LCOV - code coverage report
Current view: top level - util - sss_selinux.c (source / functions) Hit Total Coverage
Test: coverage.info Lines: 0 121 0.0 %
Date: 2016-06-29 Functions: 0 4 0.0 %

          Line data    Source code
       1             : /*
       2             :     SSSD
       3             : 
       4             :     SELinux-related utility functions
       5             : 
       6             :     Authors:
       7             :         Jan Zeleny <jzeleny@redhat.com>
       8             : 
       9             :     Copyright (C) 2012 Red Hat
      10             : 
      11             :     This program is free software; you can redistribute it and/or modify
      12             :     it under the terms of the GNU General Public License as published by
      13             :     the Free Software Foundation; either version 3 of the License, or
      14             :     (at your option) any later version.
      15             : 
      16             :     This program is distributed in the hope that it will be useful,
      17             :     but WITHOUT ANY WARRANTY; without even the implied warranty of
      18             :     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      19             :     GNU General Public License for more details.
      20             : 
      21             :     You should have received a copy of the GNU General Public License
      22             :     along with this program.  If not, see <http://www.gnu.org/licenses/>.
      23             : */
      24             : 
      25             : #include "util/sss_selinux.h"
      26             : #include "util/sss_utf8.h"
      27             : #include "db/sysdb_selinux.h"
      28             : 
      29           0 : static bool match_entity(struct ldb_message_element *values,
      30             :                          struct ldb_message_element *sought_values)
      31             : {
      32             :     int i, j;
      33             : 
      34           0 :     for (i = 0; i < values->num_values; i++) {
      35           0 :         for (j = 0; j < sought_values->num_values; j++) {
      36           0 :             if (values->values[i].length != sought_values->values[j].length) {
      37           0 :                 continue;
      38             :             }
      39             : 
      40           0 :             if (strncasecmp((char *)values->values[i].data,
      41           0 :                             (char *)sought_values->values[j].data,
      42           0 :                             values->values[i].length) == 0)
      43           0 :                 return true;
      44             :         }
      45             :     }
      46             : 
      47           0 :     return false;
      48             : }
      49             : 
      50           0 : bool sss_selinux_match(struct sysdb_attrs *usermap,
      51             :                        struct sysdb_attrs *user,
      52             :                        struct sysdb_attrs *host,
      53             :                        uint32_t *_priority)
      54             : {
      55           0 :     struct ldb_message_element *users_el = NULL;
      56           0 :     struct ldb_message_element *usercat = NULL;
      57           0 :     struct ldb_message_element *hosts_el = NULL;
      58           0 :     struct ldb_message_element *hostcat = NULL;
      59             :     struct ldb_message_element *dn;
      60             :     struct ldb_message_element *memberof;
      61             :     int i;
      62           0 :     uint32_t priority = 0;
      63             :     bool matched_name;
      64             :     bool matched_group;
      65             :     bool matched_category;
      66             :     errno_t ret;
      67             : 
      68           0 :     if (usermap == NULL) {
      69           0 :         DEBUG(SSSDBG_MINOR_FAILURE, "NULL given as usermap! Skipping ...\n");
      70           0 :         return false;
      71             :     }
      72             : 
      73             :     /* Search for user and host related elements */
      74           0 :     for (i = 0; i < usermap->num; i++) {
      75           0 :         if (!strcasecmp(usermap->a[i].name, SYSDB_ORIG_MEMBER_USER)) {
      76           0 :             users_el = &usermap->a[i];
      77           0 :         } else if (!strcasecmp(usermap->a[i].name, SYSDB_ORIG_MEMBER_HOST)) {
      78           0 :             hosts_el = &usermap->a[i];
      79           0 :         } else if (!strcasecmp(usermap->a[i].name, SYSDB_USER_CATEGORY)) {
      80           0 :             usercat = &usermap->a[i];
      81           0 :         } else if (!strcasecmp(usermap->a[i].name, SYSDB_HOST_CATEGORY)) {
      82           0 :             hostcat = &usermap->a[i];
      83             :         }
      84             :     }
      85             : 
      86           0 :     if (user) {
      87           0 :         ret = sysdb_attrs_get_el(user, SYSDB_ORIG_DN, &dn);
      88           0 :         if (ret != EOK) {
      89           0 :             DEBUG(SSSDBG_MINOR_FAILURE, "User does not have origDN\n");
      90           0 :             return false;
      91             :         }
      92           0 :         ret = sysdb_attrs_get_el(user, SYSDB_ORIG_MEMBEROF, &memberof);
      93           0 :         if (ret != EOK) {
      94           0 :             DEBUG(SSSDBG_TRACE_ALL,
      95             :                   "User does not have orig memberof, "
      96             :                    "therefore it can't match to any rule\n");
      97           0 :             return false;
      98             :         }
      99             : 
     100             :         /**
     101             :          * The rule won't match if user category != "all" and user map doesn't
     102             :          * contain neither user nor any of his groups in memberUser attribute
     103             :          */
     104           0 :         matched_category = false;
     105           0 :         if (usercat != NULL) {
     106           0 :             for (i = 0; i < usercat->num_values; i++) {
     107           0 :                 if (strcasecmp((char *)usercat->values[i].data, "all") == 0) {
     108           0 :                     matched_category = true;
     109           0 :                     break;
     110             :                 }
     111             :             }
     112             :         }
     113             : 
     114           0 :         if (!matched_category) {
     115           0 :             if (users_el == NULL) {
     116           0 :                 DEBUG(SSSDBG_TRACE_ALL, "No users specified in the rule!\n");
     117           0 :                 return false;
     118             :             } else {
     119           0 :                 matched_name = match_entity(users_el, dn);
     120           0 :                 matched_group = match_entity(users_el, memberof);
     121           0 :                 if (matched_name) {
     122           0 :                     priority |= SELINUX_PRIORITY_USER_NAME;
     123           0 :                 } else if (matched_group) {
     124           0 :                     priority |= SELINUX_PRIORITY_USER_GROUP;
     125             :                 } else {
     126           0 :                     DEBUG(SSSDBG_TRACE_ALL, "User did not match\n");
     127           0 :                     return false;
     128             :                 }
     129             :             }
     130             :         } else {
     131           0 :             priority |= SELINUX_PRIORITY_USER_CAT;
     132             :         }
     133             :     }
     134             : 
     135           0 :     if (host) {
     136           0 :         ret = sysdb_attrs_get_el(host, SYSDB_ORIG_DN, &dn);
     137           0 :         if (ret != EOK) {
     138           0 :             DEBUG(SSSDBG_MINOR_FAILURE, "Host does not have origDN\n");
     139           0 :             return false;
     140             :         }
     141           0 :         ret = sysdb_attrs_get_el(host, SYSDB_ORIG_MEMBEROF, &memberof);
     142           0 :         if (ret != EOK) {
     143           0 :             DEBUG(SSSDBG_TRACE_ALL,
     144             :                   "Host does not have orig memberof, "
     145             :                    "therefore it can't match to any rule\n");
     146           0 :             return false;
     147             :         }
     148             : 
     149             :         /**
     150             :          * The rule won't match if host category != "all" and user map doesn't
     151             :          * contain neither host nor any of its groups in memberHost attribute
     152             :          */
     153           0 :         matched_category = false;
     154           0 :         if (hostcat != NULL) {
     155           0 :             for (i = 0; i < hostcat->num_values; i++) {
     156           0 :                 if (strcasecmp((char *)hostcat->values[i].data, "all") == 0) {
     157           0 :                     matched_category = true;
     158           0 :                     break;
     159             :                 }
     160             :             }
     161             :         }
     162           0 :         if (!matched_category) {
     163           0 :             if (hosts_el == NULL) {
     164           0 :                 DEBUG(SSSDBG_TRACE_ALL, "No users specified in the rule!\n");
     165           0 :                 return false;
     166             :             } else {
     167           0 :                 matched_name = match_entity(hosts_el, dn);
     168           0 :                 matched_group = match_entity(hosts_el, memberof);
     169           0 :                 if (matched_name) {
     170           0 :                     priority |= SELINUX_PRIORITY_HOST_NAME;
     171           0 :                 } else if (matched_group) {
     172           0 :                     priority |= SELINUX_PRIORITY_HOST_GROUP;
     173             :                 } else {
     174           0 :                     DEBUG(SSSDBG_TRACE_ALL, "Host did not match\n");
     175           0 :                     return false;
     176             :                 }
     177             :             }
     178             :         } else {
     179           0 :             priority |= SELINUX_PRIORITY_HOST_CAT;
     180             :         }
     181             :     }
     182             : 
     183           0 :     if (_priority != NULL) {
     184           0 :         *_priority = priority;
     185             :     }
     186             : 
     187           0 :     return true;
     188             : }
     189             : 
     190           0 : errno_t sss_selinux_extract_user(TALLOC_CTX *mem_ctx,
     191             :                                  struct sss_domain_info *domain,
     192             :                                  const char *username,
     193             :                                  struct sysdb_attrs **_user_attrs)
     194             : {
     195             :     TALLOC_CTX *tmp_ctx;
     196             :     const char **attrs;
     197             :     struct sysdb_attrs *user_attrs;
     198             :     struct ldb_message *user_msg;
     199             : 
     200             :     errno_t ret;
     201             : 
     202           0 :     tmp_ctx = talloc_new(NULL);
     203           0 :     if (tmp_ctx == NULL) {
     204           0 :         ret = ENOMEM;
     205           0 :         goto done;
     206             :     }
     207             : 
     208           0 :     attrs = talloc_array(tmp_ctx, const char *, 3);
     209           0 :     if (attrs == NULL) {
     210           0 :         DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");
     211           0 :         ret = ENOMEM;
     212           0 :         goto done;
     213             :     }
     214           0 :     attrs[0] = SYSDB_ORIG_DN;
     215           0 :     attrs[1] = SYSDB_ORIG_MEMBEROF;
     216           0 :     attrs[2] = NULL;
     217             : 
     218           0 :     ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs,
     219             :                                     &user_msg);
     220           0 :     if (ret != EOK) {
     221           0 :         DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
     222           0 :         goto done;
     223             :     }
     224             : 
     225           0 :     user_attrs = talloc_zero(tmp_ctx, struct sysdb_attrs);
     226           0 :     if (user_attrs == NULL) {
     227           0 :         ret = ENOMEM;
     228           0 :         goto done;
     229             :     }
     230           0 :     user_attrs->a = talloc_steal(user_attrs, user_msg->elements);
     231           0 :     user_attrs->num = user_msg->num_elements;
     232             : 
     233           0 :     *_user_attrs = talloc_steal(mem_ctx, user_attrs);
     234           0 :     ret = EOK;
     235             : 
     236             : done:
     237           0 :     talloc_free(tmp_ctx);
     238           0 :     return ret;
     239             : }
     240             : 
     241           0 : const char *sss_selinux_map_get_seuser(struct sysdb_attrs *usermap)
     242             : {
     243             :     int i;
     244             :     const uint8_t *name;
     245           0 :     const uint8_t *template = (const uint8_t *)SYSDB_SELINUX_USER;
     246             : 
     247           0 :     for (i = 0; i < usermap->num; i++) {
     248           0 :         name = (const uint8_t *)usermap->a[i].name;
     249           0 :         if (sss_utf8_case_eq(name, template) == 0) {
     250           0 :             return (const char *)usermap->a[i].values[0].data;
     251             :         }
     252             :     }
     253             : 
     254           0 :     return NULL;
     255             : }

Generated by: LCOV version 1.10