[redhat-lspp] Xinetd patches for selinux context configuration

James Antill jantill at redhat.com
Wed Nov 29 21:14:51 UTC 2006


On Wed, 2006-11-29 at 14:22 -0500, Stephen Smalley wrote:

> >  Ok, I assume you still also want the MLS range to be configurably bound
> > as in:
> > 
> > http://www.redhat.com/archives/redhat-lspp/2005-September/msg00125.html
> 
> Yes, although one might be able to handle that in the labeled networking
> code itself, by rejecting packets with labels outside of the client
> host's authorized range before they are ever received by userspace.

 Ok, this patch doesn't do any bounding then.
 I've currently left the old config. context stuff in atm. in case we
want to change that to specify the MLS bound, it's easier for me. But if
this is fine as is I'll drop that part before I hand it off to Steve.

> >  "user_u:system_r:fingerd_exec_t",
> 
> Not quite - this should be an object context; you should have used
> object_r above.

 Right, this would be: system_u:object_r:fingerd_exec_t

> >  PROCESS__DYNTRANSITION,
> 
> Completely wrong - this should be a security class value, not a
> permission value.  In particular, SECCLASS_PROCESS.

 Ahh, duh! Not sure what I was thinking there. Here is an updated patch,
all of the real changes are localized to child.c now, I think:


diff -rup xinetd-2.3.14-orig/xinetd/attr.h xinetd-2.3.14/xinetd/attr.h
--- xinetd-2.3.14-orig/xinetd/attr.h	2005-10-05 13:15:33.000000000 -0400
+++ xinetd-2.3.14/xinetd/attr.h	2006-11-29 15:55:07.000000000 -0500
@@ -61,12 +61,13 @@
 #define A_DISABLED         43
 #define A_MDNS             44
 #define A_LIBWRAP          45
+#define A_SEC_CONTEXT      46
 
 /*
  * SERVICE_ATTRIBUTES is the number of service attributes and also
  * the number from which defaults-only attributes start.
  */
-#define SERVICE_ATTRIBUTES      ( A_MDNS + 1 )
+#define SERVICE_ATTRIBUTES      ( A_SEC_CONTEXT + 1 )
 
 /*
  * Mask of attributes that must be specified.
Only in xinetd-2.3.14/xinetd: attr.h.confcntx
diff -rup xinetd-2.3.14-orig/xinetd/child.c xinetd-2.3.14/xinetd/child.c
--- xinetd-2.3.14-orig/xinetd/child.c	2006-11-28 14:03:07.000000000
-0500
+++ xinetd-2.3.14/xinetd/child.c	2006-11-29 15:55:27.000000000 -0500
@@ -31,9 +31,6 @@
 #ifdef HAVE_NETDB_H
 #include <netdb.h>
 #endif
-#ifdef LABELED_NET
-#include <selinux/selinux.h>
-#endif
 
 #include "str.h"
 #include "child.h"
@@ -49,7 +46,8 @@
 
 /* Local declarations */
 #ifdef LABELED_NET
-static int set_context_from_socket( int fd );
+static int set_context_from_socket( const struct service_config *scp,
int fd );
+static int set_context_from_config( const struct service_config *scp );
 #endif
 
 
@@ -158,12 +156,17 @@ void exec_server( const struct server *s
 #ifdef LABELED_NET
    if (SC_LABELED_NET(scp))
    {
-      if (set_context_from_socket( descriptor ) < 0) {
+      if (set_context_from_socket( scp, descriptor ) < 0) {
          msg( LOG_ERR, func,
              "Changing process context failed for %s", SC_ID( scp )) ;
          _exit( 1 ) ;
       }
    }
+   else if (set_context_from_config( scp ) < 0) {
+      msg( LOG_ERR, func,
+          "Changing process context failed for %s", SC_ID( scp )) ;
+      _exit( 1 ) ;
+   }
 #endif
 
    (void) Sclose( descriptor ) ;
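Review bot: With the new `else if`, a service that sets both labeled_net and sec_context never reaches set_context_from_config(), so its configured context is silently ignored in favour of the peer-derived one. If that precedence is intended, a comment above the `#ifdef` such as `/* labeled_net derives the exec context from the peer; sec_context is honoured only for unlabeled services */` would make it explicit; if not, the parser should reject the combination rather than let one setting mask the other. Calling set_context_from_config() for every service on this build and exiting the child on failure is the right fail-closed behaviour, since a service silently running in the wrong domain is worse than one that does not start. exec_server() begins and ends outside this hunk.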
@@ -485,16 +488,11 @@ void child_exit(void)
 }
 
 #ifdef LABELED_NET
-static int set_context_from_socket( int fd )
+static int set_context( security_context_t cntx )
 {
-   const char *func = "set_context_from_socket" ;
-   security_context_t peer_context;
+   const char *func = "set_context" ;
 
-   if (getpeercon(fd, &peer_context) < 0)
-      return -1;
-
-   int retval = setexeccon(peer_context);
-   freecon( peer_context );
+   int retval = setexeccon(cntx);
 
    if (debug.on)
    {
@@ -513,4 +511,74 @@ static int set_context_from_socket( int 
 
    return retval;
 }
+
+static int set_context_from_socket( const struct service_config *scp,
int fd )
+{
+   security_context_t curr_context;
+   security_context_t peer_context;
+   security_context_t exec_context;
+   context_t bcon;
+   context_t pcon;
+   security_context_t new_context;
+   security_context_t new_exec_context;
+   int retval = -1;
+   const char *exepath = NULL;
+
+   if (getcon(&curr_context) < 0)
+     goto fail_getcon;
+   
+   if (getpeercon(fd, &peer_context) < 0)
+     goto fail_getpeercon;
+
+   exepath = SC_SERVER_ARGV( scp )[0];
+   if (lgetfilecon(exepath, &exec_context) < 0)
+     goto fail_lgetfilecon;
+
+   if (!(bcon = context_new(curr_context)))
+     goto fail_context_new_curr;
+
+   if (!(pcon = context_new(peer_context)))
+     goto fail_context_new_peer;
+
+   if (!context_range_get(pcon))
+     goto fail_context_range_get;
+   
+   if (!context_range_set(bcon, context_range_get(pcon)))
+     goto fail_context_range_set;
+
+   if (!(new_context = context_str(bcon)))
+     goto fail_context_str;
+   
+   if (security_compute_create(new_context, exec_context,
SECCLASS_PROCESS,
+                               &new_exec_context) < 0)
+     goto fail_security_compute_create;
+
+   retval = set_context(new_exec_context);
+
+   freecon(new_exec_context);
+
+ fail_security_compute_create:
+ fail_context_str:
+ fail_context_range_set:
+ fail_context_range_get:
+   context_free(pcon);
+ fail_context_new_peer:
+   context_free(bcon);
+ fail_context_new_curr:
+   freecon(exec_context);   
+ fail_lgetfilecon:
+   freecon(peer_context);
+ fail_getpeercon:
+   freecon(curr_context);
+ fail_getcon:
+   return retval;
+}
+
+static int set_context_from_config( const struct service_config *scp )
+{
+   if (!SC_HAS_SEC_CONTEXT(scp)) /* no config. don't do anything */
+     return 0;
+   
+   return set_context(SC_SEC_CONTEXT(scp));
+}
 #endif
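Review bot: The check at `if (!context_range_set(bcon, context_range_get(pcon)))` is inverted: libselinux's context_range_set(), like the other context_*_set() calls, returns 0 on success and -1 on failure, so this jumps to fail_context_range_set exactly when the range was copied and set_context_from_socket() can only return -1, which makes exec_server() _exit(1) for every labeled_net service; it should read `if (context_range_set(bcon, context_range_get(pcon)) < 0)`. The executable's label is fetched with lgetfilecon(), which returns the label of a symlink itself rather than its target, whereas execve() follows the link; `if (getfilecon(exepath, &exec_context) < 0)` queries the file the kernel will actually compute the transition against. If SC_SERVER_ARGV(scp)[0] can differ from SC_SERVER(scp) (not visible from this hunk), labeling by SC_SERVER(scp) would be the safer choice. The goto cleanup chain itself releases every context in the right order, and the trailing whitespace on the `+   ` lines and after `freecon(exec_context);` should be dropped.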
Only in xinetd-2.3.14/xinetd: child.c.confcntx
diff -rup xinetd-2.3.14-orig/xinetd/parse.c xinetd-2.3.14/xinetd/parse.c
--- xinetd-2.3.14-orig/xinetd/parse.c	2005-10-05 13:15:33.000000000
-0400
+++ xinetd-2.3.14/xinetd/parse.c	2006-11-29 15:55:07.000000000 -0500
@@ -98,6 +98,10 @@ static const struct attribute service_at
 #ifdef RLIMIT_STACK
    { "rlimit_stack",   A_RLIMIT_STACK,   1,  rlim_stack_parser      },
 #endif
+#ifdef LABELED_NET
+   { "sec_context",    A_SEC_CONTEXT,    1,  selinux_context_parser },
+   { "selinux_context",A_SEC_CONTEXT,    1,  selinux_context_parser },
+#endif
    { "v6only",         A_V6ONLY,         1,  v6only_parser          },
    { "deny_time",      A_DENY_TIME,      1,  deny_time_parser       },
    { "umask",          A_UMASK,          1,  umask_parser           },
Only in xinetd-2.3.14/xinetd: parse.c.confcntx
diff -rup xinetd-2.3.14-orig/xinetd/parsers.c
xinetd-2.3.14/xinetd/parsers.c
--- xinetd-2.3.14-orig/xinetd/parsers.c	2005-10-05 17:45:41.000000000
-0400
+++ xinetd-2.3.14/xinetd/parsers.c	2006-11-29 15:55:07.000000000 -0500
@@ -1513,3 +1513,24 @@ status_e libwrap_parser( pset_h values,
 }
 #endif
 
+#ifdef LABELED_NET
+status_e selinux_context_parser(pset_h values, 
+                                struct service_config *scp, enum
assign_op op)
+{
+   const char *func = "selinux_context_parser";
+
+   if( pset_pointer(values, 0) == NULL )
+   {
+      msg(LOG_ERR, func, "pset_pointer returned NULL");
+      return( FAILED );
+   }
+
+   SC_SEC_CONTEXT(scp) = new_string( pset_pointer(values,0) );
+   if( SC_SEC_CONTEXT(scp) == NULL ) {
+      msg(LOG_ERR, func, ES_NOMEM);
+      return( FAILED );
+   }
+
+   return OK;
+}
+#endif
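Review bot: selinux_context_parser() stores the configured string without validating it, so a mistyped context is only discovered when setexeccon() fails in the forked child and exec_server() exits with the generic "Changing process context failed" message, with no pointer back to the attribute. Adding `if (is_selinux_enabled() > 0 && security_check_context(SC_SEC_CONTEXT(scp)) < 0) {`, `msg(LOG_ERR, func, "invalid security context: %s", SC_SEC_CONTEXT(scp)); return( FAILED );`, `}` after the new_string() NULL check reports it at configuration load instead, which is where an administrator will look. The `op` parameter and any value beyond index 0 are ignored; if the other parsers treat `+=`/`-=` or multiple values specially (not visible here), this one should at least reject them rather than quietly keep the first.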
Only in xinetd-2.3.14/xinetd: parsers.c.confcntx
diff -rup xinetd-2.3.14-orig/xinetd/parsers.h
xinetd-2.3.14/xinetd/parsers.h
--- xinetd-2.3.14-orig/xinetd/parsers.h	2005-10-05 13:15:33.000000000
-0400
+++ xinetd-2.3.14/xinetd/parsers.h	2006-11-29 15:55:07.000000000 -0500
@@ -70,5 +70,9 @@ status_e mdns_parser(pset_h, struct serv
 #ifdef LIBWRAP
 status_e libwrap_parser(pset_h, struct service_config *, enum
assign_op) ;
 #endif
+#ifdef LABELED_NET
+status_e selinux_context_parser(pset_h values, 
+                                struct service_config *scp, enum
assign_op op) ;
+#endif
 
 #endif
Only in xinetd-2.3.14/xinetd: parsers.h.confcntx
diff -rup xinetd-2.3.14-orig/xinetd/sconf.h xinetd-2.3.14/xinetd/sconf.h
--- xinetd-2.3.14-orig/xinetd/sconf.h	2006-11-28 14:03:07.000000000
-0500
+++ xinetd-2.3.14/xinetd/sconf.h	2006-11-29 15:55:07.000000000 -0500
@@ -25,6 +25,12 @@
 #endif
 #include "libportable.h"
 
+#ifdef LABELED_NET
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/flask.h>
+#endif
+
 #include "pset.h"
 #include "m_env.h"
 #include "mask.h"
@@ -158,6 +164,9 @@ struct service_config
 #ifdef LIBWRAP
    char                *sc_libwrap;
 #endif
+#ifdef LABELED_NET
+   security_context_t   sc_sec_context;
+#endif
 } ;
 
 #define SCP( p ) ((struct service_config *)(p))
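Review bot: The new sc_sec_context field owns a heap string (selinux_context_parser stores new_string() into it), yet the patch does not touch sconf.c, so unless it is handled elsewhere the string is neither released when a service config is freed nor carried over when defaults are copied; that should be checked before merging. The accessor macros added in the two following hunks (SC_SEC_CONTEXT and SC_HAS_SEC_CONTEXT) are also defined outside any `#ifdef LABELED_NET` guard while the field they dereference is inside one, which is harmless today only because every caller is itself guarded; wrapping them in the same `#ifdef` keeps a future non-SELinux build from failing at its first use. struct service_config starts outside this hunk.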
@@ -219,6 +228,7 @@ struct service_config
 #define SC_MDNS( scp )           (scp)->sc_mdns
 #define SC_PER_SOURCE( scp )     (scp)->sc_per_source
 #define SC_LIBWRAP( scp )        (scp)->sc_libwrap
+#define SC_SEC_CONTEXT( scp )    (scp)->sc_sec_context
 /*
  * Field set macros
  */
@@ -255,6 +265,8 @@ struct service_config
 #define SC_IS_TCPMUX( scp )	 ( (scp)->sc_builtin &&
\

(BUILTIN_HANDLER( (scp)->sc_builtin ) == \
 				   (void *)tcpmux_handler ) )
+#define SC_HAS_SEC_CONTEXT(scp)  ( (scp)->sc_sec_context &&     \
+                                  *(scp)->sc_sec_context)
 
 #define LOGS_USERID( scp, flags ) \
    ( M_IS_SET( (scp)->flags, LO_USERID ) &&
SC_ACCEPTS_CONNECTIONS( scp ) )
Only in xinetd-2.3.14/xinetd: sconf.h.confcntx

-- 
James Antill <jantill at redhat.com>

