1: /*
2: * Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com>
3: * Copyright (c) 2008 Dan Walsh <dwalsh@redhat.com>
4: *
5: * Borrowed heavily from newrole source code
6: * Authors:
7: * Anthony Colatrella
8: * Tim Fraser
9: * Steve Grubb <sgrubb@redhat.com>
10: * Darrel Goeddel <DGoeddel@trustedcs.com>
11: * Michael Thompson <mcthomps@us.ibm.com>
12: * Dan Walsh <dwalsh@redhat.com>
13: *
14: * Permission to use, copy, modify, and distribute this software for any
15: * purpose with or without fee is hereby granted, provided that the above
16: * copyright notice and this permission notice appear in all copies.
17: *
18: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
19: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
20: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
21: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
22: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
23: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
24: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
25: */
26:
27: #include <config.h>
28:
29: #include <sys/types.h>
30: #include <sys/wait.h>
31: #include <stdio.h>
32: #include <stdlib.h>
33: #include <stddef.h>
34: #include <string.h>
35: #include <unistd.h>
36: #include <errno.h>
37: #include <fcntl.h>
38: #include <signal.h>
39:
40: #include <selinux/flask.h> /* for SECCLASS_CHR_FILE */
41: #include <selinux/selinux.h> /* for is_selinux_enabled() */
42: #include <selinux/context.h> /* for context-mangling functions */
43: #include <selinux/get_default_type.h>
44: #include <selinux/get_context_list.h>
45:
46: #ifdef HAVE_LINUX_AUDIT
47: # include <libaudit.h>
48: #endif
49:
50: #include "sudo.h"
51:
52: static struct selinux_state {
53: security_context_t old_context;
54: security_context_t new_context;
55: security_context_t tty_context;
56: security_context_t new_tty_context;
57: const char *ttyn;
58: int ttyfd;
59: int enforcing;
60: } se_state;
61:
62: #ifdef HAVE_LINUX_AUDIT
63: static int
64: audit_role_change(const security_context_t old_context,
65: const security_context_t new_context, const char *ttyn)
66: {
67: int au_fd, rc;
68: char *message;
69:
70: au_fd = audit_open();
71: if (au_fd == -1) {
72: /* Kernel may not have audit support. */
73: if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT
74: )
75: error(1, _("unable to open audit system"));
76: return -1;
77: }
78:
79: /* audit role change using the same format as newrole(1) */
80: easprintf(&message, "newrole: old-context=%s new-context=%s",
81: old_context, new_context);
82: rc = audit_log_user_message(au_fd, AUDIT_USER_ROLE_CHANGE,
83: message, NULL, NULL, ttyn, 1);
84: if (rc <= 0)
85: warning(_("unable to send audit message"));
86:
87: efree(message);
88: close(au_fd);
89:
90: return rc;
91: }
92: #endif
93:
94: /*
95: * This function attempts to revert the relabeling done to the tty.
96: * fd - referencing the opened ttyn
97: * ttyn - name of tty to restore
98: *
99: * Returns zero on success, non-zero otherwise
100: */
101: int
102: selinux_restore_tty(void)
103: {
104: int retval = 0;
105: security_context_t chk_tty_context = NULL;
106:
107: if (se_state.ttyfd == -1 || se_state.new_tty_context == NULL)
108: goto skip_relabel;
109:
110: /* Verify that the tty still has the context set by sudo. */
111: if ((retval = fgetfilecon(se_state.ttyfd, &chk_tty_context)) < 0) {
112: warning(_("unable to fgetfilecon %s"), se_state.ttyn);
113: goto skip_relabel;
114: }
115:
116: if ((retval = strcmp(chk_tty_context, se_state.new_tty_context))) {
117: warningx(_("%s changed labels"), se_state.ttyn);
118: goto skip_relabel;
119: }
120:
121: if ((retval = fsetfilecon(se_state.ttyfd, se_state.tty_context)) < 0)
122: warning(_("unable to restore context for %s"), se_state.ttyn);
123:
124: skip_relabel:
125: if (se_state.ttyfd != -1) {
126: close(se_state.ttyfd);
127: se_state.ttyfd = -1;
128: }
129: if (chk_tty_context != NULL) {
130: freecon(chk_tty_context);
131: chk_tty_context = NULL;
132: }
133: return retval;
134: }
135:
136: /*
137: * This function attempts to relabel the tty. If this function fails, then
138: * the contexts are free'd and -1 is returned. On success, 0 is returned
139: * and tty_context and new_tty_context are set.
140: *
141: * This function will not fail if it can not relabel the tty when selinux is
142: * in permissive mode.
143: */
144: static int
145: relabel_tty(const char *ttyn, int ptyfd)
146: {
147: security_context_t tty_con = NULL;
148: security_context_t new_tty_con = NULL;
149: int fd;
150:
151: se_state.ttyfd = ptyfd;
152:
153: /* It is perfectly legal to have no tty. */
154: if (ptyfd == -1 && ttyn == NULL)
155: return 0;
156:
157: /* If sudo is not allocating a pty for the command, open current tty. */
158: if (ptyfd == -1) {
159: se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
160: if (se_state.ttyfd == -1) {
161: warning(_("unable to open %s, not relabeling tty"), ttyn);
162: if (se_state.enforcing)
163: goto bad;
164: }
165: (void)fcntl(se_state.ttyfd, F_SETFL,
166: fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
167: }
168:
169: if (fgetfilecon(se_state.ttyfd, &tty_con) < 0) {
170: warning(_("unable to get current tty context, not relabeling tty"));
171: if (se_state.enforcing)
172: goto bad;
173: }
174:
175: if (tty_con && (security_compute_relabel(se_state.new_context, tty_con,
176: SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
177: warning(_("unable to get new tty context, not relabeling tty"));
178: if (se_state.enforcing)
179: goto bad;
180: }
181:
182: if (new_tty_con != NULL) {
183: if (fsetfilecon(se_state.ttyfd, new_tty_con) < 0) {
184: warning(_("unable to set new tty context"));
185: if (se_state.enforcing)
186: goto bad;
187: }
188: }
189:
190: if (ptyfd != -1) {
191: /* Reopen pty that was relabeled, std{in,out,err} are reset later. */
192: se_state.ttyfd = open(ttyn, O_RDWR|O_NOCTTY, 0);
193: if (se_state.ttyfd == -1) {
194: warning(_("unable to open %s"), ttyn);
195: if (se_state.enforcing)
196: goto bad;
197: }
198: if (dup2(se_state.ttyfd, ptyfd) == -1) {
199: warning("dup2");
200: goto bad;
201: }
202: } else {
203: /* Re-open tty to get new label and reset std{in,out,err} */
204: close(se_state.ttyfd);
205: se_state.ttyfd = open(ttyn, O_RDWR|O_NONBLOCK);
206: if (se_state.ttyfd == -1) {
207: warning(_("unable to open %s"), ttyn);
208: goto bad;
209: }
210: (void)fcntl(se_state.ttyfd, F_SETFL,
211: fcntl(se_state.ttyfd, F_GETFL, 0) & ~O_NONBLOCK);
212: for (fd = STDIN_FILENO; fd <= STDERR_FILENO; fd++) {
213: if (isatty(fd) && dup2(se_state.ttyfd, fd) == -1) {
214: warning("dup2");
215: goto bad;
216: }
217: }
218: }
219: /* Retain se_state.ttyfd so we can restore label when command finishes. */
220: (void)fcntl(se_state.ttyfd, F_SETFD, FD_CLOEXEC);
221:
222: se_state.ttyn = ttyn;
223: se_state.tty_context = tty_con;
224: se_state.new_tty_context = new_tty_con;
225: return 0;
226:
227: bad:
228: if (se_state.ttyfd != -1 && se_state.ttyfd != ptyfd) {
229: close(se_state.ttyfd);
230: se_state.ttyfd = -1;
231: }
232: freecon(tty_con);
233: return -1;
234: }
235:
236: /*
237: * Returns a new security context based on the old context and the
238: * specified role and type.
239: */
240: security_context_t
241: get_exec_context(security_context_t old_context, const char *role, const char *type)
242: {
243: security_context_t new_context = NULL;
244: context_t context = NULL;
245: char *typebuf = NULL;
246:
247: /* We must have a role, the type is optional (we can use the default). */
248: if (!role) {
249: warningx(_("you must specify a role for type %s"), type);
250: errno = EINVAL;
251: return NULL;
252: }
253: if (!type) {
254: if (get_default_type(role, &typebuf)) {
255: warningx(_("unable to get default type for role %s"), role);
256: errno = EINVAL;
257: return NULL;
258: }
259: type = typebuf;
260: }
261:
262: /*
263: * Expand old_context into a context_t so that we extract and modify
264: * its components easily.
265: */
266: context = context_new(old_context);
267:
268: /*
269: * Replace the role and type in "context" with the role and
270: * type we will be running the command as.
271: */
272: if (context_role_set(context, role)) {
273: warning(_("failed to set new role %s"), role);
274: goto bad;
275: }
276: if (context_type_set(context, type)) {
277: warning(_("failed to set new type %s"), type);
278: goto bad;
279: }
280:
281: /*
282: * Convert "context" back into a string and verify it.
283: */
284: new_context = estrdup(context_str(context));
285: if (security_check_context(new_context) < 0) {
286: warningx(_("%s is not a valid context"), new_context);
287: errno = EINVAL;
288: goto bad;
289: }
290:
291: #ifdef DEBUG
292: warningx("Your new context is %s", new_context);
293: #endif
294:
295: context_free(context);
296: return new_context;
297:
298: bad:
299: free(typebuf);
300: context_free(context);
301: freecon(new_context);
302: return NULL;
303: }
304:
305: /*
306: * Set the exec and tty contexts in preparation for fork/exec.
307: * Must run as root, before the uid change.
308: * If ptyfd is not -1, it indicates we are running
309: * in a pty and do not need to reset std{in,out,err}.
310: * Returns 0 on success and -1 on failure.
311: */
312: int
313: selinux_setup(const char *role, const char *type, const char *ttyn,
314: int ptyfd)
315: {
316: int rval = -1;
317:
318: /* Store the caller's SID in old_context. */
319: if (getprevcon(&se_state.old_context)) {
320: warning(_("failed to get old_context"));
321: goto done;
322: }
323:
324: se_state.enforcing = security_getenforce();
325: if (se_state.enforcing < 0) {
326: warning(_("unable to determine enforcing mode."));
327: goto done;
328: }
329:
330: #ifdef DEBUG
331: warningx("your old context was %s", se_state.old_context);
332: #endif
333: se_state.new_context = get_exec_context(se_state.old_context, role, type);
334: if (!se_state.new_context)
335: goto done;
336:
337: if (relabel_tty(ttyn, ptyfd) < 0) {
338: warning(_("unable to setup tty context for %s"), se_state.new_context);
339: goto done;
340: }
341:
342: #ifdef DEBUG
343: if (se_state.ttyfd != -1) {
344: warningx("your old tty context is %s", se_state.tty_context);
345: warningx("your new tty context is %s", se_state.new_tty_context);
346: }
347: #endif
348:
349: #ifdef HAVE_LINUX_AUDIT
350: audit_role_change(se_state.old_context, se_state.new_context,
351: se_state.ttyn);
352: #endif
353:
354: rval = 0;
355:
356: done:
357: return rval;
358: }
359:
360: void
361: selinux_execve(const char *path, char *argv[], char *envp[])
362: {
363: char **nargv;
364: int argc, serrno;
365:
366: if (setexeccon(se_state.new_context)) {
367: warning(_("unable to set exec context to %s"), se_state.new_context);
368: if (se_state.enforcing)
369: return;
370: }
371:
372: #ifdef HAVE_SETKEYCREATECON
373: if (setkeycreatecon(se_state.new_context)) {
374: warning(_("unable to set key creation context to %s"), se_state.new_context);
375: if (se_state.enforcing)
376: return;
377: }
378: #endif /* HAVE_SETKEYCREATECON */
379:
380: for (argc = 0; argv[argc] != NULL; argc++)
381: continue;
382:
383: /* Build new argv with sesh as argv[0]. */
384: nargv = emalloc2(argc + 2, sizeof(char *));
385: nargv[0] = *argv[0] == '-' ? "-sesh" : "sesh";
386: nargv[1] = (char *)path;
387: memcpy(&nargv[2], &argv[1], argc * sizeof(char *)); /* copies NULL */
388:
389: execve(_PATH_SUDO_SESH, nargv, envp);
390: serrno = errno;
391: free(nargv);
392: errno = serrno;
393: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to selinux.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / src