On (18/01/16 18:06), Simo Sorce wrote:
I will needed selinux support later on in the secrets work, so I
looked
into how we were getting peercreds and found it could be improved by
making it a little more abstract.
This patch also uncovered issues with header inclusion (patch sent
earlier).
(I did not open a bug for this one)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
From 7cc82eff48dabc4b15e119146f36597f4cd75827 Mon Sep 17 00:00:00
2001
From: Simo Sorce <simo(a)redhat.com>
Date: Mon, 18 Jan 2016 15:21:57 -0500
Subject: [PATCH] Util: Improve code to get connection credentials
Adds support to get SELINUX context and make code more abstract so
that struct ucred (if available) can be used w/o redefining uid,gid,pid to
int32. Also gives a layer of indirection that may come in handy if we want
to improve the code further in the future.
Resolves:
https://fedorahosted.org/sssd/ticket/XXXX
---
Makefile.am | 2 +
src/responder/common/responder.h | 25 ++++++++++--
src/responder/common/responder_common.c | 50 +++++++++++++++---------
src/responder/pam/pamsrv_cmd.c | 23 +++++------
src/util/util_selinux.h | 68 +++++++++++++++++++++++++++++++++
5 files changed, 133 insertions(+), 35 deletions(-)
create mode 100644 src/util/util_selinux.h
diff --git a/Makefile.am b/Makefile.am
index 407053b1a6dcd0255be76ae7f9252a671b965ea2..2a02add0dc1942c57dec03f4762444c48a710a10
100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -496,6 +496,7 @@ SSSD_LIBS = \
$(COLLECTION_LIBS) \
$(DHASH_LIBS) \
$(OPENLDAP_LIBS) \
+ $(SELINUX_LIBS) \
$(TDB_LIBS)
PYTHON_BINDINGS_LIBS = \
@@ -556,6 +557,7 @@ dist_noinst_HEADERS = \
src/util/authtok-utils.h \
src/util/util_safealign.h \
src/util/util_sss_idmap.h \
+ src/util/util_selinux.h \
src/monitor/monitor.h \
src/monitor/monitor_interfaces.h \
src/responder/common/responder.h \
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 6b511368c9b08d1cfc828d16f57a2cde902dc82b..4735eb7af7d65c1e822d662e7200a8a7418e191e
100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -36,6 +36,7 @@
#include "sbus/sssd_dbus.h"
#include "responder/common/negcache.h"
#include "sss_client/sss_cli.h"
+#include "util/util_selinux.h"
extern hash_table_t *dp_requests;
@@ -123,6 +124,21 @@ struct resp_ctx {
bool shutting_down;
};
+#ifdef HAVE_UCRED
+typedef struct ucred UCRED_CTX;
+#define UCRED_get_uid(x) x.uid
+
+#else /* not HAVE_UCRED */
+struct ucred_ctx { int none; };
+typedef struct ucred_ctx UCRED_CTX;
+#define UCRED_get_uid(x) -1
+#endif /* done HAVE_UCRED */
+
+struct cli_creds {
+ UCRED_CTX ucred;
+ SELINUX_CTX selinux_ctx;
+};
+
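Review bot: Both `UCRED_get_uid` definitions expand without parentheses, so an argument such as `*creds` would bind as `*creds.uid`, and the bare `-1` is spliced into whatever expression surrounds the call. `#define UCRED_get_uid(x) ((x).uid)` and `#define UCRED_get_uid(x) ((uid_t)-1)` avoid both problems. The fallback branch would also benefit from a comment such as `/* no peer credentials on this platform: uid is unknown and must never match an allowed or trusted uid */`, since the `client_euid()` callers listed further down this page compare the result against 0 and -1 when deciding access. The hunk as quoted here stops before its trailing context, so the `struct cli_ctx` member that embeds `struct cli_creds` is not visible.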
Here is a small issue.
The header file "src/responder/common/responder.h" creates a typedef
for "struct ucred". This structure is defined only for "__USE_GNU"
in the header file "bits/socket.h". This system header file can
be included by any other system file, e.g. sys/time.h.
Therefore it will work for you if you include "util/util.h"
as the first header file, because it includes config.h,
which enables GNU features. But you need to do that in all
implementation modules which include directly or indirectly
"src/responder/common/responder.h". The main problem is that
most of the responder modules do not use cli_creds.
sh$ $git grep cli_creds
src/responder/common/responder.h:struct cli_creds {
src/responder/common/responder.h: struct cli_creds creds;
src/responder/common/responder.h:uid_t client_euid(struct cli_creds *creds);
src/responder/common/responder.h:errno_t check_allowed_uids(struct cli_creds *creds,
src/responder/common/responder_common.c:uid_t client_euid(struct cli_creds *creds)
src/responder/common/responder_common.c:errno_t check_allowed_uids(struct cli_creds
*creds,
src/responder/pam/pamsrv_cmd.c:static bool is_uid_trusted(struct cli_creds *creds,
sh$ git grep client_euid
src/responder/common/responder.h:uid_t client_euid(struct cli_creds *creds);
src/responder/common/responder_common.c:uid_t client_euid(struct cli_creds *creds)
src/responder/common/responder_common.c: if (client_euid(&cctx->creds) ==
-1) {
src/responder/common/responder_common.c:
(int)client_euid(&cctx->creds));
src/responder/pam/pamsrv_cmd.c: if (client_euid(creds) == 0) {
src/responder/pam/pamsrv_cmd.c: (int)client_euid(&cctx->creds));
src/responder/pam/pamsrv_cmd.c:
(int)client_euid(&preq->cctx->creds), preq->pd->domain);
sh$ grep check_allowed_uids
src/responder/common/responder.h:errno_t check_allowed_uids(struct cli_creds *creds,
src/responder/common/responder_common.c:errno_t check_allowed_uids(struct cli_creds
*creds,
src/responder/common/responder_common.c: ret =
check_allowed_uids(&cctx->creds, rctx->allowed_uids_count,
src/responder/common/responder_common.c: DEBUG(SSSDBG_OP_FAILURE,
"check_allowed_uids failed.\n");
src/responder/ifp/ifpsrv_util.c: ret = check_allowed_uids(dbus_req->client,
src/responder/pam/pamsrv_cmd.c: ret = check_allowed_uids(creds, trusted_uids_count,
trusted_uids);
src/tests/responder_socket_access-tests.c:START_TEST(check_allowed_uids_test)
src/tests/responder_socket_access-tests.c: ret =
check_allowed_uids(uid_check_data[c].uid,
src/tests/responder_socket_access-tests.c: "check_allowed_uids
failed [%d][%s].", ret, strerror(ret));
src/tests/responder_socket_access-tests.c: tcase_add_test(tc_utils,
check_allowed_uids_test);
responder_common.c contains implemetation of client_euid and check_allowed_uids
and it's used only in pamsrv_cmd.c, ifpsrv_util.c and unit test
responder_socket_access-tests.c.
Much simpler solution would be to make "struct cli_creds creds" opaque
and does not rely on the order of included header files and wheter macro
__USE_GNU is defined or no.
LS