-rw-r--r--ChangeLog9
-rw-r--r--modules/pam_selinux/pam_selinux.c19
-rw-r--r--modules/pam_unix/support.c2
3 files changed, 21 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 78f49455..f787b764 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2011-03-17 Tomas Mraz <tm@t8m.info>
+
+ * modules/pam_selinux/pam_selinux.c (config_context): Fix leak of type.
+ (manual_context): Likewise.
+ (context_from_env): Remove extraneous auditing in success case.
+
+ * modules/pam_unix/support.c (_unix_run_helper_binary): Remove extra
+ close() call.
+
2011-02-22 Tomas Mraz <tm@t8m.info>
* modules/pam_nologin/pam_nologin.8.xml: Add missing space.
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index a6ca8af2..f99d433a 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -196,6 +196,7 @@ manual_context (pam_handle_t *pamh, const char *user, int debug)
goto fail_set;
if (context_type_set (new_context, type))
goto fail_set;
+ _pam_drop(type);
}
_pam_drop(response);
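Review bot: The added `_pam_drop(type)` releases `type` only when `context_type_set` succeeds; when that call fails, control jumps to `fail_set` with `type` still allocated, so the leak the ChangeLog describes persists on the error path unless `fail_set` frees it — that label lies outside this hunk, so I cannot confirm it from here. The config_context hunk below has exactly the same shape. If `fail_set` does not free it, either add `free(type);` under the label (as context_from_env does in the last hunk of this file) or drop it before testing the result: `rc = context_type_set (new_context, type); _pam_drop(type); if (rc) goto fail_set;`. manual_context's body begins and ends outside this hunk.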
@@ -306,6 +307,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
goto fail_set;
if (context_type_set (new_context, type))
goto fail_set;
+ _pam_drop(type);
}
}
_pam_drop(response);
@@ -390,6 +392,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
int mls_enabled = is_selinux_mls_enabled();
const char *env = NULL;
char *type = NULL;
+ int fail = 1;
if ((new_context = context_new(defaultcon)) == NULL)
goto fail_set;
@@ -450,9 +453,6 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
/* Get the string value of the context and see if it is valid. */
if (security_check_context(newcon)) {
pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon);
- send_audit_message(pamh, 0, defaultcon, newcon);
- freecon(newcon);
- newcon = NULL;
goto fail_set;
}
@@ -462,16 +462,21 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
be checked at setexeccon time */
if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
- send_audit_message(pamh, 0, defaultcon, newcon);
- freecon(newcon);
- newcon = NULL;
+
+ goto fail_set;
}
+ fail = 0;
+
fail_set:
free(type);
context_free(my_context);
context_free(new_context);
- send_audit_message(pamh, 0, defaultcon, NULL);
+ if (fail) {
+ send_audit_message(pamh, 0, defaultcon, newcon);
+ freecon(newcon);
+ newcon = NULL;
+ }
return newcon;
}
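Review bot: The new `fail_set` cleanup passes `newcon` to `send_audit_message` and `freecon` on every failure path, including the `goto fail_set` right after `context_new` in an earlier hunk, which runs before `newcon` is assigned; that is only safe if `newcon` is initialized to NULL at its declaration, which is above the visible lines, so please confirm, since `freecon` on an indeterminate pointer would be undefined behaviour. With `fail` still 1 at the two invalid-context sites, the audit calls removed from them are still emitted from `fail_set`, so no failure goes unaudited. Two stray blank lines were introduced, one before `goto fail_set;` in the MLS branch and one after `fail = 0;`; I would drop both and put a short comment on the flag, e.g. `/* cleared only once newcon has passed every check */`.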
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index bddafd4b..0b8d4d64 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -493,14 +493,12 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
if (passwd != NULL) { /* send the password to the child */
if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
- close(fds[1]);
retval = PAM_AUTH_ERR;
}
passwd = NULL;
} else { /* blank password */
if (write(fds[1], "", 1) == -1) {
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
- close(fds[1]);
retval = PAM_AUTH_ERR;
}
}
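Review bot: Both `write` calls still treat only a -1 return as failure, so a short write would hand the helper a truncated, unterminated password while `retval` stays unchanged; comparing against the requested length is the robust form, e.g. `size_t len = strlen(passwd) + 1; if (write(fds[1], passwd, len) != (ssize_t)len) {`, and `!= 1` for the blank-password branch. Pipe writes at or below PIPE_BUF are atomic, so in practice this matters only for unusually long inputs, but the check is cheap. Removing `close(fds[1])` here presumes the write end is closed unconditionally later in the function, which is outside this hunk; _unix_run_helper_binary starts and continues beyond the visible lines.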