author | Jan Zeleny <jzeleny@redhat.com> | 2012-07-24 15:36:10 -0400 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-27 10:37:06 +0200 |
commit | 7016947229edcaa268a82bf69fde37e521b13233 (patch) | |
tree | 0e763d33622f8173b8c2e89986707a3ae7d0e6e4 /src/providers | |
parent | 38e2ec1c757955ab557fd95807afa58042d09482 (diff) | |
Move SELinux processing from session to account PAM stack
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from the PAM responder. The change in data_provider_be.c ensures
just that: after the access provider finishes its actions, control is
handed to the selinux provider, and only after that provider finishes is the
result returned to the PAM responder.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/data_provider_be.c | 25 | ||||
-rw-r--r-- | src/providers/dp_backend.h | 8 |
2 files changed, 33 insertions, 0 deletions
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 114fde529..9571d0956 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -753,10 +753,12 @@ static void be_pam_handler_callback(struct be_req *req,
                                     int errnum,
                                     const char *errstr)
 {
+    struct be_client *becli = req->becli;
     struct pam_data *pd;
     DBusMessage *reply;
     DBusConnection *dbus_conn;
     dbus_bool_t dbret;
+    errno_t ret;
 
     DEBUG(4, ("Backend returned: (%d, %d, %s) [%s]\n",
               dp_err_type, errnum, errstr?errstr:"<NULL>",
@@ -764,6 +766,28 @@ static void be_pam_handler_callback(struct be_req *req,
 
     pd = talloc_get_type(req->req_data, struct pam_data);
 
+    if (pd->cmd == SSS_PAM_ACCT_MGMT &&
+        req->phase == REQ_PHASE_ACCESS &&
+        dp_err_type == DP_ERR_OK) {
+        if (!becli->bectx->bet_info[BET_SELINUX].bet_ops) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  ("SELinux provider doesn't exist, "
+                   "not sending the request to it.\n"));
+        } else {
+            req->phase = REQ_PHASE_SELINUX;
+
+            /* Now is the time to call SELinux provider */
+            ret = be_file_request(becli->bectx->bet_info[BET_SELINUX].pvt_bet_data,
+                                  req,
+                                  becli->bectx->bet_info[BET_SELINUX].bet_ops->handler);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_OP_FAILURE, ("be_file_request failed.\n"));
+                goto done;
+            }
+            return;
+        }
+    }
+
     DEBUG(4, ("Sending result [%d][%s]\n", pd->pam_status, pd->domain));
     reply = (DBusMessage *)req->pvt;
     dbret = dp_pack_pam_response(reply, pd);
@@ -852,6 +876,7 @@ static int be_pam_handler(DBusMessage *message, struct sbus_connection *conn)
         break;
     case SSS_PAM_ACCT_MGMT:
         target = BET_ACCESS;
+        be_req->phase = REQ_PHASE_ACCESS;
         break;
     case SSS_PAM_CHAUTHTOK:
     case SSS_PAM_CHAUTHTOK_PRELIM:
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 4c703326f..53a382ac4 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -132,6 +132,8 @@ struct bet_ops {
 };
 
 #define MAX_BE_REQ_RESTARTS 2
+#define REQ_PHASE_ACCESS 0
+#define REQ_PHASE_SELINUX 1
 
 struct be_req {
     struct be_client *becli;
@@ -143,6 +145,12 @@ struct be_req {
 
     int restarts;
 
+    /* This is utilized in access provider
+     * request handling to indicate if access or
+     * selinux provider is calling the callback.
+     */
+    int phase;
+
     struct sss_domain_info *domain;
     struct sysdb_ctx *sysdb;
 };
|
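Review bot: The `goto done;` taken when be_file_request() fails in the new SSS_PAM_ACCT_MGMT branch skips the whole reply path, so if `done:` (outside this hunk) only frees the request as it appears to, the PAM responder never receives an answer for this account-management request and has to wait for a timeout instead of getting a definite result. For an access decision the safer outcome is to fail closed with an explicit error: replace the `goto done;` with `pd->pam_status = PAM_SYSTEM_ERR;` and let the code fall through to the existing `DEBUG(4, ("Sending result ...` / `dp_pack_pam_response` sequence, so the failure is reported to the client rather than dropped silently. Note also that the SELinux provider is dispatched whenever `dp_err_type == DP_ERR_OK`, irrespective of `pd->pam_status`, so it also runs for users the access provider has just denied; if that is intended, a comment such as `/* SELinux rules are resolved even for denied users; pd->pam_status keeps the access result */` at the `if` would make it clear. be_pam_handler_callback's body continues outside the hunk on both sides.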
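Review bot: The new `int phase` field is only assigned in the SSS_PAM_ACCT_MGMT case of be_pam_handler (data_provider_be.c), so every other be_req relies on REQ_PHASE_ACCESS being 0 and on the allocation site zero-filling the struct, which is not visible here; the comment added on the field says neither who sets it nor for which commands it is meaningful. I would make the states a named type in the first hunk, `enum be_req_phase { REQ_PHASE_ACCESS = 0, REQ_PHASE_SELINUX };`, declare the field as `enum be_req_phase phase;`, and extend the comment to say that it is only meaningful for SSS_PAM_ACCT_MGMT requests, is set to REQ_PHASE_ACCESS by be_pam_handler, and is advanced to REQ_PHASE_SELINUX by be_pam_handler_callback before the SELinux provider is invoked, so that a second callback does not dispatch the provider again. This applies to both hunks of dp_backend.h.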