Forwarding this for comment on the redhat-lspp list.
-------- Original Message --------
Subject: pam_namespace patch
Date: Wed, 24 Jan 2007 08:45:27 -0600
From: Xavier Toth <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Dan,
I'm not sure who to send this to because I haven't submitted a patch
before but you seemed to be a good candidate. The CAPCO security
labeling standard allows for characters that are both illegal (for
instance '/') and unsightly in filenames. This patch processes the
context to generate a more viable filename. It does so by replacing
unwanted characters with '_'. I put together a list of characters to be
replaced but feel free to alter it. I created the patch against
Rawhide but hopefully it will work its way into RHEL5.
Ted
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-23 17:37:38.000000000 -0600
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.polydir-name 2007-01-23 17:39:08.000000000 -0600
@@ -530,6 +530,21 @@
#endif
/*
+ valid_filename_from_context replaces character in the context that are not
+ valid in a filename with '_'. This can occur with CAPCO standard security
+ labels which can contain '/' characters.
+ */
+#ifdef WITH_SELINUX
+static void valid_filename_from_context(security_context_t *i_context, char *o_filename) {
+ char *ptr = NULL;
+ strcpy(o_filename, (char *)*i_context);
+ while ((ptr = strpbrk(o_filename, " \\'/?\"<>|*\t")) != NULL) {
+ *ptr = '_';
+ }
+}
+#endif
+
+/*
* poly_name returns the name of the polyinstantiated instance directory
* based on the method used for polyinstantiation (user, context or both)
* In addition, the function also returns the security contexts of the
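Review bot: the replacement loop in valid_filename_from_context is many-to-one, so two different contexts can yield the same instance directory name: a label with '/' at some position and a label with '_', a space or any other listed character at that position come out identical. Since poly_name uses this string to name the polyinstantiated directory for the level and context methods, distinct labels should not be able to collide. Consider a reversible escaping scheme (encode each replaced byte as an escape sequence and escape the escape character itself) instead of collapsing everything to '_'. Separately, `strcpy(o_filename, (char *)*i_context);` relies on the caller having sized o_filename correctly; either take a buffer length argument or have the helper allocate and return the string, and document the contract in the comment above the function.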
@@ -548,6 +563,7 @@
int rc;
# ifdef WITH_SELINUX
+ char *filename = NULL;
rc = form_context(polyptr, i_context, origcon, idata);
#endif
rc = PAM_SUCCESS;
@@ -567,10 +583,13 @@
#ifdef WITH_SELINUX
case LEVEL:
case CONTEXT:
- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
+ filename = (char *)malloc(strlen((char *)*i_context) + 1);
+ valid_filename_from_context(i_context, filename);
+ if (asprintf(i_name, "%s_%s", filename, idata->user) < 0) {
*i_name = NULL;
rc = PAM_SESSION_ERR;
}
+ free(filename);
break;
#endif /* WITH_SELINUX */
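Review bot: the malloc result in the LEVEL/CONTEXT case is never checked before it is handed to valid_filename_from_context, which does a strcpy into it, so an allocation failure turns into a write through a NULL pointer instead of a clean PAM_SESSION_ERR. After `filename = (char *)malloc(strlen((char *)*i_context) + 1);` test for NULL, set `*i_name = NULL` and `rc = PAM_SESSION_ERR`, and break before calling the helper. The free(filename) after the asprintf check is reached on both the success and failure paths, which is correct.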