read_config();
+
 	ttyn = ttyname(0);
 	if (!ttyn || *ttyn == '\0') {
 		fprintf(stderr,
@@ -1025,7 +1134,25 @@
 
 	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	/*
+	  Are we being asked to execute a process in a new context?
+	*/
+	if (app_service_names != NULL && optind < argc) {
+	  /*
+	    See if there is a pam configuration specific to the executable.
+	  */
+	  char *cmd = strtok(argv[optind+1], " \t");
+	  if (cmd != NULL) {
+	    char* app_service_name = 
+	      (char *) hashtab_search(app_service_names, cmd);
+	  
+	    if (app_service_name != NULL) {
+	      service_name = app_service_name;
+	    }
+	  }
+	}
+
+	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
 			       &pam_handle);
 	if (pam_status != PAM_SUCCESS) {
 		fprintf(stderr, _("failed to initialize PAM\n"));
@@ -1114,6 +1241,8 @@
 				pam_strerror(pam_handle, rc));
 			exit_code = -1;
 		}
+		hashtab_map(app_service_names, free_hashtab_entry, NULL);
+		hashtab_destroy(app_service_names);
 #endif
 		free(pw.pw_name);
 		free(pw.pw_dir);
--- policycoreutils-1.33.12/newrole/hashtab.c	1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/hashtab.c	2007-05-02 15:33:11.000000000 -0500
@@ -0,0 +1,292 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the hash table type.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "hashtab.h"
+
+hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+						     const hashtab_key_t key),
+			 int (*keycmp) (hashtab_t h,
+					const hashtab_key_t key1,
+					const hashtab_key_t key2),
+			 unsigned int size)
+{
+
+	hashtab_t p;
+	unsigned int i;
+
+	p = (hashtab_t) malloc(sizeof(hashtab_val_t));
+	if (p == NULL)
+		return p;
+
+	memset(p, 0, sizeof(hashtab_val_t));
+	p->size = size;
+	p->nel = 0;
+	p->hash_value = hash_value;
+	p->keycmp = keycmp;
+	p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size);
+	if (p->htable == NULL) {
+		free(p);
+		return NULL;
+	}
+	for (i = 0; i < size; i++)
+		p->htable[i] = (hashtab_ptr_t) NULL;
+
+	return p;
+}
+
+int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
+{
+	int hvalue;
+	hashtab_ptr_t prev, cur, newnode;
+
+	if (!h)
+		return HASHTAB_OVERFLOW;
+
+	hvalue = h->hash_value(h, key);
+	prev = NULL;
+	cur = h->htable[hvalue];
+	while (cur && h->keycmp(h, key, cur->key) > 0) {
+		prev = cur;
+		cur = cur->next;
+	}
+
+	if (cur && (h->keycmp(h, key, cur->key) == 0))
+		return HASHTAB_PRESENT;
+
+	newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+	if (newnode == NULL)
+		return HASHTAB_OVERFLOW;
+	memset(newnode, 0, sizeof(struct hashtab_node));
+	newnode->key = key;
+	newnode->datum = datum;
+	if (prev) {
+		newnode->next = prev->next;
+		prev->next = newnode;
+	} else {
+		newnode->next = h->htable[hvalue];
+		h->htable[hvalue] = newnode;
+	}
+
+	h->nel++;
+	return HASHTAB_SUCCESS;
+}
+
+int hashtab_remove(hashtab_t h, hashtab_key_t key,
+		   void (*destroy) (hashtab_key_t k,
+				    hashtab_datum_t d, void *args), void *args)
+{
+	int hvalue;
+	hashtab_ptr_t cur, last;
+
+	if (!h)
+		return HASHTAB_MISSING;
+
+	hvalue = h->hash_value(h, key);
+	last = NULL;
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+		last = cur;
+		cur = cur->next;
+	}
+
+	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+		return HASHTAB_MISSING;
+
+	if (last == NULL)
+		h->htable[hvalue] = cur->next;
+	else
+		last->next = cur->next;
+
+	if (destroy)
+		destroy(cur->key, cur->datum, args);
+	free(cur);
+	h->nel--;
+	return HASHTAB_SUCCESS;
+}
+
+int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum,
+		    void (*destroy) (hashtab_key_t k,
+				     hashtab_datum_t d, void *args), void *args)
+{
+	int hvalue;
+	hashtab_ptr_t prev, cur, newnode;
+
+	if (!h)
+		return HASHTAB_OVERFLOW;
+
+	hvalue = h->hash_value(h, key);
+	prev = NULL;
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+		prev = cur;
+		cur = cur->next;
+	}
+
+	if (cur && (h->keycmp(h, key, cur->key) == 0)) {
+		if (destroy)
+			destroy(cur->key, cur->datum, args);
+		cur->key = key;
+		cur->datum = datum;
+	} else {
+		newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+		if (newnode == NULL)
+			return HASHTAB_OVERFLOW;
+		memset(newnode, 0, sizeof(struct hashtab_node));
+		newnode->key = key;
+		newnode->datum = datum;
+		if (prev) {
+			newnode->next = prev->next;
+			prev->next = newnode;
+		} else {
+			newnode->next = h->htable[hvalue];
+			h->htable[hvalue] = newnode;
+		}
+	}
+
+	return HASHTAB_SUCCESS;
+}
+
+hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key)
+{
+
+	int hvalue;
+	hashtab_ptr_t cur;
+
+	if (!h)
+		return NULL;
+
+	hvalue = h->hash_value(h, key);
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
+		cur = cur->next;
+
+	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+		return NULL;
+
+	return cur->datum;
+}
+
+void hashtab_destroy(hashtab_t h)
+{
+	unsigned int i;
+	hashtab_ptr_t cur, temp;
+
+	if (!h)
+		return;
+
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		while (cur != NULL) {
+			temp = cur;
+			cur = cur->next;
+			free(temp);
+		}
+		h->htable[i] = NULL;
+	}
+
+	free(h->htable);
+	h->htable = NULL;
+
+	free(h);
+}
+
+int hashtab_map(hashtab_t h,
+		int (*apply) (hashtab_key_t k,
+			      hashtab_datum_t d, void *args), void *args)
+{
+	unsigned int i, ret;
+	hashtab_ptr_t cur;
+
+	if (!h)
+		return HASHTAB_SUCCESS;
+
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		while (cur != NULL) {
+			ret = apply(cur->key, cur->datum, args);
+			if (ret)
+				return ret;
+			cur = cur->next;
+		}
+	}
+	return HASHTAB_SUCCESS;
+}
+
+void hashtab_map_remove_on_error(hashtab_t h,
+				 int (*apply) (hashtab_key_t k,
+					       hashtab_datum_t d,
+					       void *args),
+				 void (*destroy) (hashtab_key_t k,
+						  hashtab_datum_t d,
+						  void *args), void *args)
+{
+	unsigned int i;
+	int ret;
+	hashtab_ptr_t last, cur, temp;
+
+	if (!h)
+		return;
+
+	for (i = 0; i < h->size; i++) {
+		last = NULL;
+		cur = h->htable[i];
+		while (cur != NULL) {
+			ret = apply(cur->key, cur->datum, args);
+			if (ret) {
+				if (last) {
+					last->next = cur->next;
+				} else {
+					h->htable[i] = cur->next;
+				}
+
+				temp = cur;
+				cur = cur->next;
+				if (destroy)
+					destroy(temp->key, temp->datum, args);
+				free(temp);
+				h->nel--;
+			} else {
+				last = cur;
+				cur = cur->next;
+			}
+		}
+	}
+
+	return;
+}
+
+void hashtab_hash_eval(hashtab_t h, char *tag)
+{
+	unsigned int i;
+	int chain_len, slots_used, max_chain_len;
+	hashtab_ptr_t cur;
+
+	slots_used = 0;
+	max_chain_len = 0;
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		if (cur) {
+			slots_used++;
+			chain_len = 0;
+			while (cur) {
+				chain_len++;
+				cur = cur->next;
+			}
+
+			if (chain_len > max_chain_len)
+				max_chain_len = chain_len;
+		}
+	}
+
+	printf
+	    ("%s:  %d entries and %d/%d buckets used, longest chain length %d\n",
+	     tag, h->nel, slots_used, h->size, max_chain_len);
+}
--- policycoreutils-1.33.12/newrole/hashtab.h	1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/hashtab.h	2007-05-02 15:25:46.000000000 -0500
@@ -0,0 +1,142 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A hash table (hashtab) maintains associations between
+ * key values and datum values.  The type of the key values 
+ * and the type of the datum values is arbitrary.  The
+ * functions for hash computation and key comparison are
+ * provided by the creator of the table.
+ */
+
+#ifndef _NEWROLE_HASHTAB_H_
+#define _NEWROLE_HASHTAB_H_
+
+#include <stdint.h>
+#include <errno.h>
+#include <stdio.h>
+
+typedef char *hashtab_key_t;	/* generic key type */
+typedef void *hashtab_datum_t;	/* generic datum type */
+
+typedef struct hashtab_node *hashtab_ptr_t;
+
+typedef struct hashtab_node {
+	hashtab_key_t key;
+	hashtab_datum_t datum;
+	hashtab_ptr_t next;
+} hashtab_node_t;
+
+typedef struct hashtab_val {
+	hashtab_ptr_t *htable;	/* hash table */
+	unsigned int size;	/* number of slots in hash table */
+	uint32_t nel;		/* number of elements in hash table */
+	unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key);	/* hash function */
+	int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2);	/* key comparison function */
+} hashtab_val_t;
+
+typedef hashtab_val_t *hashtab_t;
+
+/* Define status codes for hash table functions */
+#define HASHTAB_SUCCESS     0
+#define HASHTAB_OVERFLOW    -ENOMEM
+#define HASHTAB_PRESENT     -EEXIST
+#define HASHTAB_MISSING     -ENOENT
+
+/*
+   Creates a new hash table with the specified characteristics.
+
+   Returns NULL if insufficent space is available or
+   the new hash table otherwise.
+ */
+extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+							    const hashtab_key_t
+							    key),
+				int (*keycmp) (hashtab_t h,
+					       const hashtab_key_t key1,
+					       const hashtab_key_t key2),
+				unsigned int size);
+/*
+   Inserts the specified (key, datum) pair into the specified hash table.
+
+   Returns HASHTAB_OVERFLOW if insufficient space is available or
+   HASHTAB_PRESENT  if there is already an entry with the same key or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d);
+
+/*
+   Removes the entry with the specified key from the hash table.
+   Applies the specified destroy function to (key,datum,args) for
+   the entry.
+
+   Returns HASHTAB_MISSING if no entry has the specified key or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_remove(hashtab_t h, hashtab_key_t k,
+			  void (*destroy) (hashtab_key_t k,
+					   hashtab_datum_t d,
+					   void *args), void *args);
+
+/*
+   Insert or replace the specified (key, datum) pair in the specified
+   hash table.  If an entry for the specified key already exists,
+   then the specified destroy function is applied to (key,datum,args)
+   for the entry prior to replacing the entry's contents.
+
+   Returns HASHTAB_OVERFLOW if insufficient space is available or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d,
+			   void (*destroy) (hashtab_key_t k,
+					    hashtab_datum_t d,
+					    void *args), void *args);
+
+/*
+   Searches for the entry with the specified key in the hash table.
+
+   Returns NULL if no entry has the specified key or
+   the datum of the entry otherwise.
+ */
+extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
+
+/*
+   Destroys the specified hash table.
+ */
+extern void hashtab_destroy(hashtab_t h);
+
+/*
+   Applies the specified apply function to (key,datum,args)
+   for each entry in the specified hash table.
+
+   The order in which the function is applied to the entries
+   is dependent upon the internal structure of the hash table.
+
+   If apply returns a non-zero status, then hashtab_map will cease
+   iterating through the hash table and will propagate the error
+   return to its caller.
+ */
+extern int hashtab_map(hashtab_t h,
+		       int (*apply) (hashtab_key_t k,
+				     hashtab_datum_t d,
+				     void *args), void *args);
+
+/*
+   Same as hashtab_map, except that if apply returns a non-zero status,
+   then the (key,datum) pair will be removed from the hashtab and the
+   destroy function will be applied to (key,datum,args).
+ */
+extern void hashtab_map_remove_on_error(hashtab_t h,
+					int (*apply) (hashtab_key_t k,
+						      hashtab_datum_t d,
+						      void *args),
+					void (*destroy) (hashtab_key_t k,
+							 hashtab_datum_t d,
+							 void *args),
+					void *args);
+
+extern void hashtab_hash_eval(hashtab_t h, char *tag);
+
+#endif
--- policycoreutils-1.33.12/newrole/Makefile	2007-01-11 13:01:39.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/Makefile	2007-05-02 15:47:30.000000000 -0500
@@ -53,9 +53,10 @@
 	MODE := 0555
 endif
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+all: newrole
 
-all: $(TARGETS)
+newrole: newrole.o hashtab.o
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
 
 install: all
 	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote:
> On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote:
> > +#include <sepol/policydb/hashtab.h>
> >
> > We don't want newrole to link with the static libsepol, so if you want
> > to use the libsepol hashtab (and symtab) support, copy it into the
> > newrole directory.
> >
> 
> I'd prefer it if this was in a shared library.

It isn't adequately encapsulated for that.

> > Breaks the "abstraction".  Normally this would be done as a
> > hashtab_map() to free the keys and datum followed by a hashtab_destroy()
> > to free the table.  Or if you want a unified form, you could do
> > something like hashtab_map_remove_on_error() except always doing the
> > removal, but put it in your copy of the hashtab code.
> >
> 
> Hmmm, I pretty much copied this code from semodule_deps.c

...which does require static libsepol and is a developer tool rather
than a production system tool.

> > +         char *cmd = (char *)malloc(strlen(argv[optind+1]));
> >
> > argv[optind+1] or argv[optind]?  And you'd need to add 1 to the length (not optind) for terminating NUL.
> >
> > +         sscanf(argv[optind+1], "%s", cmd);
> >
> > Pointless, argument vector has already been parsed by the shell.
> > Just use argv[optind] directly, no copy required.
> >
> 
> Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"'
> agrv[optind] is '-c'
> argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory'

I see, although you aren't explicitly checking that a "-c" was
specified, so it seems prone to error.   That form of usage seems
unpleasant, but it is consistent with su.  Might be nice if newrole
would just directly invoke the command if specified, but that could
cause problems with domain transitions.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote:
--- policycoreutils-1.33.12/newrole/newrole.c	2007-05-03 08:03:44.000000000 -0500
+++ policycoreutils-1.33.12.new/newrole/newrole.c	2007-05-03 08:03:27.000000000 -0500
@@ -1025,7 +1134,25 @@
 
 	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	/*
+	  Are we being asked to execute a process in a new context?
+	*/
+	if (app_service_names != NULL && optind < argc) {
+	  /*
+	    See if there is a pam configuration specific to the executable.
+	  */
+	  char *cmd = strtok(argv[optind+1], " \t");

Actually, here you don't want to use strtok() since it mutates the argument 
(inserting NUL separator), which will cause any subsequent arguments after
the command to be effectively lost.

Please update the man page as well to show the proper way to execute commands via newrole.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Xavier Toth]

[-- Attachment #1: Type: text/plain, Size: 2027 bytes --]

On 5/3/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2007-05-03 at 08:11 -0500, Xavier Toth wrote:
> > On 5/2/07, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > > On Wed, 2007-05-02 at 10:49 -0500, Xavier Toth wrote:
> > > +#include <sepol/policydb/hashtab.h>
> > >
> > > We don't want newrole to link with the static libsepol, so if you want
> > > to use the libsepol hashtab (and symtab) support, copy it into the
> > > newrole directory.
> > >
> >
> > I'd prefer it if this was in a shared library.
>
> It isn't adequately encapsulated for that.
>
> > > Breaks the "abstraction".  Normally this would be done as a
> > > hashtab_map() to free the keys and datum followed by a hashtab_destroy()
> > > to free the table.  Or if you want a unified form, you could do
> > > something like hashtab_map_remove_on_error() except always doing the
> > > removal, but put it in your copy of the hashtab code.
> > >
> >
> > Hmmm, I pretty much copied this code from semodule_deps.c
>
> ...which does require static libsepol and is a developer tool rather
> than a production system tool.
>
> > > +         char *cmd = (char *)malloc(strlen(argv[optind+1]));
> > >
> > > argv[optind+1] or argv[optind]?  And you'd need to add 1 to the length (not optind) for terminating NUL.
> > >
> > > +         sscanf(argv[optind+1], "%s", cmd);
> > >
> > > Pointless, argument vector has already been parsed by the shell.
> > > Just use argv[optind] directly, no copy required.
> > >
> >
> > Using 'newrole -l s2-s2 -- -c "/usr/bin/gnome-terminal --disable-factory"'
> > agrv[optind] is '-c'
> > argv[optind+1] is '/usr/bin/gnome-terminal --disable-factory'
>
> I see, although you aren't explicitly checking that a "-c" was
> specified, so it seems prone to error.

True

> That form of usage seems
> unpleasant, but it is consistent with su.  Might be nice if newrole
> would just directly invoke the command if specified, but that could
> cause problems with domain transitions.
>
> --
> Stephen Smalley
> National Security Agency
>
>

[-- Attachment #2: policycoreutils-service-name.patch --]
[-- Type: text/x-patch, Size: 16141 bytes --]

--- policycoreutils-1.33.12/newrole/newrole.c	2007-05-03 08:46:16.000000000 -0500
+++ policycoreutils-1.33.12.new/newrole/newrole.c	2007-05-03 08:46:03.000000000 -0500
@@ -54,6 +54,7 @@
 #include <stdio.h>
 #include <stdlib.h>		/* for malloc(), realloc(), free() */
 #include <pwd.h>		/* for getpwuid() */
+#include <ctype.h>
 #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		/* for wait() */
 #include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -85,6 +86,8 @@
 #define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 #endif
 
+#include "hashtab.h"
+
 /* USAGE_STRING describes the command-line args of this program. */
 #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
 
@@ -155,7 +158,7 @@
 #include <security/pam_appl.h>	/* for PAM functions */
 #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
 
-#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
+char *service_name = "newrole";
 
 /* authenticate_via_pam()
  *
@@ -921,6 +924,110 @@
 	return 0;
 }
 
+static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, void *args)
+{
+  free(key);
+  free(d);
+  return 0;
+}
+
+static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
+{
+	char *p, *keyp;
+	size_t size;
+	unsigned int val;
+
+	val = 0;
+	keyp = (char *)key;
+	size = strlen(keyp);
+	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
+		val =
+		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+	return val & (h->size - 1);
+}
+
+static int reqsymcmp(hashtab_t h
+		     __attribute__ ((unused)), hashtab_key_t key1,
+		     hashtab_key_t key2)
+{
+	char *keyp1, *keyp2;
+
+	keyp1 = (char *)key1;
+	keyp2 = (char *)key2;
+	return strcmp(keyp1, keyp2);
+}
+
+static hashtab_t app_service_names = NULL;
+
+static void process_config(FILE * cfg)
+{
+	char *line_buf = NULL;
+	size_t len = 0;
+	char *app = NULL;
+	char *service = NULL;
+	int ret;
+
+	while (getline(&line_buf, &len, cfg) > 0) {
+	  char *buffer = line_buf;
+	  while (isspace(*buffer))
+	    buffer++;
+	  if (buffer[0] == '#')
+	    continue;
+	  int l = strlen(buffer) - 1;
+	  if (l <= 0)
+	    continue;
+	  buffer[l] = 0;
+
+	  /* 
+	     Split the buffer into the application and service names 
+	  */
+	  ret = sscanf(buffer, "%as %as", &app, &service);
+	  if (ret != EOF && app!= NULL && strlen(app) > 0) {
+	    /*
+	      Check for a service name
+	    */
+	    if (service != NULL && strlen(service) > 0) {
+	      /*
+		Save the mapping to the hashtable.
+	      */
+	      ret = hashtab_insert(app_service_names,
+				   app,
+				   service);
+	      if (ret == HASHTAB_OVERFLOW) {
+		fprintf(stderr, _("newrole: service name configuration hashtable overflow\n"));
+		goto err_free;
+	      }
+	    }
+	    else
+	      /*
+		No service name specified for app.
+	      */
+	      free(app);
+	  }
+	}
+err_free:
+	free(line_buf);
+}
+
+/* 
+   Read config file ignoring comment lines.
+   Files specified one per line executable with a corresponding
+   pam service name.
+*/
+
+static void read_config()
+{
+	char *config_file_path = "/etc/selinux/newrole.conf";
+	FILE *cfg = NULL;
+	cfg = fopen(config_file_path, "r");
+	if (!cfg)
+	  return;
+	app_service_names = hashtab_create(reqsymhash, reqsymcmp, 64);
+	if (app_service_names)
+	  process_config(cfg);
+	fclose(cfg);
+}
+
 /************************************************************************
  *
  * All code used for both PAM and shadow passwd goes in this section.
@@ -1001,6 +1108,8 @@
 		return -1;
 	}
 
+	read_config();
+
 	ttyn = ttyname(0);
 	if (!ttyn || *ttyn == '\0') {
 		fprintf(stderr,
@@ -1025,7 +1134,27 @@
 
 	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	/*
+	  Are we being asked to execute a process in a new context?
+	*/
+	if (app_service_names != NULL && optind < argc) {
+	  if (strcmp(argv[optind], "-c") == 0) {
+	    /*
+	      See if there is a pam configuration specific to the executable.
+	    */
+	    char *cmd = strtok(argv[optind+1], " \t");
+	    if (cmd != NULL) {
+	      char* app_service_name = 
+		(char *) hashtab_search(app_service_names, cmd);
+	      
+	      if (app_service_name != NULL) {
+		service_name = app_service_name;
+	      }
+	    }
+	  }
+	}
+
+	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
 			       &pam_handle);
 	if (pam_status != PAM_SUCCESS) {
 		fprintf(stderr, _("failed to initialize PAM\n"));
@@ -1114,6 +1243,8 @@
 				pam_strerror(pam_handle, rc));
 			exit_code = -1;
 		}
+		hashtab_map(app_service_names, free_hashtab_entry, NULL);
+		hashtab_destroy(app_service_names);
 #endif
 		free(pw.pw_name);
 		free(pw.pw_dir);
--- policycoreutils-1.33.12/newrole/hashtab.c	1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/hashtab.c	2007-05-02 15:33:11.000000000 -0500
@@ -0,0 +1,292 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the hash table type.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "hashtab.h"
+
+hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+						     const hashtab_key_t key),
+			 int (*keycmp) (hashtab_t h,
+					const hashtab_key_t key1,
+					const hashtab_key_t key2),
+			 unsigned int size)
+{
+
+	hashtab_t p;
+	unsigned int i;
+
+	p = (hashtab_t) malloc(sizeof(hashtab_val_t));
+	if (p == NULL)
+		return p;
+
+	memset(p, 0, sizeof(hashtab_val_t));
+	p->size = size;
+	p->nel = 0;
+	p->hash_value = hash_value;
+	p->keycmp = keycmp;
+	p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size);
+	if (p->htable == NULL) {
+		free(p);
+		return NULL;
+	}
+	for (i = 0; i < size; i++)
+		p->htable[i] = (hashtab_ptr_t) NULL;
+
+	return p;
+}
+
+int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
+{
+	int hvalue;
+	hashtab_ptr_t prev, cur, newnode;
+
+	if (!h)
+		return HASHTAB_OVERFLOW;
+
+	hvalue = h->hash_value(h, key);
+	prev = NULL;
+	cur = h->htable[hvalue];
+	while (cur && h->keycmp(h, key, cur->key) > 0) {
+		prev = cur;
+		cur = cur->next;
+	}
+
+	if (cur && (h->keycmp(h, key, cur->key) == 0))
+		return HASHTAB_PRESENT;
+
+	newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+	if (newnode == NULL)
+		return HASHTAB_OVERFLOW;
+	memset(newnode, 0, sizeof(struct hashtab_node));
+	newnode->key = key;
+	newnode->datum = datum;
+	if (prev) {
+		newnode->next = prev->next;
+		prev->next = newnode;
+	} else {
+		newnode->next = h->htable[hvalue];
+		h->htable[hvalue] = newnode;
+	}
+
+	h->nel++;
+	return HASHTAB_SUCCESS;
+}
+
+int hashtab_remove(hashtab_t h, hashtab_key_t key,
+		   void (*destroy) (hashtab_key_t k,
+				    hashtab_datum_t d, void *args), void *args)
+{
+	int hvalue;
+	hashtab_ptr_t cur, last;
+
+	if (!h)
+		return HASHTAB_MISSING;
+
+	hvalue = h->hash_value(h, key);
+	last = NULL;
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+		last = cur;
+		cur = cur->next;
+	}
+
+	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+		return HASHTAB_MISSING;
+
+	if (last == NULL)
+		h->htable[hvalue] = cur->next;
+	else
+		last->next = cur->next;
+
+	if (destroy)
+		destroy(cur->key, cur->datum, args);
+	free(cur);
+	h->nel--;
+	return HASHTAB_SUCCESS;
+}
+
+int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum,
+		    void (*destroy) (hashtab_key_t k,
+				     hashtab_datum_t d, void *args), void *args)
+{
+	int hvalue;
+	hashtab_ptr_t prev, cur, newnode;
+
+	if (!h)
+		return HASHTAB_OVERFLOW;
+
+	hvalue = h->hash_value(h, key);
+	prev = NULL;
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+		prev = cur;
+		cur = cur->next;
+	}
+
+	if (cur && (h->keycmp(h, key, cur->key) == 0)) {
+		if (destroy)
+			destroy(cur->key, cur->datum, args);
+		cur->key = key;
+		cur->datum = datum;
+	} else {
+		newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+		if (newnode == NULL)
+			return HASHTAB_OVERFLOW;
+		memset(newnode, 0, sizeof(struct hashtab_node));
+		newnode->key = key;
+		newnode->datum = datum;
+		if (prev) {
+			newnode->next = prev->next;
+			prev->next = newnode;
+		} else {
+			newnode->next = h->htable[hvalue];
+			h->htable[hvalue] = newnode;
+		}
+	}
+
+	return HASHTAB_SUCCESS;
+}
+
+hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key)
+{
+
+	int hvalue;
+	hashtab_ptr_t cur;
+
+	if (!h)
+		return NULL;
+
+	hvalue = h->hash_value(h, key);
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
+		cur = cur->next;
+
+	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+		return NULL;
+
+	return cur->datum;
+}
+
+void hashtab_destroy(hashtab_t h)
+{
+	unsigned int i;
+	hashtab_ptr_t cur, temp;
+
+	if (!h)
+		return;
+
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		while (cur != NULL) {
+			temp = cur;
+			cur = cur->next;
+			free(temp);
+		}
+		h->htable[i] = NULL;
+	}
+
+	free(h->htable);
+	h->htable = NULL;
+
+	free(h);
+}
+
+int hashtab_map(hashtab_t h,
+		int (*apply) (hashtab_key_t k,
+			      hashtab_datum_t d, void *args), void *args)
+{
+	unsigned int i, ret;
+	hashtab_ptr_t cur;
+
+	if (!h)
+		return HASHTAB_SUCCESS;
+
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		while (cur != NULL) {
+			ret = apply(cur->key, cur->datum, args);
+			if (ret)
+				return ret;
+			cur = cur->next;
+		}
+	}
+	return HASHTAB_SUCCESS;
+}
+
+void hashtab_map_remove_on_error(hashtab_t h,
+				 int (*apply) (hashtab_key_t k,
+					       hashtab_datum_t d,
+					       void *args),
+				 void (*destroy) (hashtab_key_t k,
+						  hashtab_datum_t d,
+						  void *args), void *args)
+{
+	unsigned int i;
+	int ret;
+	hashtab_ptr_t last, cur, temp;
+
+	if (!h)
+		return;
+
+	for (i = 0; i < h->size; i++) {
+		last = NULL;
+		cur = h->htable[i];
+		while (cur != NULL) {
+			ret = apply(cur->key, cur->datum, args);
+			if (ret) {
+				if (last) {
+					last->next = cur->next;
+				} else {
+					h->htable[i] = cur->next;
+				}
+
+				temp = cur;
+				cur = cur->next;
+				if (destroy)
+					destroy(temp->key, temp->datum, args);
+				free(temp);
+				h->nel--;
+			} else {
+				last = cur;
+				cur = cur->next;
+			}
+		}
+	}
+
+	return;
+}
+
+void hashtab_hash_eval(hashtab_t h, char *tag)
+{
+	unsigned int i;
+	int chain_len, slots_used, max_chain_len;
+	hashtab_ptr_t cur;
+
+	slots_used = 0;
+	max_chain_len = 0;
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		if (cur) {
+			slots_used++;
+			chain_len = 0;
+			while (cur) {
+				chain_len++;
+				cur = cur->next;
+			}
+
+			if (chain_len > max_chain_len)
+				max_chain_len = chain_len;
+		}
+	}
+
+	printf
+	    ("%s:  %d entries and %d/%d buckets used, longest chain length %d\n",
+	     tag, h->nel, slots_used, h->size, max_chain_len);
+}
--- policycoreutils-1.33.12/newrole/hashtab.h	1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/hashtab.h	2007-05-02 15:25:46.000000000 -0500
@@ -0,0 +1,142 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A hash table (hashtab) maintains associations between
+ * key values and datum values.  The type of the key values 
+ * and the type of the datum values is arbitrary.  The
+ * functions for hash computation and key comparison are
+ * provided by the creator of the table.
+ */
+
+#ifndef _NEWROLE_HASHTAB_H_
+#define _NEWROLE_HASHTAB_H_
+
+#include <stdint.h>
+#include <errno.h>
+#include <stdio.h>
+
+typedef char *hashtab_key_t;	/* generic key type */
+typedef void *hashtab_datum_t;	/* generic datum type */
+
+typedef struct hashtab_node *hashtab_ptr_t;
+
+typedef struct hashtab_node {
+	hashtab_key_t key;
+	hashtab_datum_t datum;
+	hashtab_ptr_t next;
+} hashtab_node_t;
+
+typedef struct hashtab_val {
+	hashtab_ptr_t *htable;	/* hash table */
+	unsigned int size;	/* number of slots in hash table */
+	uint32_t nel;		/* number of elements in hash table */
+	unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key);	/* hash function */
+	int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2);	/* key comparison function */
+} hashtab_val_t;
+
+typedef hashtab_val_t *hashtab_t;
+
+/* Define status codes for hash table functions */
+#define HASHTAB_SUCCESS     0
+#define HASHTAB_OVERFLOW    -ENOMEM
+#define HASHTAB_PRESENT     -EEXIST
+#define HASHTAB_MISSING     -ENOENT
+
+/*
+   Creates a new hash table with the specified characteristics.
+
+   Returns NULL if insufficent space is available or
+   the new hash table otherwise.
+ */
+extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+							    const hashtab_key_t
+							    key),
+				int (*keycmp) (hashtab_t h,
+					       const hashtab_key_t key1,
+					       const hashtab_key_t key2),
+				unsigned int size);
+/*
+   Inserts the specified (key, datum) pair into the specified hash table.
+
+   Returns HASHTAB_OVERFLOW if insufficient space is available or
+   HASHTAB_PRESENT  if there is already an entry with the same key or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d);
+
+/*
+   Removes the entry with the specified key from the hash table.
+   Applies the specified destroy function to (key,datum,args) for
+   the entry.
+
+   Returns HASHTAB_MISSING if no entry has the specified key or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_remove(hashtab_t h, hashtab_key_t k,
+			  void (*destroy) (hashtab_key_t k,
+					   hashtab_datum_t d,
+					   void *args), void *args);
+
+/*
+   Insert or replace the specified (key, datum) pair in the specified
+   hash table.  If an entry for the specified key already exists,
+   then the specified destroy function is applied to (key,datum,args)
+   for the entry prior to replacing the entry's contents.
+
+   Returns HASHTAB_OVERFLOW if insufficient space is available or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d,
+			   void (*destroy) (hashtab_key_t k,
+					    hashtab_datum_t d,
+					    void *args), void *args);
+
+/*
+   Searches for the entry with the specified key in the hash table.
+
+   Returns NULL if no entry has the specified key or
+   the datum of the entry otherwise.
+ */
+extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
+
+/*
+   Destroys the specified hash table.
+ */
+extern void hashtab_destroy(hashtab_t h);
+
+/*
+   Applies the specified apply function to (key,datum,args)
+   for each entry in the specified hash table.
+
+   The order in which the function is applied to the entries
+   is dependent upon the internal structure of the hash table.
+
+   If apply returns a non-zero status, then hashtab_map will cease
+   iterating through the hash table and will propagate the error
+   return to its caller.
+ */
+extern int hashtab_map(hashtab_t h,
+		       int (*apply) (hashtab_key_t k,
+				     hashtab_datum_t d,
+				     void *args), void *args);
+
+/*
+   Same as hashtab_map, except that if apply returns a non-zero status,
+   then the (key,datum) pair will be removed from the hashtab and the
+   destroy function will be applied to (key,datum,args).
+ */
+extern void hashtab_map_remove_on_error(hashtab_t h,
+					int (*apply) (hashtab_key_t k,
+						      hashtab_datum_t d,
+						      void *args),
+					void (*destroy) (hashtab_key_t k,
+							 hashtab_datum_t d,
+							 void *args),
+					void *args);
+
+extern void hashtab_hash_eval(hashtab_t h, char *tag);
+
+#endif
--- policycoreutils-1.33.12/newrole/Makefile	2007-01-11 13:01:39.000000000 -0600
+++ policycoreutils-1.33.12.new/newrole/Makefile	2007-05-02 15:47:30.000000000 -0500
@@ -53,9 +53,10 @@
 	MODE := 0555
 endif
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+all: newrole
 
-all: $(TARGETS)
+newrole: newrole.o hashtab.o
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
 
 install: all
 	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

How about the revised patch below (only including the newrole.c and
Makefile diffs since the hashtab code is unchanged)?  The changes from
your patch are:
- Make sure everything is properly enabled/disabled by USE_PAM and move
the code into the existing USE_PAM block where appropriate.
- Call the config file newrole_pam.conf since there could be other
newrole config files in the future.
- Distinguish missing config file (ok) from errors during parsing of the
config file (should abort).
- Remove the Authenticating <username> message since it could be
confusing in the case where you are using a pam config that doesn't
require it and it doesn't really provide any benefit.
- Improve error checking and handling.
- Coding style cleanups (indentation, comment style, etc).

To test, I created a /etc/pam.d/newrole-noauth config that had
pam_permit.so for its auth module and created
a /etc/selinux/newrole_pam.conf that mapped one program to
newrole-noauth.

The alternative model would be to eliminate /etc/selnux/newrole_pam.conf
entirely from the equation, and just have newrole look for (test via
access()) a /etc/pam.d/newrole_<appname> config and use
newrole_<appname> as the service name if present.

Index: policycoreutils/newrole/newrole.c
===================================================================
--- policycoreutils/newrole/newrole.c	(revision 2422)
+++ policycoreutils/newrole/newrole.c	(working copy)
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include <stdlib.h>		/* for malloc(), realloc(), free() */
 #include <pwd.h>		/* for getpwuid() */
+#include <ctype.h>
 #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		/* for wait() */
 #include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -92,6 +93,10 @@
 /* USAGE_STRING describes the command-line args of this program. */
 #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
 
+#ifdef USE_PAM
+#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
+#endif
+
 #define DEFAULT_PATH "/usr/bin:/bin"
 #define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
 
@@ -159,7 +164,7 @@
 #include <security/pam_appl.h>	/* for PAM functions */
 #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
 
-#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
+char *service_name = "newrole";
 
 /* authenticate_via_pam()
  *
@@ -209,6 +214,113 @@
 	return result;
 }				/* authenticate_via_pam() */
 
+#include "hashtab.h"
+
+static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, 
+			      void *args __attribute__ ((unused)) )
+{
+	free(key);
+	free(d);
+	return 0;
+}
+
+static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
+{
+	char *p, *keyp;
+	size_t size;
+	unsigned int val;
+
+	val = 0;
+	keyp = (char *)key;
+	size = strlen(keyp);
+	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
+		val =
+		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+	return val & (h->size - 1);
+}
+
+static int reqsymcmp(hashtab_t h
+		     __attribute__ ((unused)), hashtab_key_t key1,
+		     hashtab_key_t key2)
+{
+	char *keyp1, *keyp2;
+
+	keyp1 = (char *)key1;
+	keyp2 = (char *)key2;
+	return strcmp(keyp1, keyp2);
+}
+
+static hashtab_t app_service_names = NULL;
+#define PAM_SERVICE_SLOTS 64
+
+static int process_pam_config(FILE * cfg)
+{
+	const char *config_file_path = PAM_SERVICE_CONFIG;
+	char *line_buf = NULL;
+	unsigned long lineno = 0;
+	size_t len = 0;
+	char *app = NULL;
+	char *service = NULL;
+	int ret;
+
+	while (getline(&line_buf, &len, cfg) > 0) {
+		char *buffer = line_buf;
+		lineno++;
+		while (isspace(*buffer))
+			buffer++;
+		if (buffer[0] == '#')
+			continue;
+		if (buffer[0] == '\n' || buffer[0] == '\0')
+			continue;
+
+		app = service = NULL;
+		ret = sscanf(buffer, "%as %as\n", &app, &service);
+		if (ret < 2 || !app || !service)
+			goto err;
+
+		ret = hashtab_insert(app_service_names, app, service);
+		if (ret == HASHTAB_OVERFLOW) {
+			fprintf(stderr,
+				_("newrole: service name configuration hashtable overflow\n"));
+			goto err;
+		}
+	}
+
+	free(line_buf);
+	return 0;
+      err:
+	free(app);
+	free(service);
+	fprintf(stderr,	_("newrole:  %s:  error on line %lu.\n"), config_file_path, lineno);
+	free(line_buf);
+	return -1;
+}
+
+/* 
+ *  Read config file ignoring comment lines.
+ *  Files specified one per line executable with a corresponding
+ *  pam service name.
+ */
+static int read_pam_config()
+{
+	const char *config_file_path = PAM_SERVICE_CONFIG;
+	FILE *cfg = NULL;
+	cfg = fopen(config_file_path, "r");
+	if (!cfg)
+		return 0;	/* This configuration is optional. */
+	app_service_names =
+	    hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS);
+	if (!app_service_names)
+		goto err;
+	if (process_pam_config(cfg))
+		goto err;
+	fclose(cfg);
+	return 0;
+      err:
+	fclose(cfg);
+	return -1;
+}
+
 #else				/* else !USE_PAM */
 
 /************************************************************************
@@ -1027,9 +1139,33 @@
 	if (extract_pw_data(&pw))
 		goto err_free;
 
-	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	if (read_pam_config()) {
+		fprintf(stderr, _("error on reading PAM service configuration.\n"));
+		goto err_free;
+	}
+
+	if (app_service_names != NULL && optind < argc) {
+		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
+			/*
+			 * Check for a separate pam service name for the command when
+			 * invoked by newrole.
+			 */
+			char *cmd = NULL;
+			rc = sscanf(argv[optind + 1], "%as", &cmd);
+			if (rc != EOF && cmd != NULL) {
+				char *app_service_name =
+				    (char *)hashtab_search(app_service_names,
+							   cmd);
+				free(cmd);
+				if (app_service_name != NULL) {
+					service_name = app_service_name;
+				}
+			}
+		}
+	}
+
+	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
 			       &pam_handle);
 	if (pam_status != PAM_SUCCESS) {
 		fprintf(stderr, _("failed to initialize PAM\n"));
@@ -1118,6 +1254,8 @@
 				pam_strerror(pam_handle, rc));
 			exit_code = -1;
 		}
+		hashtab_map(app_service_names, free_hashtab_entry, NULL);
+		hashtab_destroy(app_service_names);
 #endif
 		free(pw.pw_name);
 		free(pw.pw_dir);
@@ -1223,5 +1361,11 @@
 	free(pw.pw_dir);
 	free(pw.pw_shell);
 	free(shell_argv0);
+#ifdef USE_PAM
+	if (app_service_names) {
+		hashtab_map(app_service_names, free_hashtab_entry, NULL);
+		hashtab_destroy(app_service_names);
+	}
+#endif
 	return -1;
 }				/* main() */
Index: policycoreutils/newrole/Makefile
===================================================================
--- policycoreutils/newrole/Makefile	(revision 2422)
+++ policycoreutils/newrole/Makefile	(working copy)
@@ -21,10 +21,12 @@
 VERSION = $(shell cat ../VERSION)
 
 CFLAGS ?= -Werror -Wall -W
+EXTRA_OBJS =
 override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
 LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
 ifeq (${PAMH}, /usr/include/security/pam_appl.h)
 	override CFLAGS += -DUSE_PAM
+	EXTRA_OBJS += hashtab.o
 	LDLIBS += -lpam -lpam_misc
 else
 	override CFLAGS += -D_XOPEN_SOURCE=500
@@ -53,9 +55,10 @@
 	MODE := 0555
 endif
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+all: newrole
 
-all: $(TARGETS)
+newrole: newrole.o $(EXTRA_OBJS)
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
 
 install: all
 	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Darrel Goeddel]

Stephen Smalley wrote:
> How about the revised patch below (only including the newrole.c and
> Makefile diffs since the hashtab code is unchanged)?  The changes from
> your patch are:
> - Make sure everything is properly enabled/disabled by USE_PAM and move
> the code into the existing USE_PAM block where appropriate.
> - Call the config file newrole_pam.conf since there could be other
> newrole config files in the future.
> - Distinguish missing config file (ok) from errors during parsing of the
> config file (should abort).
> - Remove the Authenticating <username> message since it could be
> confusing in the case where you are using a pam config that doesn't
> require it and it doesn't really provide any benefit.
> - Improve error checking and handling.
> - Coding style cleanups (indentation, comment style, etc).
> 
> To test, I created a /etc/pam.d/newrole-noauth config that had
> pam_permit.so for its auth module and created
> a /etc/selinux/newrole_pam.conf that mapped one program to
> newrole-noauth.
> 
> The alternative model would be to eliminate /etc/selnux/newrole_pam.conf
> entirely from the equation, and just have newrole look for (test via
> access()) a /etc/pam.d/newrole_<appname> config and use
> newrole_<appname> as the service name if present.

I like this idea.  I haven't had a chance to test this yet, but it looks
to be assuming that the arg to -c is just the command name without any
path info.  Should we strip that down to its basename in case someone runs
'newrole -l secret -c /usr/bin/foo' as opposed to 'newrole -l secret -c foo'?

-- 

Darrel

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Ted X Toth]

Stephen Smalley wrote:
> How about the revised patch below (only including the newrole.c and
> Makefile diffs since the hashtab code is unchanged)?  The changes from
> your patch are:
> - Make sure everything is properly enabled/disabled by USE_PAM and move
> the code into the existing USE_PAM block where appropriate.
> - Call the config file newrole_pam.conf since there could be other
> newrole config files in the future.
> - Distinguish missing config file (ok) from errors during parsing of the
> config file (should abort).
> - Remove the Authenticating <username> message since it could be
> confusing in the case where you are using a pam config that doesn't
> require it and it doesn't really provide any benefit.
> - Improve error checking and handling.
> - Coding style cleanups (indentation, comment style, etc).
>
> To test, I created a /etc/pam.d/newrole-noauth config that had
> pam_permit.so for its auth module and created
> a /etc/selinux/newrole_pam.conf that mapped one program to
> newrole-noauth.
>
> The alternative model would be to eliminate /etc/selnux/newrole_pam.conf
> entirely from the equation, and just have newrole look for (test via
> access()) a /etc/pam.d/newrole_<appname> config and use
> newrole_<appname> as the service name if present.
>   

I like it but one thing I had thought about was that if the current 
patch were to check for the existence of the pam configuration file 
(service name) and the file was missing the user could be warned of 
that. Of course there is no help in the event that newrole_pam.conf is 
misconfigured.
> Index: policycoreutils/newrole/newrole.c
> ===================================================================
> --- policycoreutils/newrole/newrole.c	(revision 2422)
> +++ policycoreutils/newrole/newrole.c	(working copy)
> @@ -58,6 +58,7 @@
>  #include <stdio.h>
>  #include <stdlib.h>		/* for malloc(), realloc(), free() */
>  #include <pwd.h>		/* for getpwuid() */
> +#include <ctype.h>
>  #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
>  #include <sys/wait.h>		/* for wait() */
>  #include <getopt.h>		/* for getopt_long() form of getopt() */
> @@ -92,6 +93,10 @@
>  /* USAGE_STRING describes the command-line args of this program. */
>  #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
>  
> +#ifdef USE_PAM
> +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
> +#endif
> +
>  #define DEFAULT_PATH "/usr/bin:/bin"
>  #define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
>  
> @@ -159,7 +164,7 @@
>  #include <security/pam_appl.h>	/* for PAM functions */
>  #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
>  
> -#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
> +char *service_name = "newrole";
>  
>  /* authenticate_via_pam()
>   *
> @@ -209,6 +214,113 @@
>  	return result;
>  }				/* authenticate_via_pam() */
>  
> +#include "hashtab.h"
> +
> +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, 
> +			      void *args __attribute__ ((unused)) )
> +{
> +	free(key);
> +	free(d);
> +	return 0;
> +}
> +
> +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
> +{
> +	char *p, *keyp;
> +	size_t size;
> +	unsigned int val;
> +
> +	val = 0;
> +	keyp = (char *)key;
> +	size = strlen(keyp);
> +	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
> +		val =
> +		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
> +	return val & (h->size - 1);
> +}
> +
> +static int reqsymcmp(hashtab_t h
> +		     __attribute__ ((unused)), hashtab_key_t key1,
> +		     hashtab_key_t key2)
> +{
> +	char *keyp1, *keyp2;
> +
> +	keyp1 = (char *)key1;
> +	keyp2 = (char *)key2;
> +	return strcmp(keyp1, keyp2);
> +}
> +
> +static hashtab_t app_service_names = NULL;
> +#define PAM_SERVICE_SLOTS 64
> +
> +static int process_pam_config(FILE * cfg)
> +{
> +	const char *config_file_path = PAM_SERVICE_CONFIG;
> +	char *line_buf = NULL;
> +	unsigned long lineno = 0;
> +	size_t len = 0;
> +	char *app = NULL;
> +	char *service = NULL;
> +	int ret;
> +
> +	while (getline(&line_buf, &len, cfg) > 0) {
> +		char *buffer = line_buf;
> +		lineno++;
> +		while (isspace(*buffer))
> +			buffer++;
> +		if (buffer[0] == '#')
> +			continue;
> +		if (buffer[0] == '\n' || buffer[0] == '\0')
> +			continue;
> +
> +		app = service = NULL;
> +		ret = sscanf(buffer, "%as %as\n", &app, &service);
> +		if (ret < 2 || !app || !service)
> +			goto err;
> +
> +		ret = hashtab_insert(app_service_names, app, service);
> +		if (ret == HASHTAB_OVERFLOW) {
> +			fprintf(stderr,
> +				_("newrole: service name configuration hashtable overflow\n"));
> +			goto err;
> +		}
> +	}
> +
> +	free(line_buf);
> +	return 0;
> +      err:
> +	free(app);
> +	free(service);
> +	fprintf(stderr,	_("newrole:  %s:  error on line %lu.\n"), config_file_path, lineno);
> +	free(line_buf);
> +	return -1;
> +}
> +
> +/* 
> + *  Read config file ignoring comment lines.
> + *  Files specified one per line executable with a corresponding
> + *  pam service name.
> + */
> +static int read_pam_config()
> +{
> +	const char *config_file_path = PAM_SERVICE_CONFIG;
> +	FILE *cfg = NULL;
> +	cfg = fopen(config_file_path, "r");
> +	if (!cfg)
> +		return 0;	/* This configuration is optional. */
> +	app_service_names =
> +	    hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS);
> +	if (!app_service_names)
> +		goto err;
> +	if (process_pam_config(cfg))
> +		goto err;
> +	fclose(cfg);
> +	return 0;
> +      err:
> +	fclose(cfg);
> +	return -1;
> +}
> +
>  #else				/* else !USE_PAM */
>  
>  /************************************************************************
> @@ -1027,9 +1139,33 @@
>  	if (extract_pw_data(&pw))
>  		goto err_free;
>  
> -	printf(_("Authenticating %s.\n"), pw.pw_name);
>  #ifdef USE_PAM
> -	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
> +	if (read_pam_config()) {
> +		fprintf(stderr, _("error on reading PAM service configuration.\n"));
> +		goto err_free;
> +	}
> +
> +	if (app_service_names != NULL && optind < argc) {
> +		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
> +			/*
> +			 * Check for a separate pam service name for the command when
> +			 * invoked by newrole.
> +			 */
> +			char *cmd = NULL;
> +			rc = sscanf(argv[optind + 1], "%as", &cmd);
> +			if (rc != EOF && cmd != NULL) {
> +				char *app_service_name =
> +				    (char *)hashtab_search(app_service_names,
> +							   cmd);
> +				free(cmd);
> +				if (app_service_name != NULL) {
> +					service_name = app_service_name;
> +				}
> +			}
> +		}
> +	}
> +
> +	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
>  			       &pam_handle);
>  	if (pam_status != PAM_SUCCESS) {
>  		fprintf(stderr, _("failed to initialize PAM\n"));
> @@ -1118,6 +1254,8 @@
>  				pam_strerror(pam_handle, rc));
>  			exit_code = -1;
>  		}
> +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
> +		hashtab_destroy(app_service_names);
>  #endif
>  		free(pw.pw_name);
>  		free(pw.pw_dir);
> @@ -1223,5 +1361,11 @@
>  	free(pw.pw_dir);
>  	free(pw.pw_shell);
>  	free(shell_argv0);
> +#ifdef USE_PAM
> +	if (app_service_names) {
> +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
> +		hashtab_destroy(app_service_names);
> +	}
> +#endif
>  	return -1;
>  }				/* main() */
> Index: policycoreutils/newrole/Makefile
> ===================================================================
> --- policycoreutils/newrole/Makefile	(revision 2422)
> +++ policycoreutils/newrole/Makefile	(working copy)
> @@ -21,10 +21,12 @@
>  VERSION = $(shell cat ../VERSION)
>  
>  CFLAGS ?= -Werror -Wall -W
> +EXTRA_OBJS =
>  override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>  LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
>  ifeq (${PAMH}, /usr/include/security/pam_appl.h)
>  	override CFLAGS += -DUSE_PAM
> +	EXTRA_OBJS += hashtab.o
>  	LDLIBS += -lpam -lpam_misc
>  else
>  	override CFLAGS += -D_XOPEN_SOURCE=500
> @@ -53,9 +55,10 @@
>  	MODE := 0555
>  endif
>  
> -TARGETS=$(patsubst %.c,%,$(wildcard *.c))
> +all: newrole
>  
> -all: $(TARGETS)
> +newrole: newrole.o $(EXTRA_OBJS)
> +	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
>  
>  install: all
>  	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)
>
>   


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Fri, 2007-05-04 at 13:56 -0500, Ted X Toth wrote:
> Stephen Smalley wrote:
> > How about the revised patch below (only including the newrole.c and
> > Makefile diffs since the hashtab code is unchanged)?  The changes from
> > your patch are:
> > - Make sure everything is properly enabled/disabled by USE_PAM and move
> > the code into the existing USE_PAM block where appropriate.
> > - Call the config file newrole_pam.conf since there could be other
> > newrole config files in the future.
> > - Distinguish missing config file (ok) from errors during parsing of the
> > config file (should abort).
> > - Remove the Authenticating <username> message since it could be
> > confusing in the case where you are using a pam config that doesn't
> > require it and it doesn't really provide any benefit.
> > - Improve error checking and handling.
> > - Coding style cleanups (indentation, comment style, etc).
> >
> > To test, I created a /etc/pam.d/newrole-noauth config that had
> > pam_permit.so for its auth module and created
> > a /etc/selinux/newrole_pam.conf that mapped one program to
> > newrole-noauth.
> >
> > The alternative model would be to eliminate /etc/selnux/newrole_pam.conf
> > entirely from the equation, and just have newrole look for (test via
> > access()) a /etc/pam.d/newrole_<appname> config and use
> > newrole_<appname> as the service name if present.
> >   
> 
> I like it but one thing I had thought about was that if the current 
> patch were to check for the existence of the pam configuration file 
> (service name) and the file was missing the user could be warned of 
> that. Of course there is no help in the event that newrole_pam.conf is 
> misconfigured.

Sorry, are you suggesting eliminating the need for newrole_pam.conf
altogether (as I described above as an alternative, implicitly mapping
each app to a newrole_<app> service name if present) or retaining it but
just adding a test for the presence of the pam config for error
reporting purposes?

I'll incorporate Darrel's suggestion about using the basename() of the
command in the next version of the patch.


> > Index: policycoreutils/newrole/newrole.c
> > ===================================================================
> > --- policycoreutils/newrole/newrole.c	(revision 2422)
> > +++ policycoreutils/newrole/newrole.c	(working copy)
> > @@ -58,6 +58,7 @@
> >  #include <stdio.h>
> >  #include <stdlib.h>		/* for malloc(), realloc(), free() */
> >  #include <pwd.h>		/* for getpwuid() */
> > +#include <ctype.h>
> >  #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
> >  #include <sys/wait.h>		/* for wait() */
> >  #include <getopt.h>		/* for getopt_long() form of getopt() */
> > @@ -92,6 +93,10 @@
> >  /* USAGE_STRING describes the command-line args of this program. */
> >  #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
> >  
> > +#ifdef USE_PAM
> > +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
> > +#endif
> > +
> >  #define DEFAULT_PATH "/usr/bin:/bin"
> >  #define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
> >  
> > @@ -159,7 +164,7 @@
> >  #include <security/pam_appl.h>	/* for PAM functions */
> >  #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
> >  
> > -#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
> > +char *service_name = "newrole";
> >  
> >  /* authenticate_via_pam()
> >   *
> > @@ -209,6 +214,113 @@
> >  	return result;
> >  }				/* authenticate_via_pam() */
> >  
> > +#include "hashtab.h"
> > +
> > +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, 
> > +			      void *args __attribute__ ((unused)) )
> > +{
> > +	free(key);
> > +	free(d);
> > +	return 0;
> > +}
> > +
> > +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
> > +{
> > +	char *p, *keyp;
> > +	size_t size;
> > +	unsigned int val;
> > +
> > +	val = 0;
> > +	keyp = (char *)key;
> > +	size = strlen(keyp);
> > +	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
> > +		val =
> > +		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
> > +	return val & (h->size - 1);
> > +}
> > +
> > +static int reqsymcmp(hashtab_t h
> > +		     __attribute__ ((unused)), hashtab_key_t key1,
> > +		     hashtab_key_t key2)
> > +{
> > +	char *keyp1, *keyp2;
> > +
> > +	keyp1 = (char *)key1;
> > +	keyp2 = (char *)key2;
> > +	return strcmp(keyp1, keyp2);
> > +}
> > +
> > +static hashtab_t app_service_names = NULL;
> > +#define PAM_SERVICE_SLOTS 64
> > +
> > +static int process_pam_config(FILE * cfg)
> > +{
> > +	const char *config_file_path = PAM_SERVICE_CONFIG;
> > +	char *line_buf = NULL;
> > +	unsigned long lineno = 0;
> > +	size_t len = 0;
> > +	char *app = NULL;
> > +	char *service = NULL;
> > +	int ret;
> > +
> > +	while (getline(&line_buf, &len, cfg) > 0) {
> > +		char *buffer = line_buf;
> > +		lineno++;
> > +		while (isspace(*buffer))
> > +			buffer++;
> > +		if (buffer[0] == '#')
> > +			continue;
> > +		if (buffer[0] == '\n' || buffer[0] == '\0')
> > +			continue;
> > +
> > +		app = service = NULL;
> > +		ret = sscanf(buffer, "%as %as\n", &app, &service);
> > +		if (ret < 2 || !app || !service)
> > +			goto err;
> > +
> > +		ret = hashtab_insert(app_service_names, app, service);
> > +		if (ret == HASHTAB_OVERFLOW) {
> > +			fprintf(stderr,
> > +				_("newrole: service name configuration hashtable overflow\n"));
> > +			goto err;
> > +		}
> > +	}
> > +
> > +	free(line_buf);
> > +	return 0;
> > +      err:
> > +	free(app);
> > +	free(service);
> > +	fprintf(stderr,	_("newrole:  %s:  error on line %lu.\n"), config_file_path, lineno);
> > +	free(line_buf);
> > +	return -1;
> > +}
> > +
> > +/* 
> > + *  Read config file ignoring comment lines.
> > + *  Files specified one per line executable with a corresponding
> > + *  pam service name.
> > + */
> > +static int read_pam_config()
> > +{
> > +	const char *config_file_path = PAM_SERVICE_CONFIG;
> > +	FILE *cfg = NULL;
> > +	cfg = fopen(config_file_path, "r");
> > +	if (!cfg)
> > +		return 0;	/* This configuration is optional. */
> > +	app_service_names =
> > +	    hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS);
> > +	if (!app_service_names)
> > +		goto err;
> > +	if (process_pam_config(cfg))
> > +		goto err;
> > +	fclose(cfg);
> > +	return 0;
> > +      err:
> > +	fclose(cfg);
> > +	return -1;
> > +}
> > +
> >  #else				/* else !USE_PAM */
> >  
> >  /************************************************************************
> > @@ -1027,9 +1139,33 @@
> >  	if (extract_pw_data(&pw))
> >  		goto err_free;
> >  
> > -	printf(_("Authenticating %s.\n"), pw.pw_name);
> >  #ifdef USE_PAM
> > -	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
> > +	if (read_pam_config()) {
> > +		fprintf(stderr, _("error on reading PAM service configuration.\n"));
> > +		goto err_free;
> > +	}
> > +
> > +	if (app_service_names != NULL && optind < argc) {
> > +		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
> > +			/*
> > +			 * Check for a separate pam service name for the command when
> > +			 * invoked by newrole.
> > +			 */
> > +			char *cmd = NULL;
> > +			rc = sscanf(argv[optind + 1], "%as", &cmd);
> > +			if (rc != EOF && cmd != NULL) {
> > +				char *app_service_name =
> > +				    (char *)hashtab_search(app_service_names,
> > +							   cmd);
> > +				free(cmd);
> > +				if (app_service_name != NULL) {
> > +					service_name = app_service_name;
> > +				}
> > +			}
> > +		}
> > +	}
> > +
> > +	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
> >  			       &pam_handle);
> >  	if (pam_status != PAM_SUCCESS) {
> >  		fprintf(stderr, _("failed to initialize PAM\n"));
> > @@ -1118,6 +1254,8 @@
> >  				pam_strerror(pam_handle, rc));
> >  			exit_code = -1;
> >  		}
> > +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
> > +		hashtab_destroy(app_service_names);
> >  #endif
> >  		free(pw.pw_name);
> >  		free(pw.pw_dir);
> > @@ -1223,5 +1361,11 @@
> >  	free(pw.pw_dir);
> >  	free(pw.pw_shell);
> >  	free(shell_argv0);
> > +#ifdef USE_PAM
> > +	if (app_service_names) {
> > +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
> > +		hashtab_destroy(app_service_names);
> > +	}
> > +#endif
> >  	return -1;
> >  }				/* main() */
> > Index: policycoreutils/newrole/Makefile
> > ===================================================================
> > --- policycoreutils/newrole/Makefile	(revision 2422)
> > +++ policycoreutils/newrole/Makefile	(working copy)
> > @@ -21,10 +21,12 @@
> >  VERSION = $(shell cat ../VERSION)
> >  
> >  CFLAGS ?= -Werror -Wall -W
> > +EXTRA_OBJS =
> >  override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> >  LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
> >  ifeq (${PAMH}, /usr/include/security/pam_appl.h)
> >  	override CFLAGS += -DUSE_PAM
> > +	EXTRA_OBJS += hashtab.o
> >  	LDLIBS += -lpam -lpam_misc
> >  else
> >  	override CFLAGS += -D_XOPEN_SOURCE=500
> > @@ -53,9 +55,10 @@
> >  	MODE := 0555
> >  endif
> >  
> > -TARGETS=$(patsubst %.c,%,$(wildcard *.c))
> > +all: newrole
> >  
> > -all: $(TARGETS)
> > +newrole: newrole.o $(EXTRA_OBJS)
> > +	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
> >  
> >  install: all
> >  	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)
> >
> >   
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Ted X Toth]

Stephen Smalley wrote:
> On Fri, 2007-05-04 at 13:56 -0500, Ted X Toth wrote:
>   
>> Stephen Smalley wrote:
>>     
>>> How about the revised patch below (only including the newrole.c and
>>> Makefile diffs since the hashtab code is unchanged)?  The changes from
>>> your patch are:
>>> - Make sure everything is properly enabled/disabled by USE_PAM and move
>>> the code into the existing USE_PAM block where appropriate.
>>> - Call the config file newrole_pam.conf since there could be other
>>> newrole config files in the future.
>>> - Distinguish missing config file (ok) from errors during parsing of the
>>> config file (should abort).
>>> - Remove the Authenticating <username> message since it could be
>>> confusing in the case where you are using a pam config that doesn't
>>> require it and it doesn't really provide any benefit.
>>> - Improve error checking and handling.
>>> - Coding style cleanups (indentation, comment style, etc).
>>>
>>> To test, I created a /etc/pam.d/newrole-noauth config that had
>>> pam_permit.so for its auth module and created
>>> a /etc/selinux/newrole_pam.conf that mapped one program to
>>> newrole-noauth.
>>>
>>> The alternative model would be to eliminate /etc/selnux/newrole_pam.conf
>>> entirely from the equation, and just have newrole look for (test via
>>> access()) a /etc/pam.d/newrole_<appname> config and use
>>> newrole_<appname> as the service name if present.
>>>   
>>>       
>> I like it but one thing I had thought about was that if the current 
>> patch were to check for the existence of the pam configuration file 
>> (service name) and the file was missing the user could be warned of 
>> that. Of course there is no help in the event that newrole_pam.conf is 
>> misconfigured.
>>     
>
> Sorry, are you suggesting eliminating the need for newrole_pam.conf
> altogether (as I described above as an alternative, implicitly mapping
> each app to a newrole_<app> service name if present) or retaining it but
> just adding a test for the presence of the pam config for error
> reporting purposes?
>   

I don't have a strong feeling one way or the other. Eliminating 
newrole_pam.conf would certainly simplify the implementation. I was just 
thinking about whether there were any good arguments for keeping it and 
usability was the only thing I could come up with.

> I'll incorporate Darrel's suggestion about using the basename() of the
> command in the next version of the patch.
>
>
>   
>>> Index: policycoreutils/newrole/newrole.c
>>> ===================================================================
>>> --- policycoreutils/newrole/newrole.c	(revision 2422)
>>> +++ policycoreutils/newrole/newrole.c	(working copy)
>>> @@ -58,6 +58,7 @@
>>>  #include <stdio.h>
>>>  #include <stdlib.h>		/* for malloc(), realloc(), free() */
>>>  #include <pwd.h>		/* for getpwuid() */
>>> +#include <ctype.h>
>>>  #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
>>>  #include <sys/wait.h>		/* for wait() */
>>>  #include <getopt.h>		/* for getopt_long() form of getopt() */
>>> @@ -92,6 +93,10 @@
>>>  /* USAGE_STRING describes the command-line args of this program. */
>>>  #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
>>>  
>>> +#ifdef USE_PAM
>>> +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
>>> +#endif
>>> +
>>>  #define DEFAULT_PATH "/usr/bin:/bin"
>>>  #define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
>>>  
>>> @@ -159,7 +164,7 @@
>>>  #include <security/pam_appl.h>	/* for PAM functions */
>>>  #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
>>>  
>>> -#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
>>> +char *service_name = "newrole";
>>>  
>>>  /* authenticate_via_pam()
>>>   *
>>> @@ -209,6 +214,113 @@
>>>  	return result;
>>>  }				/* authenticate_via_pam() */
>>>  
>>> +#include "hashtab.h"
>>> +
>>> +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, 
>>> +			      void *args __attribute__ ((unused)) )
>>> +{
>>> +	free(key);
>>> +	free(d);
>>> +	return 0;
>>> +}
>>> +
>>> +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
>>> +{
>>> +	char *p, *keyp;
>>> +	size_t size;
>>> +	unsigned int val;
>>> +
>>> +	val = 0;
>>> +	keyp = (char *)key;
>>> +	size = strlen(keyp);
>>> +	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
>>> +		val =
>>> +		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
>>> +	return val & (h->size - 1);
>>> +}
>>> +
>>> +static int reqsymcmp(hashtab_t h
>>> +		     __attribute__ ((unused)), hashtab_key_t key1,
>>> +		     hashtab_key_t key2)
>>> +{
>>> +	char *keyp1, *keyp2;
>>> +
>>> +	keyp1 = (char *)key1;
>>> +	keyp2 = (char *)key2;
>>> +	return strcmp(keyp1, keyp2);
>>> +}
>>> +
>>> +static hashtab_t app_service_names = NULL;
>>> +#define PAM_SERVICE_SLOTS 64
>>> +
>>> +static int process_pam_config(FILE * cfg)
>>> +{
>>> +	const char *config_file_path = PAM_SERVICE_CONFIG;
>>> +	char *line_buf = NULL;
>>> +	unsigned long lineno = 0;
>>> +	size_t len = 0;
>>> +	char *app = NULL;
>>> +	char *service = NULL;
>>> +	int ret;
>>> +
>>> +	while (getline(&line_buf, &len, cfg) > 0) {
>>> +		char *buffer = line_buf;
>>> +		lineno++;
>>> +		while (isspace(*buffer))
>>> +			buffer++;
>>> +		if (buffer[0] == '#')
>>> +			continue;
>>> +		if (buffer[0] == '\n' || buffer[0] == '\0')
>>> +			continue;
>>> +
>>> +		app = service = NULL;
>>> +		ret = sscanf(buffer, "%as %as\n", &app, &service);
>>> +		if (ret < 2 || !app || !service)
>>> +			goto err;
>>> +
>>> +		ret = hashtab_insert(app_service_names, app, service);
>>> +		if (ret == HASHTAB_OVERFLOW) {
>>> +			fprintf(stderr,
>>> +				_("newrole: service name configuration hashtable overflow\n"));
>>> +			goto err;
>>> +		}
>>> +	}
>>> +
>>> +	free(line_buf);
>>> +	return 0;
>>> +      err:
>>> +	free(app);
>>> +	free(service);
>>> +	fprintf(stderr,	_("newrole:  %s:  error on line %lu.\n"), config_file_path, lineno);
>>> +	free(line_buf);
>>> +	return -1;
>>> +}
>>> +
>>> +/* 
>>> + *  Read config file ignoring comment lines.
>>> + *  Files specified one per line executable with a corresponding
>>> + *  pam service name.
>>> + */
>>> +static int read_pam_config()
>>> +{
>>> +	const char *config_file_path = PAM_SERVICE_CONFIG;
>>> +	FILE *cfg = NULL;
>>> +	cfg = fopen(config_file_path, "r");
>>> +	if (!cfg)
>>> +		return 0;	/* This configuration is optional. */
>>> +	app_service_names =
>>> +	    hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS);
>>> +	if (!app_service_names)
>>> +		goto err;
>>> +	if (process_pam_config(cfg))
>>> +		goto err;
>>> +	fclose(cfg);
>>> +	return 0;
>>> +      err:
>>> +	fclose(cfg);
>>> +	return -1;
>>> +}
>>> +
>>>  #else				/* else !USE_PAM */
>>>  
>>>  /************************************************************************
>>> @@ -1027,9 +1139,33 @@
>>>  	if (extract_pw_data(&pw))
>>>  		goto err_free;
>>>  
>>> -	printf(_("Authenticating %s.\n"), pw.pw_name);
>>>  #ifdef USE_PAM
>>> -	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
>>> +	if (read_pam_config()) {
>>> +		fprintf(stderr, _("error on reading PAM service configuration.\n"));
>>> +		goto err_free;
>>> +	}
>>> +
>>> +	if (app_service_names != NULL && optind < argc) {
>>> +		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
>>> +			/*
>>> +			 * Check for a separate pam service name for the command when
>>> +			 * invoked by newrole.
>>> +			 */
>>> +			char *cmd = NULL;
>>> +			rc = sscanf(argv[optind + 1], "%as", &cmd);
>>> +			if (rc != EOF && cmd != NULL) {
>>> +				char *app_service_name =
>>> +				    (char *)hashtab_search(app_service_names,
>>> +							   cmd);
>>> +				free(cmd);
>>> +				if (app_service_name != NULL) {
>>> +					service_name = app_service_name;
>>> +				}
>>> +			}
>>> +		}
>>> +	}
>>> +
>>> +	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
>>>  			       &pam_handle);
>>>  	if (pam_status != PAM_SUCCESS) {
>>>  		fprintf(stderr, _("failed to initialize PAM\n"));
>>> @@ -1118,6 +1254,8 @@
>>>  				pam_strerror(pam_handle, rc));
>>>  			exit_code = -1;
>>>  		}
>>> +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
>>> +		hashtab_destroy(app_service_names);
>>>  #endif
>>>  		free(pw.pw_name);
>>>  		free(pw.pw_dir);
>>> @@ -1223,5 +1361,11 @@
>>>  	free(pw.pw_dir);
>>>  	free(pw.pw_shell);
>>>  	free(shell_argv0);
>>> +#ifdef USE_PAM
>>> +	if (app_service_names) {
>>> +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
>>> +		hashtab_destroy(app_service_names);
>>> +	}
>>> +#endif
>>>  	return -1;
>>>  }				/* main() */
>>> Index: policycoreutils/newrole/Makefile
>>> ===================================================================
>>> --- policycoreutils/newrole/Makefile	(revision 2422)
>>> +++ policycoreutils/newrole/Makefile	(working copy)
>>> @@ -21,10 +21,12 @@
>>>  VERSION = $(shell cat ../VERSION)
>>>  
>>>  CFLAGS ?= -Werror -Wall -W
>>> +EXTRA_OBJS =
>>>  override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>>>  LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
>>>  ifeq (${PAMH}, /usr/include/security/pam_appl.h)
>>>  	override CFLAGS += -DUSE_PAM
>>> +	EXTRA_OBJS += hashtab.o
>>>  	LDLIBS += -lpam -lpam_misc
>>>  else
>>>  	override CFLAGS += -D_XOPEN_SOURCE=500
>>> @@ -53,9 +55,10 @@
>>>  	MODE := 0555
>>>  endif
>>>  
>>> -TARGETS=$(patsubst %.c,%,$(wildcard *.c))
>>> +all: newrole
>>>  
>>> -all: $(TARGETS)
>>> +newrole: newrole.o $(EXTRA_OBJS)
>>> +	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
>>>  
>>>  install: all
>>>  	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)
>>>
>>>   
>>>       


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: launching apps at level (MLS) and polyinstantiation

[Stephen Smalley]

On Thu, 2007-05-03 at 16:09 -0500, Darrel Goeddel wrote:
> Stephen Smalley wrote:
> > How about the revised patch below (only including the newrole.c and
> > Makefile diffs since the hashtab code is unchanged)?  The changes from
> > your patch are:
> > - Make sure everything is properly enabled/disabled by USE_PAM and move
> > the code into the existing USE_PAM block where appropriate.
> > - Call the config file newrole_pam.conf since there could be other
> > newrole config files in the future.
> > - Distinguish missing config file (ok) from errors during parsing of the
> > config file (should abort).
> > - Remove the Authenticating <username> message since it could be
> > confusing in the case where you are using a pam config that doesn't
> > require it and it doesn't really provide any benefit.
> > - Improve error checking and handling.
> > - Coding style cleanups (indentation, comment style, etc).
> > 
> > To test, I created a /etc/pam.d/newrole-noauth config that had
> > pam_permit.so for its auth module and created
> > a /etc/selinux/newrole_pam.conf that mapped one program to
> > newrole-noauth.
> > 
> > The alternative model would be to eliminate /etc/selnux/newrole_pam.conf
> > entirely from the equation, and just have newrole look for (test via
> > access()) a /etc/pam.d/newrole_<appname> config and use
> > newrole_<appname> as the service name if present.
> 
> I like this idea.  I haven't had a chance to test this yet, but it looks
> to be assuming that the arg to -c is just the command name without any
> path info.  Should we strip that down to its basename in case someone runs
> 'newrole -l secret -c /usr/bin/foo' as opposed to 'newrole -l secret -c foo'?

Actually, on second thought, do we really want that behavior?  IOW, if I
specify "/usr/bin/foo newrole-noauth" in
my /etc/selinux/newrole_pam.conf, then I want "newrole -l s1 --
-c /usr/bin/foo" to use /etc/pam.d/newrole-noauth.  But I don't want the
caller to be able to do "newrole -l s1 -- -c ./foo" and get the same
effect.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation)

[Stephen Smalley]

From: 	Ted X Toth <txtoth@gmail.com>

With some modifications by Stephen Smalley <sds@tycho.nsa.gov>.

Extend newrole to enable use of alternate pam configurations when
running an application in a different context.  Introduces
/etc/selinux/newrole_pam.conf as a config file mapping application
pathnames to pam service names when the application is invoked via
newrole.  In the absence of the config file or the absence of a
matching entry, falls back to the standard newrole pam configuration.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

---

 policycoreutils/newrole/Makefile  |    7 
 policycoreutils/newrole/hashtab.c |  292 ++++++++++++++++++++++++++++++++++++++
 policycoreutils/newrole/hashtab.h |  142 ++++++++++++++++++
 policycoreutils/newrole/newrole.1 |   14 +
 policycoreutils/newrole/newrole.c |  149 +++++++++++++++++++
 5 files changed, 599 insertions(+), 5 deletions(-)

Index: trunk/policycoreutils/newrole/hashtab.h
===================================================================
--- trunk/policycoreutils/newrole/hashtab.h	(revision 0)
+++ trunk/policycoreutils/newrole/hashtab.h	(revision 0)
@@ -0,0 +1,142 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * A hash table (hashtab) maintains associations between
+ * key values and datum values.  The type of the key values 
+ * and the type of the datum values is arbitrary.  The
+ * functions for hash computation and key comparison are
+ * provided by the creator of the table.
+ */
+
+#ifndef _NEWROLE_HASHTAB_H_
+#define _NEWROLE_HASHTAB_H_
+
+#include <stdint.h>
+#include <errno.h>
+#include <stdio.h>
+
+typedef char *hashtab_key_t;	/* generic key type */
+typedef void *hashtab_datum_t;	/* generic datum type */
+
+typedef struct hashtab_node *hashtab_ptr_t;
+
+typedef struct hashtab_node {
+	hashtab_key_t key;
+	hashtab_datum_t datum;
+	hashtab_ptr_t next;
+} hashtab_node_t;
+
+typedef struct hashtab_val {
+	hashtab_ptr_t *htable;	/* hash table */
+	unsigned int size;	/* number of slots in hash table */
+	uint32_t nel;		/* number of elements in hash table */
+	unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key);	/* hash function */
+	int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2);	/* key comparison function */
+} hashtab_val_t;
+
+typedef hashtab_val_t *hashtab_t;
+
+/* Define status codes for hash table functions */
+#define HASHTAB_SUCCESS     0
+#define HASHTAB_OVERFLOW    -ENOMEM
+#define HASHTAB_PRESENT     -EEXIST
+#define HASHTAB_MISSING     -ENOENT
+
+/*
+   Creates a new hash table with the specified characteristics.
+
+   Returns NULL if insufficent space is available or
+   the new hash table otherwise.
+ */
+extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+							    const hashtab_key_t
+							    key),
+				int (*keycmp) (hashtab_t h,
+					       const hashtab_key_t key1,
+					       const hashtab_key_t key2),
+				unsigned int size);
+/*
+   Inserts the specified (key, datum) pair into the specified hash table.
+
+   Returns HASHTAB_OVERFLOW if insufficient space is available or
+   HASHTAB_PRESENT  if there is already an entry with the same key or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d);
+
+/*
+   Removes the entry with the specified key from the hash table.
+   Applies the specified destroy function to (key,datum,args) for
+   the entry.
+
+   Returns HASHTAB_MISSING if no entry has the specified key or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_remove(hashtab_t h, hashtab_key_t k,
+			  void (*destroy) (hashtab_key_t k,
+					   hashtab_datum_t d,
+					   void *args), void *args);
+
+/*
+   Insert or replace the specified (key, datum) pair in the specified
+   hash table.  If an entry for the specified key already exists,
+   then the specified destroy function is applied to (key,datum,args)
+   for the entry prior to replacing the entry's contents.
+
+   Returns HASHTAB_OVERFLOW if insufficient space is available or
+   HASHTAB_SUCCESS otherwise.
+ */
+extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d,
+			   void (*destroy) (hashtab_key_t k,
+					    hashtab_datum_t d,
+					    void *args), void *args);
+
+/*
+   Searches for the entry with the specified key in the hash table.
+
+   Returns NULL if no entry has the specified key or
+   the datum of the entry otherwise.
+ */
+extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
+
+/*
+   Destroys the specified hash table.
+ */
+extern void hashtab_destroy(hashtab_t h);
+
+/*
+   Applies the specified apply function to (key,datum,args)
+   for each entry in the specified hash table.
+
+   The order in which the function is applied to the entries
+   is dependent upon the internal structure of the hash table.
+
+   If apply returns a non-zero status, then hashtab_map will cease
+   iterating through the hash table and will propagate the error
+   return to its caller.
+ */
+extern int hashtab_map(hashtab_t h,
+		       int (*apply) (hashtab_key_t k,
+				     hashtab_datum_t d,
+				     void *args), void *args);
+
+/*
+   Same as hashtab_map, except that if apply returns a non-zero status,
+   then the (key,datum) pair will be removed from the hashtab and the
+   destroy function will be applied to (key,datum,args).
+ */
+extern void hashtab_map_remove_on_error(hashtab_t h,
+					int (*apply) (hashtab_key_t k,
+						      hashtab_datum_t d,
+						      void *args),
+					void (*destroy) (hashtab_key_t k,
+							 hashtab_datum_t d,
+							 void *args),
+					void *args);
+
+extern void hashtab_hash_eval(hashtab_t h, char *tag);
+
+#endif
Index: trunk/policycoreutils/newrole/newrole.1
===================================================================
--- trunk/policycoreutils/newrole/newrole.1	(revision 2422)
+++ trunk/policycoreutils/newrole/newrole.1	(working copy)
@@ -47,6 +47,12 @@
 In particular, an argument of -- -c will cause the next argument to be
 treated as a command by most command interpreters.
 .PP
+If a command argument is specified to newrole and the command name is found
+in /etc/selinux/newrole_pam.conf, then the pam service name listed in that
+file for the command will be used rather than the normal newrole pam
+configuration.  This allows for per-command pam configuration when
+invoked via newrole, e.g. to skip the interactive re-authentication phase.
+.PP
 The new shell will be the shell specified in the user's entry in the 
 .I /etc/passwd
 file.
@@ -81,14 +87,22 @@
    # id -Z
    staff_u:sysadm_r:sysadm_t:Secret
 
+.PP
+Running a program in a given role or level:
+   # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
+   # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
+
 .SH FILES
 /etc/passwd - user account information
 .br
 /etc/shadow - encrypted passwords and age information
 .br
 /etc/selinux/<policy>/contexts/default_type - default types for roles
+.br
 /etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
 .br
+/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names
+.br
 .SH SEE ALSO
 .B runcon
 (1)
Index: trunk/policycoreutils/newrole/hashtab.c
===================================================================
--- trunk/policycoreutils/newrole/hashtab.c	(revision 0)
+++ trunk/policycoreutils/newrole/hashtab.c	(revision 0)
@@ -0,0 +1,292 @@
+
+/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
+
+/* FLASK */
+
+/*
+ * Implementation of the hash table type.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "hashtab.h"
+
+hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
+						     const hashtab_key_t key),
+			 int (*keycmp) (hashtab_t h,
+					const hashtab_key_t key1,
+					const hashtab_key_t key2),
+			 unsigned int size)
+{
+
+	hashtab_t p;
+	unsigned int i;
+
+	p = (hashtab_t) malloc(sizeof(hashtab_val_t));
+	if (p == NULL)
+		return p;
+
+	memset(p, 0, sizeof(hashtab_val_t));
+	p->size = size;
+	p->nel = 0;
+	p->hash_value = hash_value;
+	p->keycmp = keycmp;
+	p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size);
+	if (p->htable == NULL) {
+		free(p);
+		return NULL;
+	}
+	for (i = 0; i < size; i++)
+		p->htable[i] = (hashtab_ptr_t) NULL;
+
+	return p;
+}
+
+int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
+{
+	int hvalue;
+	hashtab_ptr_t prev, cur, newnode;
+
+	if (!h)
+		return HASHTAB_OVERFLOW;
+
+	hvalue = h->hash_value(h, key);
+	prev = NULL;
+	cur = h->htable[hvalue];
+	while (cur && h->keycmp(h, key, cur->key) > 0) {
+		prev = cur;
+		cur = cur->next;
+	}
+
+	if (cur && (h->keycmp(h, key, cur->key) == 0))
+		return HASHTAB_PRESENT;
+
+	newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+	if (newnode == NULL)
+		return HASHTAB_OVERFLOW;
+	memset(newnode, 0, sizeof(struct hashtab_node));
+	newnode->key = key;
+	newnode->datum = datum;
+	if (prev) {
+		newnode->next = prev->next;
+		prev->next = newnode;
+	} else {
+		newnode->next = h->htable[hvalue];
+		h->htable[hvalue] = newnode;
+	}
+
+	h->nel++;
+	return HASHTAB_SUCCESS;
+}
+
+int hashtab_remove(hashtab_t h, hashtab_key_t key,
+		   void (*destroy) (hashtab_key_t k,
+				    hashtab_datum_t d, void *args), void *args)
+{
+	int hvalue;
+	hashtab_ptr_t cur, last;
+
+	if (!h)
+		return HASHTAB_MISSING;
+
+	hvalue = h->hash_value(h, key);
+	last = NULL;
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+		last = cur;
+		cur = cur->next;
+	}
+
+	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+		return HASHTAB_MISSING;
+
+	if (last == NULL)
+		h->htable[hvalue] = cur->next;
+	else
+		last->next = cur->next;
+
+	if (destroy)
+		destroy(cur->key, cur->datum, args);
+	free(cur);
+	h->nel--;
+	return HASHTAB_SUCCESS;
+}
+
+int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum,
+		    void (*destroy) (hashtab_key_t k,
+				     hashtab_datum_t d, void *args), void *args)
+{
+	int hvalue;
+	hashtab_ptr_t prev, cur, newnode;
+
+	if (!h)
+		return HASHTAB_OVERFLOW;
+
+	hvalue = h->hash_value(h, key);
+	prev = NULL;
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
+		prev = cur;
+		cur = cur->next;
+	}
+
+	if (cur && (h->keycmp(h, key, cur->key) == 0)) {
+		if (destroy)
+			destroy(cur->key, cur->datum, args);
+		cur->key = key;
+		cur->datum = datum;
+	} else {
+		newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
+		if (newnode == NULL)
+			return HASHTAB_OVERFLOW;
+		memset(newnode, 0, sizeof(struct hashtab_node));
+		newnode->key = key;
+		newnode->datum = datum;
+		if (prev) {
+			newnode->next = prev->next;
+			prev->next = newnode;
+		} else {
+			newnode->next = h->htable[hvalue];
+			h->htable[hvalue] = newnode;
+		}
+	}
+
+	return HASHTAB_SUCCESS;
+}
+
+hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key)
+{
+
+	int hvalue;
+	hashtab_ptr_t cur;
+
+	if (!h)
+		return NULL;
+
+	hvalue = h->hash_value(h, key);
+	cur = h->htable[hvalue];
+	while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
+		cur = cur->next;
+
+	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
+		return NULL;
+
+	return cur->datum;
+}
+
+void hashtab_destroy(hashtab_t h)
+{
+	unsigned int i;
+	hashtab_ptr_t cur, temp;
+
+	if (!h)
+		return;
+
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		while (cur != NULL) {
+			temp = cur;
+			cur = cur->next;
+			free(temp);
+		}
+		h->htable[i] = NULL;
+	}
+
+	free(h->htable);
+	h->htable = NULL;
+
+	free(h);
+}
+
+int hashtab_map(hashtab_t h,
+		int (*apply) (hashtab_key_t k,
+			      hashtab_datum_t d, void *args), void *args)
+{
+	unsigned int i, ret;
+	hashtab_ptr_t cur;
+
+	if (!h)
+		return HASHTAB_SUCCESS;
+
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		while (cur != NULL) {
+			ret = apply(cur->key, cur->datum, args);
+			if (ret)
+				return ret;
+			cur = cur->next;
+		}
+	}
+	return HASHTAB_SUCCESS;
+}
+
+void hashtab_map_remove_on_error(hashtab_t h,
+				 int (*apply) (hashtab_key_t k,
+					       hashtab_datum_t d,
+					       void *args),
+				 void (*destroy) (hashtab_key_t k,
+						  hashtab_datum_t d,
+						  void *args), void *args)
+{
+	unsigned int i;
+	int ret;
+	hashtab_ptr_t last, cur, temp;
+
+	if (!h)
+		return;
+
+	for (i = 0; i < h->size; i++) {
+		last = NULL;
+		cur = h->htable[i];
+		while (cur != NULL) {
+			ret = apply(cur->key, cur->datum, args);
+			if (ret) {
+				if (last) {
+					last->next = cur->next;
+				} else {
+					h->htable[i] = cur->next;
+				}
+
+				temp = cur;
+				cur = cur->next;
+				if (destroy)
+					destroy(temp->key, temp->datum, args);
+				free(temp);
+				h->nel--;
+			} else {
+				last = cur;
+				cur = cur->next;
+			}
+		}
+	}
+
+	return;
+}
+
+void hashtab_hash_eval(hashtab_t h, char *tag)
+{
+	unsigned int i;
+	int chain_len, slots_used, max_chain_len;
+	hashtab_ptr_t cur;
+
+	slots_used = 0;
+	max_chain_len = 0;
+	for (i = 0; i < h->size; i++) {
+		cur = h->htable[i];
+		if (cur) {
+			slots_used++;
+			chain_len = 0;
+			while (cur) {
+				chain_len++;
+				cur = cur->next;
+			}
+
+			if (chain_len > max_chain_len)
+				max_chain_len = chain_len;
+		}
+	}
+
+	printf
+	    ("%s:  %d entries and %d/%d buckets used, longest chain length %d\n",
+	     tag, h->nel, slots_used, h->size, max_chain_len);
+}
Index: trunk/policycoreutils/newrole/newrole.c
===================================================================
--- trunk/policycoreutils/newrole/newrole.c	(revision 2422)
+++ trunk/policycoreutils/newrole/newrole.c	(working copy)
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include <stdlib.h>		/* for malloc(), realloc(), free() */
 #include <pwd.h>		/* for getpwuid() */
+#include <ctype.h>
 #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
 #include <sys/wait.h>		/* for wait() */
 #include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -92,6 +93,10 @@
 /* USAGE_STRING describes the command-line args of this program. */
 #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
 
+#ifdef USE_PAM
+#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
+#endif
+
 #define DEFAULT_PATH "/usr/bin:/bin"
 #define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
 
@@ -159,7 +164,7 @@
 #include <security/pam_appl.h>	/* for PAM functions */
 #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
 
-#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
+char *service_name = "newrole";
 
 /* authenticate_via_pam()
  *
@@ -209,6 +214,113 @@
 	return result;
 }				/* authenticate_via_pam() */
 
+#include "hashtab.h"
+
+static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, 
+			      void *args __attribute__ ((unused)) )
+{
+	free(key);
+	free(d);
+	return 0;
+}
+
+static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
+{
+	char *p, *keyp;
+	size_t size;
+	unsigned int val;
+
+	val = 0;
+	keyp = (char *)key;
+	size = strlen(keyp);
+	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
+		val =
+		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
+	return val & (h->size - 1);
+}
+
+static int reqsymcmp(hashtab_t h
+		     __attribute__ ((unused)), hashtab_key_t key1,
+		     hashtab_key_t key2)
+{
+	char *keyp1, *keyp2;
+
+	keyp1 = (char *)key1;
+	keyp2 = (char *)key2;
+	return strcmp(keyp1, keyp2);
+}
+
+static hashtab_t app_service_names = NULL;
+#define PAM_SERVICE_SLOTS 64
+
+static int process_pam_config(FILE * cfg)
+{
+	const char *config_file_path = PAM_SERVICE_CONFIG;
+	char *line_buf = NULL;
+	unsigned long lineno = 0;
+	size_t len = 0;
+	char *app = NULL;
+	char *service = NULL;
+	int ret;
+
+	while (getline(&line_buf, &len, cfg) > 0) {
+		char *buffer = line_buf;
+		lineno++;
+		while (isspace(*buffer))
+			buffer++;
+		if (buffer[0] == '#')
+			continue;
+		if (buffer[0] == '\n' || buffer[0] == '\0')
+			continue;
+
+		app = service = NULL;
+		ret = sscanf(buffer, "%as %as\n", &app, &service);
+		if (ret < 2 || !app || !service)
+			goto err;
+
+		ret = hashtab_insert(app_service_names, app, service);
+		if (ret == HASHTAB_OVERFLOW) {
+			fprintf(stderr,
+				_("newrole: service name configuration hashtable overflow\n"));
+			goto err;
+		}
+	}
+
+	free(line_buf);
+	return 0;
+      err:
+	free(app);
+	free(service);
+	fprintf(stderr,	_("newrole:  %s:  error on line %lu.\n"), config_file_path, lineno);
+	free(line_buf);
+	return -1;
+}
+
+/* 
+ *  Read config file ignoring comment lines.
+ *  Files specified one per line executable with a corresponding
+ *  pam service name.
+ */
+static int read_pam_config()
+{
+	const char *config_file_path = PAM_SERVICE_CONFIG;
+	FILE *cfg = NULL;
+	cfg = fopen(config_file_path, "r");
+	if (!cfg)
+		return 0;	/* This configuration is optional. */
+	app_service_names =
+	    hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS);
+	if (!app_service_names)
+		goto err;
+	if (process_pam_config(cfg))
+		goto err;
+	fclose(cfg);
+	return 0;
+      err:
+	fclose(cfg);
+	return -1;
+}
+
 #else				/* else !USE_PAM */
 
 /************************************************************************
@@ -1027,9 +1139,32 @@
 	if (extract_pw_data(&pw))
 		goto err_free;
 
-	printf(_("Authenticating %s.\n"), pw.pw_name);
 #ifdef USE_PAM
-	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
+	if (read_pam_config()) {
+		fprintf(stderr, _("error on reading PAM service configuration.\n"));
+		goto err_free;
+	}
+
+	if (app_service_names != NULL && optind < argc) {
+		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
+			/*
+			 * Check for a separate pam service name for the 
+			 * command when invoked by newrole.
+			 */
+			char *cmd = NULL;
+			rc = sscanf(argv[optind + 1], "%as", &cmd);
+			if (rc != EOF && cmd) {
+				char *app_service_name =
+				    (char *)hashtab_search(app_service_names,
+							   cmd);
+				free(cmd);
+				if (app_service_name != NULL)
+					service_name = app_service_name;
+			}
+		}
+	}
+
+	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
 			       &pam_handle);
 	if (pam_status != PAM_SUCCESS) {
 		fprintf(stderr, _("failed to initialize PAM\n"));
@@ -1118,6 +1253,8 @@
 				pam_strerror(pam_handle, rc));
 			exit_code = -1;
 		}
+		hashtab_map(app_service_names, free_hashtab_entry, NULL);
+		hashtab_destroy(app_service_names);
 #endif
 		free(pw.pw_name);
 		free(pw.pw_dir);
@@ -1223,5 +1360,11 @@
 	free(pw.pw_dir);
 	free(pw.pw_shell);
 	free(shell_argv0);
+#ifdef USE_PAM
+	if (app_service_names) {
+		hashtab_map(app_service_names, free_hashtab_entry, NULL);
+		hashtab_destroy(app_service_names);
+	}
+#endif
 	return -1;
 }				/* main() */
Index: trunk/policycoreutils/newrole/Makefile
===================================================================
--- trunk/policycoreutils/newrole/Makefile	(revision 2422)
+++ trunk/policycoreutils/newrole/Makefile	(working copy)
@@ -21,10 +21,12 @@
 VERSION = $(shell cat ../VERSION)
 
 CFLAGS ?= -Werror -Wall -W
+EXTRA_OBJS =
 override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
 LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
 ifeq (${PAMH}, /usr/include/security/pam_appl.h)
 	override CFLAGS += -DUSE_PAM
+	EXTRA_OBJS += hashtab.o
 	LDLIBS += -lpam -lpam_misc
 else
 	override CFLAGS += -D_XOPEN_SOURCE=500
@@ -53,9 +55,10 @@
 	MODE := 0555
 endif
 
-TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+all: newrole
 
-all: $(TARGETS)
+newrole: newrole.o $(EXTRA_OBJS)
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
 
 install: all
 	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation)

[Karl MacMillan]

On Tue, 2007-05-08 at 15:11 -0400, Stephen Smalley wrote:
> From: 	Ted X Toth <txtoth@gmail.com>
> 
> With some modifications by Stephen Smalley <sds@tycho.nsa.gov>.
> 
> Extend newrole to enable use of alternate pam configurations when
> running an application in a different context.  Introduces
> /etc/selinux/newrole_pam.conf as a config file mapping application
> pathnames to pam service names when the application is invoked via
> newrole.  In the absence of the config file or the absence of a
> matching entry, falls back to the standard newrole pam configuration.
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> 

We should eventually make the hashtabs exportable by libsepol to avoid
this duplication - it's irritating. I've done some work along that path,
but not enough. No reason to hold this up waiting for that though.

Acked-by: Karl MacMillan <kmacmillan@mentalrootkit.com> for trunk and
policyrep.

> ---
> 
>  policycoreutils/newrole/Makefile  |    7 
>  policycoreutils/newrole/hashtab.c |  292 ++++++++++++++++++++++++++++++++++++++
>  policycoreutils/newrole/hashtab.h |  142 ++++++++++++++++++
>  policycoreutils/newrole/newrole.1 |   14 +
>  policycoreutils/newrole/newrole.c |  149 +++++++++++++++++++
>  5 files changed, 599 insertions(+), 5 deletions(-)
> 
> Index: trunk/policycoreutils/newrole/hashtab.h
> ===================================================================
> --- trunk/policycoreutils/newrole/hashtab.h	(revision 0)
> +++ trunk/policycoreutils/newrole/hashtab.h	(revision 0)
> @@ -0,0 +1,142 @@
> +
> +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
> +
> +/* FLASK */
> +
> +/*
> + * A hash table (hashtab) maintains associations between
> + * key values and datum values.  The type of the key values 
> + * and the type of the datum values is arbitrary.  The
> + * functions for hash computation and key comparison are
> + * provided by the creator of the table.
> + */
> +
> +#ifndef _NEWROLE_HASHTAB_H_
> +#define _NEWROLE_HASHTAB_H_
> +
> +#include <stdint.h>
> +#include <errno.h>
> +#include <stdio.h>
> +
> +typedef char *hashtab_key_t;	/* generic key type */
> +typedef void *hashtab_datum_t;	/* generic datum type */
> +
> +typedef struct hashtab_node *hashtab_ptr_t;
> +
> +typedef struct hashtab_node {
> +	hashtab_key_t key;
> +	hashtab_datum_t datum;
> +	hashtab_ptr_t next;
> +} hashtab_node_t;
> +
> +typedef struct hashtab_val {
> +	hashtab_ptr_t *htable;	/* hash table */
> +	unsigned int size;	/* number of slots in hash table */
> +	uint32_t nel;		/* number of elements in hash table */
> +	unsigned int (*hash_value) (struct hashtab_val * h, hashtab_key_t key);	/* hash function */
> +	int (*keycmp) (struct hashtab_val * h, hashtab_key_t key1, hashtab_key_t key2);	/* key comparison function */
> +} hashtab_val_t;
> +
> +typedef hashtab_val_t *hashtab_t;
> +
> +/* Define status codes for hash table functions */
> +#define HASHTAB_SUCCESS     0
> +#define HASHTAB_OVERFLOW    -ENOMEM
> +#define HASHTAB_PRESENT     -EEXIST
> +#define HASHTAB_MISSING     -ENOENT
> +
> +/*
> +   Creates a new hash table with the specified characteristics.
> +
> +   Returns NULL if insufficent space is available or
> +   the new hash table otherwise.
> + */
> +extern hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
> +							    const hashtab_key_t
> +							    key),
> +				int (*keycmp) (hashtab_t h,
> +					       const hashtab_key_t key1,
> +					       const hashtab_key_t key2),
> +				unsigned int size);
> +/*
> +   Inserts the specified (key, datum) pair into the specified hash table.
> +
> +   Returns HASHTAB_OVERFLOW if insufficient space is available or
> +   HASHTAB_PRESENT  if there is already an entry with the same key or
> +   HASHTAB_SUCCESS otherwise.
> + */
> +extern int hashtab_insert(hashtab_t h, hashtab_key_t k, hashtab_datum_t d);
> +
> +/*
> +   Removes the entry with the specified key from the hash table.
> +   Applies the specified destroy function to (key,datum,args) for
> +   the entry.
> +
> +   Returns HASHTAB_MISSING if no entry has the specified key or
> +   HASHTAB_SUCCESS otherwise.
> + */
> +extern int hashtab_remove(hashtab_t h, hashtab_key_t k,
> +			  void (*destroy) (hashtab_key_t k,
> +					   hashtab_datum_t d,
> +					   void *args), void *args);
> +
> +/*
> +   Insert or replace the specified (key, datum) pair in the specified
> +   hash table.  If an entry for the specified key already exists,
> +   then the specified destroy function is applied to (key,datum,args)
> +   for the entry prior to replacing the entry's contents.
> +
> +   Returns HASHTAB_OVERFLOW if insufficient space is available or
> +   HASHTAB_SUCCESS otherwise.
> + */
> +extern int hashtab_replace(hashtab_t h, hashtab_key_t k, hashtab_datum_t d,
> +			   void (*destroy) (hashtab_key_t k,
> +					    hashtab_datum_t d,
> +					    void *args), void *args);
> +
> +/*
> +   Searches for the entry with the specified key in the hash table.
> +
> +   Returns NULL if no entry has the specified key or
> +   the datum of the entry otherwise.
> + */
> +extern hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t k);
> +
> +/*
> +   Destroys the specified hash table.
> + */
> +extern void hashtab_destroy(hashtab_t h);
> +
> +/*
> +   Applies the specified apply function to (key,datum,args)
> +   for each entry in the specified hash table.
> +
> +   The order in which the function is applied to the entries
> +   is dependent upon the internal structure of the hash table.
> +
> +   If apply returns a non-zero status, then hashtab_map will cease
> +   iterating through the hash table and will propagate the error
> +   return to its caller.
> + */
> +extern int hashtab_map(hashtab_t h,
> +		       int (*apply) (hashtab_key_t k,
> +				     hashtab_datum_t d,
> +				     void *args), void *args);
> +
> +/*
> +   Same as hashtab_map, except that if apply returns a non-zero status,
> +   then the (key,datum) pair will be removed from the hashtab and the
> +   destroy function will be applied to (key,datum,args).
> + */
> +extern void hashtab_map_remove_on_error(hashtab_t h,
> +					int (*apply) (hashtab_key_t k,
> +						      hashtab_datum_t d,
> +						      void *args),
> +					void (*destroy) (hashtab_key_t k,
> +							 hashtab_datum_t d,
> +							 void *args),
> +					void *args);
> +
> +extern void hashtab_hash_eval(hashtab_t h, char *tag);
> +
> +#endif
> Index: trunk/policycoreutils/newrole/newrole.1
> ===================================================================
> --- trunk/policycoreutils/newrole/newrole.1	(revision 2422)
> +++ trunk/policycoreutils/newrole/newrole.1	(working copy)
> @@ -47,6 +47,12 @@
>  In particular, an argument of -- -c will cause the next argument to be
>  treated as a command by most command interpreters.
>  .PP
> +If a command argument is specified to newrole and the command name is found
> +in /etc/selinux/newrole_pam.conf, then the pam service name listed in that
> +file for the command will be used rather than the normal newrole pam
> +configuration.  This allows for per-command pam configuration when
> +invoked via newrole, e.g. to skip the interactive re-authentication phase.
> +.PP
>  The new shell will be the shell specified in the user's entry in the 
>  .I /etc/passwd
>  file.
> @@ -81,14 +87,22 @@
>     # id -Z
>     staff_u:sysadm_r:sysadm_t:Secret
>  
> +.PP
> +Running a program in a given role or level:
> +   # newrole -r sysadm_r -- -c "/path/to/app arg1 arg2..."
> +   # newrole -l Secret -- -c "/path/to/app arg1 arg2..."
> +
>  .SH FILES
>  /etc/passwd - user account information
>  .br
>  /etc/shadow - encrypted passwords and age information
>  .br
>  /etc/selinux/<policy>/contexts/default_type - default types for roles
> +.br
>  /etc/selinux/<policy>/contexts/securetty_types - securetty types for level changes
>  .br
> +/etc/selinux/newrole_pam.conf - optional mapping of commands to separate pam service names
> +.br
>  .SH SEE ALSO
>  .B runcon
>  (1)
> Index: trunk/policycoreutils/newrole/hashtab.c
> ===================================================================
> --- trunk/policycoreutils/newrole/hashtab.c	(revision 0)
> +++ trunk/policycoreutils/newrole/hashtab.c	(revision 0)
> @@ -0,0 +1,292 @@
> +
> +/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
> +
> +/* FLASK */
> +
> +/*
> + * Implementation of the hash table type.
> + */
> +
> +#include <stdlib.h>
> +#include <string.h>
> +#include "hashtab.h"
> +
> +hashtab_t hashtab_create(unsigned int (*hash_value) (hashtab_t h,
> +						     const hashtab_key_t key),
> +			 int (*keycmp) (hashtab_t h,
> +					const hashtab_key_t key1,
> +					const hashtab_key_t key2),
> +			 unsigned int size)
> +{
> +
> +	hashtab_t p;
> +	unsigned int i;
> +
> +	p = (hashtab_t) malloc(sizeof(hashtab_val_t));
> +	if (p == NULL)
> +		return p;
> +
> +	memset(p, 0, sizeof(hashtab_val_t));
> +	p->size = size;
> +	p->nel = 0;
> +	p->hash_value = hash_value;
> +	p->keycmp = keycmp;
> +	p->htable = (hashtab_ptr_t *) malloc(sizeof(hashtab_ptr_t) * size);
> +	if (p->htable == NULL) {
> +		free(p);
> +		return NULL;
> +	}
> +	for (i = 0; i < size; i++)
> +		p->htable[i] = (hashtab_ptr_t) NULL;
> +
> +	return p;
> +}
> +
> +int hashtab_insert(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum)
> +{
> +	int hvalue;
> +	hashtab_ptr_t prev, cur, newnode;
> +
> +	if (!h)
> +		return HASHTAB_OVERFLOW;
> +
> +	hvalue = h->hash_value(h, key);
> +	prev = NULL;
> +	cur = h->htable[hvalue];
> +	while (cur && h->keycmp(h, key, cur->key) > 0) {
> +		prev = cur;
> +		cur = cur->next;
> +	}
> +
> +	if (cur && (h->keycmp(h, key, cur->key) == 0))
> +		return HASHTAB_PRESENT;
> +
> +	newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
> +	if (newnode == NULL)
> +		return HASHTAB_OVERFLOW;
> +	memset(newnode, 0, sizeof(struct hashtab_node));
> +	newnode->key = key;
> +	newnode->datum = datum;
> +	if (prev) {
> +		newnode->next = prev->next;
> +		prev->next = newnode;
> +	} else {
> +		newnode->next = h->htable[hvalue];
> +		h->htable[hvalue] = newnode;
> +	}
> +
> +	h->nel++;
> +	return HASHTAB_SUCCESS;
> +}
> +
> +int hashtab_remove(hashtab_t h, hashtab_key_t key,
> +		   void (*destroy) (hashtab_key_t k,
> +				    hashtab_datum_t d, void *args), void *args)
> +{
> +	int hvalue;
> +	hashtab_ptr_t cur, last;
> +
> +	if (!h)
> +		return HASHTAB_MISSING;
> +
> +	hvalue = h->hash_value(h, key);
> +	last = NULL;
> +	cur = h->htable[hvalue];
> +	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
> +		last = cur;
> +		cur = cur->next;
> +	}
> +
> +	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
> +		return HASHTAB_MISSING;
> +
> +	if (last == NULL)
> +		h->htable[hvalue] = cur->next;
> +	else
> +		last->next = cur->next;
> +
> +	if (destroy)
> +		destroy(cur->key, cur->datum, args);
> +	free(cur);
> +	h->nel--;
> +	return HASHTAB_SUCCESS;
> +}
> +
> +int hashtab_replace(hashtab_t h, hashtab_key_t key, hashtab_datum_t datum,
> +		    void (*destroy) (hashtab_key_t k,
> +				     hashtab_datum_t d, void *args), void *args)
> +{
> +	int hvalue;
> +	hashtab_ptr_t prev, cur, newnode;
> +
> +	if (!h)
> +		return HASHTAB_OVERFLOW;
> +
> +	hvalue = h->hash_value(h, key);
> +	prev = NULL;
> +	cur = h->htable[hvalue];
> +	while (cur != NULL && h->keycmp(h, key, cur->key) > 0) {
> +		prev = cur;
> +		cur = cur->next;
> +	}
> +
> +	if (cur && (h->keycmp(h, key, cur->key) == 0)) {
> +		if (destroy)
> +			destroy(cur->key, cur->datum, args);
> +		cur->key = key;
> +		cur->datum = datum;
> +	} else {
> +		newnode = (hashtab_ptr_t) malloc(sizeof(hashtab_node_t));
> +		if (newnode == NULL)
> +			return HASHTAB_OVERFLOW;
> +		memset(newnode, 0, sizeof(struct hashtab_node));
> +		newnode->key = key;
> +		newnode->datum = datum;
> +		if (prev) {
> +			newnode->next = prev->next;
> +			prev->next = newnode;
> +		} else {
> +			newnode->next = h->htable[hvalue];
> +			h->htable[hvalue] = newnode;
> +		}
> +	}
> +
> +	return HASHTAB_SUCCESS;
> +}
> +
> +hashtab_datum_t hashtab_search(hashtab_t h, const hashtab_key_t key)
> +{
> +
> +	int hvalue;
> +	hashtab_ptr_t cur;
> +
> +	if (!h)
> +		return NULL;
> +
> +	hvalue = h->hash_value(h, key);
> +	cur = h->htable[hvalue];
> +	while (cur != NULL && h->keycmp(h, key, cur->key) > 0)
> +		cur = cur->next;
> +
> +	if (cur == NULL || (h->keycmp(h, key, cur->key) != 0))
> +		return NULL;
> +
> +	return cur->datum;
> +}
> +
> +void hashtab_destroy(hashtab_t h)
> +{
> +	unsigned int i;
> +	hashtab_ptr_t cur, temp;
> +
> +	if (!h)
> +		return;
> +
> +	for (i = 0; i < h->size; i++) {
> +		cur = h->htable[i];
> +		while (cur != NULL) {
> +			temp = cur;
> +			cur = cur->next;
> +			free(temp);
> +		}
> +		h->htable[i] = NULL;
> +	}
> +
> +	free(h->htable);
> +	h->htable = NULL;
> +
> +	free(h);
> +}
> +
> +int hashtab_map(hashtab_t h,
> +		int (*apply) (hashtab_key_t k,
> +			      hashtab_datum_t d, void *args), void *args)
> +{
> +	unsigned int i, ret;
> +	hashtab_ptr_t cur;
> +
> +	if (!h)
> +		return HASHTAB_SUCCESS;
> +
> +	for (i = 0; i < h->size; i++) {
> +		cur = h->htable[i];
> +		while (cur != NULL) {
> +			ret = apply(cur->key, cur->datum, args);
> +			if (ret)
> +				return ret;
> +			cur = cur->next;
> +		}
> +	}
> +	return HASHTAB_SUCCESS;
> +}
> +
> +void hashtab_map_remove_on_error(hashtab_t h,
> +				 int (*apply) (hashtab_key_t k,
> +					       hashtab_datum_t d,
> +					       void *args),
> +				 void (*destroy) (hashtab_key_t k,
> +						  hashtab_datum_t d,
> +						  void *args), void *args)
> +{
> +	unsigned int i;
> +	int ret;
> +	hashtab_ptr_t last, cur, temp;
> +
> +	if (!h)
> +		return;
> +
> +	for (i = 0; i < h->size; i++) {
> +		last = NULL;
> +		cur = h->htable[i];
> +		while (cur != NULL) {
> +			ret = apply(cur->key, cur->datum, args);
> +			if (ret) {
> +				if (last) {
> +					last->next = cur->next;
> +				} else {
> +					h->htable[i] = cur->next;
> +				}
> +
> +				temp = cur;
> +				cur = cur->next;
> +				if (destroy)
> +					destroy(temp->key, temp->datum, args);
> +				free(temp);
> +				h->nel--;
> +			} else {
> +				last = cur;
> +				cur = cur->next;
> +			}
> +		}
> +	}
> +
> +	return;
> +}
> +
> +void hashtab_hash_eval(hashtab_t h, char *tag)
> +{
> +	unsigned int i;
> +	int chain_len, slots_used, max_chain_len;
> +	hashtab_ptr_t cur;
> +
> +	slots_used = 0;
> +	max_chain_len = 0;
> +	for (i = 0; i < h->size; i++) {
> +		cur = h->htable[i];
> +		if (cur) {
> +			slots_used++;
> +			chain_len = 0;
> +			while (cur) {
> +				chain_len++;
> +				cur = cur->next;
> +			}
> +
> +			if (chain_len > max_chain_len)
> +				max_chain_len = chain_len;
> +		}
> +	}
> +
> +	printf
> +	    ("%s:  %d entries and %d/%d buckets used, longest chain length %d\n",
> +	     tag, h->nel, slots_used, h->size, max_chain_len);
> +}
> Index: trunk/policycoreutils/newrole/newrole.c
> ===================================================================
> --- trunk/policycoreutils/newrole/newrole.c	(revision 2422)
> +++ trunk/policycoreutils/newrole/newrole.c	(working copy)
> @@ -58,6 +58,7 @@
>  #include <stdio.h>
>  #include <stdlib.h>		/* for malloc(), realloc(), free() */
>  #include <pwd.h>		/* for getpwuid() */
> +#include <ctype.h>
>  #include <sys/types.h>		/* to make getuid() and getpwuid() happy */
>  #include <sys/wait.h>		/* for wait() */
>  #include <getopt.h>		/* for getopt_long() form of getopt() */
> @@ -92,6 +93,10 @@
>  /* USAGE_STRING describes the command-line args of this program. */
>  #define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
>  
> +#ifdef USE_PAM
> +#define PAM_SERVICE_CONFIG "/etc/selinux/newrole_pam.conf";
> +#endif
> +
>  #define DEFAULT_PATH "/usr/bin:/bin"
>  #define DEFAULT_CONTEXT_SIZE 255	/* first guess at context size */
>  
> @@ -159,7 +164,7 @@
>  #include <security/pam_appl.h>	/* for PAM functions */
>  #include <security/pam_misc.h>	/* for misc_conv PAM utility function */
>  
> -#define SERVICE_NAME "newrole"	/* the name of this program for PAM */
> +char *service_name = "newrole";
>  
>  /* authenticate_via_pam()
>   *
> @@ -209,6 +214,113 @@
>  	return result;
>  }				/* authenticate_via_pam() */
>  
> +#include "hashtab.h"
> +
> +static int free_hashtab_entry(hashtab_key_t key, hashtab_datum_t d, 
> +			      void *args __attribute__ ((unused)) )
> +{
> +	free(key);
> +	free(d);
> +	return 0;
> +}
> +
> +static unsigned int reqsymhash(hashtab_t h, hashtab_key_t key)
> +{
> +	char *p, *keyp;
> +	size_t size;
> +	unsigned int val;
> +
> +	val = 0;
> +	keyp = (char *)key;
> +	size = strlen(keyp);
> +	for (p = keyp; ((size_t) (p - keyp)) < size; p++)
> +		val =
> +		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
> +	return val & (h->size - 1);
> +}
> +
> +static int reqsymcmp(hashtab_t h
> +		     __attribute__ ((unused)), hashtab_key_t key1,
> +		     hashtab_key_t key2)
> +{
> +	char *keyp1, *keyp2;
> +
> +	keyp1 = (char *)key1;
> +	keyp2 = (char *)key2;
> +	return strcmp(keyp1, keyp2);
> +}
> +
> +static hashtab_t app_service_names = NULL;
> +#define PAM_SERVICE_SLOTS 64
> +
> +static int process_pam_config(FILE * cfg)
> +{
> +	const char *config_file_path = PAM_SERVICE_CONFIG;
> +	char *line_buf = NULL;
> +	unsigned long lineno = 0;
> +	size_t len = 0;
> +	char *app = NULL;
> +	char *service = NULL;
> +	int ret;
> +
> +	while (getline(&line_buf, &len, cfg) > 0) {
> +		char *buffer = line_buf;
> +		lineno++;
> +		while (isspace(*buffer))
> +			buffer++;
> +		if (buffer[0] == '#')
> +			continue;
> +		if (buffer[0] == '\n' || buffer[0] == '\0')
> +			continue;
> +
> +		app = service = NULL;
> +		ret = sscanf(buffer, "%as %as\n", &app, &service);
> +		if (ret < 2 || !app || !service)
> +			goto err;
> +
> +		ret = hashtab_insert(app_service_names, app, service);
> +		if (ret == HASHTAB_OVERFLOW) {
> +			fprintf(stderr,
> +				_("newrole: service name configuration hashtable overflow\n"));
> +			goto err;
> +		}
> +	}
> +
> +	free(line_buf);
> +	return 0;
> +      err:
> +	free(app);
> +	free(service);
> +	fprintf(stderr,	_("newrole:  %s:  error on line %lu.\n"), config_file_path, lineno);
> +	free(line_buf);
> +	return -1;
> +}
> +
> +/* 
> + *  Read config file ignoring comment lines.
> + *  Files specified one per line executable with a corresponding
> + *  pam service name.
> + */
> +static int read_pam_config()
> +{
> +	const char *config_file_path = PAM_SERVICE_CONFIG;
> +	FILE *cfg = NULL;
> +	cfg = fopen(config_file_path, "r");
> +	if (!cfg)
> +		return 0;	/* This configuration is optional. */
> +	app_service_names =
> +	    hashtab_create(reqsymhash, reqsymcmp, PAM_SERVICE_SLOTS);
> +	if (!app_service_names)
> +		goto err;
> +	if (process_pam_config(cfg))
> +		goto err;
> +	fclose(cfg);
> +	return 0;
> +      err:
> +	fclose(cfg);
> +	return -1;
> +}
> +
>  #else				/* else !USE_PAM */
>  
>  /************************************************************************
> @@ -1027,9 +1139,32 @@
>  	if (extract_pw_data(&pw))
>  		goto err_free;
>  
> -	printf(_("Authenticating %s.\n"), pw.pw_name);
>  #ifdef USE_PAM
> -	pam_status = pam_start(SERVICE_NAME, pw.pw_name, &pam_conversation,
> +	if (read_pam_config()) {
> +		fprintf(stderr, _("error on reading PAM service configuration.\n"));
> +		goto err_free;
> +	}
> +
> +	if (app_service_names != NULL && optind < argc) {
> +		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
> +			/*
> +			 * Check for a separate pam service name for the 
> +			 * command when invoked by newrole.
> +			 */
> +			char *cmd = NULL;
> +			rc = sscanf(argv[optind + 1], "%as", &cmd);
> +			if (rc != EOF && cmd) {
> +				char *app_service_name =
> +				    (char *)hashtab_search(app_service_names,
> +							   cmd);
> +				free(cmd);
> +				if (app_service_name != NULL)
> +					service_name = app_service_name;
> +			}
> +		}
> +	}
> +
> +	pam_status = pam_start(service_name, pw.pw_name, &pam_conversation,
>  			       &pam_handle);
>  	if (pam_status != PAM_SUCCESS) {
>  		fprintf(stderr, _("failed to initialize PAM\n"));
> @@ -1118,6 +1253,8 @@
>  				pam_strerror(pam_handle, rc));
>  			exit_code = -1;
>  		}
> +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
> +		hashtab_destroy(app_service_names);
>  #endif
>  		free(pw.pw_name);
>  		free(pw.pw_dir);
> @@ -1223,5 +1360,11 @@
>  	free(pw.pw_dir);
>  	free(pw.pw_shell);
>  	free(shell_argv0);
> +#ifdef USE_PAM
> +	if (app_service_names) {
> +		hashtab_map(app_service_names, free_hashtab_entry, NULL);
> +		hashtab_destroy(app_service_names);
> +	}
> +#endif
>  	return -1;
>  }				/* main() */
> Index: trunk/policycoreutils/newrole/Makefile
> ===================================================================
> --- trunk/policycoreutils/newrole/Makefile	(revision 2422)
> +++ trunk/policycoreutils/newrole/Makefile	(working copy)
> @@ -21,10 +21,12 @@
>  VERSION = $(shell cat ../VERSION)
>  
>  CFLAGS ?= -Werror -Wall -W
> +EXTRA_OBJS =
>  override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>  LDLIBS += -lselinux -lsepol -L$(PREFIX)/lib
>  ifeq (${PAMH}, /usr/include/security/pam_appl.h)
>  	override CFLAGS += -DUSE_PAM
> +	EXTRA_OBJS += hashtab.o
>  	LDLIBS += -lpam -lpam_misc
>  else
>  	override CFLAGS += -D_XOPEN_SOURCE=500
> @@ -53,9 +55,10 @@
>  	MODE := 0555
>  endif
>  
> -TARGETS=$(patsubst %.c,%,$(wildcard *.c))
> +all: newrole
>  
> -all: $(TARGETS)
> +newrole: newrole.o $(EXTRA_OBJS)
> +	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
>  
>  install: all
>  	test -d $(BINDIR)      || install -m 755 -d $(BINDIR)
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH -trunk] newrole: enable use of alternate pam configurations for running applications in a different context (Was: Re: launching apps at level (MLS) and polyinstantiation)

[Karl MacMillan]

On Tue, 2007-05-08 at 15:11 -0400, Stephen Smalley wrote:
> From: 	Ted X Toth <txtoth@gmail.com>
> 
> With some modifications by Stephen Smalley <sds@tycho.nsa.gov>.
> 
> Extend newrole to enable use of alternate pam configurations when
> running an application in a different context.  Introduces
> /etc/selinux/newrole_pam.conf as a config file mapping application
> pathnames to pam service names when the application is invoked via
> newrole.  In the absence of the config file or the absence of a
> matching entry, falls back to the standard newrole pam configuration.
> 
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> 

Merged into trunk and policyrep.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.