List: busybox
Subject: [PATCH] Use seuser for SELinux login
From: <pchang9 () itri ! org ! tw>
Date: 2020-01-16 6:31:42
Message-ID: 1579156302999.61281 () itri ! org ! tw
Hi,
The previous mail is missing in the wild, so I resend the same patch again.
We are working on enabling SELinux for BusyBox.
We thought login should use the seuser for the SELinux default context, rather than the Linux username.
Reference and example:
getseuserbyname on https://selinuxproject.org/page/LibselinuxAPISummary
https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c
Signed-off-by: Po-Chun Chang <pchang9@itri.org.tw>
---
loginutils/login.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/loginutils/login.c b/loginutils/login.c
index 4e65b3a19..11a82421b 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -178,12 +178,16 @@ static void die_if_nologin(void)
static void initselinux(char *username, char *full_tty,
security_context_t *user_sid)
{
+ char *seuser = NULL, *level = NULL;
security_context_t old_tty_sid, new_tty_sid;
if (!is_selinux_enabled())
return;
- if (get_default_context(username, NULL, user_sid)) {
+ if (getseuserbyname(username, &seuser, &level)) {
+ bb_error_msg_and_die("can't get seuser for %s", username);
+ }
+ if (get_default_context(seuser, NULL, user_sid)) {
bb_error_msg_and_die("can't get SID for %s", username);
}
if (getfilecon(full_tty, &old_tty_sid) < 0) {
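Review bot: the `level` string filled in on the `+ if (getseuserbyname(username, &seuser, &level)) {` line is never used, so any MLS range assigned to the login in seusers is silently dropped when the context is computed with `get_default_context(seuser, NULL, user_sid)`. libselinux has `get_default_context_with_level(seuser, level, NULL, user_sid)` for exactly this case; consider using it when `level` is non-NULL, or drop the variable if ignoring the level is intentional. Also, the unchanged `bb_error_msg_and_die("can't get SID for %s", username)` on the next line still reports only `username`, although the lookup now runs on `seuser`; printing both makes a failed mapping traceable.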
@@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
if (setfilecon(full_tty, new_tty_sid) != 0) {
bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid);
}
+
+ if (ENABLE_FEATURE_CLEAN_UP) {
+ free(seuser);
+ free(level);
+ }
}
#endif
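Review bot: the `free(seuser)` and `free(level)` block is placed after the tty relabelling, but neither string is used after the `get_default_context()` call in the first hunk; releasing them right after that call keeps allocation and release adjacent and shortens the strings' lifetime. Every failure path in between ends in `bb_error_msg_and_die()`, so nothing leaks either way; this is a readability point, and the `if (ENABLE_FEATURE_CLEAN_UP)` idiom itself is the right one for BusyBox.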
---
--
This email may contain ITRI confidential information. If you are not the intended recipient, please do not use or disclose its contents, and please destroy this email. This email may contain confidential information. Please do not use or disclose it in any way and delete it if you are not the intended recipient.
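The patch's premise is that the Linux login name is not the SELinux user: `getseuserbyname()` maps it through the seusers file (`/etc/selinux/<policytype>/seusers`, one `login:seuser[:level]` record per line, with a `__default__` record for logins that have no entry). The following is an added example, not BusyBox or libselinux code: a minimal stand-alone re-implementation of that lookup over constructed seusers text, so the mapping and its default fallback can be seen without a SELinux-enabled host. The function name `lookup_seuser` and the sample records are this example's own.

```c
/*
 * Added example (not BusyBox or libselinux code): a minimal re-implementation
 * of the lookup libselinux's getseuserbyname() performs over the seusers file.
 * Record format, one per line:  login:seuser[:level]
 * The level field may itself contain ':' (an MLS range such as s0-s0:c0.c1023),
 * so only the first two colons are separators. The "__default__" record is used
 * for logins that have no entry of their own. Return values mirror the real
 * API: 0 on success (direct match or default), -1 when no mapping exists.
 */
#include <stdio.h>
#include <string.h>

#define SEUSERS_DEFAULT "__default__"

/* Constructed sample seusers content for this example; not from any real system. */
static const char SAMPLE_SEUSERS[] =
    "# login:seuser:level   (constructed sample)\n"
    "system_u:system_u:s0-s0:c0.c1023\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "alice:staff_u:s0\n"
    "bob:user_u\n"
    "__default__:user_u:s0\n";

/* Copy [begin, end) into dst as a C string; -1 if it would not fit. */
static int copy_field(char *dst, size_t dst_len, const char *begin, const char *end)
{
    size_t n = (size_t)(end - begin);
    if (n >= dst_len)
        return -1;
    memcpy(dst, begin, n);
    dst[n] = '\0';
    return 0;
}

/* Split one record [line, line_end) into login, seuser and (optional) level. */
static int parse_record(const char *line, const char *line_end,
                        char *login, size_t login_len,
                        char *seuser, size_t seuser_len,
                        char *level, size_t level_len)
{
    const char *c1 = memchr(line, ':', (size_t)(line_end - line));
    if (!c1)
        return -1;                                  /* no separator: malformed */
    const char *c2 = memchr(c1 + 1, ':', (size_t)(line_end - (c1 + 1)));
    const char *seuser_end = c2 ? c2 : line_end;

    if (copy_field(login, login_len, line, c1) ||
        copy_field(seuser, seuser_len, c1 + 1, seuser_end))
        return -1;
    if (seuser[0] == '\0')
        return -1;                                  /* empty seuser is unusable */
    if (c2)
        return copy_field(level, level_len, c2 + 1, line_end);
    level[0] = '\0';                                /* record carries no level */
    return 0;
}

/*
 * Resolve `name` against `seusers_text`. On success the SELinux user and its
 * level (empty string if none) are written to the out buffers and 0 is
 * returned; -1 means neither a direct record nor a __default__ record exists.
 */
int lookup_seuser(const char *seusers_text, const char *name,
                  char *seuser_out, size_t seuser_len,
                  char *level_out, size_t level_len)
{
    char login[64], seuser[64], level[128];
    char def_seuser[64] = "", def_level[128] = "";
    int have_default = 0;
    const char *p = seusers_text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        const char *end = nl ? nl : p + strlen(p);

        /* Skip blank lines and comments; ignore records that do not parse. */
        if (p < end && *p != '#' &&
            parse_record(p, end, login, sizeof login, seuser, sizeof seuser,
                         level, sizeof level) == 0) {
            if (strcmp(login, name) == 0) {         /* direct match wins */
                if (copy_field(seuser_out, seuser_len, seuser, seuser + strlen(seuser)) ||
                    copy_field(level_out, level_len, level, level + strlen(level)))
                    return -1;
                return 0;
            }
            if (!have_default && strcmp(login, SEUSERS_DEFAULT) == 0) {
                snprintf(def_seuser, sizeof def_seuser, "%s", seuser);
                snprintf(def_level, sizeof def_level, "%s", level);
                have_default = 1;                   /* remember, keep scanning */
            }
        }
        if (!nl)
            break;
        p = nl + 1;
    }

    if (!have_default)
        return -1;
    if (copy_field(seuser_out, seuser_len, def_seuser, def_seuser + strlen(def_seuser)) ||
        copy_field(level_out, level_len, def_level, def_level + strlen(def_level)))
        return -1;
    return 0;
}

int main(void)
{
    const char *names[] = { "root", "alice", "bob", "carol" };
    char seuser[64], level[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (lookup_seuser(SAMPLE_SEUSERS, names[i], seuser, sizeof seuser,
                          level, sizeof level) == 0)
            printf("%-6s -> seuser=%s level=%s\n", names[i], seuser,
                   level[0] ? level : "(none)");
        else
            printf("%-6s -> no mapping\n", names[i]);
    }
    return 0;
}
```

Running it shows `carol`, who has no record, resolving to the `__default__` entry, and `bob` resolving to a seuser without any level, which is the case where the patch's unused `level` pointer would be empty anyway; for `root` the MLS range survives the embedded colon. This is the value the patch now feeds to `get_default_context()` in place of the raw login name.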
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox