8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce/*
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce SSSD
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce SELinux-related utility functions
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce Authors:
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce Jan Zeleny <jzeleny@redhat.com>
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce Copyright (C) 2012 Red Hat
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce This program is free software; you can redistribute it and/or modify
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce it under the terms of the GNU General Public License as published by
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce the Free Software Foundation; either version 3 of the License, or
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce (at your option) any later version.
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce This program is distributed in the hope that it will be useful,
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce but WITHOUT ANY WARRANTY; without even the implied warranty of
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce GNU General Public License for more details.
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce You should have received a copy of the GNU General Public License
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce along with this program. If not, see <http://www.gnu.org/licenses/>.
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce*/
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce#include "util/sss_selinux.h"
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce#include "util/sss_utf8.h"
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce#include "db/sysdb_selinux.h"
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorcestatic bool match_entity(struct ldb_message_element *values,
edaadf8de0c86a2cfff2d29215775d42919476f3Pavel Březina struct ldb_message_element *sought_values)
edaadf8de0c86a2cfff2d29215775d42919476f3Pavel Březina{
4ebab24f65b54720a6672898b76185462015ababPavel Březina int i, j;
75d66aea7accc842e68c88f085f9053112b20eccPavel Březina
c1058e96679c7ed1372825bf5226ce7d28a8e6ffPavel Březina for (i = 0; i < values->num_values; i++) {
dee7a89098b698e756f63e4041734d7322ad8b1ePavel Březina for (j = 0; j < sought_values->num_values; j++) {
ab967283b710dfa05d11ee5b30c7ac916486ceecSimo Sorce if (values->values[i].length != sought_values->values[j].length) {
c6872e79e8496fd075e20aec0343ade99cca725cSimo Sorce continue;
c6872e79e8496fd075e20aec0343ade99cca725cSimo Sorce }
c6872e79e8496fd075e20aec0343ade99cca725cSimo Sorce
2745b0156f12df7a7eb93d57716233243658e4d9Jakub Hrozek if (strncasecmp((char *)values->values[i].data,
22a21e910fd216ec1468fe769dcc29f1621a52a4Ondrej Kos (char *)sought_values->values[j].data,
ab967283b710dfa05d11ee5b30c7ac916486ceecSimo Sorce values->values[i].length) == 0)
b9c563c29243291f40489bb0dcbf3946fca72d58Jakub Hrozek return true;
ab967283b710dfa05d11ee5b30c7ac916486ceecSimo Sorce }
ab967283b710dfa05d11ee5b30c7ac916486ceecSimo Sorce }
c6872e79e8496fd075e20aec0343ade99cca725cSimo Sorce
233a3c6c48972b177e60d6ef4cecfacd3cf31659Simo Sorce return false;
c6872e79e8496fd075e20aec0343ade99cca725cSimo Sorce}
c6872e79e8496fd075e20aec0343ade99cca725cSimo Sorce
233a3c6c48972b177e60d6ef4cecfacd3cf31659Simo Sorcebool sss_selinux_match(struct sysdb_attrs *usermap,
233a3c6c48972b177e60d6ef4cecfacd3cf31659Simo Sorce struct sysdb_attrs *user,
7c69221077c780e62f6c536e78675f2dc1c131bcMichal Zidek struct sysdb_attrs *host,
7c69221077c780e62f6c536e78675f2dc1c131bcMichal Zidek uint32_t *_priority)
7c69221077c780e62f6c536e78675f2dc1c131bcMichal Zidek{
aa7202c8ae677becd6c91d6a27a607fe0f3995eePavel Březina struct ldb_message_element *users_el = NULL;
f9961e5f82e0ef474d6492371bfdf9e74e208a99Pavel Březina struct ldb_message_element *usercat = NULL;
f9961e5f82e0ef474d6492371bfdf9e74e208a99Pavel Březina struct ldb_message_element *hosts_el = NULL;
7a4e3e29196e3abc1746714fcf93624edae89f93Lukas Slebodnik struct ldb_message_element *hostcat = NULL;
9cb46bc62f22e0104f1b41a423b014c281ef5fc2Jakub Hrozek struct ldb_message_element *dn;
9cb46bc62f22e0104f1b41a423b014c281ef5fc2Jakub Hrozek struct ldb_message_element *memberof;
9cb46bc62f22e0104f1b41a423b014c281ef5fc2Jakub Hrozek int i;
7caf7ed4f2eae1ec1c0717b4ee6ce78bdacd5926Jakub Hrozek uint32_t priority = 0;
dcc6877aa2e2dd63a9dc9c411a9c58feaeb36b9aStephen Gallagher bool matched_name;
bc30ce9b7d588a17e58012e699986f0d6898b791Pavel Březina bool matched_group;
2a96981a0ac781d01e5bba473409ed2bdf4cd4e0Jakub Hrozek bool matched_category;
e81deec535d11912b87954c81a1edd768c1386c9Jakub Hrozek errno_t ret;
4dd38025efda88f123eac672f87d3cda12f050c8Jakub Hrozek
4dd38025efda88f123eac672f87d3cda12f050c8Jakub Hrozek if (usermap == NULL) {
0161a3c5637a0c0092bf54c436bb3d6508d7df26Jakub Hrozek DEBUG(SSSDBG_MINOR_FAILURE, "NULL given as usermap! Skipping ...\n");
0161a3c5637a0c0092bf54c436bb3d6508d7df26Jakub Hrozek return false;
7a4e3e29196e3abc1746714fcf93624edae89f93Lukas Slebodnik }
60cab26b12df9a2153823972cde0c38ca86e01b9Yassir Elley
1319e71fd1680ca4864afe0b1aca2b8c8e4a1ee4Stef Walter /* Search for user and host related elements */
0c1d65998907930678da2d091789446f2c344d5dJakub Hrozek for (i = 0; i < usermap->num; i++) {
a2ea3f5d9ef9f17efbb61e942c2bc6cff7d1ebf2Jakub Hrozek if (!strcasecmp(usermap->a[i].name, SYSDB_ORIG_MEMBER_USER)) {
f3a25949de81f80c136bb073e4a8f504b080c20cJakub Hrozek users_el = &usermap->a[i];
78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33Michal Židek } else if (!strcasecmp(usermap->a[i].name, SYSDB_ORIG_MEMBER_HOST)) {
8394eddba54b5d3e3fda868145e3751247bdbdb2Michal Zidek hosts_el = &usermap->a[i];
5a5c5cdeb92f4012fc75fd717bfea06598f68f12Pavel Reichl } else if (!strcasecmp(usermap->a[i].name, SYSDB_USER_CATEGORY)) {
7a4e3e29196e3abc1746714fcf93624edae89f93Lukas Slebodnik usercat = &usermap->a[i];
1243e093fd31c5660adf1bb3dd477d6935a755beJakub Hrozek } else if (!strcasecmp(usermap->a[i].name, SYSDB_HOST_CATEGORY)) {
1243e093fd31c5660adf1bb3dd477d6935a755beJakub Hrozek hostcat = &usermap->a[i];
7a4e3e29196e3abc1746714fcf93624edae89f93Lukas Slebodnik }
979e8d8d6ed444007eeff6be5269e8dc5d2bdf68Pavel Reichl }
05d935cc9d04f03522d0bb44598d22d99b085926Jakub Hrozek
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek if (user) {
64ea4127f463798410a2c20e0261c6b15f60257fJakub Hrozek ret = sysdb_attrs_get_el(user, SYSDB_ORIG_DN, &dn);
a8d887323f83984679a7d9b827a70146656bb7b2Sumit Bose if (ret != EOK) {
b42bf6c0c01db08208fb81d8295a2909d307284aPavel Reichl DEBUG(SSSDBG_MINOR_FAILURE, "User does not have origDN\n");
9118a539a5d59f669f551114f880fe91d6bb8741Jakub Hrozek return false;
b5825c74b6bf7a99ae2172392dbecb51179013a6Jakub Hrozek }
19e44537c28f6d5f011cd7ac885c74c1e892605fSimo Sorce ret = sysdb_attrs_get_el(user, SYSDB_ORIG_MEMBEROF, &memberof);
5f7cd30c865046a7ea69944f7e07c85b4c43465aSumit Bose if (ret != EOK) {
c30b7a1931211fdcae0564551a7625cc4f6dee9fJakub Hrozek DEBUG(SSSDBG_TRACE_ALL,
e732d23f3ec986a463d757781a334040e03d1f59Jakub Hrozek "User does not have orig memberof, "
e732d23f3ec986a463d757781a334040e03d1f59Jakub Hrozek "therefore it can't match to any rule\n");
dd285415d7a8d8376207960cfa3e977524c3b98cJakub Hrozek return false;
dd285415d7a8d8376207960cfa3e977524c3b98cJakub Hrozek }
beec1ee5799570f34a51ea57674c7291c15f7022Jakub Hrozek
fcbcfa69f9291936f01f24b5fcb5a7672dca46f3Jakub Hrozek /**
4714118890e51b365fbce543d0a042b4b59b2b25Michal Zidek * The rule won't match if user category != "all" and user map doesn't
efc65e78fa4e01e6cecc8690a9899af61213be62Fabiano Fidêncio * contain neither user nor any of his groups in memberUser attribute
41cd6072648bb7a9e14e56ed38004a2947f67657Jakub Hrozek */
65a38b8c9cabde6c46cc0e9868f54cb9bb10afbfFabiano Fidêncio matched_category = false;
7171a7584dda534dde5409f3e7f4657e845ece15Fabiano Fidêncio if (usercat != NULL) {
d4757440418c7b73bbecec7e40baf6dfe8cc9460Sumit Bose for (i = 0; i < usercat->num_values; i++) {
d4757440418c7b73bbecec7e40baf6dfe8cc9460Sumit Bose if (strcasecmp((char *)usercat->values[i].data, "all") == 0) {
b9c563c29243291f40489bb0dcbf3946fca72d58Jakub Hrozek matched_category = true;
b9c563c29243291f40489bb0dcbf3946fca72d58Jakub Hrozek break;
b9c563c29243291f40489bb0dcbf3946fca72d58Jakub Hrozek }
b9c563c29243291f40489bb0dcbf3946fca72d58Jakub Hrozek }
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek }
cac0db2f8004ae88b9263dc3888a11a2d3d3d114Jakub Hrozek
300b9e9217ee1ed8d845ed2370c5ccf5c87afb36Pavel Březina if (!matched_category) {
300b9e9217ee1ed8d845ed2370c5ccf5c87afb36Pavel Březina if (users_el == NULL) {
300b9e9217ee1ed8d845ed2370c5ccf5c87afb36Pavel Březina DEBUG(SSSDBG_TRACE_ALL, "No users specified in the rule!\n");
300b9e9217ee1ed8d845ed2370c5ccf5c87afb36Pavel Březina return false;
c0f9f5a0f6d71a1596ee3cef549b4b02295313c3Jakub Hrozek } else {
0a0b34f5fbe8f4a8c533a7d65f0f2961ee264054Jakub Hrozek matched_name = match_entity(users_el, dn);
2af80640f18966d65cf82106059ce3c060df93bfamitkuma matched_group = match_entity(users_el, memberof);
ccd349f0274217e1f0cc118e3a6045e2235ce420Fabiano Fidêncio if (matched_name) {
7650ded4ffa87fcf7ce5adf00920fecf89cffcf5Michal Zidek priority |= SELINUX_PRIORITY_USER_NAME;
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce } else if (matched_group) {
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce priority |= SELINUX_PRIORITY_USER_GROUP;
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce } else {
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce DEBUG(SSSDBG_TRACE_ALL, "User did not match\n");
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce return false;
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce }
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce }
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce } else {
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce priority |= SELINUX_PRIORITY_USER_CAT;
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce }
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce }
8bcabb97d988d1602882a1f036aac2eaf5e09234Simo Sorce
if (host) {
ret = sysdb_attrs_get_el(host, SYSDB_ORIG_DN, &dn);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE, "Host does not have origDN\n");
return false;
}
ret = sysdb_attrs_get_el(host, SYSDB_ORIG_MEMBEROF, &memberof);
if (ret != EOK) {
DEBUG(SSSDBG_TRACE_ALL,
"Host does not have orig memberof, "
"therefore it can't match to any rule\n");
return false;
}
/**
* The rule won't match if host category != "all" and user map doesn't
* contain neither host nor any of its groups in memberHost attribute
*/
matched_category = false;
if (hostcat != NULL) {
for (i = 0; i < hostcat->num_values; i++) {
if (strcasecmp((char *)hostcat->values[i].data, "all") == 0) {
matched_category = true;
break;
}
}
}
if (!matched_category) {
if (hosts_el == NULL) {
DEBUG(SSSDBG_TRACE_ALL, "No users specified in the rule!\n");
return false;
} else {
matched_name = match_entity(hosts_el, dn);
matched_group = match_entity(hosts_el, memberof);
if (matched_name) {
priority |= SELINUX_PRIORITY_HOST_NAME;
} else if (matched_group) {
priority |= SELINUX_PRIORITY_HOST_GROUP;
} else {
DEBUG(SSSDBG_TRACE_ALL, "Host did not match\n");
return false;
}
}
} else {
priority |= SELINUX_PRIORITY_HOST_CAT;
}
}
if (_priority != NULL) {
*_priority = priority;
}
return true;
}
errno_t sss_selinux_extract_user(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *username,
struct sysdb_attrs **_user_attrs)
{
TALLOC_CTX *tmp_ctx;
const char **attrs;
struct sysdb_attrs *user_attrs;
struct ldb_message *user_msg;
errno_t ret;
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
ret = ENOMEM;
goto done;
}
attrs = talloc_array(tmp_ctx, const char *, 3);
if (attrs == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");
ret = ENOMEM;
goto done;
}
attrs[0] = SYSDB_ORIG_DN;
attrs[1] = SYSDB_ORIG_MEMBEROF;
attrs[2] = NULL;
ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs,
&user_msg);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
goto done;
}
user_attrs = talloc_zero(tmp_ctx, struct sysdb_attrs);
if (user_attrs == NULL) {
ret = ENOMEM;
goto done;
}
user_attrs->a = talloc_steal(user_attrs, user_msg->elements);
user_attrs->num = user_msg->num_elements;
*_user_attrs = talloc_steal(mem_ctx, user_attrs);
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
const char *sss_selinux_map_get_seuser(struct sysdb_attrs *usermap)
{
int i;
const uint8_t *name;
const uint8_t *template = (const uint8_t *)SYSDB_SELINUX_USER;
for (i = 0; i < usermap->num; i++) {
name = (const uint8_t *)usermap->a[i].name;
if (sss_utf8_case_eq(name, template) == 0) {
return (const char *)usermap->a[i].values[0].data;
}
}
return NULL;
}