New upstream version 1.1.5

author: Steve Langasek <steve.langasek@ubuntu.com> 2019-01-03 21:13:04 -0800
committer: Steve Langasek <steve.langasek@ubuntu.com> 2019-01-03 21:13:04 -0800
commit: c55c14c5c6762139ec6695d84ea0e2e917da5264 (patch)
tree: 9e6119760c93841b2bc3e05680ac9e4e15ae9c25 /modules/pam_selinux/pam_selinux.c
parent: f3c0273b7bd2d7fdcac3fe3604cedd82afc57f49 (diff)
parent: fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (diff)
download: pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.tar.gz
pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.tar.bz2
pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.zip
1 files changed, 38 insertions, 14 deletions
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index 64fabafd..f99d433a 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -196,6 +196,7 @@ manual_context (pam_handle_t *pamh, const char *user, int debug)
               goto fail_set;
 	   if (context_type_set (new_context, type)) 
               goto fail_set;
+	   _pam_drop(type);
 	}
 	_pam_drop(response);
 
@@ -236,19 +237,35 @@ static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, securit
 {
   struct av_decision avd;
   int retval;
-  unsigned int bit = CONTEXT__CONTAINS;
-  context_t src_context = context_new (src);
-  context_t dst_context = context_new (dst);
+  security_class_t class;
+  access_vector_t bit;
+  context_t src_context;
+  context_t dst_context;
+
+  class = string_to_security_class("context");
+  if (!class) {
+    pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m");
+    return 0;
+  }
+
+  bit = string_to_av_perm(class, "contains");
+  if (!bit) {
+    pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m");
+    return 0;
+  }
+
+  src_context = context_new (src);
+  dst_context = context_new (dst);
   context_range_set(dst_context, context_range_get(src_context));
   if (debug)
     pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for  %s", dst, context_str(dst_context));
 
-  retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd);
+  retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd);
   context_free(src_context);
   context_free(dst_context);
   if (retval || ((bit & avd.allowed) != bit))
     return 0;
-  
+
   return 1;
 }
 
@@ -290,6 +307,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
 	      goto fail_set;
 	    if (context_type_set (new_context, type))
 	      goto fail_set;
+	    _pam_drop(type);
 	  } 
 	}
 	_pam_drop(response);
@@ -374,6 +392,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
   int mls_enabled = is_selinux_mls_enabled();
   const char *env = NULL;
   char *type = NULL;
+  int fail = 1;
 
   if ((new_context = context_new(defaultcon)) == NULL)
     goto fail_set;
@@ -434,9 +453,6 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
   /* Get the string value of the context and see if it is valid. */
   if (security_check_context(newcon)) {
     pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon);
-    send_audit_message(pamh, 0, defaultcon, newcon);
-    freecon(newcon);
-    newcon = NULL;
 
     goto fail_set;
   }
@@ -446,16 +462,21 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
      be checked at setexeccon time */
   if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
     pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
-    send_audit_message(pamh, 0, defaultcon, newcon);
-    freecon(newcon);
-    newcon = NULL;
+
+    goto fail_set;
   }
 
+  fail = 0;
+
  fail_set:
   free(type);
   context_free(my_context);
   context_free(new_context);
-  send_audit_message(pamh, 0, defaultcon, NULL);
+  if (fail) {
+    send_audit_message(pamh, 0, defaultcon, newcon);
+    freecon(newcon);
+    newcon = NULL;
+  }
   return newcon;
 }
 
@@ -642,10 +663,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
 	  if (debug)
 		  pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
                              username, seuser, level);
-	  free(seuser);
 	  free(level);
   }
   if (num_contexts > 0) {
+    free(seuser);
     default_user_context=strdup(contextlist[0]);
     freeconary(contextlist);
     if (default_user_context == NULL) {
@@ -672,7 +693,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
     }
   }
   else { 
-      user_context = manual_context(pamh,seuser,debug);
+      if (seuser != NULL) {
+	user_context = manual_context(pamh,seuser,debug);
+	free(seuser);
+      }
       if (user_context == NULL) {
 	pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
 		    username);
author	Steve Langasek <steve.langasek@ubuntu.com>	2019-01-03 21:13:04 -0800
committer	Steve Langasek <steve.langasek@ubuntu.com>	2019-01-03 21:13:04 -0800
commit	c55c14c5c6762139ec6695d84ea0e2e917da5264 (patch)
tree	9e6119760c93841b2bc3e05680ac9e4e15ae9c25 /modules/pam_selinux/pam_selinux.c
parent	f3c0273b7bd2d7fdcac3fe3604cedd82afc57f49 (diff)
parent	fc772e7236a7aea9c9c26b0be2ee6f3ed8ae444a (diff)
download	pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.tar.gz pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.tar.bz2 pam-c55c14c5c6762139ec6695d84ea0e2e917da5264.zip