From 2f49047debc1c45f913d2b0eb91f45b4de4889e0 Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Sun, 9 Oct 2005 17:03:26 +0000 Subject: [PATCH] Jan-Simon Moller adapted SVN 10238 (the selinux update) to the 1.0 line. --- busybox/Makefile | 3 +- busybox/coreutils/id.c | 28 ++++++++------- busybox/coreutils/ls.c | 47 +++++++++++++------------ busybox/include/libbb.h | 15 ++++---- busybox/libbb/find_pid_by_name.c | 7 ++-- busybox/libbb/procps.c | 15 ++------ busybox/libbb/run_shell.c | 42 +++++++++++++++++----- busybox/loginutils/login.c | 60 +++++++++++++++++--------------- busybox/loginutils/su.c | 6 ++-- busybox/loginutils/sulogin.c | 6 ++++ busybox/procps/ps.c | 44 +++++++++++++---------- busybox/procps/top.c | 4 --- 12 files changed, 151 insertions(+), 126 deletions(-) diff --git a/busybox/Makefile b/busybox/Makefile index 0f91679c7..f33437823 100644 --- a/busybox/Makefile +++ b/busybox/Makefile @@ -47,8 +47,7 @@ DIRS:=applets archival archival/libunarchive coreutils console-tools \ SRC_DIRS:=$(patsubst %,$(top_srcdir)/%,$(DIRS)) ifeq ($(strip $(CONFIG_SELINUX)),y) -CFLAGS += -I/usr/include/selinux -LIBRARIES += -lsecure +LIBRARIES += -lselinux endif CONFIG_CONFIG_IN = $(top_srcdir)/sysdeps/$(TARGET_OS)/Config.in diff --git a/busybox/coreutils/id.c b/busybox/coreutils/id.c index b10a7c1bf..d4d23525d 100644 --- a/busybox/coreutils/id.c +++ b/busybox/coreutils/id.c @@ -32,8 +32,7 @@ #include #ifdef CONFIG_SELINUX -#include -#include +#include #endif #define PRINT_REAL 1 @@ -61,9 +60,7 @@ extern int id_main(int argc, char **argv) gid_t gid; unsigned long flags; short status; -#ifdef CONFIG_SELINUX - int is_flask_enabled_flag = is_flask_enabled(); -#endif + bb_opt_complementaly = "u~g:g~u"; flags = bb_getopt_ulflags(argc, argv, "rnug"); 
@@ -110,13 +107,20 @@ extern int id_main(int argc, char **argv) /* my_getgrgid doesn't exit on failure here */ status|=printf_full(gid, my_getgrgid(NULL, gid, 0), 'g'); #ifdef CONFIG_SELINUX - if(is_flask_enabled_flag) { - security_id_t mysid = getsecsid(); - char context[80]; - int len = sizeof(context); - context[0] = '\0'; - if(security_sid_to_context(mysid, context, &len)) - strcpy(context, "unknown"); + if ( is_selinux_enabled() ) { + security_context_t mysid; + char context[80]; + int len = sizeof(context); + + getcon(&mysid); + context[0] = '\0'; + if (mysid) { + len = strlen(mysid)+1; + safe_strncpy(context, mysid, len); + freecon(mysid); + }else{ + safe_strncpy(context, "unknown",8); + } bb_printf(" context=%s", context); } #endif diff --git a/busybox/coreutils/ls.c b/busybox/coreutils/ls.c index 4e21454ce..84c5c0218 100644 --- a/busybox/coreutils/ls.c +++ b/busybox/coreutils/ls.c @@ -64,9 +64,7 @@ enum { #include /* major() and minor() */ #include "busybox.h" #ifdef CONFIG_SELINUX -#include -#include -#include +#include #endif #ifdef CONFIG_FEATURE_LS_TIMESTAMPS @@ -182,7 +180,7 @@ struct dnode { /* the basic node */ char *fullname; /* the dir entry name */ struct stat dstat; /* the file stat info */ #ifdef CONFIG_SELINUX - security_id_t sid; + security_context_t sid; #endif struct dnode *next; /* point at the next node */ }; @@ -195,7 +193,7 @@ static int list_single(struct dnode *); static unsigned int all_fmt; #ifdef CONFIG_SELINUX -static int is_flask_enabled_flag; +static int selinux_enabled= 0; #endif #ifdef CONFIG_FEATURE_AUTOWIDTH 
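Review bot: The copy into `context[80]` is bounded by the source length rather than by the buffer, because `len = strlen(mysid)+1` is what gets passed to `safe_strncpy`, so a context string of 80 bytes or more writes past the stack array. Bound it by the destination instead: `safe_strncpy(context, mysid, sizeof(context));`. `mysid` is also tested after an unchecked `getcon()`; if getcon() can fail without storing to it, `if (mysid)` reads an indeterminate pointer, so declare it `security_context_t mysid = NULL;` and check `getcon(&mysid) < 0`. The same source-sized copy appears in list_single() in ls.c (`context[80]`) and in ps_main() in ps.c (`sbuf[128]`).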
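Review bot: `selinux_enabled` is declared here but none of the hunks visible in this patch read or assign it; my_stat() calls `is_selinux_enabled()` for every entry instead, and the initialisation in ls_main() is removed. Either drop the variable, or assign it once in ls_main() with `selinux_enabled = is_selinux_enabled();` and test it in my_stat() so the check is not repeated for every file.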
@@ -213,18 +211,19 @@ static struct dnode *my_stat(char *fullname, char *name) struct stat dstat; struct dnode *cur; #ifdef CONFIG_SELINUX - security_id_t sid; + security_context_t sid=NULL; #endif int rc; #ifdef CONFIG_FEATURE_LS_FOLLOWLINKS if (all_fmt & FOLLOW_LINKS) { #ifdef CONFIG_SELINUX - if(is_flask_enabled_flag) - rc = stat_secure(fullname, &dstat, &sid); - else + if (is_selinux_enabled()) { + rc=0; /* Set the number which means success before hand. */ + rc = getfilecon(fullname,&sid); + } #endif - rc = stat(fullname, &dstat); + rc = stat(fullname, &dstat); if(rc) { bb_perror_msg("%s", fullname); @@ -235,9 +234,12 @@ static struct dnode *my_stat(char *fullname, char *name) #endif { #ifdef CONFIG_SELINUX - if(is_flask_enabled_flag) - rc = lstat_secure(fullname, &dstat, &sid); - else + if (is_selinux_enabled()) { + rc=0; /* Set the number which means success before hand. */ + rc = lgetfilecon(fullname,&sid); + } + + #endif rc = lstat(fullname, &dstat); if(rc) @@ -736,12 +738,16 @@ static int list_single(struct dnode *dn) #ifdef CONFIG_SELINUX case LIST_CONTEXT: { - char context[64]; - int len = sizeof(context); - if(security_sid_to_context(dn->sid, context, &len)) - { - strcpy(context, "unknown"); - len = 7; + char context[80]; + int len; + + if (dn->sid) { + /* I assume sid initilized with NULL */ + len = strlen(dn->sid)+1; + safe_strncpy(context, dn->sid, len); + freecon(dn->sid); + }else { + safe_strncpy(context, "unknown",8); } printf("%-32s ", context); column += MAX(33, len); @@ -963,9 +969,6 @@ extern int ls_main(int argc, char **argv) char *terminal_width_str = NULL; #endif -#ifdef CONFIG_SELINUX - is_flask_enabled_flag = is_flask_enabled(); -#endif all_fmt = LIST_SHORT | DISP_NORMAL | STYLE_AUTO #ifdef CONFIG_FEATURE_LS_TIMESTAMPS diff --git a/busybox/include/libbb.h b/busybox/include/libbb.h index c1531eaf5..eaa8c577d 100644 --- a/busybox/include/libbb.h +++ b/busybox/include/libbb.h 
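Review bot: The result of `getfilecon()` is discarded: `rc` is set to 0, then to the getfilecon() return value, then unconditionally overwritten by `rc = stat(fullname, &dstat);`, so a failed label lookup is silent and the `rc=0` store is dead. If best-effort lookup is intended, drop `rc` from the SELinux branch and say so, e.g. `/* label lookup is best effort; sid stays NULL on failure */`. When stat() then fails, the `if(rc)` path visible here reports the error, but a context already stored in `sid` is not released unless code outside the hunk does it; a `freecon(sid);` belongs on that path. The lgetfilecon()/lstat() pair in the next hunk has the same shape.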
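Review bot: `len` is assigned only in the `if (dn->sid)` branch, yet `column += MAX(33, len);` reads it on both paths, so the "unknown" case uses an indeterminate value; add `len = sizeof("unknown");` in the else branch or initialise it at the declaration. `freecon(dn->sid)` also leaves the freed pointer in the node, so a second list_single() call on the same dnode would copy from and free released memory; follow it with `dn->sid = NULL;`, or free the context where the dnode itself is freed. list_single() starts and ends outside this hunk.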
@@ -44,7 +44,7 @@ #include "config.h" #ifdef CONFIG_SELINUX -#include +#include #endif #include "pwd_.h" @@ -424,11 +424,12 @@ void bb_xasprintf(char **string_ptr, const char *format, ...) __attribute__ ((fo #define FAIL_DELAY 3 extern void change_identity ( const struct passwd *pw ); extern const char *change_identity_e2str ( const struct passwd *pw ); -extern void run_shell ( const char *shell, int loginshell, const char *command, const char **additional_args +extern void run_shell ( const char *shell, int loginshell, const char *command, const char **additional_args); #ifdef CONFIG_SELINUX - , security_id_t sid +extern void renew_current_security_context(void); +extern void set_current_security_context(security_context_t sid); #endif -); + extern int run_parts(char **args, const unsigned char test_mode, char **env); extern int restricted_shell ( const char *shell ); extern void setup_environment ( const char *shell, int loginshell, int changeenv, const struct passwd *pw ); @@ -459,11 +460,7 @@ typedef struct { char short_cmd[16]; } procps_status_t; -extern procps_status_t * procps_scan(int save_user_arg0 -#ifdef CONFIG_SELINUX - , int use_selinux, security_id_t *sid -#endif -); +extern procps_status_t * procps_scan(int save_user_arg0); extern unsigned short compare_string_array(const char *string_array[], const char *key); extern int my_query_module(const char *name, int which, void **buf, size_t *bufsize, size_t *ret); diff --git a/busybox/libbb/find_pid_by_name.c b/busybox/libbb/find_pid_by_name.c index 930710f32..570e7bd93 100644 --- a/busybox/libbb/find_pid_by_name.c +++ b/busybox/libbb/find_pid_by_name.c 
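Review bot: The two new prototypes say nothing about who owns the context string, while the implementation in run_shell.c releases the stored value with `freecon()`. A comment above `set_current_security_context` such as `/* takes ownership of sid: it must come from libselinux and must not be freed or reused by the caller */` would make the contract visible to the callers in login.c, su.c and sulogin.c. `renew_current_security_context` deserves a one-line note too, stating that it replaces the stored context with the caller's current one.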
@@ -45,11 +45,8 @@ extern long* find_pid_by_name( const char* pidName) procps_status_t * p; pidList = xmalloc(sizeof(long)); -#ifdef CONFIG_SELINUX - while ((p = procps_scan(0, 0, NULL)) != 0) { -#else - while ((p = procps_scan(0)) != 0) { -#endif + while ((p = procps_scan(0)) != 0) + { if (strncmp(p->short_cmd, pidName, COMM_LEN-1) == 0) { pidList=xrealloc( pidList, sizeof(long) * (i+2)); pidList[i++]=p->pid; diff --git a/busybox/libbb/procps.c b/busybox/libbb/procps.c index e405fb7ef..39d8a9091 100644 --- a/busybox/libbb/procps.c +++ b/busybox/libbb/procps.c @@ -16,11 +16,7 @@ #include "libbb.h" -extern procps_status_t * procps_scan(int save_user_arg0 -#ifdef CONFIG_SELINUX - , int use_selinux , security_id_t *sid -#endif - ) +extern procps_status_t * procps_scan(int save_user_arg0) { static DIR *dir; struct dirent *entry; @@ -62,14 +58,7 @@ extern procps_status_t * procps_scan(int save_user_arg0 sprintf(status, "/proc/%d/stat", pid); if((fp = fopen(status, "r")) == NULL) continue; -#ifdef CONFIG_SELINUX - if(use_selinux) - { - if(fstat_secure(fileno(fp), &sb, sid)) - continue; - } - else -#endif + name = fgets(buf, sizeof(buf), fp); fclose(fp); if(name == NULL) diff --git a/busybox/libbb/run_shell.c b/busybox/libbb/run_shell.c index 993b4e711..e4577e114 100644 --- a/busybox/libbb/run_shell.c +++ b/busybox/libbb/run_shell.c 
@@ -37,19 +37,42 @@ #include #include "libbb.h" #ifdef CONFIG_SELINUX -#include +#include #endif +#ifdef CONFIG_SELINUX +static security_context_t current_sid=NULL; + +void +renew_current_security_context(void) +{ + if (current_sid) + freecon(current_sid); /* Release old context */ + + getcon(¤t_sid); /* update */ + + return; +} +void +set_current_security_context(security_context_t sid) +{ + if (current_sid) + freecon(current_sid); /* Release old context */ + + current_sid=sid; + + return; +} + +#endif + + /* Run SHELL, or DEFAULT_SHELL if SHELL is empty. If COMMAND is nonzero, pass it to the shell with the -c option. If ADDITIONAL_ARGS is nonzero, pass it to the shell as more arguments. */ -void run_shell ( const char *shell, int loginshell, const char *command, const char **additional_args -#ifdef CONFIG_SELINUX - , security_id_t sid -#endif -) +void run_shell ( const char *shell, int loginshell, const char *command, const char **additional_args ) { const char **args; int argno = 1; @@ -78,9 +101,10 @@ void run_shell ( const char *shell, int loginshell, const char *command, const c } args [argno] = 0; #ifdef CONFIG_SELINUX - if(sid) - execve_secure(shell, (char **) args, environ, sid); - else + if ( (current_sid) && (!setexeccon(current_sid)) ) { + freecon(current_sid); + execve(shell, (char **) args, environ); + } else #endif execv ( shell, (char **) args ); bb_perror_msg_and_die ( "cannot run %s", shell ); diff --git a/busybox/loginutils/login.c b/busybox/loginutils/login.c index 5ed10b91b..7496dcba7 100644 --- a/busybox/loginutils/login.c +++ b/busybox/loginutils/login.c @@ -17,10 +17,10 @@ #include "busybox.h" #ifdef CONFIG_SELINUX -#include -#include -#include -#include +#include /* for is_selinux_enabled() */ +#include /* for get_default_context() */ +#include /* for security class definitions */ +#include #endif #ifdef CONFIG_FEATURE_UTMP 
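Review bot: In renew_current_security_context() the old value is freed and `getcon()` is then called without checking its return, so if getcon() fails and leaves the pointer untouched, `current_sid` keeps pointing at freed memory that run_shell() later passes to `setexeccon()` and `freecon()`. Clear the pointer after the free and check the call: `current_sid = NULL;` followed by `if (getcon(&current_sid) < 0) current_sid = NULL;`. set_current_security_context() has a related hazard when it is handed the pointer it already holds; guarding the free with `if (current_sid && current_sid != sid)` avoids it.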
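Review bot: A failing `setexeccon()` falls through to the `else` branch and the shell is started with plain `execv()`, so the session runs without the context the caller requested and nothing is logged. When `current_sid` is set, the failure should stop the exec (at least on an enforcing system): `if (current_sid && setexeccon(current_sid) < 0) bb_perror_msg_and_die("cannot set exec context");`. The `freecon(current_sid)` before `execve()` also leaves `current_sid` dangling if execve() returns; that is harmless only because `bb_perror_msg_and_die` follows immediately.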
@@ -79,8 +79,7 @@ extern int login_main(int argc, char **argv) char *opt_host = 0; int alarmstarted = 0; #ifdef CONFIG_SELINUX - int flask_enabled = is_flask_enabled(); - security_id_t sid = 0, old_tty_sid, new_tty_sid; + security_context_t stat_sid = NULL, sid = NULL, old_tty_sid=NULL, new_tty_sid=NULL; #endif username[0]=0; 
@@ -225,41 +224,46 @@ auth_ok: #ifdef CONFIG_FEATURE_UTMP setutmp ( username, tty ); #endif + + if ( *tty != '/' ) + snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty); + else + safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 ); + + #ifdef CONFIG_SELINUX - if (flask_enabled) + if (is_selinux_enabled()) { struct stat st; + int rc; - if (get_default_sid(username, 0, &sid)) + if (get_default_context(username, NULL, &sid)) { fprintf(stderr, "Unable to get SID for %s\n", username); exit(1); } - if (stat_secure(tty, &st, &old_tty_sid)) + rc = getfilecon(full_tty,&stat_sid); + freecon(stat_sid); + if ((rc<0) || (stat(full_tty, &st)<0)) { - fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", tty, strerror(errno)); + fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", full_tty, strerror(errno)); return EXIT_FAILURE; } - if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) + if (security_compute_relabel (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) { - fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", tty, strerror(errno)); - return EXIT_FAILURE; - } - if(chsid(tty, new_tty_sid) != 0) - { - fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", tty, new_tty_sid, strerror(errno)); + fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", full_tty, strerror(errno)); return EXIT_FAILURE; } + if(setfilecon(full_tty, new_tty_sid) != 0) + { + fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", full_tty, new_tty_sid, strerror(errno)); + return EXIT_FAILURE; + } + freecon(sid); + freecon(old_tty_sid); + freecon(new_tty_sid); } - else - sid = 0; #endif - - if ( *tty != '/' ) - snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty); - else - safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 ); - if ( !is_my_tty ( full_tty )) syslog ( LOG_ERR, "unable to determine TTY name, got %s\n", full_tty ); 
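Review bot: `old_tty_sid` is never assigned: the tty's label is read into `stat_sid` and released on the next line, so `security_compute_relabel()` is called with a NULL target context and the terminal is relabelled, if at all, from the wrong input. Read the label into the variable that is used, `rc = getfilecon(full_tty, &old_tty_sid);`, and drop the `freecon(stat_sid);`. The `chsid(...)` message passes `new_tty_sid`, now a string, to `%d`, which is a format/argument mismatch; `"chsid(%.100s, %.100s) failed: %.100s\n"` matches the new type. The three messages also still name the old flask calls, which will mislead whoever reads the log. login_main() starts and ends outside the hunk.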
@@ -279,11 +283,11 @@ auth_ok: if ( pw-> pw_uid == 0 ) syslog ( LOG_INFO, "root login %s\n", fromhost ); - run_shell ( tmp, 1, 0, 0 + #ifdef CONFIG_SELINUX - , sid + set_current_security_context(sid); #endif - ); /* exec the shell finally. */ + run_shell ( tmp, 1, 0, 0); /* exec the shell finally. */ return EXIT_FAILURE; } diff --git a/busybox/loginutils/su.c b/busybox/loginutils/su.c index 1e93aacd4..04fdad40a 100644 --- a/busybox/loginutils/su.c +++ b/busybox/loginutils/su.c @@ -147,11 +147,11 @@ int su_main ( int argc, char **argv ) change_identity ( pw ); setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw ); - run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args + #ifdef CONFIG_SELINUX - , 0 + set_current_security_context(NULL); #endif - ); + run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args); return EXIT_FAILURE; } diff --git a/busybox/loginutils/sulogin.c b/busybox/loginutils/sulogin.c index f21b09571..a458b6ed7 100644 --- a/busybox/loginutils/sulogin.c +++ b/busybox/loginutils/sulogin.c @@ -153,6 +153,12 @@ extern int sulogin_main(int argc, char **argv) puts("Entering System Maintenance Mode\n"); fflush(stdout); syslog(LOG_INFO, "System Maintenance Mode\n"); + +#ifdef CONFIG_SELINUX + renew_current_security_context(); +#endif + run_shell(pwent.pw_shell, 1, 0, 0); + return (0); } diff --git a/busybox/procps/ps.c b/busybox/procps/ps.c index 0b603314d..eaa1edca5 100644 --- a/busybox/procps/ps.c +++ b/busybox/procps/ps.c @@ -31,9 +31,7 @@ #include #include "busybox.h" #ifdef CONFIG_SELINUX -#include -#include -#include /* for is_flask_enabled() */ +#include /* for is_flask_enabled() */ #endif static const int TERMINAL_WIDTH = 79; /* not 80 in case terminal has linefold bug */ 
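Review bot: `set_current_security_context(sid)` receives a pointer that the `auth_ok:` block has already released with `freecon(sid)` whenever SELinux is enabled, so run_shell() goes on to pass freed memory to `setexeccon()` and then frees it a second time. Ownership should move to run_shell.c: remove the `freecon(sid);` from the relabel block and keep this call as it is. login_main() starts outside the hunk.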
@@ -48,8 +46,8 @@ extern int ps_main(int argc, char **argv) #ifdef CONFIG_SELINUX int use_selinux = 0; - security_id_t sid; - if(is_flask_enabled() && argv[1] && !strcmp(argv[1], "-c") ) + security_context_t sid=NULL; + if(is_selinux_enabled() && argv[1] && !strcmp(argv[1], "-c") ) use_selinux = 1; #endif @@ -58,34 +56,42 @@ extern int ps_main(int argc, char **argv) terminal_width--; #ifdef CONFIG_SELINUX - if(use_selinux) + if (use_selinux) printf(" PID Context Stat Command\n"); else #endif - printf(" PID Uid VmSize Stat Command\n"); -#ifdef CONFIG_SELINUX - while ((p = procps_scan(1, use_selinux, &sid)) != 0) { -#else - while ((p = procps_scan(1)) != 0) { -#endif + printf(" PID Uid VmSize Stat Command\n"); + + while ((p = procps_scan(1)) != 0) { char *namecmd = p->cmd; #ifdef CONFIG_SELINUX - if(use_selinux) + if (use_selinux) { char sbuf[128]; len = sizeof(sbuf); - if(security_sid_to_context(sid, (security_context_t)&sbuf, &len)) - strcpy(sbuf, "unknown"); + if (is_selinux_enabled()) { + if (getpidcon(p->pid,&sid)<0) + sid=NULL; + } + if (sid) { + /* I assume sid initilized with NULL */ + len = strlen(sid)+1; + safe_strncpy(sbuf, sid, len); + freecon(sid); + sid=NULL; + }else { + safe_strncpy(sbuf, "unknown",7); + } len = printf("%5d %-32s %s ", p->pid, sbuf, p->state); } else #endif - if(p->rss == 0) - len = printf("%5d %-8s %s ", p->pid, p->user, p->state); - else - len = printf("%5d %-8s %6ld %s ", p->pid, p->user, p->rss, p->state); + if(p->rss == 0) + len = printf("%5d %-8s %s ", p->pid, p->user, p->state); + else + len = printf("%5d %-8s %6ld %s ", p->pid, p->user, p->rss, p->state); i = terminal_width-len; if(namecmd != 0 && namecmd[0] != 0) { diff --git a/busybox/procps/top.c b/busybox/procps/top.c index 6a129efcf..2a5a33f64 100644 --- a/busybox/procps/top.c +++ b/busybox/procps/top.c 
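Review bot: `safe_strncpy(sbuf, "unknown",7);` passes a size one short of the string plus its terminator, so, assuming safe_strncpy copies at most size-1 bytes as its use with `"unknown",8` in id.c and ls.c suggests, the Context column prints `unknow`. Pass the destination size instead: `safe_strncpy(sbuf, "unknown", sizeof(sbuf));`. The inner `if (is_selinux_enabled())` repeats what `use_selinux` already established before the loop and can be dropped, leaving `if (getpidcon(p->pid,&sid)<0) sid=NULL;` on its own.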
@@ -513,11 +513,7 @@ int top_main(int argc, char **argv) /* read process IDs & status for all the processes */ procps_status_t * p; -#ifdef CONFIG_SELINUX - while ((p = procps_scan(0, 0, NULL) ) != 0) { -#else while ((p = procps_scan(0)) != 0) { -#endif int n = ntop; top = xrealloc(top, (++ntop)*sizeof(procps_status_t)); -- 2.25.1