| author | Denis Vlasenko <vda.linux@googlemail.com> | 2007-10-20 02:00:49 +0000 |
|---|---|---|
| committer | Denis Vlasenko <vda.linux@googlemail.com> | 2007-10-20 02:00:49 +0000 |
| commit | 2edbc2ab85b96fb01a3862db09df12f40d4382cd (patch) | |
| tree | 0637a680a89fb11a986e59657875adda2546ec18 /libbb | |
| parent | aa7a888e423fc85daa8af0ac3aabe8fc7af86312 (diff) | |
ping: fix breakage from -I fix
passwd: SELinux support by KaiGai Kohei <kaigai@ak.jp.nec.com>
Diffstat (limited to 'libbb')
| -rw-r--r-- | libbb/selinux_common.c | 14 | ||||
| -rw-r--r-- | libbb/update_passwd.c | 29 |
2 files changed, 43 insertions, 0 deletions
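diff --git a/libbb/selinux_common.c b/libbb/selinux_common.c
index ff076f6f0..7478cc7b5 100644
--- a/libbb/selinux_common.c
+++ b/libbb/selinux_common.c
@@ -38,3 +38,17 @@ void setfscreatecon_or_die(security_context_t scontext)
 			"file creation context to %s", scontext);
 	}
 }
+
+void selinux_preserve_fcontext(int fdesc)
+{
+	security_context_t context;
+
+	if (fgetfilecon(fdesc, &context) < 0) {
+		if (errno == ENODATA || errno == ENOTSUP)
+			return;
+		bb_perror_msg_and_die("fgetfilecon failed");
+	}
+	setfscreatecon_or_die(context);
+	freecon(context);
+}
+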
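diff --git a/libbb/update_passwd.c b/libbb/update_passwd.c
index 8914b8b45..388adf81f 100644
--- a/libbb/update_passwd.c
+++ b/libbb/update_passwd.c
@@ -11,6 +11,31 @@
 
 #include "libbb.h"
 
+#if ENABLE_SELINUX
+static void check_selinux_update_passwd(const char *username)
+{
+	security_context_t context;
+	char *seuser;
+
+	if (getuid() != (uid_t)0 || is_selinux_enabled() == 0)
+		return;		/* No need to check */
+
+	if (getprevcon_raw(&context) < 0)
+		bb_perror_msg_and_die("getprevcon failed");
+	seuser = strtok(context, ":");
+	if (!seuser)
+		bb_error_msg_and_die("invalid context '%s'", context);
+	if (strcmp(seuser, username) != 0) {
+		if (checkPasswdAccess(PASSWD__PASSWD) != 0)
+			bb_error_msg_and_die("SELinux: access denied");
+	}
+	if (ENABLE_FEATURE_CLEAN_UP)
+		freecon(context);
+}
+#else
+#define check_selinux_update_passwd(username) ((void)0)
+#endif
+
 int update_passwd(const char *filename, const char *username,
 		const char *new_pw)
 {
@@ -27,6 +52,8 @@ int update_passwd(const char *filename, const char *username,
 	int cnt = 0;
 	int ret = -1; /* failure */
 
+	check_selinux_update_passwd(username);
+
 	/* New passwd file, "/etc/passwd+" for now */
 	fnamesfx = xasprintf("%s+", filename);
 	sfx_char = &fnamesfx[strlen(fnamesfx)-1];
@@ -38,6 +65,8 @@ int update_passwd(const char *filename, const char *username,
 		goto free_mem;
 	old_fd = fileno(old_fp);
 
+	selinux_preserve_fcontext(old_fd);
+
 	/* Try to create "/etc/passwd+". Wait if it exists. */
 	i = 30;
 	do {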
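Review bot: check_selinux_update_passwd in the first hunk extracts the SELinux user with strtok(context, ":"), which writes a NUL into the buffer returned by getprevcon_raw and relies on strtok's static state, when a non-mutating prefix comparison reads the same field: `size_t len = strlen(username);` followed by `if (strncmp(context, username, len) != 0 || context[len] != ':') {` in place of the strtok/strcmp pair (an empty or all-colon context would then fall through to checkPasswdAccess instead of dying, which looks acceptable but is a behaviour change to note). In the third hunk, selinux_preserve_fcontext(old_fd) changes the process file-creation context and nothing in these hunks resets it; the rest of update_passwd is outside the diff, so any file it creates other than the "+" temp file would also get the passwd file's label, and either a `setfscreatecon(NULL)` once the temp file exists or a comment `/* fscreate context stays set until exit */` would make the intent explicit. That call is unconditional while check_selinux_update_passwd is compiled only under ENABLE_SELINUX, so presumably libbb.h, outside this libbb-limited diffstat, provides a no-op stub for the non-SELinux build; worth confirming.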
