PERFORCE change 70544 for review

Andrew Reisse areisse at FreeBSD.org
Mon Feb 7 20:19:10 GMT 2005


http://perforce.freebsd.org/chv.cgi?CH=70544

Change 70544 by areisse at areisse_tislabs on 2005/02/07 20:18:30

	Change the TE policy to allow the ssh_sysadm_login boolean to work
	if UseLogin is enabled (which it must be on SEBSD).
	
	Provide the boolean interface from selinux in libsebsd.

Affected files ...

.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/booleans.c#2 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#11 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#7 edit
.. //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#2 edit

Differences ...

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/libselinux/src/booleans.c#2 (text+ko) ====

@@ -20,196 +20,108 @@
 #include <errno.h>
 
 #include <selinux/selinux.h>
+#include <security/sebsd/sebsd_syscalls.h>
 #include "policy.h"
 
-#define SELINUX_BOOL_DIR "/booleans/"
+int security_get_boolean_names(char ***names, int *len)
+{
+	struct sebsd_get_bools gb;
+	int i, err, rc = -1;
+	char **n;
+	int num = 0;
+	char *p, *q;
+
+	gb.out = NULL;
+	gb.len = 0;
 
-static int filename_select(const struct dirent *d)
-{
-	int len;
+	err = mac_syscall("sebsd", SEBSDCALL_GET_BOOLS, &gb);
 
-	len = strlen(d->d_name);
-	if (len == 1 && d->d_name[0] == '.')
-		return 0;
-	if (len == 2 && d->d_name[0] == '.' &&
-	    d->d_name[1] == '.')
-		return 0;
-	return 1;
-}
+	if (err && errno != ENOMEM)
+		return (-1);
+	gb.out = malloc (gb.len);
 
-int security_get_boolean_names(char ***names, int *len)
-{
-	char path[PATH_MAX];
-	int i, rc;
-	struct dirent **namelist;
-	char **n;
+	err = mac_syscall("sebsd", SEBSDCALL_GET_BOOLS, &gb);
+	if (err)
+		goto out;
 
-	assert(len);
+	for (p = gb.out; p-gb.out < gb.len; p++)
+		if (*p == ';')
+			num++;
 
-	snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
-	*len = scandir(path, &namelist, &filename_select,
-		       alphasort);
-	if (*len <= 0) {
-		return -1;
-	}
+	n = (char**)malloc(sizeof(char*) * num);
+	if (!n)
+		goto out;
 
-	n = (char**)malloc(sizeof(char*) * *len);
-	if (!n) {
-		rc = -1;
-		goto bad;
-	}
+	p = gb.out;
+	for (i = 0; i < num; i++) {
+		p += 2;
+		for (q = p; *q != ';'; q++);
 
-	memset(n, 0, sizeof(char*) * *len);
-	
-	for (i = 0; i < *len; i++) {
-		n[i] = (char*)malloc(sizeof(char)
-				     * (namelist[i]->d_reclen + 1));
-		if (!n[i]) {
-			rc = -1;
+		n[i] = (char*)malloc(sizeof(char) * (1+q-p));
+		if (!n[i])
 			goto bad;
-		}
-		strncpy(n[i], namelist[i]->d_name, namelist[i]->d_reclen + 1);
+		strncpy(n[i], p, q-p);
+		n[i][q-p] = 0;
+		p = q+1;
 	}
 	rc = 0;
 	*names = n;
-out:
-	for (i = 0; i < *len; i++) {
-		free(namelist[i]);
-	}
-	free(namelist);
-	return rc;
+	*len = num;
+	goto out;
+
 bad:
 	for (i = 0; i < *len; i++) {
 		if (n[i])
 			free(n[i]);
 	}
 	free(n);
-	goto out;
-}
+out:
+	if (gb.out)
+		free(gb.out);
 
-#define STRBUF_SIZE 3 
-static int get_bool_value(const char *name, char **buf)
-{
-	int fd, len;
-	char *fname = NULL;
-
-	*buf = (char*)malloc(sizeof(char) * (STRBUF_SIZE + 1));
-	if (!*buf)
-		goto out;
-	(*buf)[STRBUF_SIZE] = 0;
-
-	len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR);
-	fname = (char*)malloc(sizeof(char) * len);
-	if (!fname)
-		goto out;
-	snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name);
-
-	fd = open(fname, O_RDONLY);
-	if (fd < 0)
-		goto out;
-
-	len = read(fd, *buf, STRBUF_SIZE);
-	close(fd);
-	if (len != STRBUF_SIZE)
-		goto out;
-
-	free(fname);
-	return 0;
-out:
-	if (*buf)
-		free(*buf);
-	if (fname)
-		free(fname);
-	return -1;
+	return rc;
 }
 
 int security_get_boolean_pending(const char *name)
 {
-	char *buf;
-	int val;
-
-	if (get_bool_value(name, &buf))
+	int r = mac_syscall("sebsd", SEBSDCALL_GET_BOOL, name);
+	if (r < 0)
 		return -1;
-
-	if (atoi(&buf[1]))
-		val = 1;
-	else
-		val = 0;
-	free(buf);
-	return val;
+	return (r & 2) >> 1;
 }
 
 int security_get_boolean_active(const char *name)
 {
-	char *buf;
-	int val;
-
-	if (get_bool_value(name, &buf))
+	int r = mac_syscall("sebsd", SEBSDCALL_GET_BOOL, name);
+	if (r < 0)
 		return -1;
+	return (r & 1);
+}
 
-	buf[1] = '\0';
-	if (atoi(buf))
-		val = 1;
-	else
-		val = 0;
-	free(buf);
-	return val;
-}
+struct lp_args
+{
+	void  *data;
+	size_t len;
+};
 
 int security_set_boolean(const char *name, int value)
 {
-	int fd, ret, len;
-	char buf[2], *fname;
+	struct lp_args args;
+	char str[strlen(name) + 2];
 
-	len = strlen(name) + strlen(selinux_mnt) + sizeof(SELINUX_BOOL_DIR);
-	fname = (char*)malloc(sizeof(char) * len);
-	if (!fname)
-		return -1;
-	snprintf(fname, len, "%s%s%s", selinux_mnt, SELINUX_BOOL_DIR, name);
-
-	fd = open(fname, O_WRONLY);
-	if (fd < 0) {
-		ret = -1;
-		goto out;
-	}
-
-	if (value)
-		buf[0] = '1';
-	else
-		buf[0] = '0';
-	buf[1] = '\0';
-	
-	ret = write(fd, buf, 2);
-	close(fd);
-out:
-	free(fname);
-	if (ret > 0)
-		return 0;
-	else
-		return -1;
+	str[0] = value + '0';
+	strcpy (str+1, name);
+	args.data = str;
+	args.len = 1+strlen(str);
+	int err = mac_syscall("sebsd", SEBSDCALL_SET_BOOL, &args);
+	if (err)
+		perror (name);
+	return err;
 }
 
 int security_commit_booleans(void)
 {
-	int fd, ret;
-	char buf[2];
-	char path[PATH_MAX];
-
-	snprintf(path, sizeof path, "%s/commit_pending_bools", selinux_mnt);
-	fd = open(path, O_WRONLY);
-	if (fd < 0)
-		return -1;
-
-	buf[0] = '1';
-	buf[1] = '\0';
-	
-	ret = write(fd, buf, 2);
-	close(fd);
-
-	if (ret > 0)
-		return 0;
-	else
-		return -1;
+	return mac_syscall ("sebsd", SEBSDCALL_COMMIT_BOOLS, NULL);
 }
 
 static char *strtrim(char *dest, char *source, int size) {
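Review bot: The `bad:` cleanup in security_get_boolean_names frees every non-NULL slot in `n[0..*len)`, but on the new side `*len` is only assigned on success and the `memset` that zeroed `n` was dropped, so a failed `n[i]` allocation ends in free() on uninitialized pointers with a bound taken from the caller's uninitialized `*len`. Allocating with `n = calloc(num, sizeof(*n));` and bounding the cleanup with `for (i = 0; i < num; i++) free(n[i]);` keeps the error path inside the array. The result of `gb.out = malloc (gb.len)` is also unchecked, and the `for (q = p; *q != ';'; q++);` scan has no `gb.len` bound, so it relies on the kernel always terminating each entry with `;`. In security_set_boolean, `str[0] = value + '0'` no longer normalises `value` the way the removed code did; `str[0] = value ? '1' : '0';` would keep the earlier behaviour.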

==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/ssh.te#11 (text+ko) ====

@@ -302,5 +302,9 @@
 
 # run user shells
 domain_auto_trans(sshd_login_t, shell_exec_t, user_t)
+
+if (ssh_sysadm_login) {
+domain_trans(sshd_login_t, shell_exec_t, userdomain)
+} else {
 domain_trans(sshd_login_t, shell_exec_t, unpriv_userdomain)
-
+}
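Review bot: The new `if (ssh_sysadm_login)` branch carries no comment saying what the boolean widens: with it set, `sshd_login_t` may transition through `shell_exec_t` into any type in `userdomain` rather than only `unpriv_userdomain`. A line such as `# ssh_sysadm_login: allow logins via sshd (UseLogin) to enter any userdomain, not only unpriv_userdomain` above the conditional would make that visible to whoever audits the policy. The declaration and default value of the boolean are not part of this hunk, so it is worth confirming that it defaults to off.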

==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/Makefile#7 (text+ko) ====

@@ -16,7 +16,7 @@
 	getseccontext.c query_user_context.c security_change_context.c \
 	string_to_security_class.c security_compute_av.c context.c \
 	get_default_type.c filecon.c sebsd_config.c \
-	freecon.c freeconary.c
+	freecon.c freeconary.c booleans.c
 
 INCSDIR=${INCLUDEDIR}/selinux
 

==== //depot/projects/trustedbsd/sebsd/lib/libsebsd/sebsd_config.c#2 (text+ko) ====

@@ -5,3 +5,8 @@
 {
 	return _DEFTYPE_PATH;
 }
+
+char *selinux_booleans_path()
+{
+	return "/etc/security/sebsd/booleans";
+}
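Review bot: selinux_booleans_path() returns a string literal through a non-const `char *` and is declared with an empty parameter list, so a caller that writes through the result would modify a literal. If the prototype in the selinux header permits it, `const char *selinux_booleans_path(void)` is the safer signature. The function above returns the `_DEFTYPE_PATH` macro (its signature starts outside the hunk), so a matching macro for this path in place of the inline literal would keep the two consistent.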