Commit Graph

48 Commits

Author SHA1 Message Date
Christian Göttsche
c71d14e824 newrole: ensure password memory erasure
Compiler can optimize calls to memset(3), due to the as-if rule, away if
the object is not accessed later on.  Use a wrapper using volatile
pointers to ensure the memory is guaranteed to be erased.  Also erase
the encrypted password.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:12:47 -05:00
Christian Göttsche
1af8089824 newrole: check for crypt(3) failure
Depending on the implementation crypt(3) can fail either by returning
NULL, or returning a pointer to an invalid hash and setting errno.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:12:44 -05:00
Christian Göttsche
29e167a448 newrole: silence compiler warnings
newrole.c:636:12: warning: function declaration isn’t a prototype [-Wstrict-prototypes]
      636 | static int transition_to_caller_uid()
          |            ^~~~~~~~~~~~~~~~~~~~~~~~

    newrole.c:103:9: warning: macro is not used [-Wunused-macros]
    #define DEFAULT_CONTEXT_SIZE 255        /* first guess at context size */
            ^

    newrole.c:862:4: warning: 'break' will never be executed [-Wunreachable-code-break]
                            break;
                            ^~~~~

    newrole.c:168:13: warning: no previous extern declaration for non-static variable 'service_name' [-Wmissing-variable-declarations]
    const char *service_name = "newrole";
                ^

    hashtab.c:53:11: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
            hvalue = h->hash_value(h, key);
                   ~ ^~~~~~~~~~~~~~~~~~~~~
    hashtab.c:92:11: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
            hvalue = h->hash_value(h, key);
                   ~ ^~~~~~~~~~~~~~~~~~~~~
    hashtab.c:124:11: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
            hvalue = h->hash_value(h, key);
                   ~ ^~~~~~~~~~~~~~~~~~~~~
    hashtab.c:172:10: warning: implicit conversion changes signedness: 'int' to 'unsigned int' [-Wsign-conversion]
                            ret = apply(cur->key, cur->datum, args);
                                ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    hashtab.c:174:12: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversion]
                                    return ret;
                                    ~~~~~~ ^~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:12:41 -05:00
Christian Göttsche
09c994c287 newrole: add Makefile target to test build options
Add a Makefile target which build newrole with all combinations of
supported build options.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2022-03-03 12:12:39 -05:00
Christian Göttsche
081ac391ad policycoreutils: mark local functions static
setfiles.c:50:6: warning: no previous prototype for ‘set_rootpath’ [-Wmissing-prototypes]
       50 | void set_rootpath(const char *arg)
          |      ^~~~~~~~~~~~
    setfiles.c:67:5: warning: no previous prototype for ‘canoncon’ [-Wmissing-prototypes]
       67 | int canoncon(char **contextp)
          |     ^~~~~~~~

    newrole.c:185:5: warning: no previous prototype for ‘authenticate_via_pam’ [-Wmissing-prototypes]
      185 | int authenticate_via_pam(const char *ttyn, pam_handle_t * pam_handle)
          |     ^~~~~~~~~~~~~~~~~~~~

    run_init.c:241:5: warning: no previous prototype for ‘authenticate_user’ [-Wmissing-prototypes]
      241 | int authenticate_user(void)
          |     ^~~~~~~~~~~~~~~~~
    run_init.c:306:5: warning: no previous prototype for ‘get_init_context’ [-Wmissing-prototypes]
      306 | int get_init_context(char **context)
          |     ^~~~~~~~~~~~~~~~

    sestatus.c:38:5: warning: no previous prototype for ‘cmp_cmdline’ [-Wmissing-prototypes]
       38 | int cmp_cmdline(const char *command, int pid)
          |     ^~~~~~~~~~~
    sestatus.c:62:5: warning: no previous prototype for ‘pidof’ [-Wmissing-prototypes]
       62 | int pidof(const char *command)
          |     ^~~~~
    sestatus.c:95:6: warning: no previous prototype for ‘load_checks’ [-Wmissing-prototypes]
       95 | void load_checks(char *pc[], int *npc, char *fc[], int *nfc)
          |      ^~~~~~~~~~~
    sestatus.c:171:6: warning: no previous prototype for ‘printf_tab’ [-Wmissing-prototypes]
      171 | void printf_tab(const char *outp)
          |      ^~~~~~~~~~

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-11-15 16:00:54 -05:00
Christian Göttsche
b1a3c2030c Correct some typos
Found by codespell

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
2021-09-30 15:42:11 -04:00
Christian Göttsche
32611aea65 policycoreutils: free memory of allocated context in newrole
Found by scan-build.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2021-07-19 10:42:45 -04:00
Nicolas Iooss
e45bc87094 policycoreutils: silence -Wextra-semi-stmt warning
On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
(which is not the default build configuration), the compiler reports:

      secon.c:686:3: error: empty expression statement has no effect;
      remove unnecessary ';' to silence this warning
      [-Werror,-Wextra-semi-stmt]
              };
               ^

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2021-07-06 11:08:11 -04:00
Dominick Grift
8bc865e1fe newrole: support cross-compilation with PAM and audit
Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-09-04 15:56:38 -04:00
Christian Göttsche
92e7494f42 tree-wide: replace last occurrences of security_context_t
Follow-up of: 9eb9c93275 ("Get rid of security_context_t and fix const declarations.")

Acked-by: William Roberts <william.c.roberts@intel.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-03-25 09:54:21 -05:00
Ondrej Mosnacek
00bdfefcce libsepol, newrole: remove unused hashtab functions
hashtab_replace() and hashtab_map_remove_on_error() aren't used
anywhere, no need to keep them around...

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
2020-02-21 15:15:41 -05:00
Nicolas Iooss
b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Aleksei Nikiforov
0445e65d83 Allow installing translated man pages
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Aleksei Nikiforov
e3e3873de7 Add man pages translation by Olesya Gerasimenko
Signed-off-by: Olesya Gerasimenko <gammaray@basealt.ru>
Signed-off-by: Aleksei Nikiforov <darktemplar@basealt.ru>
2019-01-28 12:03:57 +01:00
Laurent Bigonville
c62fe252eb policycoreutils: Fix typo in newrole.1 manpage 2018-05-30 22:05:55 +02:00
Marcus Folkesson
6b901a4fb8 policycoreutils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
2018-02-14 20:02:01 +01:00
Stephen Smalley
53bb2a11c2 checkpolicy,libselinux,libsepol,policycoreutils: Update my email address
Update my email address since epoch.ncsc.mil no longer exists.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-08-17 14:17:12 -04:00
Jason Zaman
15f2740733 Makefiles: override *FLAGS and *LIBS
There were several places in the makefiles where LDLIBS or CFLAGS were
supposed to include options to build. They were missing the override
keyword so would be skipped if these vars were set on the make cmdline.
Add the override directive to fix this.

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-06-20 12:15:04 -04:00
Jason Zaman
89ce96cac6 policycoreutils: make audit and pam support configurable
Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:32:11 -04:00
Jason Zaman
fcb5d5cc72 Makefiles: drop -L/-I to system paths
The toolchain automatically handles them and they break cross compiling.

LDFLAGS should also come before object files, some flags (eg,
-Wl,as-needed) can break things if they are in the wrong place)

Gentoo-Bug: https://bugs.gentoo.org/500674

Signed-off-by: Jason Zaman <jason@perfinion.com>
2017-04-25 08:27:05 -04:00
Nicolas Iooss
35af459220 policycoreutils: newrole: always initialize pw fields
In extract_pw_data(), if "getpwuid(uid)" fails, the function returns an
error value without initializing main's pw.pw_name. This leads main() to
call "free(pw.pw_name)" on an uninitialized value.

Use memset() to initialize structure pw in main().

This issue has been found using clang's static analyzer.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:48:36 -04:00
Nicolas Iooss
bfe40222e2 policycoreutils: newrole: do not free pw strings twice
In main(), if "extract_pw_data(&pw)" returns a failed value, it has
already freed pw.pw_name, pw.pw_dir and pw.pw_shell. These fields are
freed a second time in main's err_free label, which is incorrect. Work
around this by setting them to NULL after they are freed.

This issue has been found using clang's static analyzer.

While at it, make extract_pw_data() static.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-04-12 14:47:45 -04:00
Nicolas Iooss
fd9e5ef7b7 libsepol: use constant keys in hashtab functions
Even though "hashtab_key_t" is an alias for "char *", "const
hashtab_key_t" is not an alias for "(const char) *" but means "(char *)
const".

Introduce const_hashtab_key_t to map "(const char) *" and use it in
hashtab_search() and hashtab key comparison functions.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2017-01-19 08:46:19 -05:00
Alan Jenkins
62f058980e policycoreutils, python: Fix bad manpage formatting in "SEE ALSO"
Fix missing and surplus commas.  Fix the following formatting errors:

    .BR selinux(8)

renders the the "(8)" in bold as well as the "selinux".  This is wrong.

    .B selinux
    (8)

renders with a space between "selinux" and "(8)", this is wrong.

    .B selinux (8)

commits both of the above mistakes.

    .BR selinux (8), apparmor (8)

omits the space separating "selinux(8)," and "apparmor(8)", this is wrong.
Correct all the above using the following markup:

    .BR selinux (8),
    .BR apparmor (8)

Signed-off-by: Alan Jenkins <alan.christopher.jenkins@gmail.com>
2017-01-12 14:59:31 -05:00
Nicolas Iooss
d977330c98 policycoreutils: Remove LDFLAGS from CFLAGS
Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:

    $ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
    clang -Wl,-as-needed,-no-undefined -I/usr/include
    -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W   -c -o
    seunshare.o seunshare.c
    clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
    unused

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-09-26 11:02:40 -04:00
Nicolas Iooss
d1b49d833e policycoreutils: newrole: add missing defined in #if
When building newrole with gcc 5.3.0 and some warning flags, the
compiler reports:

  newrole.c:77:33: error: "NAMESPACE_PRIV" is not defined [-Werror=undef]
  #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
                                  ^

Indeed, "defined" is missing here.  This nevertheless worked so far
because when NAMESPACE_PRIV was selected in the Makefile, newrole.c was
compiled with "-DNAMESPACE_PRIV", which defined NAMESPACE_PRIV to 1.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2016-02-01 08:54:30 -05:00
Lukas Vrabec
dd7a9363d9 Add description of missing newrole parameter -p in newrole man page.
Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
2016-01-12 08:39:14 -05:00
Sven Vermeulen
8243069211 Open stdin as read/write
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.

See also http://marc.info/?l=selinux&m=136518126930710&w=2

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2015-10-01 15:49:00 -04:00
Stephen Smalley
92eec06ca6 policycoreutils/newrole: Set keepcaps around setresuid calls.
Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-10-01 15:47:08 -04:00
Dan Walsh
572f899267 Fix newrole to not drop capabilities from the bounding set.
Stop dropping capabilities from its children.
Add better error messages.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2015-10-01 15:44:11 -04:00
Petr Lautrbach
417cb8d076 Fix -Wformat errors
Fixes two types of errors which appear when building with gcc-5.0.0

- format ‘%d’ expects argument of type ‘int’, but argument X has type ‘unsigned int’
- format ‘%a’ expects argument of type ‘float *’, but argument X has type ‘char **’

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2015-03-13 14:14:23 -04:00
Nicolas Iooss
c4a4a1a7ed Fix gcc -Wstrict-prototypes warnings
In C, defining a function with () means "any number of parameters", not
"no parameter".  Use (void) instead where applicable and add unused
parameters when needed.

Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:38 -04:00
Nicolas Iooss
188a028f74 policycoreutils: fix most gcc -Wwrite-strings warnings
Acked-by: Steve Lawrence <slawrence@tresys.com>
2014-10-02 09:56:34 -04:00
Stephen Smalley
76913d8adb Deprecate use of flask.h and av_permissions.h.
Also remove all internal uses by libselinux.
This requires deleting the old class/perm string lookup tables
and compatibility code for kernels that predate the /sys/fs/selinux/class
tree, i.e. Linux < 2.6.23.

This also fixes a longstanding bug in the stringrep code; it was allocating
NVECTORS (number of vectors in the legacy av_perm_to_string table, i.e.
the total number of legacy permissions) entries in the per-class perms array
rather than MAXVECTORS (the maximum number of permissions in any
access vector).  Ho hum.  I already fixed this in Android but forgot it
here.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-09 13:49:18 -04:00
Stephen Smalley
f458b76076 Merge branch 'fedora' into master-merge
Conflicts:
	libselinux/src/Makefile
	libselinux/src/selinux_config.c
	policycoreutils/audit2allow/audit2allow.1
	policycoreutils/scripts/fixfiles.8
	policycoreutils/semanage/semanage.8
	policycoreutils/sepolicy/Makefile
	policycoreutils/sepolicy/sepolicy/transition.py
	policycoreutils/setsebool/setsebool.8
2013-10-24 15:24:17 -04:00
Dan Walsh
e63a8fa875 Give people who use run_init or newrole an indicator to make it not ask for passwords 2013-10-24 13:58:39 -04:00
Dan Walsh
2540b20096 Laurent Bigonville patch to fix various minor manpage issues and correct section numbering. 2013-10-24 13:58:37 -04:00
Sven Vermeulen
d4209743e9 Open stdin as read/write
As per the discussion on the selinux development mailinglist, the tmux
application expects the stdin to be writeable. Although perhaps not the most
proper way, having newrole opening the descriptor in read/write keeps the
behaviour in line with what applications expect.

See also http://marc.info/?l=selinux&m=136518126930710&w=2

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-10-16 15:24:22 -04:00
Laurent Bigonville
84e085847d policycoreutils: Fix cases where hyphen were used as minus sign in manpages
And also other minor formating issues
2013-10-16 15:12:10 -04:00
Dan Walsh
e23c73a167 policycoreutils: newrole: do not drop capabilities when newrole is run as root
If you run newrole as root and it drops capabilities, the next shell
script does not have any capabilities and can not function.

newrole -L TopSecret

Would end up with a root shell and no capabilities.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-09-12 12:16:01 -04:00
Dan Walsh
40b0cea919 policycoreutils: newrole: Use correct capng calls in newrole
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2012-03-28 14:52:13 -04:00
Eric Paris
468bff0952 tree: Makefiles: syntax, convert all ${VAR} to $(VAR)
This is purely personal preference.  Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}.  Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-02 15:37:08 -04:00
Eric Paris
e3ffa8c31f policycoreutils: newrole retain CAP_SETPCAP
We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.

While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-08-03 18:02:36 -04:00
Steve Lawrence
cba027c249 Exit newrole if capabilities can't be dropped
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-12-20 15:13:33 -05:00
Daniel J Walsh
16d1c1cbe5 Move newrole to use libcap-ng
Signed-off-by: Steve Lawrence <slawrence@tresys.com>
2010-12-20 15:13:28 -05:00
Chad Sellers
3084b9a1f9 Fix double free in newrole when it fails to exec.
Signed-off-by: Chad Sellers <csellers@tresys.com>
2009-12-30 16:59:48 -05:00
Joshua Brindle
bcd43e0bf1 Author: Daniel J Walsh
Email: dwalsh@redhat.com
Subject: newrole error message corrections.
Date: Fri, 07 Nov 2008 09:37:52 -0500

Signed-off-by: Joshua Brindle <method@manicmethod.com>
2008-11-07 16:49:04 -05:00
Joshua Brindle
13cd4c8960 initial import from svn trunk revision 2950 2008-08-19 15:30:36 -04:00