gss-proxy.git, branch impersonate

Fix resource leak in gpm_accept_sec_context().

2013-10-14T15:30:22+00:00

Resolves Coverity CID #12027.

Work around MIT 1.11 issues with delegated creds

2013-09-12T22:06:35+00:00

For some reason directly exporting crdentials will result in a non
functional st when reimported later before the init_sec_context call.
However storing them and then reacquiring before the export seem to
work.

Wrap around defines so that eventually we may be able to avoid these
operations.

Add impersonation support

2013-09-10T06:01:06+00:00

By setting the impersonate flag to true, the acquisition of credentials will
be done using constrained delegation (s4uself + s4u2proxy).

Move uid to name resolution in its own function.

2013-09-07T19:35:52+00:00

Fix selinux option check

2013-08-26T15:05:32+00:00

Found by coverity (CID 11894)

Reviewed-by: Günther Deschner

Add service match using SeLinux Context

2013-07-02T14:17:23+00:00

Using getpeercon we can know the elinux context of the process talking to
gssproxy. Use this information as an optional additional filter to match
processes to service definitions.
If a selinux_context option with a full user;role;type context is specified
into a service section, then the connecting process must also be running under
the specified selinux context in order to be allowed to connect.

Signed-off-by: Simo Sorce 
Reviewed-by: Günther Deschner

Coverity fixes.

2013-06-27T16:07:23+00:00

Fix a 4 coverity issues, ranging from memory leaks, to uninitialized
variables, to potential NULL derefernce.
Also a TOCTOU report that is in one of the accessory test scripts.
The bug itself is not reallya TOCTOU, but the check done in the script is
unecessary, so I just removed it.

Signed-off-by: Simo Sorce 
Reviewed-by: Günther Deschner

Further improve debugging, mention servicename, socket and euid.

2013-06-24T15:51:39+00:00

Signed-off-by: Günther Deschner 
Reviewed-by: Simo Sorce

Properly check socket for connection matching.

2013-06-21T15:04:45+00:00

We always need to chekc if the socket matches otherwise the worng service may
be selected if a specific socket is being used but a service allowing the same
euid is confgured to use the deault socket as well.

Signed-off-by: Simo Sorce 
Reviewed-by: Günther Deschner

Split nfs server and client services

2013-06-21T14:26:38+00:00

The NFS server uses a special socket for the kernel communication.
Split configuration in 2 distinct services so we can use specific options that
may be different between server and client.

The 3 main differences so far are:
1. socket: default for client, custom for server
2. kernel_nfd option only for server
3. ccache and client keytab options only for client

Signed-off-by: Simo Sorce 
Reviewed-by: Günther Deschner