Add option to specify allowed usage.

Credentials can often be used both to accept and to initiate contexts.
With this option admins can allow a specific usage only.
This is to avoid allowing an unprivileged process to fool a remote
client by allowing it to impersonate a server, when we only want to
allow this service to use credentials to initiate contexts.

Reviewed-by: Günther Deschner <gdeschner@redhat.com

1 files changed, 12 insertions, 2 deletions

diff --git a/proxy/src/gp_creds.c b/proxy/src/gp_creds.c
index b047d8f..28a3d45 100644
--- a/proxy/src/gp_creds.c
+++ b/proxy/src/gp_creds.c
@@ -205,7 +205,7 @@ static void free_cred_store_elements(gss_key_value_set_desc *cs)
 static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
                                    gssx_name *desired_name,
                                    gss_name_t *requested_name,
-                                   gss_cred_usage_t cred_usage,
+                                   gss_cred_usage_t *cred_usage,
                                    gss_key_value_set_desc *cs)
 {
     struct gp_service *svc;
@@ -226,6 +226,16 @@ static int gp_get_cred_environment(struct gp_call_ctx *gpcall,
     target_uid = gp_conn_get_uid(gpcall->connection);
     svc = gpcall->service;
 
+    /* filter based on cred_usage */
+    if (svc->cred_usage != GSS_C_BOTH) {
+        if (*cred_usage == GSS_C_BOTH) {
+            *cred_usage = svc->cred_usage;
+        } else if (svc->cred_usage != *cred_usage) {
+            ret = EACCES;
+            goto done;
+        }
+    }
+
     if (desired_name) {
         gp_conv_gssx_to_oid(&desired_name->name_type, &name_type);
 
@@ -379,7 +389,7 @@ uint32_t gp_add_krb5_creds(uint32_t *min,
     }
 
     ret_min = gp_get_cred_environment(gpcall, desired_name, &req_name,
-                                      cred_usage, &cred_store);
+                                      &cred_usage, &cred_store);
     if (ret_min) {
         ret_maj = GSS_S_CRED_UNAVAIL;
         goto done;