author | Simo Sorce <simo@redhat.com> | 2013-06-21 20:36:20 -0400 |
---|---|---|
committer | Günther Deschner <gdeschner@redhat.com> | 2013-07-02 16:17:23 +0200 |
commit | acc3b87b655cf7c6c0c7d698f5a5867b6732a69f (patch) | |
tree | 97f3d944770bfc78c92f1fff854d66b78df76de7 /proxy/src/gp_config.c | |
parent | f66a585e042fbb2f313c1cbde329088fac86cea6 (diff) | |
download | gss-proxy-acc3b87b655cf7c6c0c7d698f5a5867b6732a69f.tar.gz gss-proxy-acc3b87b655cf7c6c0c7d698f5a5867b6732a69f.tar.xz gss-proxy-acc3b87b655cf7c6c0c7d698f5a5867b6732a69f.zip |
Add service match using SeLinux Context
Using getpeercon we can know the selinux context of the process talking to
gssproxy. Use this information as an optional additional filter to match
processes to service definitions.
If a selinux_context option with a full user;role;type context is specified
into a service section, then the connecting process must also be running under
the specified selinux context in order to be allowed to connect.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>
Diffstat (limited to 'proxy/src/gp_config.c')
-rw-r--r-- | proxy/src/gp_config.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/proxy/src/gp_config.c b/proxy/src/gp_config.c
index 5051a91..ee218b4 100644
--- a/proxy/src/gp_config.c
+++ b/proxy/src/gp_config.c
@@ -30,6 +30,7 @@
 #include <errno.h>
 #include "gp_proxy.h"
 #include "gp_config.h"
+#include "gp_selinux.h"
 
 static void free_str_array(const char ***a, int *count)
 {
@@ -62,6 +63,7 @@ static void gp_service_free(struct gp_service *svc)
                        &svc->krb5.cred_count);
     }
     gp_free_creds_handle(&svc->creds_handle);
+    SELINUX_context_free(svc->selinux_ctx);
     memset(svc, 0, sizeof(struct gp_service));
 }
 
@@ -252,6 +254,16 @@ static int load_services(struct gp_config *cfg, struct gp_ini_context *ctx)
             safefree(secname);
             continue;
         }
+
+        ret = gp_config_get_string(ctx, secname,
+                                   "selinux_context", &value);
+        if (ret == 0) {
+            cfg->svcs[n]->selinux_ctx = SELINUX_context_new(value);
+            if (!cfg->svcs[n]->selinux_ctx) {
+                ret = EINVAL;
+                goto done;
+            }
+        }
     }
     safefree(secname);
 }
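Review bot: In gp_service_free, `SELINUX_context_free(svc->selinux_ctx)` is called unconditionally, but selinux_ctx is only assigned when a service section carries a selinux_context option, so for every other service it is whatever the zeroed struct holds (presumably NULL). Whether the wrapper in gp_selinux.h tolerates a NULL argument is not visible here; if it does not, freeing an unconfigured service is a NULL dereference, and a one-line comment such as `/* selinux_ctx may be NULL: option is optional */` above the call would record the expectation either way. gp_service_free starts outside the hunk.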
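Review bot: In the load_services hunk any non-zero return from gp_config_get_string is treated as "selinux_context not set", so a lookup failure other than a missing key silently loads the service with no SELinux filter, and `ret` leaves the block non-zero, which only works if the code after the loop resets it (load_services continues outside the hunk). I would separate the not-found code from real errors, e.g. `} else if (ret != ENOENT) { goto done; }` after the `if (ret == 0)` block, assuming ENOENT is what gp_config_get_string returns for an absent key. The failure branch also collapses every SELINUX_context_new failure (malformed context string or allocation) into EINVAL with no message; since this option decides which processes may use the service, a log line naming `secname` and the rejected value before `goto done` would make a misconfiguration diagnosable. A short comment above the call noting that a NULL return from SELINUX_context_new is the only format check applied to the user;role;type string the commit message requires would also help the next reader.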