summaryrefslogtreecommitdiff
path: root/modules/pam_selinux
diff options
context:
space:
mode:
authorSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 21:13:04 -0800
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 21:13:04 -0800
commitc55c14c5c6762139ec6695d84ea0e2e917da5264 (patch)
tree9e6119760c93841b2bc3e05680ac9e4e15ae9c25 /modules/pam_selinux
parentf3c0273b7bd2d7fdcac3fe3604cedd82afc57f49 (diff)
parentfc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (diff)
New upstream version 1.1.5
Diffstat (limited to 'modules/pam_selinux')
-rw-r--r--modules/pam_selinux/pam_selinux.c52
1 files changed, 38 insertions, 14 deletions
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index 64fabafd..f99d433a 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -196,6 +196,7 @@ manual_context (pam_handle_t *pamh, const char *user, int debug)
goto fail_set;
if (context_type_set (new_context, type))
goto fail_set;
+ _pam_drop(type);
}
_pam_drop(response);
@@ -236,19 +237,35 @@ static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, securit
{
struct av_decision avd;
int retval;
- unsigned int bit = CONTEXT__CONTAINS;
- context_t src_context = context_new (src);
- context_t dst_context = context_new (dst);
+ security_class_t class;
+ access_vector_t bit;
+ context_t src_context;
+ context_t dst_context;
+
+ class = string_to_security_class("context");
+ if (!class) {
+ pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m");
+ return 0;
+ }
+
+ bit = string_to_av_perm(class, "contains");
+ if (!bit) {
+ pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m");
+ return 0;
+ }
+
+ src_context = context_new (src);
+ dst_context = context_new (dst);
context_range_set(dst_context, context_range_get(src_context));
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context));
- retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd);
+ retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd);
context_free(src_context);
context_free(dst_context);
if (retval || ((bit & avd.allowed) != bit))
return 0;
-
+
return 1;
}
@@ -290,6 +307,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
goto fail_set;
if (context_type_set (new_context, type))
goto fail_set;
+ _pam_drop(type);
}
}
_pam_drop(response);
@@ -374,6 +392,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
int mls_enabled = is_selinux_mls_enabled();
const char *env = NULL;
char *type = NULL;
+ int fail = 1;
if ((new_context = context_new(defaultcon)) == NULL)
goto fail_set;
@@ -434,9 +453,6 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
/* Get the string value of the context and see if it is valid. */
if (security_check_context(newcon)) {
pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon);
- send_audit_message(pamh, 0, defaultcon, newcon);
- freecon(newcon);
- newcon = NULL;
goto fail_set;
}
@@ -446,16 +462,21 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
be checked at setexeccon time */
if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
- send_audit_message(pamh, 0, defaultcon, newcon);
- freecon(newcon);
- newcon = NULL;
+
+ goto fail_set;
}
+ fail = 0;
+
fail_set:
free(type);
context_free(my_context);
context_free(new_context);
- send_audit_message(pamh, 0, defaultcon, NULL);
+ if (fail) {
+ send_audit_message(pamh, 0, defaultcon, newcon);
+ freecon(newcon);
+ newcon = NULL;
+ }
return newcon;
}
@@ -642,10 +663,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
username, seuser, level);
- free(seuser);
free(level);
}
if (num_contexts > 0) {
+ free(seuser);
default_user_context=strdup(contextlist[0]);
freeconary(contextlist);
if (default_user_context == NULL) {
@@ -672,7 +693,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
}
}
else {
- user_context = manual_context(pamh,seuser,debug);
+ if (seuser != NULL) {
+ user_context = manual_context(pamh,seuser,debug);
+ free(seuser);
+ }
if (user_context == NULL) {
pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
username);