Patch from Russell Coker:

I've attached my latest SE Linux patch for busybox against the latest CVS version of busybox.
author: Eric Andersen <andersen@codepoet.org> 2003-07-03 10:07:04 +0000
committer: Eric Andersen <andersen@codepoet.org> 2003-07-03 10:07:04 +0000
commit: 9e48045e45df7e3e205575a4eb3dc39d634b05aa (patch)
tree: e8f993dffc34380fbcc54cc858c81da594bdb95b /loginutils
parent: c48d49ad988a4163cff7f38ee4bd1f9886d0ed11 (diff)
download: busybox-w32-9e48045e45df7e3e205575a4eb3dc39d634b05aa.tar.gz
busybox-w32-9e48045e45df7e3e205575a4eb3dc39d634b05aa.tar.bz2
busybox-w32-9e48045e45df7e3e205575a4eb3dc39d634b05aa.zip
2 files changed, 50 insertions, 3 deletions
diff --git a/loginutils/login.c b/loginutils/login.c
index e239f421c..741d15c93 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -16,7 +16,12 @@
 #include <time.h>
 #include "busybox.h"
+#ifdef CONFIG_SELINUX
+#include <flask_util.h>
+#include <get_sid_list.h>
+#include <proc_secure.h>
+#include <fs_secure.h>
+#endif
 #ifdef CONFIG_FEATURE_U_W_TMP
 // import from utmp.c
@@ -73,6 +78,10 @@ extern int login_main(int argc, char **argv)
        int opt_fflag = 0;
        char *opt_host = 0;
        int alarmstarted = 0;   
+#ifdef CONFIG_SELINUX
+        int flask_enabled = is_flask_enabled();
+        security_id_t sid = 0, old_tty_sid, new_tty_sid;
+#endif
        username[0]=0;
        amroot = ( getuid ( ) == 0 );
@@ -217,6 +226,36 @@ auth_ok:
 #ifdef CONFIG_FEATURE_U_W_TMP
        setutmp ( username, tty );
 #endif
+#ifdef CONFIG_SELINUX
+        if (flask_enabled)
+        {
+                struct stat st;
+                if (get_default_sid(username, 0, &sid))
+                {
+                        fprintf(stderr, "Unable to get SID for %s\n", username);
+                        exit(1);
+                }
+                if (stat_secure(tty, &st, &old_tty_sid))
+                {
+                        fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", tty, strerror(errno));
+                        return EXIT_FAILURE;
+                }
+                if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0)
+                {
+                        fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", tty, strerror(errno));
+                        return EXIT_FAILURE;
+                }
+                if(chsid(tty, new_tty_sid) != 0)
+                {
+                        fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", tty, new_tty_sid, strerror(errno));
+                        return EXIT_FAILURE;
+                }
+        }
+        else
+                sid = 0;
+#endif
        if ( *tty != '/' ) 
                snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);
        else
@@ -239,7 +278,11 @@ auth_ok:
        if ( pw-> pw_uid == 0 ) 
                syslog ( LOG_INFO, "root login %s\n", fromhost );
        
-        run_shell ( pw-> pw_shell, 1, 0, 0 );   /* exec the shell finally. */
+        run_shell ( pw-> pw_shell, 1, 0, 0
+#ifdef CONFIG_SELINUX
+        , sid
+#endif
+         );     /* exec the shell finally. */
        
        return EXIT_FAILURE;
 }
diff --git a/loginutils/su.c b/loginutils/su.c
index 5e40cf2e4..85f5cbe7b 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -156,7 +156,11 @@ int su_main ( int argc, char **argv )
        change_identity ( pw ); 
        setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw );
-        run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args );
+        run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args
+#ifdef CONFIG_SELINUX
+        , 0
+#endif
+        );
        
        return EXIT_FAILURE;
 }
author	Eric Andersen <andersen@codepoet.org>	2003-07-03 10:07:04 +0000
committer	Eric Andersen <andersen@codepoet.org>	2003-07-03 10:07:04 +0000
commit	9e48045e45df7e3e205575a4eb3dc39d634b05aa (patch)
tree	e8f993dffc34380fbcc54cc858c81da594bdb95b /loginutils
parent	c48d49ad988a4163cff7f38ee4bd1f9886d0ed11 (diff)
download	busybox-w32-9e48045e45df7e3e205575a4eb3dc39d634b05aa.tar.gz busybox-w32-9e48045e45df7e3e205575a4eb3dc39d634b05aa.tar.bz2 busybox-w32-9e48045e45df7e3e205575a4eb3dc39d634b05aa.zip

diff --git a/loginutils/login.c b/loginutils/login.c index e239f421c..741d15c93 100644 --- a/loginutils/login.c +++ b/loginutils/login.c
@@ -16,7 +16,12 @@
16	#include <time.h>	16	#include <time.h>
17		17
18	#include "busybox.h"	18	#include "busybox.h"
19		19	#ifdef CONFIG_SELINUX
		20	#include <flask_util.h>
		21	#include <get_sid_list.h>
		22	#include <proc_secure.h>
		23	#include <fs_secure.h>
		24	#endif
20		25
21	#ifdef CONFIG_FEATURE_U_W_TMP	26	#ifdef CONFIG_FEATURE_U_W_TMP
22	// import from utmp.c	27	// import from utmp.c
@@ -73,6 +78,10 @@ extern int login_main(int argc, char **argv)
73	int opt_fflag = 0;	78	int opt_fflag = 0;
74	char *opt_host = 0;	79	char *opt_host = 0;
75	int alarmstarted = 0;	80	int alarmstarted = 0;
		81	#ifdef CONFIG_SELINUX
		82	int flask_enabled = is_flask_enabled();
		83	security_id_t sid = 0, old_tty_sid, new_tty_sid;
		84	#endif
76		85
77	username[0]=0;	86	username[0]=0;
78	amroot = ( getuid ( ) == 0 );	87	amroot = ( getuid ( ) == 0 );
@@ -217,6 +226,36 @@ auth_ok:
217	#ifdef CONFIG_FEATURE_U_W_TMP	226	#ifdef CONFIG_FEATURE_U_W_TMP
218	setutmp ( username, tty );	227	setutmp ( username, tty );
219	#endif	228	#endif
		229	#ifdef CONFIG_SELINUX
		230	if (flask_enabled)
		231	{
		232	struct stat st;
		233
		234	if (get_default_sid(username, 0, &sid))
		235	{
		236	fprintf(stderr, "Unable to get SID for %s\n", username);
		237	exit(1);
		238	}
		239	if (stat_secure(tty, &st, &old_tty_sid))
		240	{
		241	fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", tty, strerror(errno));
		242	return EXIT_FAILURE;
		243	}
		244	if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0)
		245	{
		246	fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", tty, strerror(errno));
		247	return EXIT_FAILURE;
		248	}
		249	if(chsid(tty, new_tty_sid) != 0)
		250	{
		251	fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", tty, new_tty_sid, strerror(errno));
		252	return EXIT_FAILURE;
		253	}
		254	}
		255	else
		256	sid = 0;
		257	#endif
		258
220	if ( *tty != '/' )	259	if ( *tty != '/' )
221	snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);	260	snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);
222	else	261	else
@@ -239,7 +278,11 @@ auth_ok:
239	if ( pw-> pw_uid == 0 )	278	if ( pw-> pw_uid == 0 )
240	syslog ( LOG_INFO, "root login %s\n", fromhost );	279	syslog ( LOG_INFO, "root login %s\n", fromhost );
241		280
242	run_shell ( pw-> pw_shell, 1, 0, 0 ); /* exec the shell finally. */	281	run_shell ( pw-> pw_shell, 1, 0, 0
		282	#ifdef CONFIG_SELINUX
		283	, sid
		284	#endif
		285	); /* exec the shell finally. */
243		286
244	return EXIT_FAILURE;	287	return EXIT_FAILURE;
245	}	288	}


diff --git a/loginutils/su.c b/loginutils/su.c index 5e40cf2e4..85f5cbe7b 100644 --- a/loginutils/su.c +++ b/loginutils/su.c
@@ -156,7 +156,11 @@ int su_main ( int argc, char **argv )
156		156
157	change_identity ( pw );	157	change_identity ( pw );
158	setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw );	158	setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw );
159	run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args );	159	run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args
		160	#ifdef CONFIG_SELINUX
		161	, 0
		162	#endif
		163	);
160		164
161	return EXIT_FAILURE;	165	return EXIT_FAILURE;
162	}	166	}