- test for setkeycreatecon correctly

- add exclusive login mode of operation to pam_selinux_permit (original patch by Dan Walsh)
2008-01-28 17:59:35 +00:00 · 2008-01-28 17:59:35 +00:00 · b6b1e29706
commit b6b1e29706
parent de90b38383
3 changed files with 360 additions and 1 deletions
--- a/pam-0.99.8.1-sepermit-kill-user.patch
+++ b/pam-0.99.8.1-sepermit-kill-user.patch
@ -0,0 +1,318 @@
+diff -up Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c.kill-user Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c
+--- Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c.kill-user	2008-01-28 18:34:18.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c	2008-01-28 18:34:18.000000000 +0100
+@@ -1,7 +1,7 @@
+ /******************************************************************************
+  * A module for Linux-PAM that allows/denies acces based on SELinux state.
+  *
+- * Copyright (c) 2007 Red Hat, Inc.
+ * Copyright (c) 2007, 2008 Red Hat, Inc.
+  * Written by Tomas Mraz <tmraz@redhat.com>
+  *
+  * Redistribution and use in source and binary forms, with or without
+@@ -46,6 +46,14 @@
+ #include <string.h>
+ #include <syslog.h>
+ #include <ctype.h>
+#include <signal.h>
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <dirent.h>
+ 
+ #define PAM_SM_AUTH
+ #define PAM_SM_ACCOUNT
+@@ -57,6 +65,165 @@
+ 
+ #include <selinux/selinux.h>
+ 
+#define MODULE "pam_selinux_permit"
+#define OPT_DELIM ":"
+
+struct lockfd {
+	uid_t uid;
+	int fd;
+        int debug;
+};
+
+#define PROC_BASE "/proc"
+#define MAX_NAMES (int)(sizeof(unsigned long)*8)
+
+static int
+match_process_uid(pid_t pid, uid_t uid)
+{
+	char buf[128];
+	uid_t puid;
+	FILE *f;
+	int re = 0;
+	
+	snprintf (buf, sizeof buf, PROC_BASE "/%d/status", pid);
+	if (!(f = fopen (buf, "r")))
+		return 0;
+	
+	while (fgets(buf, sizeof buf, f)) {
+		if (sscanf (buf, "Uid:\t%d", &puid)) {
+			re = uid == puid;
+			break;
+		}
+	}
+	fclose(f);
+	return re;
+}
+
+static int
+check_running (pam_handle_t *pamh, uid_t uid, int killall, int debug)
+{
+	DIR *dir;
+	struct dirent *de;
+	pid_t *pid_table, pid, self;
+	int i;
+	int pids, max_pids;
+	int running = 0;
+	self = getpid();
+	if (!(dir = opendir(PROC_BASE))) {
+		pam_syslog(pamh, LOG_ERR, "Failed to open proc directory file %s:", PROC_BASE);
+		return -1;
+	}
+	max_pids = 256;
+	pid_table = malloc(max_pids * sizeof (pid_t));
+	if (!pid_table) {
+		pam_syslog(pamh, LOG_CRIT, "Memory allocation error");
+		return -1;
+	}
+	pids = 0;
+	while ((de = readdir (dir)) != NULL) {
+		if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
+			continue;
+
+		if (pids == max_pids) {
+			if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
+				pam_syslog(pamh, LOG_CRIT, "Memory allocation error");
+				return -1;
+			}
+			max_pids *= 2;
+		}
+		pid_table[pids++] = pid;
+	}
+
+	(void)closedir(dir);
+
+	for (i = 0; i < pids; i++) {
+		pid_t id;
+
+		if (match_process_uid(pid_table[i], uid) == 0)
+			continue;
+		id = pid_table[i];
+
+		if (killall) {
+			if (debug)
+				pam_syslog(pamh, LOG_NOTICE, "Attempting to kill %d", id);
+			kill(id, SIGKILL);
+		}
+		running++;
+	}
+
+	free(pid_table);
+	return running;
+}
+
+static void
+sepermit_unlock(pam_handle_t *pamh, void *plockfd, int error_status UNUSED)
+{
+	struct lockfd *lockfd = plockfd;
+	struct flock fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.l_type = F_UNLCK;
+	fl.l_whence = SEEK_SET;
+
+	if (lockfd->debug)
+		pam_syslog(pamh, LOG_ERR, "Unlocking fd: %d uid: %d", lockfd->fd, lockfd->uid);
+
+	/* Don't kill uid==0 */
+	if (lockfd->uid)
+		/* This is a DOS but it prevents an app from forking to prevent killing */
+		while(check_running(pamh, lockfd->uid, 1, lockfd->debug) > 0)
+			continue;
+
+	fcntl(lockfd->fd, F_SETLK, &fl);
+	close(lockfd->fd);
+	free(lockfd);
+}
+
+static int
+sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
+{
+	char buf[PATH_MAX];
+	struct flock fl;
+
+	memset(&fl, 0, sizeof(fl));
+	fl.l_type = F_WRLCK;
+	fl.l_whence = SEEK_SET;
+
+	struct passwd *pw = pam_modutil_getpwnam( pamh, user );
+	if (!pw) {
+		pam_syslog(pamh, LOG_ERR, "Unable to find uid for user %s", user);
+		return -1;
+	}
+	if (check_running(pamh, pw->pw_uid, 0, debug) > 0)  {
+		pam_syslog(pamh, LOG_ERR, "User %s processes are running. Exclusive login not allowed", user);
+		return -1;
+	}
+
+	snprintf(buf, sizeof(buf), "%s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid);
+	int fd = open(buf, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
+	if (fd < 0) {
+		pam_syslog(pamh, LOG_ERR, "Unable to open lock file %s/%d.lock", SEPERMIT_LOCKDIR, pw->pw_uid);
+		return -1;
+	}
+
+	if (fcntl(fd, F_SETLK, &fl) == -1) {
+		pam_syslog(pamh, LOG_ERR, "User %s with exclusive login already logged in", user);
+		close(fd);
+		return -1;
+	}
+	struct lockfd *lockfd=calloc(1, sizeof(struct lockfd));
+	if (!lockfd) {
+		close(fd);
+		pam_syslog(pamh, LOG_CRIT, "Memory allocation error");
+		return -1;
+	}
+	lockfd->uid = pw->pw_uid;
+	lockfd->debug = debug;
+	lockfd->fd=fd;
+        pam_set_data(pamh, "pam_selinux_permit", lockfd, sepermit_unlock);
+	return 0;
+}
+
+ /* return 0 when matched, -1 when unmatched, pam error otherwise */
+ static int
+ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
+@@ -67,6 +234,7 @@ sepermit_match(pam_handle_t *pamh, const
+ 	char *start;
+ 	size_t len = 0;
+ 	int matched = 0;
+	int exclusive = 0;
+ 	
+ 	f = fopen(cfgfile, "r");
+ 	
+@@ -77,6 +245,8 @@ sepermit_match(pam_handle_t *pamh, const
+ 
+ 	while (!matched && getline(&line, &len, f) != -1) {
+ 		size_t n;
+		char *sptr;
+		char *opt;
+ 
+ 		if (line[0] == '#')
+ 			continue;
+@@ -92,6 +262,7 @@ sepermit_match(pam_handle_t *pamh, const
+ 			continue;
+ 
+ 		start[n] = '\0';
+		start = strtok_r(start, OPT_DELIM, &sptr);
+ 
+ 		switch (start[0]) {
+ 			case '@': 
+@@ -117,11 +288,22 @@ sepermit_match(pam_handle_t *pamh, const
+ 					matched = 1;
+ 				}
+ 		}
+		if (matched)
+			while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
+				if (strcmp(opt, "exclusive") == 0)
+					exclusive = 1;
+				else if (debug) {
+					pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
+				}
+			}
+ 	}
+ 
+ 	free(line);
+ 	fclose(f);
+-	return matched ? 0 : -1;
+	if (matched) 
+		return exclusive ? sepermit_lock(pamh, user, debug) : 0;
+	else
+		return -1;
+ }
+ 
+ PAM_EXTERN int
+diff -up Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml.kill-user Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml
+--- Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml.kill-user	2008-01-28 18:34:18.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml	2008-01-28 18:34:18.000000000 +0100
+@@ -30,8 +30,8 @@
+   <refsect1 id="pam_selinux_permit-description">
+     <title>DESCRIPTION</title>
+     <para>
+-      The pam_selinux module allows or denies login depending on SELinux enforcement
+-      state.
+      The pam_selinux_permit module allows or denies login depending on SELinux
+      enforcement state.
+     </para>
+     <para>
+       When the user which is logging in matches an entry in the config file
+@@ -41,14 +41,21 @@
+     </para>
+     <para>
+       The config file contains a simple list of user names one per line. If the
+-      <replaceable>name</replaceable> is prefixed with @ character it means that all
+      <replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all
+       users in the group <replaceable>name</replaceable> match. If it is prefixed
+-      with a % character the SELinux user is used to match against the <replaceable>name</replaceable>
+      with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable>
+       instead of the account name. Note that when SELinux is disabled the
+       SELinux user assigned to the account cannot be determined. This means that
+       such entries are never matched when SELinux is disabled and pam_selinux_permit
+       will return PAM_IGNORE.
+     </para>
+    <para>
+      Each user name in the configuration file can have optional arguments separated
+      by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>.
+      The pam_selinux_permit module will allow only single concurrent user session for
+      the user with this argument specified and it will attempt to kill all processes
+      of the user after logout.
+    </para>
+   </refsect1>
+ 
+   <refsect1 id="pam_selinux_permit-options">
+diff -up Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am.kill-user Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am
+--- Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am.kill-user	2008-01-28 18:34:18.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am	2008-01-28 18:35:01.000000000 +0100
+@@ -16,10 +16,13 @@ XMLS = README.xml pam_selinux.8.xml pam_
+ 
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+sepermitlockdir = /var/run/sepermit
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ 	-I$(top_srcdir)/libpam_misc/include \
+-	-D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\"
+	-D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \
+	-D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\"
+
+ AM_LDFLAGS = -no-undefined \
+ 	-L$(top_builddir)/libpam -lpam @LIBSELINUX@
+ 
+@@ -34,6 +37,7 @@ endif
+ pam_selinux_permit_la_LDFLAGS= $(pam_selinux_la_LDFLAGS)
+ 
+ secureconf_DATA = sepermit.conf
+sepermitlock_DATA =
+ 
+ if HAVE_LIBSELINUX
+   securelib_LTLIBRARIES = pam_selinux.la pam_selinux_permit.la
+diff -up Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf.kill-user Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf
+--- Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf.kill-user	2008-01-28 18:34:18.000000000 +0100
+++ Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf	2008-01-28 18:34:18.000000000 +0100
+@@ -4,3 +4,8 @@
+ #        - an user name
+ #        - a group name, with @group syntax
+ #        - a SELinux user name, with %seuser syntax
+# Each line can contain optional arguments separated by :
+# The possible arguments are:
+#        - exclusive - only single login session will
+#          be allowed for the user and the user's processes
+#          will be killed on logout
--- a/pam-0.99.8.1-setkeycreatecon.patch
+++ b/pam-0.99.8.1-setkeycreatecon.patch
@ -0,0 +1,31 @@
+diff -up Linux-PAM-0.99.8.1/configure.in.setkeycreatecon Linux-PAM-0.99.8.1/configure.in
+--- Linux-PAM-0.99.8.1/configure.in.setkeycreatecon	2008-01-28 17:22:40.000000000 +0100
+++ Linux-PAM-0.99.8.1/configure.in	2008-01-28 17:26:25.000000000 +0100
+@@ -379,6 +379,7 @@ AC_SUBST(LIBDB)
+ AM_CONDITIONAL([HAVE_LIBDB], [test ! -z "$LIBDB"])
+ 
+ AC_CHECK_LIB([nsl],[yp_get_default_domain], LIBNSL="-lnsl", LIBNSL="")
+BACKUP_LIBS=$LIBS
+ LIBS="$LIBS $LIBNSL"
+ AC_CHECK_FUNCS(yp_get_default_domain)
+ LIBS=$BACKUP_LIBS
+@@ -396,6 +397,10 @@ AC_SUBST(LIBSELINUX)
+ AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
+ if test ! -z "$LIBSELINUX" ; then
+     AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+    BACKUP_LIBS=$LIBS
+    LIBS="$LIBS $LIBSELINUX"
+    AC_CHECK_FUNCS(setkeycreatecon)
+    LIBS=$BACKUP_LIBS
+ fi
+ 
+ dnl Checks for header files.
+@@ -428,7 +433,7 @@ AC_CHECK_FUNCS(fseeko gethostname gettim
+ AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
+ AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
+ AC_CHECK_FUNCS(getgrouplist getline getdelim)
+-AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon)
+AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af)
+ 
+ AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
+ AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
--- a/pam.spec
+++ b/pam.spec
@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.8.1
-Release: 16%{?dist}
+Release: 17%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@ -47,6 +47,8 @@ Patch48: pam-0.99.8.1-substack.patch
 Patch49: pam-0.99.8.1-tty-audit.patch
 Patch50: pam-0.99.8.1-tty-audit2.patch
 Patch51: pam-0.99.8.1-audit-failed.patch
+Patch52: pam-0.99.8.1-setkeycreatecon.patch
+Patch53: pam-0.99.8.1-sepermit-kill-user.patch

 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@ -119,6 +121,8 @@ popd
 %patch49 -p1 -b .tty-audit
 %patch50 -p1 -b .tty-audit2
 %patch51 -p1 -b .audit-failed
+%patch52 -p1 -b .setkeycreatecon
+%patch53 -p1 -b .kill-user

 autoreconf

@ -352,6 +356,7 @@ fi
 %dir %{_sysconfdir}/security/console.perms.d
 %config %{_sysconfdir}/security/console.perms.d/50-default.perms
 %dir /var/run/console
+%dir /var/run/sepermit
 %ghost %verify(not md5 size mtime) /var/log/faillog
 %ghost %verify(not md5 size mtime) /var/log/tallylog
 %{_mandir}/man5/*
@ -368,6 +373,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html

 %changelog
+* Mon Jan 28 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-17
+- test for setkeycreatecon correctly
+- add exclusive login mode of operation to pam_selinux_permit (original
+  patch by Dan Walsh)
+
 * Tue Jan 22 2008 Tomas Mraz <tmraz@redhat.com> 0.99.8.1-16
 - add auditing to pam_access, pam_limits, and pam_time
 - moved sanity testing code to check script