mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/changehat/pam_apparmor/pam_apparmor.c
Steve Beattie 598f7a0b5b mod_apparmor/pam_apparmor: fix libapparmor search path and add USE_SYSTEM support 
This patch adds support for the USE_SYSTEM make flag and adjusts
search paths for mod_apparmor and pam_apparmor, as well as fixing up
a couple of the (probably ought to be deprecated) tomcat locations
where apparmor.h is included.

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-01-09 11:57:13 -08:00

230 lines
5.6 KiB
C
Raw Blame History

/* pam_apparmor module */
/*
* Copyright (c) 2006
* NOVELL (All rights reserved)
*
* Copyright (c) 2010
* Canonical, Ltd. (All rights reserved)
*
* Written by Jesse Michael <jmichael@suse.de> 2006/08/24
* and Steve Beattie <sbeattie@ubuntu.com> 2006/10/25
*
* Based off of pam_motd by:
* Ben Collins <bcollins@debian.org> 2005/10/04
* Michael K. Johnson <johnsonm@redhat.com> 1996/10/24
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
#include <syslog.h>
#include <errno.h>
#include <sys/apparmor.h>
#include <security/pam_ext.h>
#include <security/pam_modutil.h>
/*
* here, we make a definition for the externally accessible function
* in this file (this definition is required for static a module
* but strongly encouraged generally) it is used to instruct the
* modules include file to define the function prototypes.
*/
#define PAM_SM_SESSION
#include <security/pam_modules.h>
#include "pam_apparmor.h"
int debug_flag = 0;
static struct config default_config = {
.hat_type[0] = eGroupname,
.hat_type[1] = eDefault,
.hat_type[2] = eNoEntry,
};
/* --- session management functions (only) --- */
PAM_EXTERN int
pam_sm_close_session (pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
return PAM_IGNORE;
}
PAM_EXTERN
int pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
int fd, retval, pam_retval = PAM_SUCCESS;
unsigned int magic_token;
const char *user;
struct passwd *pw;
struct group *gr;
struct config *config = NULL;
int i;
if ((retval = get_options(pamh, &config, argc, argv)) != 0)
return retval;
if (!config)
config = &default_config;
/* grab the target user name */
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS || user == NULL || *user == '\0') {
pam_syslog(pamh, LOG_ERR, "Can't determine user\n");
return PAM_USER_UNKNOWN;
}
pw = pam_modutil_getpwnam(pamh, user);
if (!pw) {
pam_syslog(pamh, LOG_ERR, "Can't determine group for user %s\n", user);
return PAM_PERM_DENIED;
}
gr = pam_modutil_getgrgid(pamh, pw->pw_gid);
if (!gr || !gr->gr_name) {
pam_syslog(pamh, LOG_ERR, "Can't read info for group %d\n", pw->pw_gid);
return PAM_PERM_DENIED;
}
fd = open("/dev/urandom", O_RDONLY);
if (fd < 0) {
pam_syslog(pamh, LOG_ERR, "Can't open /dev/urandom\n");
return PAM_PERM_DENIED;
}
/* the magic token needs to be non-zero otherwise, we won't be able
* to probe for hats */
do {
retval = pam_modutil_read(fd,
(void *)&magic_token,
sizeof(magic_token));
if (retval < 0) {
pam_syslog(pamh, LOG_ERR, "Can't read from /dev/urandom\n");
return PAM_PERM_DENIED;
}
} while ((magic_token == 0) || (retval != sizeof(magic_token)));
close(fd);
pam_retval = PAM_SUCCESS;
for (i = 0; i < MAX_HAT_TYPES && config->hat_type[i] != eNoEntry; i++) {
const char *hat = NULL;
switch (config->hat_type[i]) {
case eGroupname:
hat = gr->gr_name;
if (debug_flag)
pam_syslog(pamh, LOG_DEBUG, "Using groupname '%s'\n", hat);
break;
case eUsername:
hat = user;
if (debug_flag)
pam_syslog(pamh, LOG_DEBUG, "Using username '%s'\n", hat);
break;
case eDefault:
if (debug_flag)
pam_syslog(pamh, LOG_DEBUG, "Using DEFAULT\n");
hat = "DEFAULT";
break;
default:
pam_syslog(pamh, LOG_ERR, "Unknown value in hat table: %x\n",
config->hat_type[i]);
goto nodefault;
break;
}
retval = change_hat(hat, magic_token);
if (retval == 0) {
/* success, let's bail */
if (debug_flag)
pam_syslog(pamh, LOG_DEBUG, "Successfully changed to hat '%s'\n", hat);
goto out;
}
switch (errno) {
/* case EPERM: */ /* Can't enable until ECHILD patch gets accepted, and we can
* distinguish between unconfined and confined-but-no-hats */
case EINVAL:
/* apparmor is not loaded or application is unconfined,
* stop attempting to use change_hat */
if (debug_flag)
pam_syslog(pamh, LOG_DEBUG,
"AppArmor not loaded, or application is unconfined\n");
pam_retval = PAM_SUCCESS;
goto out;
break;
case ECHILD:
/* application is confined but has no hats,
* stop attempting to use change_hat */
goto nodefault;
break;
case EACCES:
case ENOENT:
/* failed to change into attempted hat, so we'll
* jump back out and try the next one */
break;
default:
pam_syslog(pamh, LOG_ERR, "Unknown error occurred changing to %s hat: %s\n",
hat, strerror(errno));
/* give up? */
pam_retval = PAM_SYSTEM_ERR;
goto out;
}
retval = change_hat(NULL, magic_token);
if (retval != 0) {
/* changing into the specific hat and attempting to
* jump back out both failed. that most likely
* means that either apparmor is not loaded or we
* don't have a profile loaded for this application.
* in this case, we want to allow the pam operation
* to succeed. */
goto out;
}
}
nodefault:
/* if we got here, we were unable to change into any of the hats
* we attempted. */
pam_syslog(pamh, LOG_ERR, "Can't change to any hat\n");
pam_retval = PAM_SESSION_ERR;
out:
/* zero out the magic token so an attacker wouldn't be able to
* just grab it out of process memory and instead would need to
* brute force it */
memset(&magic_token, 0, sizeof(magic_token));
if (config && config != &default_config)
free(config);
return pam_retval;
}
#ifdef PAM_STATIC
/* static module data */
struct pam_module _pam_apparmor_modstruct = {
"pam_apparmor",
NULL,
NULL,
NULL,
pam_sm_open_session,
pam_sm_close_session,
NULL,
};
#endif
/* end of module definition */
Reference in a new issue View git blame Copy permalink