authorrwatson <rwatson@FreeBSD.org>2002-10-23 03:17:22 +0000
committerrwatson <rwatson@FreeBSD.org>2002-10-23 03:17:22 +0000
commit7b9f8f277bf2b3ee0ff52374c50ca8e380c1f095 (patch)
tree1567e6a109bf117650371bf67a377dd3995f0716 /lib/libutil
parenteedc3508bce4879b897c9c8e33634f7a6ffc5525 (diff)
If LOGIN_SETMAC is set and MAC is enabled in the kernel, then see
if the user has a 'label' entry in their login class. If so, attempt to set that label on the process as part of the credential setup. If we're unable to parse the label, or unable to set the label, fail. In the future, we may also want to warn if a label is set but the kernel doesn't support MAC. Approved by: re Obtained from: TrustedBSD Project Sponsored by: DARPA, Network Associates Laboratories
Diffstat (limited to 'lib/libutil')
-rw-r--r--lib/libutil/login_class.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
index 3930c03..219db58 100644
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
#include <login_cap.h>
#include <paths.h>
#include <sys/rtprio.h>
+#include <sys/mac.h>
static struct login_res {
@@ -317,6 +318,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
#ifndef __NETBSD_SYSCALLS
struct rtprio rtp;
#endif
+ int error;
if (lc == NULL) {
if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL)
@@ -374,6 +376,31 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
}
}
+ /* Set up the user's MAC label. */
+ if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
+ const char *label_string;
+ mac_t label;
+
+ label_string = login_getcapstr(lc, "label", NULL, NULL);
+ if (label_string != NULL) {
+ if (mac_from_text(&label, label_string) == -1) {
+ syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
+ pwd->pw_name, label_string);
+ return -1;
+ }
+ if (mac_set_proc(label) == -1)
+ error = errno;
+ else
+ error = 0;
+ mac_free(label);
+ if (error != 0) {
+ syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
+ label_string, pwd->pw_name, strerror(error));
+ return -1;
+ }
+ }
+ }
+
/* Set the sessions login */
if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
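Review bot: The `mac_from_text` failure message passes its arguments in the wrong order: the format `"mac_from_text('%s') for %s: %m"` is given `pwd->pw_name, label_string`, so the log records the user name as the label and the label as the user. Swapping them to `label_string, pwd->pw_name` would match the `mac_set_proc` message a few lines below and keep the record of a failed label assignment accurate. Both new error paths also dereference `pwd`, which the top of this function treats as possibly NULL (`pwd != NULL &&`). Whether `LOGIN_SETMAC` is masked off when `pwd` is NULL is not visible in this hunk, so that is worth confirming. The body of `setusercontext` starts and ends outside the hunk.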