diff options
| author | Rob Landley <rob@landley.net> | 2005-05-03 06:25:50 +0000 |
|---|---|---|
| committer | Rob Landley <rob@landley.net> | 2005-05-03 06:25:50 +0000 |
| commit | 60158cb93eb0b3207dd1084cdf5bdd9226bd9e89 (patch) | |
| tree | fe97ec71775deb1f3078c6db0cb8db554bc6b76f /loginutils | |
| parent | 988a78c61cffe91b005d37f0b7d6e2cb2c5ea713 (diff) | |
| download | busybox-w32-60158cb93eb0b3207dd1084cdf5bdd9226bd9e89.tar.gz busybox-w32-60158cb93eb0b3207dd1084cdf5bdd9226bd9e89.tar.bz2 busybox-w32-60158cb93eb0b3207dd1084cdf5bdd9226bd9e89.zip | |
A patch from Takeharu KATO to update/fix SE-Linux support.
Diffstat (limited to 'loginutils')
| -rw-r--r-- | loginutils/login.c | 52 | ||||
| -rw-r--r-- | loginutils/su.c | 5 | ||||
| -rw-r--r-- | loginutils/sulogin.c | 6 |
3 files changed, 35 insertions, 28 deletions
diff --git a/loginutils/login.c b/loginutils/login.c index 34095a6a7..5186e2369 100644 --- a/loginutils/login.c +++ b/loginutils/login.c | |||
| @@ -17,10 +17,10 @@ | |||
| 17 | 17 | ||
| 18 | #include "busybox.h" | 18 | #include "busybox.h" |
| 19 | #ifdef CONFIG_SELINUX | 19 | #ifdef CONFIG_SELINUX |
| 20 | #include <flask_util.h> | 20 | #include <selinux/selinux.h> /* for is_selinux_enabled() */ |
| 21 | #include <get_sid_list.h> | 21 | #include <selinux/get_context_list.h> /* for get_default_context() */ |
| 22 | #include <proc_secure.h> | 22 | #include <selinux/flask.h> /* for security class definitions */ |
| 23 | #include <fs_secure.h> | 23 | #include <errno.h> |
| 24 | #endif | 24 | #endif |
| 25 | 25 | ||
| 26 | #ifdef CONFIG_FEATURE_U_W_TMP | 26 | #ifdef CONFIG_FEATURE_U_W_TMP |
| @@ -79,8 +79,7 @@ extern int login_main(int argc, char **argv) | |||
| 79 | char *opt_host = 0; | 79 | char *opt_host = 0; |
| 80 | int alarmstarted = 0; | 80 | int alarmstarted = 0; |
| 81 | #ifdef CONFIG_SELINUX | 81 | #ifdef CONFIG_SELINUX |
| 82 | int flask_enabled = is_flask_enabled(); | 82 | security_context_t stat_sid = NULL, sid = NULL, old_tty_sid=NULL, new_tty_sid=NULL; |
| 83 | security_id_t sid = 0, old_tty_sid, new_tty_sid; | ||
| 84 | #endif | 83 | #endif |
| 85 | 84 | ||
| 86 | username[0]=0; | 85 | username[0]=0; |
| @@ -225,41 +224,45 @@ auth_ok: | |||
| 225 | #ifdef CONFIG_FEATURE_U_W_TMP | 224 | #ifdef CONFIG_FEATURE_U_W_TMP |
| 226 | setutmp ( username, tty ); | 225 | setutmp ( username, tty ); |
| 227 | #endif | 226 | #endif |
| 227 | |||
| 228 | if ( *tty != '/' ) | ||
| 229 | snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty); | ||
| 230 | else | ||
| 231 | safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 ); | ||
| 232 | |||
| 228 | #ifdef CONFIG_SELINUX | 233 | #ifdef CONFIG_SELINUX |
| 229 | if (flask_enabled) | 234 | if (is_selinux_enabled()) |
| 230 | { | 235 | { |
| 231 | struct stat st; | 236 | struct stat st; |
| 237 | int rc; | ||
| 232 | 238 | ||
| 233 | if (get_default_sid(username, 0, &sid)) | 239 | if (get_default_context(username, NULL, &sid)) |
| 234 | { | 240 | { |
| 235 | fprintf(stderr, "Unable to get SID for %s\n", username); | 241 | fprintf(stderr, "Unable to get SID for %s\n", username); |
| 236 | exit(1); | 242 | exit(1); |
| 237 | } | 243 | } |
| 238 | if (stat_secure(tty, &st, &old_tty_sid)) | 244 | rc = getfilecon(full_tty,&stat_sid); |
| 245 | freecon(stat_sid); | ||
| 246 | if ((rc<0) || (stat(full_tty, &st)<0)) | ||
| 239 | { | 247 | { |
| 240 | fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", tty, strerror(errno)); | 248 | fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", full_tty, strerror(errno)); |
| 241 | return EXIT_FAILURE; | 249 | return EXIT_FAILURE; |
| 242 | } | 250 | } |
| 243 | if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) | 251 | if (security_compute_relabel (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) |
| 244 | { | 252 | { |
| 245 | fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", tty, strerror(errno)); | 253 | fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", full_tty, strerror(errno)); |
| 246 | return EXIT_FAILURE; | 254 | return EXIT_FAILURE; |
| 247 | } | 255 | } |
| 248 | if(chsid(tty, new_tty_sid) != 0) | 256 | if(setfilecon(full_tty, new_tty_sid) != 0) |
| 249 | { | 257 | { |
| 250 | fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", tty, new_tty_sid, strerror(errno)); | 258 | fprintf(stderr, "chsid(%.100s, %s) failed: %.100s\n", full_tty, new_tty_sid, strerror(errno)); |
| 251 | return EXIT_FAILURE; | 259 | return EXIT_FAILURE; |
| 252 | } | 260 | } |
| 261 | freecon(sid); | ||
| 262 | freecon(old_tty_sid); | ||
| 263 | freecon(new_tty_sid); | ||
| 253 | } | 264 | } |
| 254 | else | ||
| 255 | sid = 0; | ||
| 256 | #endif | 265 | #endif |
| 257 | |||
| 258 | if ( *tty != '/' ) | ||
| 259 | snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty); | ||
| 260 | else | ||
| 261 | safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 ); | ||
| 262 | |||
| 263 | if ( !is_my_tty ( full_tty )) | 266 | if ( !is_my_tty ( full_tty )) |
| 264 | syslog ( LOG_ERR, "unable to determine TTY name, got %s\n", full_tty ); | 267 | syslog ( LOG_ERR, "unable to determine TTY name, got %s\n", full_tty ); |
| 265 | 268 | ||
| @@ -279,11 +282,10 @@ auth_ok: | |||
| 279 | 282 | ||
| 280 | if ( pw-> pw_uid == 0 ) | 283 | if ( pw-> pw_uid == 0 ) |
| 281 | syslog ( LOG_INFO, "root login %s\n", fromhost ); | 284 | syslog ( LOG_INFO, "root login %s\n", fromhost ); |
| 282 | run_shell ( tmp, 1, 0, 0 | ||
| 283 | #ifdef CONFIG_SELINUX | 285 | #ifdef CONFIG_SELINUX |
| 284 | , sid | 286 | set_current_security_context(sid); |
| 285 | #endif | 287 | #endif |
| 286 | ); /* exec the shell finally. */ | 288 | run_shell ( tmp, 1, 0, 0); /* exec the shell finally. */ |
| 287 | 289 | ||
| 288 | return EXIT_FAILURE; | 290 | return EXIT_FAILURE; |
| 289 | } | 291 | } |
diff --git a/loginutils/su.c b/loginutils/su.c index ec0c16c7d..5f6140917 100644 --- a/loginutils/su.c +++ b/loginutils/su.c | |||
| @@ -147,11 +147,10 @@ int su_main ( int argc, char **argv ) | |||
| 147 | 147 | ||
| 148 | change_identity ( pw ); | 148 | change_identity ( pw ); |
| 149 | setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw ); | 149 | setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw ); |
| 150 | run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args | ||
| 151 | #ifdef CONFIG_SELINUX | 150 | #ifdef CONFIG_SELINUX |
| 152 | , 0 | 151 | set_current_security_context(NULL); |
| 153 | #endif | 152 | #endif |
| 154 | ); | 153 | run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args); |
| 155 | 154 | ||
| 156 | return EXIT_FAILURE; | 155 | return EXIT_FAILURE; |
| 157 | } | 156 | } |
diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c index f21b09571..a458b6ed7 100644 --- a/loginutils/sulogin.c +++ b/loginutils/sulogin.c | |||
| @@ -153,6 +153,12 @@ extern int sulogin_main(int argc, char **argv) | |||
| 153 | puts("Entering System Maintenance Mode\n"); | 153 | puts("Entering System Maintenance Mode\n"); |
| 154 | fflush(stdout); | 154 | fflush(stdout); |
| 155 | syslog(LOG_INFO, "System Maintenance Mode\n"); | 155 | syslog(LOG_INFO, "System Maintenance Mode\n"); |
| 156 | |||
| 157 | #ifdef CONFIG_SELINUX | ||
| 158 | renew_current_security_context(); | ||
| 159 | #endif | ||
| 160 | |||
| 156 | run_shell(pwent.pw_shell, 1, 0, 0); | 161 | run_shell(pwent.pw_shell, 1, 0, 0); |
| 162 | |||
| 157 | return (0); | 163 | return (0); |
| 158 | } | 164 | } |