On Wednesday 25 July 2012 10:19:04, Simo Sorce wrote:
> On Wed, 2012-07-25 at 08:54 +0200, Jan Zelený wrote:
> > #161 - Rename session provider to selinux provider
> > #162 - Move SELinux provider processing right after PAM_ACCT_MGMT
> >
> > These patches are a proof of concept solving the following ticket:
> >
> > https://fedorahosted.org/sssd/ticket/1439
> >
> > I realize that there might be some rough edges to sand off but right now
> > the important thing for me is to know whether the approach implemented in
> > patch #162 and described in the comment #1 in the ticket is valid.
>
> NACK, we discussed a better approach on IRC.
>
> Simo.
Here it is. I re-numbered the patch set because there is a new patch #163 bringing a simple fix that should be applied before patch #165. I also extended the commit message. Now it explains the entire idea behind the patch.

Thanks
Jan
>From 589b49115e3eb8321f70f5adfa3cc89a6d88d6d0 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Thu, 26 Jul 2012 04:46:53 -0400 Subject: [PATCH 1/4] Always free request in data provider PAM callback In case of error the request wasn't freed and the callback just ended. --- src/providers/data_provider_be.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index 5d51f2fabfec29627d851d385ee930ed5bf2a0e5..3b9010970eaaee92e83d2a287d33b06bd517223c 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -770,13 +770,13 @@ static void be_pam_handler_callback(struct be_req *req, if (!dbret) { DEBUG(1, ("Failed to generate dbus reply\n")); dbus_message_unref(reply); - return; + goto done; } dbus_conn = sbus_get_connection(req->becli->conn); if (!dbus_conn) { DEBUG(SSSDBG_CRIT_FAILURE, ("D-BUS not connected\n")); - return; + goto done; } dbus_connection_send(dbus_conn, reply, NULL); @@ -784,6 +784,7 @@ static void be_pam_handler_callback(struct be_req *req, DEBUG(4, ("Sent result [%d][%s]\n", pd->pam_status, pd->domain)); +done: talloc_free(req); } -- 1.7.7.6
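Review bot: the "D-BUS not connected" branch in be_pam_handler_callback now jumps to `done:` without releasing `reply`, while the "Failed to generate dbus reply" branch directly above it calls `dbus_message_unref(reply)` before its `goto done;`, so the reply message leaks on the second error path. Either add `dbus_message_unref(reply);` before that second `goto done;`, or release the message once under the `done:` label and drop the per-branch unref, so that both error exits and the success exit free the request and the message exactly once.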
>From a59165ee41dc558f979d8f4f6c4d7d77de6bb779 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Tue, 24 Jul 2012 12:31:19 -0400 Subject: [PATCH 2/4] Renamed session provider to selinux provider --- Makefile.am | 4 +- src/confdb/confdb.h | 2 +- src/man/sssd.conf.5.xml | 15 +++--- src/providers/data_provider_be.c | 14 ++--- src/providers/dp_backend.h | 2 +- src/providers/ipa/ipa_autofs.c | 2 +- src/providers/ipa/ipa_init.c | 30 ++++++------ src/providers/ipa/{ipa_session.c => ipa_selinux.c} | 52 ++++++++++---------- src/providers/ipa/{ipa_session.h => ipa_selinux.h} | 10 ++-- 9 files changed, 65 insertions(+), 66 deletions(-) rename src/providers/ipa/{ipa_session.c => ipa_selinux.c} (92%) rename src/providers/ipa/{ipa_session.h => ipa_selinux.h} (85%) diff --git a/Makefile.am b/Makefile.am index 3c66b6cfe0715395aeb06039ad1bea4cb9298fab..15e34720a0f13b19b237dc709ddd080b3a6b1bed 100644 --- a/Makefile.am +++ b/Makefile.am @@ -413,7 +413,7 @@ dist_noinst_HEADERS = \ src/providers/ipa/ipa_common.h \ src/providers/ipa/ipa_config.h \ src/providers/ipa/ipa_access.h \ - src/providers/ipa/ipa_session.h \ + src/providers/ipa/ipa_selinux.h \ src/providers/ipa/ipa_hosts.h \ src/providers/ipa/ipa_selinux_common.h \ src/providers/ipa/ipa_selinux_maps.h \ @@ -1327,7 +1327,7 @@ libsss_ipa_la_SOURCES = \ src/providers/ipa/ipa_hbac_services.c \ src/providers/ipa/ipa_hbac_users.c \ src/providers/ipa/ipa_hbac_common.c \ - src/providers/ipa/ipa_session.c \ + src/providers/ipa/ipa_selinux.c \ src/providers/ipa/ipa_selinux_maps.c \ src/providers/ipa/ipa_selinux_common.c \ src/util/user_info_msg.c \ diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index d06ec7a35f7a25e56c85a99118334b11038e74be..c6611f273e6a47edde8aab2504c4fa8450209110 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h 
@@ -136,7 +136,7 @@ #define CONFDB_DOMAIN_CHPASS_PROVIDER "chpass_provider" #define CONFDB_DOMAIN_SUDO_PROVIDER "sudo_provider" #define CONFDB_DOMAIN_AUTOFS_PROVIDER "autofs_provider" -#define CONFDB_DOMAIN_SESSION_PROVIDER "session_provider" +#define CONFDB_DOMAIN_SELINUX_PROVIDER "selinux_provider" #define CONFDB_DOMAIN_HOSTID_PROVIDER "hostid_provider" #define CONFDB_DOMAIN_SUBDOMAINS_PROVIDER "subdomains_provider" #define CONFDB_DOMAIN_COMMAND "command" diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index a6e5e82b93e8cca299ca5b517f85cd7b03dd5d60..918715a2f682206f177b4f98ae826e94f63de7ad 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1328,15 +1328,16 @@ override_homedir = /home/%u </listitem> </varlistentry> <varlistentry> - <term>session_provider (string)</term> + <term>selinux_provider (string)</term> <listitem> <para> - The provider which should handle loading of session - settings. - Supported session providers are: + The provider which should handle loading of selinux + settings. Note that this provider will be called right + after access provider ends. + Supported selinux providers are: </para> <para> - <quote>ipa</quote> to load session settings + <quote>ipa</quote> to load selinux settings from an IPA server. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> @@ -1344,11 +1345,11 @@ override_homedir = /home/%u </citerefentry> for more information on configuring IPA. </para> <para> - <quote>none</quote> disallows fetching session settings explicitly. + <quote>none</quote> disallows fetching selinux settings explicitly. </para> <para> Default: <quote>id_provider</quote> is used if it - is set and can handle session loading requests. + is set and can handle selinux loading requests. </para> </listitem> </varlistentry> diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index 3b9010970eaaee92e83d2a287d33b06bd517223c..114fde52940687d5bbe34bf60529cb6dfee3a428 100644 
--- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -113,7 +113,7 @@ static struct bet_data bet_data[] = { {BET_CHPASS, CONFDB_DOMAIN_CHPASS_PROVIDER, "sssm_%s_chpass_init"}, {BET_SUDO, CONFDB_DOMAIN_SUDO_PROVIDER, "sssm_%s_sudo_init"}, {BET_AUTOFS, CONFDB_DOMAIN_AUTOFS_PROVIDER, "sssm_%s_autofs_init"}, - {BET_SESSION, CONFDB_DOMAIN_SESSION_PROVIDER, "sssm_%s_session_init"}, + {BET_SELINUX, CONFDB_DOMAIN_SELINUX_PROVIDER, "sssm_%s_selinux_init"}, {BET_HOSTID, CONFDB_DOMAIN_HOSTID_PROVIDER, "sssm_%s_hostid_init"}, {BET_SUBDOMAINS, CONFDB_DOMAIN_SUBDOMAINS_PROVIDER, "sssm_%s_subdomains_init"}, {BET_MAX, NULL, NULL} @@ -858,8 +858,6 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn) target = BET_CHPASS; break; case SSS_PAM_OPEN_SESSION: - target = BET_SESSION; - break; case SSS_PAM_SETCRED: case SSS_PAM_CLOSE_SESSION: pd->pam_status = PAM_SUCCESS; @@ -2170,19 +2168,19 @@ int be_process_init(TALLOC_CTX *mem_ctx, "from provider [%s].\n", ctx->bet_info[BET_AUTOFS].mod_name)); } - ret = load_backend_module(ctx, BET_SESSION, - &ctx->bet_info[BET_SESSION], + ret = load_backend_module(ctx, BET_SELINUX, + &ctx->bet_info[BET_SELINUX], ctx->bet_info[BET_ID].mod_name); if (ret != EOK) { if (ret != ENOENT) { DEBUG(SSSDBG_FATAL_FAILURE, ("fatal error initializing data providers\n")); return ret; } - DEBUG(SSSDBG_CRIT_FAILURE, ("No Session module provided for [%s] !!\n", + DEBUG(SSSDBG_CRIT_FAILURE, ("No selinux module provided for [%s] !!\n", be_domain)); } else { - DEBUG(SSSDBG_TRACE_ALL, ("Session backend target successfully loaded " - "from provider [%s].\n", ctx->bet_info[BET_SESSION].mod_name)); + DEBUG(SSSDBG_TRACE_ALL, ("selinux backend target successfully loaded " + "from provider [%s].\n", ctx->bet_info[BET_SELINUX].mod_name)); } ret = load_backend_module(ctx, BET_HOSTID, 
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h index 6e5c6e1a6923f97912c128759871502e4f68e1bf..4c703326fb54d472aa5b7c234e6a64276a84ea90 100644 --- a/src/providers/dp_backend.h +++ b/src/providers/dp_backend.h @@ -51,7 +51,7 @@ enum bet_type { BET_CHPASS, BET_SUDO, BET_AUTOFS, - BET_SESSION, + BET_SELINUX, BET_HOSTID, BET_SUBDOMAINS, BET_MAX diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c index a050f07078741e22a11ebc3473286bfe5899e2f6..de343212fcc9ee17174368a3463b51ebe86ace9e 100644 --- a/src/providers/ipa/ipa_autofs.c +++ b/src/providers/ipa/ipa_autofs.c @@ -29,7 +29,7 @@ #include "providers/ipa/ipa_auth.h" #include "providers/ipa/ipa_access.h" #include "providers/ipa/ipa_dyndns.h" -#include "providers/ipa/ipa_session.h" +#include "providers/ipa/ipa_selinux.h" struct bet_ops ipa_autofs_ops = { .handler = sdap_autofs_handler, diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c index 4fb662c26b90fd5526d1ef5344acc8bf912cda95..670e00fa89d47a4fd0060bdc9e17edca6c717c51 100644 --- a/src/providers/ipa/ipa_init.c +++ b/src/providers/ipa/ipa_init.c @@ -36,7 +36,7 @@ #include "providers/ipa/ipa_access.h" #include "providers/ipa/ipa_hostid.h" #include "providers/ipa/ipa_dyndns.h" -#include "providers/ipa/ipa_session.h" +#include "providers/ipa/ipa_selinux.h" #include "providers/ldap/sdap_access.h" #include "providers/ipa/ipa_subdomains.h" @@ -64,8 +64,8 @@ struct bet_ops ipa_access_ops = { .finalize = NULL }; -struct bet_ops ipa_session_ops = { - .handler = ipa_session_handler, +struct bet_ops ipa_selinux_ops = { + .handler = ipa_selinux_handler, .finalize = NULL }; 
@@ -386,38 +386,38 @@ done: return ret; } -int sssm_ipa_session_init(struct be_ctx *bectx, +int sssm_ipa_selinux_init(struct be_ctx *bectx, struct bet_ops **ops, void **pvt_data) { int ret; - struct ipa_session_ctx *session_ctx; + struct ipa_selinux_ctx *selinux_ctx; struct ipa_options *opts; - session_ctx = talloc_zero(bectx, struct ipa_session_ctx); - if (session_ctx == NULL) { + selinux_ctx = talloc_zero(bectx, struct ipa_selinux_ctx); + if (selinux_ctx == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, ("talloc_zero failed.\n")); return ENOMEM; } - ret = sssm_ipa_id_init(bectx, ops, (void **) &session_ctx->id_ctx); + ret = sssm_ipa_id_init(bectx, ops, (void **) &selinux_ctx->id_ctx); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("sssm_ipa_id_init failed.\n")); goto done; } - opts = session_ctx->id_ctx->ipa_options; + opts = selinux_ctx->id_ctx->ipa_options; - session_ctx->hbac_search_bases = opts->hbac_search_bases; - session_ctx->host_search_bases = opts->host_search_bases; - session_ctx->selinux_search_bases = opts->selinux_search_bases; + selinux_ctx->hbac_search_bases = opts->hbac_search_bases; + selinux_ctx->host_search_bases = opts->host_search_bases; + selinux_ctx->selinux_search_bases = opts->selinux_search_bases; - *ops = &ipa_session_ops; - *pvt_data = session_ctx; + *ops = &ipa_selinux_ops; + *pvt_data = selinux_ctx; done: if (ret != EOK) { - talloc_free(session_ctx); + talloc_free(selinux_ctx); } return ret; } diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_selinux.c similarity index 92% rename from src/providers/ipa/ipa_session.c rename to src/providers/ipa/ipa_selinux.c index 9032a8d1c29a4cc403c5022e878e08c448c00e10..03b7eb459a9838f331d515fd99394001565e1c1b 100644 --- a/src/providers/ipa/ipa_session.c +++ b/src/providers/ipa/ipa_selinux.c @@ -1,7 +1,7 @@ /* SSSD - IPA Backend Module -- session loading + IPA Backend Module -- selinux loading Authors: Jan Zeleny <jzel...@redhat.com> 
@@ -29,7 +29,7 @@ #include "providers/ldap/sdap_async.h" #include "providers/ipa/ipa_common.h" #include "providers/ipa/ipa_config.h" -#include "providers/ipa/ipa_session.h" +#include "providers/ipa/ipa_selinux.h" #include "providers/ipa/ipa_hosts.h" #include "providers/ipa/ipa_hbac_rules.h" #include "providers/ipa/ipa_hbac_private.h" @@ -39,7 +39,7 @@ struct ipa_get_selinux_state { struct be_req *be_req; struct pam_data *pd; - struct ipa_session_ctx *session_ctx; + struct ipa_selinux_ctx *selinux_ctx; struct sdap_id_op *op; const char *hostname; @@ -57,8 +57,8 @@ struct ipa_get_selinux_state { static struct tevent_req *ipa_get_selinux_send(struct be_req *breq, struct pam_data *pd, - struct ipa_session_ctx *session_ctx); -static void ipa_session_handler_done(struct tevent_req *subreq); + struct ipa_selinux_ctx *selinux_ctx); +static void ipa_selinux_handler_done(struct tevent_req *subreq); static errno_t ipa_get_selinux_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, size_t *count, 
@@ -73,25 +73,25 @@ static void ipa_get_selinux_config_done(struct tevent_req *subreq); static void ipa_get_selinux_maps_done(struct tevent_req *subreq); static void ipa_get_selinux_hbac_done(struct tevent_req *subreq); -void ipa_session_handler(struct be_req *be_req) +void ipa_selinux_handler(struct be_req *be_req) { - struct ipa_session_ctx *session_ctx; + struct ipa_selinux_ctx *selinux_ctx; struct tevent_req *req; struct pam_data *pd; pd = talloc_get_type(be_req->req_data, struct pam_data); - session_ctx = talloc_get_type( - be_req->be_ctx->bet_info[BET_SESSION].pvt_bet_data, - struct ipa_session_ctx); + selinux_ctx = talloc_get_type( + be_req->be_ctx->bet_info[BET_SELINUX].pvt_bet_data, + struct ipa_selinux_ctx); - req = ipa_get_selinux_send(be_req, pd, session_ctx); + req = ipa_get_selinux_send(be_req, pd, selinux_ctx); if (req == NULL) { goto fail; } - tevent_req_set_callback(req, ipa_session_handler_done, be_req); + tevent_req_set_callback(req, ipa_selinux_handler_done, be_req); return; @@ -99,7 +99,7 @@ fail: be_req->fn(be_req, DP_ERR_FATAL, PAM_SYSTEM_ERR, NULL); } -static void ipa_session_handler_done(struct tevent_req *req) +static void ipa_selinux_handler_done(struct tevent_req *req) { struct be_req *breq = tevent_req_callback_data(req, struct be_req); struct sysdb_ctx *sysdb = breq->be_ctx->sysdb; @@ -172,7 +172,7 @@ fail: static struct tevent_req *ipa_get_selinux_send(struct be_req *breq, struct pam_data *pd, - struct ipa_session_ctx *session_ctx) + struct ipa_selinux_ctx *selinux_ctx) { struct tevent_req *req; struct tevent_req *subreq; 
@@ -189,14 +189,14 @@ static struct tevent_req *ipa_get_selinux_send(struct be_req *breq, state->be_req = breq; state->pd = pd; - state->session_ctx = session_ctx; + state->selinux_ctx = selinux_ctx; offline = be_is_offline(bctx); DEBUG(SSSDBG_TRACE_INTERNAL, ("Connection status is [%s].\n", offline ? "offline" : "online")); if (!offline) { - state->op = sdap_id_op_create(state, session_ctx->id_ctx->sdap_id_ctx->conn_cache); + state->op = sdap_id_op_create(state, selinux_ctx->id_ctx->sdap_id_ctx->conn_cache); if (!state->op) { DEBUG(SSSDBG_OP_FAILURE, ("sdap_id_op_create failed\n")); ret = ENOMEM; @@ -237,7 +237,7 @@ static void ipa_get_selinux_connect_done(struct tevent_req *subreq) struct ipa_get_selinux_state); int dp_error = DP_ERR_FATAL; int ret; - struct ipa_id_ctx *id_ctx = state->session_ctx->id_ctx; + struct ipa_id_ctx *id_ctx = state->selinux_ctx->id_ctx; struct be_ctx *bctx = state->be_req->be_ctx; ret = sdap_id_op_connect_recv(subreq, &dp_error); @@ -252,7 +252,7 @@ static void ipa_get_selinux_connect_done(struct tevent_req *subreq) goto fail; } - state->hostname = dp_opt_get_string(state->session_ctx->id_ctx->ipa_options->basic, + state->hostname = dp_opt_get_string(state->selinux_ctx->id_ctx->ipa_options->basic, IPA_HOSTNAME); /* FIXME: detect if HBAC is configured @@ -265,7 +265,7 @@ static void ipa_get_selinux_connect_done(struct tevent_req *subreq) state->hostname, id_ctx->ipa_options->host_map, NULL, - state->session_ctx->host_search_bases); + state->selinux_ctx->host_search_bases); if (subreq == NULL) { ret = ENOMEM; goto fail; 
@@ -320,9 +320,9 @@ static void ipa_get_config_step(struct tevent_req *req) struct ipa_get_selinux_state *state = tevent_req_data(req, struct ipa_get_selinux_state); struct be_ctx *bctx = state->be_req->be_ctx; - struct ipa_id_ctx *id_ctx = state->session_ctx->id_ctx; + struct ipa_id_ctx *id_ctx = state->selinux_ctx->id_ctx; - domain = dp_opt_get_string(state->session_ctx->id_ctx->ipa_options->basic, + domain = dp_opt_get_string(state->selinux_ctx->id_ctx->ipa_options->basic, IPA_KRB5_REALM); subreq = ipa_get_config_send(state, bctx->ev, sdap_id_op_handle(state->op), @@ -341,7 +341,7 @@ static void ipa_get_selinux_config_done(struct tevent_req *subreq) struct ipa_get_selinux_state *state = tevent_req_data(req, struct ipa_get_selinux_state); struct be_ctx *bctx = state->be_req->be_ctx; - struct sdap_id_ctx *id_ctx = state->session_ctx->id_ctx->sdap_id_ctx; + struct sdap_id_ctx *id_ctx = state->selinux_ctx->id_ctx->sdap_id_ctx; errno_t ret; ret = ipa_get_config_recv(subreq, state, &state->defaults); @@ -354,8 +354,8 @@ static void ipa_get_selinux_config_done(struct tevent_req *subreq) subreq = ipa_selinux_get_maps_send(state, bctx->ev, bctx->sysdb, sdap_id_op_handle(state->op), id_ctx->opts, - state->session_ctx->id_ctx->ipa_options, - state->session_ctx->selinux_search_bases); + state->selinux_ctx->id_ctx->ipa_options, + state->selinux_ctx->selinux_search_bases); if (!subreq) { ret = ENOMEM; goto done; @@ -387,7 +387,7 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq) req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct ipa_get_selinux_state); bctx = state->be_req->be_ctx; - id_ctx = state->session_ctx->id_ctx; + id_ctx = state->selinux_ctx->id_ctx; ret = ipa_selinux_get_maps_recv(subreq, state, &state->nmaps, &state->selinuxmaps); 
@@ -445,7 +445,7 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq) subreq = ipa_hbac_rule_info_send(state, false, bctx->ev, sdap_id_op_handle(state->op), id_ctx->sdap_id_ctx->opts, - state->session_ctx->hbac_search_bases, + state->selinux_ctx->hbac_search_bases, state->host); if (subreq == NULL) { ret = ENOMEM; diff --git a/src/providers/ipa/ipa_session.h b/src/providers/ipa/ipa_selinux.h similarity index 85% rename from src/providers/ipa/ipa_session.h rename to src/providers/ipa/ipa_selinux.h index e185799f763e8d60b3c209060ca14d757b40f468..60c221109c25a8b1395e570f6e41b8a8ddfafcc2 100644 --- a/src/providers/ipa/ipa_session.h +++ b/src/providers/ipa/ipa_selinux.h @@ -1,7 +1,7 @@ /* SSSD - IPA Backend Module -- session loading + IPA Backend Module -- selinux loading Authors: Jan Zeleny <jzel...@redhat.com> @@ -22,12 +22,12 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#ifndef _IPA_SESSION_H_ -#define _IPA_SESSION_H_ +#ifndef _IPA_SELINUX_H_ +#define _IPA_SELINUX_H_ #include "providers/ldap/ldap_common.h" -struct ipa_session_ctx { +struct ipa_selinux_ctx { struct ipa_id_ctx *id_ctx; struct sdap_search_base **selinux_search_bases; @@ -35,6 +35,6 @@ struct ipa_session_ctx { struct sdap_search_base **hbac_search_bases; }; -void ipa_session_handler(struct be_req *be_req); +void ipa_selinux_handler(struct be_req *be_req); #endif -- 1.7.7.6
>From 8e392ddd3fdf59ef47c22c48b5ec051c23c8b28e Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Tue, 24 Jul 2012 15:36:10 -0400 Subject: [PATCH 3/4] Move SELinux processing from session to account PAM stack The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder. --- src/providers/data_provider_be.c | 25 ++++++++ src/providers/dp_backend.h | 8 +++ src/responder/pam/pamsrv_cmd.c | 3 +- src/sss_client/pam_sss.c | 124 +++++++++++++++++++------------------- 4 files changed, 97 insertions(+), 63 deletions(-) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index 114fde52940687d5bbe34bf60529cb6dfee3a428..9571d095659ee4c4c75d9023de85906c4e5f4dde 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -753,10 +753,12 @@ static void be_pam_handler_callback(struct be_req *req, int errnum, const char *errstr) { + struct be_client *becli = req->becli; struct pam_data *pd; DBusMessage *reply; DBusConnection *dbus_conn; dbus_bool_t dbret; + errno_t ret; DEBUG(4, ("Backend returned: (%d, %d, %s) [%s]\n", dp_err_type, errnum, errstr?errstr:"<NULL>", 
@@ -764,6 +766,28 @@ static void be_pam_handler_callback(struct be_req *req, pd = talloc_get_type(req->req_data, struct pam_data); + if (pd->cmd == SSS_PAM_ACCT_MGMT && + req->phase == REQ_PHASE_ACCESS && + dp_err_type == DP_ERR_OK) { + if (!becli->bectx->bet_info[BET_SELINUX].bet_ops) { + DEBUG(SSSDBG_TRACE_FUNC, + ("SELinux provider doesn't exist, " + "not sending the request to it.\n")); + } else { + req->phase = REQ_PHASE_SELINUX; + + /* Now is the time to call SELinux provider */ + ret = be_file_request(becli->bectx->bet_info[BET_SELINUX].pvt_bet_data, + req, + becli->bectx->bet_info[BET_SELINUX].bet_ops->handler); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("be_file_request failed.\n")); + goto done; + } + return; + } + } + DEBUG(4, ("Sending result [%d][%s]\n", pd->pam_status, pd->domain)); reply = (DBusMessage *)req->pvt; dbret = dp_pack_pam_response(reply, pd); @@ -852,6 +876,7 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn) break; case SSS_PAM_ACCT_MGMT: target = BET_ACCESS; + be_req->phase = REQ_PHASE_ACCESS; break; case SSS_PAM_CHAUTHTOK: case SSS_PAM_CHAUTHTOK_PRELIM: diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h index 4c703326fb54d472aa5b7c234e6a64276a84ea90..53a382ac42606503e8d5ff594f13f2ec732b41d5 100644 --- a/src/providers/dp_backend.h +++ b/src/providers/dp_backend.h @@ -132,6 +132,8 @@ struct bet_ops { }; #define MAX_BE_REQ_RESTARTS 2 +#define REQ_PHASE_ACCESS 0 +#define REQ_PHASE_SELINUX 1 struct be_req { struct be_client *becli; @@ -143,6 +145,12 @@ struct be_req { int restarts; + /* This is utilized in access provider + * request handling to indicate if access or + * selinux provider is calling the callback. + */ + int phase; + struct sss_domain_info *domain; struct sysdb_ctx *sysdb; }; diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 006edcd36988ebae808613031bc7bd51c76be960..9c4c77060b1289352f58113ab221a6ae3acfb3e1 100644 
--- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -582,6 +582,7 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te, pam_reply(preq); } +static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd); static void pam_cache_auth_done(struct pam_auth_req *preq, int ret, time_t expire_date, time_t delayed_until); @@ -700,7 +701,7 @@ static void pam_reply(struct pam_auth_req *preq) return; } - if (pd->cmd == SSS_PAM_OPEN_SESSION && + if (pd->cmd == SSS_PAM_ACCT_MGMT && pd->pam_status == PAM_SUCCESS) { /* Try to fetch data from sysdb * (auth already passed -> we should have them) */ diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 50c5048bf0da674a1b8cae76f23ddf180ad00da3..3fecfabe24c9e119c0989602562d73e5938f2d3e 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c 
@@ -1180,71 +1180,71 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, pi->pam_user, pam_status, pam_strerror(pamh,pam_status)); } + } else { + if (pi->selinux_user == NULL) { + pam_status = PAM_SUCCESS; + break; + } + +#ifdef HAVE_SELINUX + if (asprintf(&path, "%s/logins/%s", selinux_policy_root(), + pi->pam_user) < 0 || + asprintf(&tmp_path, "%sXXXXXX", path) < 0) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + oldmask = umask(022); + fd = mkstemp(tmp_path); + umask(oldmask); + if (fd < 0) { + logger(pamh, LOG_ERR, "creating the temp file for SELinux " + "data failed. %s", tmp_path); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + /* First write filter for all services */ + services = strdup(ALL_SERVICES); + if (services == NULL) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + errno = 0; + written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN); + if (written == -1) { + ret = errno; + logger(pamh, LOG_ERR, "writing to SELinux data file %s" + "failed [%d]: %s", tmp_path, ret, strerror(ret)); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + len = strlen(pi->selinux_user); + + errno = 0; + written = sss_atomic_write_s(fd, pi->selinux_user, len); + if (written == -1) { + ret = errno; + logger(pamh, LOG_ERR, "writing to SELinux data file %s" + "failed [%d]: %s", tmp_path, ret, strerror(ret)); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + if (written != len) { + logger(pamh, LOG_ERR, "Expected to write %d bytes, wrote %d", + written, len); + goto done; + } + + close(fd); + + rename(tmp_path, path); +#endif /* HAVE_SELINUX */ } break; case SSS_PAM_OPEN_SESSION: - if (pi->selinux_user == NULL) { - pam_status = PAM_SUCCESS; - break; - } - -#ifdef HAVE_SELINUX - if (asprintf(&path, "%s/logins/%s", selinux_policy_root(), - pi->pam_user) < 0 || - asprintf(&tmp_path, "%sXXXXXX", path) < 0) { - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - oldmask = umask(022); - fd = mkstemp(tmp_path); - umask(oldmask); - if (fd < 
0) { - logger(pamh, LOG_ERR, "creating the temp file for SELinux " - "data failed. %s", tmp_path); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - /* First write filter for all services */ - services = strdup(ALL_SERVICES); - if (services == NULL) { - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - errno = 0; - written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN); - if (written == -1) { - ret = errno; - logger(pamh, LOG_ERR, "writing to SELinux data file %s" - "failed [%d]: %s", tmp_path, ret, strerror(ret)); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - len = strlen(pi->selinux_user); - - errno = 0; - written = sss_atomic_write_s(fd, pi->selinux_user, len); - if (written == -1) { - ret = errno; - logger(pamh, LOG_ERR, "writing to SELinux data file %s" - "failed [%d]: %s", tmp_path, ret, strerror(ret)); - pam_status = PAM_SYSTEM_ERR; - goto done; - } - - if (written != len) { - logger(pamh, LOG_ERR, "Expected to write %d bytes, wrote %d", - written, len); - goto done; - } - - close(fd); - - rename(tmp_path, path); -#endif /* HAVE_SELINUX */ - break; case SSS_PAM_SETCRED: case SSS_PAM_CLOSE_SESSION: break; -- 1.7.7.6
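Review bot: in the be_pam_handler_callback hunk of data_provider_be.c, the `if (ret != EOK) { ... goto done; }` after be_file_request frees the request without ever sending the reply stored in `req->pvt`, so the PAM responder never gets an answer for that SSS_PAM_ACCT_MGMT request (and the DBusMessage leaks with it). A failed hand-off to the SELinux provider should still produce a reply: set an error status (for example `pd->pam_status = PAM_SYSTEM_ERR;`) and fall through to the `dp_pack_pam_response` / `dbus_connection_send` path instead of jumping to `done:`. It is also worth stating in the commit message what happens when the access provider returns a non-OK `dp_err_type`: with the `dp_err_type == DP_ERR_OK` guard the SELinux provider is simply skipped and the access result is returned, which is the intended behaviour but is not obvious from the code.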
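Review bot: the dp_backend.h hunk adds `REQ_PHASE_ACCESS` / `REQ_PHASE_SELINUX` as bare integer defines and stores them in `int phase`; an enum would be self-documenting and type-checked, and the comment "to indicate if access or selinux provider is calling the callback" would fit it better. Note that `be_req->phase` is only assigned in the `case SSS_PAM_ACCT_MGMT:` arm of be_pam_handler, so for every other command its value depends on the allocation being zeroed; the callback is safe today only because it also tests `pd->cmd == SSS_PAM_ACCT_MGMT`, which deserves either an explicit initialisation where `be_req` is allocated or a comment saying so.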
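Review bot: the pamsrv_cmd.c hunk adds a forward declaration `static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);` but nothing in the patch calls it, and the diffstat for that file (3 +-) shows only this line and the `SSS_PAM_OPEN_SESSION` to `SSS_PAM_ACCT_MGMT` change; it looks like a leftover from the earlier approach and should be dropped. The `pam_reply` change itself is the one that makes the responder fetch the SELinux data from sysdb on a successful account request, which is the core of this patch and would be worth a one-line mention in the commit message.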
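Review bot: the pam_sss.c hunk moves the SELinux login-file writer from SSS_PAM_OPEN_SESSION into the success branch of SSS_PAM_ACCT_MGMT without fixing several defects that the moved lines carry, and since the whole block is being re-added this is the moment to address them: the `if (written != len)` path does `goto done` without setting `pam_status`, so a short write is reported with whatever status the reply carried; its logger arguments are swapped relative to the format ("Expected to write %d bytes, wrote %d", should be `len, written`); the two `"writing to SELinux data file %s" "failed ..."` literals lack a space between `%s` and `failed`; every error exit after `mkstemp` leaves `fd` open and the temporary file behind (a `close(fd)` and `unlink(tmp_path)` on the failure path would fix both); and the `rename(tmp_path, path)` return value is unchecked, so a failed rename still returns success to PAM while pam_selinux later reads a stale or missing file. It would also help to state in the commit message that this file is now written during account management on every successful ACCT_MGMT call, not only at session open.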
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel