#include <stddef.h>
#include <string.h>
#include <unistd.h>
-#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include "pathnames.h"
#ifndef lint
-__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.2.2.4 2008/02/22 20:33:10 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: selinux.c,v 1.5 2008/02/22 20:33:00 millert Exp $";
#endif /* lint */
/*
/* Verify that the tty still has the context set by sudo. */
if ((rc = fgetfilecon(fd, &chk_tty_context)) < 0) {
- warn("unable to fgetfilecon %s", ttyn);
+ warning("unable to fgetfilecon %s", ttyn);
goto skip_relabel;
}
if ((rc = strcmp(chk_tty_context, new_tty_context))) {
- warnx("%s changed labels.", ttyn);
+ warningx("%s changed labels.", ttyn);
goto skip_relabel;
}
if ((rc = fsetfilecon(fd, tty_context)) < 0)
- warn("unable to restore context for %s", ttyn);
+ warning("unable to restore context for %s", ttyn);
skip_relabel:
freecon(chk_tty_context);
/* Re-open TTY descriptor */
fd = open(ttyn, O_RDWR | O_NONBLOCK);
if (fd == -1) {
- warn("unable to open %s", ttyn);
+ warning("unable to open %s", ttyn);
return(-1);
}
(void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
if (fgetfilecon(fd, &tty_con) < 0) {
- warn("unable to get current context for %s, not relabeling tty",
+ warning("unable to get current context for %s, not relabeling tty",
ttyn);
if (enforcing)
goto error;
if (tty_con && (security_compute_relabel(new_context, tty_con,
SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
- warn("unable to get new context for %s, not relabeling tty", ttyn);
+ warning("unable to get new context for %s, not relabeling tty", ttyn);
if (enforcing)
goto error;
}
if (new_tty_con != NULL) {
if (fsetfilecon(fd, new_tty_con) < 0) {
- warn("unable to set new context for %s", ttyn);
+ warning("unable to set new context for %s", ttyn);
if (enforcing)
goto error;
}
/* We must have a role, the type is optional (we can use the default). */
if (!role) {
- warnx("you must specify a role.");
+ warningx("you must specify a role.");
return(NULL);
}
if (!type) {
if (get_default_type(role, &typebuf)) {
- warnx("unable to get default type");
+ warningx("unable to get default type");
return(NULL);
}
type = typebuf;
* type we will be running the command as.
*/
if (context_role_set(context, role)) {
- warnx("failed to set new role %s", role);
+ warningx("failed to set new role %s", role);
goto error;
}
if (context_type_set(context, type)) {
- warnx("failed to set new type %s", type);
+ warningx("failed to set new type %s", type);
goto error;
}
*/
new_context = estrdup(context_str(context));
if (security_check_context(new_context) < 0) {
- warnx("%s is not a valid context", new_context);
+ warningx("%s is not a valid context", new_context);
goto error;
}
#ifdef DEBUG
- warnx("Your new context is %s", new_context);
+ warningx("Your new context is %s", new_context);
#endif
context_free(context);
* will simply execute the command pass to it on the command line.
*/
void
-selinux_exec(char *role, char *type, char **argv, char **envp, int login_shell)
+selinux_exec(char *role, char *type, char **argv, int login_shell)
{
security_context_t old_context = NULL;
security_context_t new_context = NULL;
/* Must have a tty. */
if (user_ttypath == NULL || *user_ttypath == '\0')
- err(EXIT_FAILURE, "unable to determine tty");
+ error(EXIT_FAILURE, "unable to determine tty");
/* Store the caller's SID in old_context. */
if (getprevcon(&old_context))
- err(EXIT_FAILURE, "failed to get old_context");
+ error(EXIT_FAILURE, "failed to get old_context");
enforcing = security_getenforce();
if (enforcing < 0)
- err(EXIT_FAILURE, "unable to determine enforcing mode.");
+ error(EXIT_FAILURE, "unable to determine enforcing mode.");
#ifdef DEBUG
- warnx("your old context was %s", old_context);
+ warningx("your old context was %s", old_context);
#endif
new_context = get_exec_context(old_context, role, type);
if (!new_context)
ttyfd = relabel_tty(user_ttypath, new_context, &tty_context,
&new_tty_context, enforcing);
if (ttyfd < 0)
- err(EXIT_FAILURE, "unable to setup tty context for %s", new_context);
+ error(EXIT_FAILURE, "unable to setup tty context for %s", new_context);
#ifdef DEBUG
- warnx("your old tty context is %s", tty_context);
- warnx("your new tty context is %s", new_tty_context);
+ warningx("your old tty context is %s", tty_context);
+ warningx("your new tty context is %s", new_tty_context);
#endif
childPid = fork();
if (childPid < 0) {
/* fork failed, no child to worry about */
- warn("unable to fork");
+ warning("unable to fork");
if (restore_tty_label(ttyfd, user_ttypath, tty_context, new_tty_context))
- warnx("unable to restore tty label");
+ warningx("unable to restore tty label");
exit(EXIT_FAILURE);
} else if (childPid) {
pid_t pid;
} while (pid == -1 && errno == EINTR);
if (pid == -1)
- err(EXIT_FAILURE, "waitpid");
+ error(EXIT_FAILURE, "waitpid");
if (restore_tty_label(ttyfd, user_ttypath, tty_context, new_tty_context))
- errx(EXIT_FAILURE, "unable to restore tty label");
+ errorx(EXIT_FAILURE, "unable to restore tty label");
/* Preserve child exit status. */
if (WIFEXITED(status))
/* Close the tty and reopen descriptors 0 through 2 */
if (close(ttyfd) || close(STDIN_FILENO) || close(STDOUT_FILENO) ||
close(STDERR_FILENO)) {
- warn("could not close descriptors");
+ warning("could not close descriptors");
goto error;
}
ttyfd = open(user_ttypath, O_RDONLY | O_NONBLOCK);
goto error;
if (setexeccon(new_context)) {
- warn("unable to set exec context to %s", new_context);
+ warning("unable to set exec context to %s", new_context);
if (enforcing)
goto error;
}
if (setkeycreatecon(new_context)) {
- warn("unable to set key creation context to %s", new_context);
+ warning("unable to set key creation context to %s", new_context);
if (enforcing)
goto error;
}
argv[0] = login_shell ? "-sesh" : "sesh";
argv[1] = safe_cmnd;
- execve(_PATH_SUDO_SESH, argv, envp);
- warn("%s", safe_cmnd);
+ execv(_PATH_SUDO_SESH, argv);
+ warning("%s", safe_cmnd);
error:
_exit(EXIT_FAILURE);
projects / debian / sudo / blobdiff