author | Tanguy Pruvot <tanguy.pruvot@gmail.com> | 2014-08-05 08:52:43 (GMT) |
---|---|---|
committer | Tanguy Pruvot <tanguy.pruvot@gmail.com> | 2014-08-05 09:27:04 (GMT) |
commit | 76616e359f5a18ab1a26d0cbd8bdf03411036fcc (patch) | |
tree | c0545537272e755655be6055d2d2318b9c094f48 | |
parent | 57da4a8052a09fd7f9ade2db3896b5ec14fc88f2 (diff) | |
download | busybox-76616e359f5a18ab1a26d0cbd8bdf03411036fcc.zip busybox-76616e359f5a18ab1a26d0cbd8bdf03411036fcc.tar.gz busybox-76616e359f5a18ab1a26d0cbd8bdf03411036fcc.tar.bz2 |
selinux: implement missing selinux functions
checkPasswdAccess() is deprecated
http://linux.die.net/man/3/selinux_check_passwd_access
also, ensure context is initialized in run_shell()
Note: these stubs are just compatible with busybox source code
Should be enhanced, or implemented in libselinux...
Change-Id: I22ea2679191d5c0887b6ef8c77f09a032c226876
-rw-r--r-- | android/selinux/android_selinux.h | 13 | ||||
-rw-r--r-- | android/selinux/stubs.c | 38 | ||||
-rw-r--r-- | busybox-full.sources | 2 | ||||
-rw-r--r-- | busybox-minimal.sources | 2 | ||||
-rw-r--r-- | libbb/run_shell.c | 9 | ||||
-rw-r--r-- | libbb/update_passwd.c | 2 |
6 files changed, 60 insertions, 6 deletions
diff --git a/android/selinux/android_selinux.h b/android/selinux/android_selinux.h index 3114a67..c39d87a 100644 --- a/android/selinux/android_selinux.h +++ b/android/selinux/android_selinux.h @@ -93,6 +93,16 @@ extern void matchpathcon_checkmatches(char *str); */ extern int selinux_file_context_verify(const char *path, mode_t mode); +/* Get the default security context for a user session for 'user' + spawned by 'fromcon' and set *newcon to refer to it. The context + will be one of those authorized by the policy, but the selection + of a default is subject to user customizable preferences. + If 'fromcon' is NULL, defaults to current context. + Returns 0 on success or -1 otherwise. + Caller must free via freecon. */ +extern int get_default_context(const char* user, const char* fromcon, + char ** newcon); + #define lgetfilecon_raw(path, context) \ lgetfilecon(path, context) @@ -105,6 +115,9 @@ extern int selinux_file_context_verify(const char *path, mode_t mode); #define security_canonicalize_context_raw(context, newctx) \ security_canonicalize_context(context, newctx) +#define getprevcon_raw(context) \ + getprevcon(context) + #define is_context_customizable(ctx) false #define selinux_log(type, ...) bb_error_msg(__VA_ARGS__) diff --git a/android/selinux/stubs.c b/android/selinux/stubs.c new file mode 100644 index 0000000..c3f442d --- a/dev/null +++ b/android/selinux/stubs.c @@ -0,0 +1,38 @@ +#include <stdio.h> +#include <stdlib.h> +#include <selinux/selinux.h> + +/* create a new context with user name (may be unsafe) */ +int get_default_context(const char* user, const char* fromcon, + char ** newcon) +{ + char fmt[] = "u:r:%s:s0\0"; + int len = strlen(user) + strlen(fmt); + + *newcon = malloc(len); + if (!(*newcon)) + return -1; + snprintf(*newcon, len, fmt, user); + return 0; +} + +/* Compute a relabeling decision and set *newcon to refer to it. + Caller must free via freecon. + Stub not implemented in bionic, but declared in selinux.h */ +int security_compute_relabel(const char *scon, const char *tcon, + security_class_t tclass, + char ** newcon) +{ + if (tcon) + *newcon = strdup(tcon); + if (!(*newcon)) + return -1; + return 0; +} + +/* Check a permission in the passwd class. + Return 0 if granted or -1 otherwise. */ +int selinux_check_passwd_access(access_vector_t requested) +{ + return 0; +}
\ No newline at end of file diff --git a/busybox-full.sources b/busybox-full.sources index dccbbca..773e1fe 100644 --- a/busybox-full.sources +++ b/busybox-full.sources @@ -67,7 +67,7 @@ procps/lsof.c procps/nmeter.c procps/pstree.c procps/pwdx.c procps/smemcap.c shell/ash.c shell/ash_ptr_hack.c shell/math.c shell/random.c shell/shell_common.c -libbb/selinux_common.c android/selinux/matchpathcon.c +libbb/selinux_common.c android/selinux/matchpathcon.c android/selinux/stubs.c selinux/chcon.c selinux/selinuxenabled.c selinux/getenforce.c selinux/sestatus.c selinux/setsebool.c selinux/getsebool.c selinux/runcon.c selinux/setenforce.c selinux/setfiles.c selinux/matchpathcon.c diff --git a/busybox-minimal.sources b/busybox-minimal.sources index 62641f0..5c9b8ec 100644 --- a/busybox-minimal.sources +++ b/busybox-minimal.sources @@ -25,7 +25,7 @@ procps/renice.c procps/sysctl.c procps/top.c procps/uptime.c procps/watch.c shell/ash.c shell/ash_ptr_hack.c shell/math.c shell/random.c shell/shell_common.c -android/selinux/matchpathcon.c +android/selinux/matchpathcon.c android/selinux/stubs.c libbb/selinux_common.c selinux/chcon.c selinux/selinuxenabled.c selinux/getenforce.c selinux/sestatus.c selinux/setsebool.c selinux/getsebool.c selinux/setenforce.c selinux/setfiles.c selinux/matchpathcon.c diff --git a/libbb/run_shell.c b/libbb/run_shell.c index 4d92c3c..9494f27 100644 --- a/libbb/run_shell.c +++ b/libbb/run_shell.c @@ -34,16 +34,18 @@ #endif #if ENABLE_SELINUX -static security_context_t current_sid; +static security_context_t current_sid = NULL; void FAST_FUNC renew_current_security_context(void) { - freecon(current_sid); /* Release old context */ + if (current_sid) + freecon(current_sid); /* Release old context */ getcon(¤t_sid); /* update */ } void FAST_FUNC set_current_security_context(security_context_t sid) { - freecon(current_sid); /* Release old context */ + if (current_sid) + freecon(current_sid); /* Release old context */ current_sid = sid; } @@ -82,6 +84,7 @@ void FAST_FUNC run_shell(const char *shell, int loginshell, const char *command, args[argno] = NULL; #if ENABLE_SELINUX + renew_current_security_context(); if (current_sid) setexeccon(current_sid); if (ENABLE_FEATURE_CLEAN_UP) diff --git a/libbb/update_passwd.c b/libbb/update_passwd.c index a30af6f..b2d0464 100644 --- a/libbb/update_passwd.c +++ b/libbb/update_passwd.c @@ -30,7 +30,7 @@ static void check_selinux_update_passwd(const char *username) if (!seuser) bb_error_msg_and_die("invalid context '%s'", context); if (strcmp(seuser, username) != 0) { - if (checkPasswdAccess(PASSWD__PASSWD) != 0) + if (selinux_check_passwd_access(PASSWD__PASSWD) != 0) bb_error_msg_and_die("SELinux: access denied"); } if (ENABLE_FEATURE_CLEAN_UP) |