PERFORCE change 91439 for review
    Rob Deker 
    deker at FreeBSD.org
       
    Thu Feb  9 10:37:40 PST 2006
    
    
  
http://perforce.freebsd.org/chv.cgi?CH=91439
Change 91439 by deker at deker_build1.columbia.sparta.com on 2006/02/09 18:37:17
	per millert:
	
	  "Allow the user to login even if sedarwin module is not loaded.
	   the MAC login plugin bits could be much better but this
	   probably requires changes to the generic MAC login plugin
	   code."
	
	Submitted by: millert
Affected files ...
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/MAC.loginPlugin.xcode/project.pbxproj#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.h#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.m#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/GNUmakefile#2 edit
.. //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/pam_sedarwin.c#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/MAC.loginPlugin.xcode/project.pbxproj#2 (text+ko) ====
@@ -81,7 +81,7 @@
 				GCC_PRECOMPILE_PREFIX_HEADER = YES;
 				GCC_PREFIX_HEADER = "$(SYSTEM_LIBRARY_DIR)/Frameworks/AppKit.framework/Headers/AppKit.h";
 				INFOPLIST_FILE = plugins/SEDarwin/Info.plist;
-				OTHER_CFLAGS = "-I../../xnu/BUILD/obj/EXPORT_HDRS/bsd -idirafter ../../xnu/BUILD/obj/EXPORT_HDRS/osfmk -I../../../sedarwin/libselinux/include";
+				OTHER_CFLAGS = "-I../../xnu/BUILD/obj/EXPORT_HDRS/bsd -idirafter ../../xnu/BUILD/obj/EXPORT_HDRS/osfmk -I../../../sedarwin/libselinux/include  -I../../../sedarwin";
 				OTHER_LDFLAGS = "-framework Foundation -framework AppKit -L../../libmac -lmac -L../../../sedarwin/libselinux/src -lselinux";
 				OTHER_REZFLAGS = "";
 				PRODUCT_NAME = SEDarwin;
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.h#2 (text+ko) ====
@@ -7,6 +7,7 @@
 #include <sys/mac.h> 
 #include <pwd.h> 
 #include <selinux/get_context_list.h>
+#include <sedarwin/sebsd.h>
 
 @interface SEDarwin : NSObject <MACpolicyPlugin>
 {
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/osx_cmds/MAC.loginPlugin/plugins/SEDarwin/SEDarwin.m#2 (text+ko) ====
@@ -41,6 +41,9 @@
 		return;
 	}
 
+	if (!sebsd_enabled())
+		return;
+
 	/*
 	 * Get an ordered list of possible contexts for the user and
 	 * use them to populate the popup button (in the same order).
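Review bot: The added `if (!sebsd_enabled()) return;` skips context population without leaving any trace that the policy module was absent, and the next hunk does the same while returning `MAC_LOGIN_OK`; the companion pam_sedarwin change at least syslogs the condition. An enforcement module that is unexpectedly missing at login time is an event an operator should be able to see, so log once before the return — via `NSLog` or `syslog`, whichever this plugin already uses (its includes are outside the hunk) — along the lines of `NSLog(@"%s: SEDarwin not enabled, skipping context selection", __func__);`. The enclosing method begins and ends outside the hunk.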
@@ -84,6 +87,10 @@
 		return (MAC_LOGIN_FAIL);
 	}
 
+	/* XXX - use SELINUX_DEFAULTUSER and fill in selector if not enabled? */
+	if (!sebsd_enabled())
+		return (MAC_LOGIN_OK);
+
 	/*
 	 * Get the selected context from the popup button and
 	 * convert it to a label.
@@ -119,6 +126,7 @@
 
 - (void) policyWillLogin {
 	free(username);
+	if (label != NULL)	/* XXX */
 	mac_free(label);
 }
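Review bot: `if (label != NULL)	/* XXX */` on one line with `mac_free(label);` at the same indentation on the next reads like an unconditional free; the guard does apply to the call, but the layout invites a later edit to slip a second statement under it. Write them together, `if (label != NULL) mac_free(label);`, or brace the body, and consider clearing the pointers after release (`label = NULL; username = NULL;`) so a repeated policyWillLogin cannot free the same storage twice — whether the host can invoke it twice is not visible here. The case where label is NULL presumably arises from the new early returns earlier in this file; a comment saying so would be more useful than the bare `XXX`.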
 
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/GNUmakefile#2 (text+ko) ====
@@ -7,7 +7,7 @@
 Extra_CC_Flags	=-I../../pam/pam/libpam/include/pam/ \
 		 -I../../xnu/BUILD/obj/EXPORT_HDRS/bsd/ \
 		 -idirafter ../../xnu/BUILD/obj/EXPORT_HDRS/osfmk \
-		 -I../../../sedarwin/libselinux/include/
+		 -I../../../sedarwin -I../../../sedarwin/libselinux/include
 
 Extra_LD_Flags	=-L../../../sedarwin/libselinux/src/ -lselinux \
 		 -L../../libmac/ -lmac
==== //depot/projects/trustedbsd/sedarwin7/src/darwin/pam_modules/pam_sedarwin/pam_sedarwin.c#2 (text+ko) ====
@@ -33,6 +33,7 @@
 #include <sys/types.h>
 #include <sys/mac.h> 
 #include <selinux/get_context_list.h>
+#include <sedarwin/sebsd.h>
 
 #include <ctype.h>
 #include <stdio.h>
@@ -113,6 +114,12 @@
 	const char *user;
 	int ncontexts, retval, which;
 
+	/* XXX - use SELINUX_DEFAULTUSER if not enabled? */
+	if (!sebsd_enabled()) {
+		syslog(LOG_ERR, "%s(): SEDarwin not enabled", __func__);
+		return (PAM_SUCCESS);
+	}
+
 	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
 		syslog(LOG_ERR, "%s(): unable to get user %s",
 		    __func__, user);
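Review bot: `syslog(LOG_ERR, ...)` immediately followed by `return (PAM_SUCCESS);` reports the missing module as an error while granting the step unconditionally; the same pair appears in the next hunk. If the intent is that an absent SEDarwin module should have no say in the outcome, `return (PAM_IGNORE);` expresses that and leaves the decision to the control flag in the PAM configuration, whereas `PAM_SUCCESS` can on its own satisfy a `sufficient` entry — check how this PAM implementation treats PAM_IGNORE before switching. If PAM_SUCCESS is deliberate, match the log level to the outcome (`LOG_WARNING`) and say in the message that the check was skipped rather than that it failed. The enclosing function starts outside the hunk.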
@@ -164,6 +171,11 @@
 	mac_t label;
 	int retval;
 
+	if (!sebsd_enabled()) {
+		syslog(LOG_ERR, "%s(): SEDarwin not enabled", __func__);
+		return (PAM_SUCCESS);
+	}
+
 	/*
 	 * If the user didn't specify a label to use in the authentication
 	 * function get the default label.
@@ -172,8 +184,11 @@
 		security_context_t con;
 		const char *user;
 
-		if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+		if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+			syslog(LOG_ERR, "%s(): unable to get user %s",
+			    __func__, user);
 			return (retval);
+		}
 
 		/*
 		 * Get user's default context.  If we had a way to
    
    