From 84333872d83f830bd84559cf2e16dfc6bdde15df Mon Sep 17 00:00:00 2001
From: Robert Watson
Date: Wed, 23 Oct 2002 03:17:22 +0000
Subject: [PATCH] If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see if the user has a 'label' entry in their login class. If so, attempt to set that label on the process as part of the credential setup. If we're unable to parse the label, or unable to set the label, fail. In the future, we may also want to warn if a label is set but the kernel doesn't support MAC.
Approved by: re
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
---
 lib/libutil/login_class.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
index 3930c03032da..219db5881856 100644
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
+#include
 static struct login_res {
@@ -317,6 +318,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 #ifndef __NETBSD_SYSCALLS
 struct rtprio rtp;
 #endif
+ int error;
 if (lc == NULL) {
 if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL)
@@ -374,6 +376,31 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 }
 }
+ /* Set up the user's MAC label. */
+ if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
+ const char *label_string;
+ mac_t label;
+
+ label_string = login_getcapstr(lc, "label", NULL, NULL);
+ if (label_string != NULL) {
+ if (mac_from_text(&label, label_string) == -1) {
+ syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
+ pwd->pw_name, label_string);
+ return -1;
+ }
+ if (mac_set_proc(label) == -1)
+ error = errno;
+ else
+ error = 0;
+ mac_free(label);
+ if (error != 0) {
+ syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
+ label_string, pwd->pw_name, strerror(error));
+ return -1;
+ }
+ }
+ }
+
 /* Set the sessions login */
 if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
 syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
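Review bot: The syslog() arguments on the mac_from_text() failure path are in the wrong order for the format string: `"mac_from_text('%s') for %s: %m"` names the label first and the user second, but the call passes `pwd->pw_name, label_string`, so the audit log attributes the username as the label and vice versa (the mac_set_proc() message just below gets the order right); change the argument line to `label_string, pwd->pw_name);`. Both error paths also dereference `pwd` unconditionally, whereas the prologue in the previous hunk guards `pwd != NULL` before using it — presumably callers that pass LOGIN_SETMAC always supply a pwd, but if not, a malformed or rejected label would fault instead of being logged, which is worth confirming before relying on this as the fail-closed path. Returning -1 when the label cannot be parsed or applied is the right choice, since silently continuing would hand the session an unlabeled credential; a configured label on a kernel where mac_is_present() is not 1 is still skipped silently, as the commit message acknowledges. setusercontext's body begins and ends outside this hunk.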