
Unifdef parser support for SELinux, AppArmor and Solaris privileges.

Todd C. Miller 2024-05-01 08:04:00 -06:00
parent 38b98b4174
commit 389c8550c9
17 changed files with 267 additions and 524 deletions


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1993-1996,1998-2005, 2007-2018 * Copyright (c) 1993-1996,1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -139,16 +139,9 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid && if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid &&
(ctx->runas.gr == NULL || (ctx->runas.gr == NULL ||
user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) { user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) {
#ifdef HAVE_SELINUX if (ctx->runas.role == NULL && ctx->runas.type == NULL &&
if (ctx->runas.role == NULL && ctx->runas.type == NULL) ctx->runas.apparmor_profile == NULL &&
#endif ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL) {
#ifdef HAVE_APPARMOR
if (ctx->runas.apparmor_profile == NULL)
#endif
#ifdef HAVE_PRIV_SET
if (ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL)
#endif
{
sudo_debug_printf(SUDO_DEBUG_INFO, sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: user running command as self", __func__); "%s: user running command as self", __func__);
ret = AUTH_SUCCESS; ret = AUTH_SUCCESS;
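Review bot: The merged `if` in check_user now gates the run-as-self shortcut on all five confinement fields of ctx->runas unconditionally, so an explicit ROLE=, TYPE=, APPARMOR_PROFILE=, PRIVS= or LIMITPRIVS= setting falls through to the normal policy lookup (below, not visible here) even on a build without the matching kernel support, but nothing in the function says why those fields belong in this test. Suggest a comment above the condition: `/* Any requested confinement (SELinux role/type, AppArmor profile, Solaris privs) disables the run-as-self shortcut, even when this build cannot apply it. */`. What a non-supporting build does with a stored role/type at execution time is not visible in this hunk and should be confirmed where the command is run. check_user begins and ends outside the hunk.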


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2021-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2021-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -574,24 +574,19 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
need_comma = true; need_comma = true;
} }
#ifdef HAVE_SELINUX
/* Print SELinux role/type */ /* Print SELinux role/type */
if (cs->role != NULL && cs->type != NULL) { if (cs->role != NULL && cs->type != NULL) {
fprintf(fp, "%srole=%s,type=%s", need_comma ? "," : "", fprintf(fp, "%srole=%s,type=%s", need_comma ? "," : "",
cs->role, cs->type); cs->role, cs->type);
need_comma = true; need_comma = true;
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL) { if (cs->apparmor_profile != NULL) {
fprintf(fp, "%sapparmor_profile=%s,", need_comma ? "," : "", fprintf(fp, "%sapparmor_profile=%s,", need_comma ? "," : "",
cs->apparmor_profile); cs->apparmor_profile);
need_comma = true; need_comma = true;
} }
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* Print Solaris privs/limitprivs */ /* Print Solaris privs/limitprivs */
if (cs->privs != NULL || cs->limitprivs != NULL) { if (cs->privs != NULL || cs->limitprivs != NULL) {
if (cs->privs != NULL) { if (cs->privs != NULL) {
@ -603,7 +598,6 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
need_comma = true; need_comma = true;
} }
} }
#endif /* HAVE_PRIV_SET */
#ifdef __clang_analyzer__ #ifdef __clang_analyzer__
(void)&need_comma; (void)&need_comma;
#endif #endif
@ -620,15 +614,9 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
/* XXX - TAG_SET does not account for implied SETENV */ /* XXX - TAG_SET does not account for implied SETENV */
last_one = next == NULL || last_one = next == NULL ||
RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags) RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags)
#ifdef HAVE_PRIV_SET
|| cs->privs != next->privs || cs->limitprivs != next->limitprivs || cs->privs != next->privs || cs->limitprivs != next->limitprivs
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
|| cs->role != next->role || cs->type != next->type || cs->role != next->role || cs->type != next->type
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
|| cs->apparmor_profile != next->apparmor_profile || cs->apparmor_profile != next->apparmor_profile
#endif /* HAVE_APPARMOR */
|| cs->runchroot != next->runchroot || cs->runcwd != next->runcwd; || cs->runchroot != next->runchroot || cs->runcwd != next->runcwd;
if (!quoted && !last_one) { if (!quoted && !last_one) {
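Review bot: The format string on the apparmor_profile line in print_cmndspec_csv, `"%sapparmor_profile=%s,"`, ends in a comma and is followed by `need_comma = true`, so a following option is emitted as `,,privs=...` and a trailing profile leaves a stray comma at the end of the field; the role/type and privs branches in the same hunk use only the separator-prefix convention. Now that the block compiles on every platform the extra comma reaches all CSV output that carries an AppArmor profile. Change it to `fprintf(fp, "%sapparmor_profile=%s", need_comma ? "," : "", cs->apparmor_profile);`. The enclosing function extends beyond this hunk.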


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2013-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2013-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -667,15 +667,9 @@ cmndspec_continues(struct cmndspec *cs, struct cmndspec *next)
{ {
bool ret = next != NULL && bool ret = next != NULL &&
!RUNAS_CHANGED(cs, next) && !TAGS_CHANGED(cs->tags, next->tags) !RUNAS_CHANGED(cs, next) && !TAGS_CHANGED(cs->tags, next->tags)
#ifdef HAVE_PRIV_SET
&& cs->privs == next->privs && cs->limitprivs == next->limitprivs && cs->privs == next->privs && cs->limitprivs == next->limitprivs
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
&& cs->role == next->role && cs->type == next->type && cs->role == next->role && cs->type == next->type
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
&& cs->apparmor_profile == next->apparmor_profile && cs->apparmor_profile == next->apparmor_profile
#endif /* HAVE_APPARMOR */
&& cs->runchroot == next->runchroot && cs->runcwd == next->runcwd; && cs->runchroot == next->runchroot && cs->runcwd == next->runcwd;
return ret; return ret;
} }
@ -734,19 +728,9 @@ print_cmndspec_json(struct json_container *jsonc,
/* Print options and tags */ /* Print options and tags */
has_options = TAGS_SET(cs->tags) || !TAILQ_EMPTY(options) || has_options = TAGS_SET(cs->tags) || !TAILQ_EMPTY(options) ||
cs->timeout > 0 || cs->notbefore != UNSPEC || cs->notafter != UNSPEC || cs->timeout > 0 || cs->notbefore != UNSPEC || cs->notafter != UNSPEC ||
cs->runchroot != NULL || cs->runcwd != NULL; cs->runchroot != NULL || cs->runcwd != NULL ||
#ifdef HAVE_SELINUX (cs->role != NULL && cs->type != NULL) || cs->apparmor_profile != NULL
if (cs->role != NULL && cs->type != NULL) || cs->privs != NULL || cs->limitprivs != NULL;
has_options = true;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL)
has_options = true;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL || cs->limitprivs != NULL)
has_options = true;
#endif /* HAVE_PRIV_SET */
if (has_options) { if (has_options) {
struct cmndtag tag = cs->tags; struct cmndtag tag = cs->tags;
@ -873,7 +857,6 @@ print_cmndspec_json(struct json_container *jsonc,
goto oom; goto oom;
} }
} }
#ifdef HAVE_SELINUX
if (cs->role != NULL && cs->type != NULL) { if (cs->role != NULL && cs->type != NULL) {
value.type = JSON_STRING; value.type = JSON_STRING;
value.u.string = cs->role; value.u.string = cs->role;
@ -883,16 +866,12 @@ print_cmndspec_json(struct json_container *jsonc,
if (!sudo_json_add_value_as_object(jsonc, "type", &value)) if (!sudo_json_add_value_as_object(jsonc, "type", &value))
goto oom; goto oom;
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL) { if (cs->apparmor_profile != NULL) {
value.type = JSON_STRING; value.type = JSON_STRING;
value.u.string = cs->apparmor_profile; value.u.string = cs->apparmor_profile;
if (!sudo_json_add_value_as_object(jsonc, "apparmor_profile", &value)) if (!sudo_json_add_value_as_object(jsonc, "apparmor_profile", &value))
goto oom; goto oom;
} }
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL) { if (cs->privs != NULL) {
value.type = JSON_STRING; value.type = JSON_STRING;
value.u.string = cs->privs; value.u.string = cs->privs;
@ -905,7 +884,6 @@ print_cmndspec_json(struct json_container *jsonc,
if (!sudo_json_add_value_as_object(jsonc, "limitprivs", &value)) if (!sudo_json_add_value_as_object(jsonc, "limitprivs", &value))
goto oom; goto oom;
} }
#endif /* HAVE_PRIV_SET */
if (!sudo_json_close_array(jsonc)) if (!sudo_json_close_array(jsonc))
goto oom; goto oom;
} }
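Review bot: cmndspec_continues compares role, type, apparmor_profile, privs and limitprivs by pointer identity rather than strcmp, which only merges correctly because the grammar propagates the previous cmndspec's pointers into an entry that sets none of its own (visible in the gram.y cmndspeclist hunk further down this page); nothing in the function records that dependency. Suggest `/* Pointer comparison is intentional: adjacent cmndspecs share these pointers via propagation in the parser. */` above the `bool ret = ...` line. cmndspec_equivalent in cvtsudoers_merge.c uses strcmp for the same fields, so a reader comparing the two needs the note to see why both are correct.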


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2018-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2018-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -492,7 +492,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
} }
} }
#ifdef HAVE_SELINUX
/* Print SELinux role/type */ /* Print SELinux role/type */
if (cs->role != NULL && cs->type != NULL) { if (cs->role != NULL && cs->type != NULL) {
if (!printf_attribute_ldif(fp, "sudoOption", "role=%s", cs->role) || if (!printf_attribute_ldif(fp, "sudoOption", "role=%s", cs->role) ||
@ -500,9 +499,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
debug_return_bool(false); debug_return_bool(false);
} }
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* Print AppArmor profile */ /* Print AppArmor profile */
if (cs->apparmor_profile != NULL) { if (cs->apparmor_profile != NULL) {
if (!printf_attribute_ldif(fp, "sudoOption", "apparmor_profile=%s", if (!printf_attribute_ldif(fp, "sudoOption", "apparmor_profile=%s",
@ -510,9 +507,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
debug_return_bool(false); debug_return_bool(false);
} }
} }
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* Print Solaris privs/limitprivs */ /* Print Solaris privs/limitprivs */
if (cs->privs != NULL || cs->limitprivs != NULL) { if (cs->privs != NULL || cs->limitprivs != NULL) {
if (cs->privs != NULL) { if (cs->privs != NULL) {
@ -528,7 +523,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
} }
} }
} }
#endif /* HAVE_PRIV_SET */
/* /*
* Merge adjacent commands with matching tags, runas, SELinux * Merge adjacent commands with matching tags, runas, SELinux
@ -540,12 +534,8 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
/* XXX - TAG_SET does not account for implied SETENV */ /* XXX - TAG_SET does not account for implied SETENV */
last_one = next == NULL || last_one = next == NULL ||
RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags) RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags)
#ifdef HAVE_PRIV_SET
|| cs->privs != next->privs || cs->limitprivs != next->limitprivs || cs->privs != next->privs || cs->limitprivs != next->limitprivs
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
|| cs->role != next->role || cs->type != next->type || cs->role != next->role || cs->type != next->type
#endif /* HAVE_SELINUX */
|| cs->runchroot != next->runchroot || cs->runcwd != next->runcwd; || cs->runchroot != next->runchroot || cs->runcwd != next->runcwd;
if (!print_member_ldif(fp, parse_tree, cs->cmnd->name, cs->cmnd->type, if (!print_member_ldif(fp, parse_tree, cs->cmnd->name, cs->cmnd->type,
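Review bot: The `last_one` expression in print_cmndspec_ldif compares privs/limitprivs, role/type, runchroot and runcwd between adjacent entries but omits apparmor_profile, whereas the equivalent expression in print_cmndspec_csv (earlier on this page) includes `cs->apparmor_profile != next->apparmor_profile`; two adjacent commands that differ only in AppArmor profile are therefore treated as mergeable here. This predates the commit on AppArmor builds, and the unifdef makes the asymmetry between the two output formats plain. Add `|| cs->apparmor_profile != next->apparmor_profile` next to the role/type comparison and extend the "Merge adjacent commands..." comment above to mention the AppArmor profile. The enclosing function continues past the hunk.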


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2021-2022 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2021-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -1008,7 +1008,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
} else if (cs1->runchroot != cs2->runchroot) { } else if (cs1->runchroot != cs2->runchroot) {
debug_return_bool(false); debug_return_bool(false);
} }
#ifdef HAVE_SELINUX
if (cs1->role != NULL && cs2->role != NULL) { if (cs1->role != NULL && cs2->role != NULL) {
if (strcmp(cs1->role, cs2->role) != 0) if (strcmp(cs1->role, cs2->role) != 0)
debug_return_bool(false); debug_return_bool(false);
@ -1021,16 +1020,12 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
} else if (cs1->type != cs2->type) { } else if (cs1->type != cs2->type) {
debug_return_bool(false); debug_return_bool(false);
} }
#endif
#ifdef HAVE_APPARMOR
if (cs1->apparmor_profile != NULL && cs2->apparmor_profile != NULL) { if (cs1->apparmor_profile != NULL && cs2->apparmor_profile != NULL) {
if (strcmp(cs1->apparmor_profile, cs2->apparmor_profile) != 0) if (strcmp(cs1->apparmor_profile, cs2->apparmor_profile) != 0)
debug_return_bool(false); debug_return_bool(false);
} else if (cs1->apparmor_profile != cs2->apparmor_profile) { } else if (cs1->apparmor_profile != cs2->apparmor_profile) {
debug_return_bool(false); debug_return_bool(false);
} }
#endif
#ifdef HAVE_PRIV_SET
if (cs1->privs != NULL && cs2->privs != NULL) { if (cs1->privs != NULL && cs2->privs != NULL) {
if (strcmp(cs1->privs, cs2->privs) != 0) if (strcmp(cs1->privs, cs2->privs) != 0)
debug_return_bool(false); debug_return_bool(false);
@ -1043,7 +1038,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
} else if (cs1->limitprivs != cs2->limitprivs) { } else if (cs1->limitprivs != cs2->limitprivs) {
debug_return_bool(false); debug_return_bool(false);
} }
#endif
debug_return_bool(true); debug_return_bool(true);
} }
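Review bot: cmndspec_equivalent repeats the same null-aware string comparison five times (role, type, apparmor_profile, privs, limitprivs), each as a two-branch `if`/`else if` pair, now that the #ifdef separators between them are gone. A small static helper that returns true when both pointers are NULL or both are set and strcmp-equal expresses the contract once and keeps the five checks on adjacent lines; behaviour is unchanged. The start of cmndspec_equivalent is outside the hunk.

```c
/* True when both strings are NULL, or both are set and equal. */
static bool
str_equal_or_both_null(const char *a, const char *b)
{
    if (a != NULL && b != NULL)
	return strcmp(a, b) == 0;
    return a == b;
}

/* … unchanged: cmndspec_equivalent up to the runchroot check … */
    if (!str_equal_or_both_null(cs1->role, cs2->role) ||
	!str_equal_or_both_null(cs1->type, cs2->type) ||
	!str_equal_or_both_null(cs1->apparmor_profile, cs2->apparmor_profile) ||
	!str_equal_or_both_null(cs1->privs, cs2->privs) ||
	!str_equal_or_both_null(cs1->limitprivs, cs2->limitprivs))
	debug_return_bool(false);
    debug_return_bool(true);
}
```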


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -112,22 +112,16 @@ new_long_entry(const struct cmndspec *cs, const struct cmndspec *prev_cs)
debug_return_bool(true); debug_return_bool(true);
if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags)) if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
debug_return_bool(true); debug_return_bool(true);
#ifdef HAVE_PRIV_SET
if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0)) if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
debug_return_bool(true); debug_return_bool(true);
if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0)) if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
debug_return_bool(true); debug_return_bool(true);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0)) if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
debug_return_bool(true); debug_return_bool(true);
if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0)) if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
debug_return_bool(true); debug_return_bool(true);
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0)) if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0))
debug_return_bool(true); debug_return_bool(true);
#endif /* HAVE_APPARMOR */
if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0)) if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0))
debug_return_bool(true); debug_return_bool(true);
if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0)) if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0))
@ -211,24 +205,18 @@ display_cmndspec_long(const struct sudoers_parse_tree *parse_tree,
} else { } else {
lbuf->len = olen; /* no options */ lbuf->len = olen; /* no options */
} }
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL) { if (cs->apparmor_profile != NULL) {
sudo_lbuf_append(lbuf, " ApparmorProfile: %s\n", sudo_lbuf_append(lbuf, " ApparmorProfile: %s\n",
cs->apparmor_profile); cs->apparmor_profile);
} }
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL) if (cs->privs != NULL)
sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs); sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs);
if (cs->limitprivs != NULL) if (cs->limitprivs != NULL)
sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs); sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role != NULL) if (cs->role != NULL)
sudo_lbuf_append(lbuf, " Role: %s\n", cs->role); sudo_lbuf_append(lbuf, " Role: %s\n", cs->role);
if (cs->type != NULL) if (cs->type != NULL)
sudo_lbuf_append(lbuf, " Type: %s\n", cs->type); sudo_lbuf_append(lbuf, " Type: %s\n", cs->type);
#endif /* HAVE_SELINUX */
if (cs->runchroot != NULL) if (cs->runchroot != NULL)
sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot); sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot);
if (cs->runcwd != NULL) if (cs->runcwd != NULL)
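Review bot: new_long_entry only forces a new display entry when `cs` has privs, limitprivs, role, type or apparmor_profile set and `prev_cs` either lacks it or differs; the reverse case (prev_cs set, cs NULL) is not checked. That is presumably fine because both the sudoers grammar and the LDAP loader (later on this page) copy unset confinement fields from the previous cmndspec, but the function does not say so. Suggest a comment above the first of these checks: `/* One-directional on purpose: an unset field in cs was propagated from prev_cs, so only a set-and-different field starts a new entry. */`. new_long_entry begins before the hunk.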


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -234,22 +234,16 @@ sudoers_format_cmndspec(struct sudo_lbuf *lbuf,
/* Merge privilege-level tags with cmndspec tags. */ /* Merge privilege-level tags with cmndspec tags. */
TAGS_MERGE(tags, cs->tags); TAGS_MERGE(tags, cs->tags);
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL && FIELD_CHANGED(prev_cs, cs, privs)) if (cs->privs != NULL && FIELD_CHANGED(prev_cs, cs, privs))
sudo_lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs); sudo_lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
if (cs->limitprivs != NULL && FIELD_CHANGED(prev_cs, cs, limitprivs)) if (cs->limitprivs != NULL && FIELD_CHANGED(prev_cs, cs, limitprivs))
sudo_lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs); sudo_lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role != NULL && FIELD_CHANGED(prev_cs, cs, role)) if (cs->role != NULL && FIELD_CHANGED(prev_cs, cs, role))
sudo_lbuf_append(lbuf, "ROLE=%s ", cs->role); sudo_lbuf_append(lbuf, "ROLE=%s ", cs->role);
if (cs->type != NULL && FIELD_CHANGED(prev_cs, cs, type)) if (cs->type != NULL && FIELD_CHANGED(prev_cs, cs, type))
sudo_lbuf_append(lbuf, "TYPE=%s ", cs->type); sudo_lbuf_append(lbuf, "TYPE=%s ", cs->type);
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL && FIELD_CHANGED(prev_cs, cs, apparmor_profile)) if (cs->apparmor_profile != NULL && FIELD_CHANGED(prev_cs, cs, apparmor_profile))
sudo_lbuf_append(lbuf, "APPARMOR_PROFILE=%s ", cs->apparmor_profile); sudo_lbuf_append(lbuf, "APPARMOR_PROFILE=%s ", cs->apparmor_profile);
#endif /* HAVE_APPARMOR */
if (cs->runchroot != NULL && FIELD_CHANGED(prev_cs, cs, runchroot)) if (cs->runchroot != NULL && FIELD_CHANGED(prev_cs, cs, runchroot))
sudo_lbuf_append(lbuf, "CHROOT=%s ", cs->runchroot); sudo_lbuf_append(lbuf, "CHROOT=%s ", cs->runchroot);
if (cs->runcwd != NULL && FIELD_CHANGED(prev_cs, cs, runcwd)) if (cs->runcwd != NULL && FIELD_CHANGED(prev_cs, cs, runcwd))



@ -2,7 +2,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2023 * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2024
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -446,25 +446,19 @@ cmndspeclist : cmndspec
$3->runcwd = prev->runcwd; $3->runcwd = prev->runcwd;
if ($3->runchroot == NULL) if ($3->runchroot == NULL)
$3->runchroot = prev->runchroot; $3->runchroot = prev->runchroot;
#ifdef HAVE_SELINUX
/* propagate role and type */ /* propagate role and type */
if ($3->role == NULL && $3->type == NULL) { if ($3->role == NULL && $3->type == NULL) {
$3->role = prev->role; $3->role = prev->role;
$3->type = prev->type; $3->type = prev->type;
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* propagate apparmor_profile */ /* propagate apparmor_profile */
if ($3->apparmor_profile == NULL) if ($3->apparmor_profile == NULL)
$3->apparmor_profile = prev->apparmor_profile; $3->apparmor_profile = prev->apparmor_profile;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* propagate privs & limitprivs */ /* propagate privs & limitprivs */
if ($3->privs == NULL && $3->limitprivs == NULL) { if ($3->privs == NULL && $3->limitprivs == NULL) {
$3->privs = prev->privs; $3->privs = prev->privs;
$3->limitprivs = prev->limitprivs; $3->limitprivs = prev->limitprivs;
} }
#endif /* HAVE_PRIV_SET */
/* propagate command time restrictions */ /* propagate command time restrictions */
if ($3->notbefore == UNSPEC) if ($3->notbefore == UNSPEC)
$3->notbefore = prev->notbefore; $3->notbefore = prev->notbefore;
@ -537,22 +531,16 @@ cmndspec : runasspec options cmndtag digcmnd {
parser_leak_remove(LEAK_RUNAS, $1); parser_leak_remove(LEAK_RUNAS, $1);
free($1); free($1);
} }
#ifdef HAVE_SELINUX
cs->role = $2.role; cs->role = $2.role;
parser_leak_remove(LEAK_PTR, $2.role); parser_leak_remove(LEAK_PTR, $2.role);
cs->type = $2.type; cs->type = $2.type;
parser_leak_remove(LEAK_PTR, $2.type); parser_leak_remove(LEAK_PTR, $2.type);
#endif
#ifdef HAVE_APPARMOR
cs->apparmor_profile = $2.apparmor_profile; cs->apparmor_profile = $2.apparmor_profile;
parser_leak_remove(LEAK_PTR, $2.apparmor_profile); parser_leak_remove(LEAK_PTR, $2.apparmor_profile);
#endif
#ifdef HAVE_PRIV_SET
cs->privs = $2.privs; cs->privs = $2.privs;
parser_leak_remove(LEAK_PTR, $2.privs); parser_leak_remove(LEAK_PTR, $2.privs);
cs->limitprivs = $2.limitprivs; cs->limitprivs = $2.limitprivs;
parser_leak_remove(LEAK_PTR, $2.limitprivs); parser_leak_remove(LEAK_PTR, $2.limitprivs);
#endif
cs->notbefore = $2.notbefore; cs->notbefore = $2.notbefore;
cs->notafter = $2.notafter; cs->notafter = $2.notafter;
cs->timeout = $2.timeout; cs->timeout = $2.timeout;
@ -868,39 +856,29 @@ options : /* empty */ {
} }
} }
| options rolespec { | options rolespec {
#ifdef HAVE_SELINUX
parser_leak_remove(LEAK_PTR, $$.role); parser_leak_remove(LEAK_PTR, $$.role);
free($$.role); free($$.role);
$$.role = $2; $$.role = $2;
#endif
} }
| options typespec { | options typespec {
#ifdef HAVE_SELINUX
parser_leak_remove(LEAK_PTR, $$.type); parser_leak_remove(LEAK_PTR, $$.type);
free($$.type); free($$.type);
$$.type = $2; $$.type = $2;
#endif
} }
| options apparmor_profilespec { | options apparmor_profilespec {
#ifdef HAVE_APPARMOR
parser_leak_remove(LEAK_PTR, $$.apparmor_profile); parser_leak_remove(LEAK_PTR, $$.apparmor_profile);
free($$.apparmor_profile); free($$.apparmor_profile);
$$.apparmor_profile = $2; $$.apparmor_profile = $2;
#endif
} }
| options privsspec { | options privsspec {
#ifdef HAVE_PRIV_SET
parser_leak_remove(LEAK_PTR, $$.privs); parser_leak_remove(LEAK_PTR, $$.privs);
free($$.privs); free($$.privs);
$$.privs = $2; $$.privs = $2;
#endif
} }
| options limitprivsspec { | options limitprivsspec {
#ifdef HAVE_PRIV_SET
parser_leak_remove(LEAK_PTR, $$.limitprivs); parser_leak_remove(LEAK_PTR, $$.limitprivs);
free($$.limitprivs); free($$.limitprivs);
$$.limitprivs = $2; $$.limitprivs = $2;
#endif
} }
; ;
@ -1593,7 +1571,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl)
(next == NULL || cs->runchroot != next->runchroot)) { (next == NULL || cs->runchroot != next->runchroot)) {
free(cs->runchroot); free(cs->runchroot);
} }
#ifdef HAVE_SELINUX
/* Don't free root/type that are in use by other entries. */ /* Don't free root/type that are in use by other entries. */
if ((prev == NULL || cs->role != prev->role) && if ((prev == NULL || cs->role != prev->role) &&
(next == NULL || cs->role != next->role)) { (next == NULL || cs->role != next->role)) {
@ -1603,8 +1580,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl)
(next == NULL || cs->type != next->type)) { (next == NULL || cs->type != next->type)) {
free(cs->type); free(cs->type);
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET
/* Don't free privs/limitprivs that are in use by other entries. */ /* Don't free privs/limitprivs that are in use by other entries. */
if ((prev == NULL || cs->privs != prev->privs) && if ((prev == NULL || cs->privs != prev->privs) &&
(next == NULL || cs->privs != next->privs)) { (next == NULL || cs->privs != next->privs)) {
@ -1614,7 +1589,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl)
(next == NULL || cs->limitprivs != next->limitprivs)) { (next == NULL || cs->limitprivs != next->limitprivs)) {
free(cs->limitprivs); free(cs->limitprivs);
} }
#endif /* HAVE_PRIV_SET */
/* Don't free user/group lists that are in use by other entries. */ /* Don't free user/group lists that are in use by other entries. */
if (cs->runasuserlist != NULL) { if (cs->runasuserlist != NULL) {
if ((prev == NULL || cs->runasuserlist != prev->runasuserlist) && if ((prev == NULL || cs->runasuserlist != prev->runasuserlist) &&
@ -1641,15 +1615,9 @@ free_cmndspecs(struct cmndspec_list *csl)
{ {
struct member_list *runasuserlist = NULL, *runasgrouplist = NULL; struct member_list *runasuserlist = NULL, *runasgrouplist = NULL;
char *runcwd = NULL, *runchroot = NULL; char *runcwd = NULL, *runchroot = NULL;
#ifdef HAVE_SELINUX
char *role = NULL, *type = NULL; char *role = NULL, *type = NULL;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
char *apparmor_profile = NULL; char *apparmor_profile = NULL;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
char *privs = NULL, *limitprivs = NULL; char *privs = NULL, *limitprivs = NULL;
#endif /* HAVE_PRIV_SET */
struct cmndspec *cs; struct cmndspec *cs;
debug_decl(free_cmndspecs, SUDOERS_DEBUG_PARSER); debug_decl(free_cmndspecs, SUDOERS_DEBUG_PARSER);
@ -1665,7 +1633,6 @@ free_cmndspecs(struct cmndspec_list *csl)
runchroot = cs->runchroot; runchroot = cs->runchroot;
free(cs->runchroot); free(cs->runchroot);
} }
#ifdef HAVE_SELINUX
/* Only free the first instance of a role/type. */ /* Only free the first instance of a role/type. */
if (cs->role != role) { if (cs->role != role) {
role = cs->role; role = cs->role;
@ -1675,15 +1642,11 @@ free_cmndspecs(struct cmndspec_list *csl)
type = cs->type; type = cs->type;
free(cs->type); free(cs->type);
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* Only free the first instance of apparmor_profile. */ /* Only free the first instance of apparmor_profile. */
if (cs->apparmor_profile != apparmor_profile) { if (cs->apparmor_profile != apparmor_profile) {
apparmor_profile = cs->apparmor_profile; apparmor_profile = cs->apparmor_profile;
free(cs->apparmor_profile); free(cs->apparmor_profile);
} }
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* Only free the first instance of privs/limitprivs. */ /* Only free the first instance of privs/limitprivs. */
if (cs->privs != privs) { if (cs->privs != privs) {
privs = cs->privs; privs = cs->privs;
@ -1693,7 +1656,6 @@ free_cmndspecs(struct cmndspec_list *csl)
limitprivs = cs->limitprivs; limitprivs = cs->limitprivs;
free(cs->limitprivs); free(cs->limitprivs);
} }
#endif /* HAVE_PRIV_SET */
/* Only free the first instance of runas user/group lists. */ /* Only free the first instance of runas user/group lists. */
if (cs->runasuserlist && cs->runasuserlist != runasuserlist) { if (cs->runasuserlist && cs->runasuserlist != runasuserlist) {
runasuserlist = cs->runasuserlist; runasuserlist = cs->runasuserlist;
@ -1879,17 +1841,11 @@ init_options(struct command_options *opts)
opts->timeout = UNSPEC; opts->timeout = UNSPEC;
opts->runchroot = NULL; opts->runchroot = NULL;
opts->runcwd = NULL; opts->runcwd = NULL;
#ifdef HAVE_SELINUX
opts->role = NULL; opts->role = NULL;
opts->type = NULL; opts->type = NULL;
#endif opts->apparmor_profile = NULL;
#ifdef HAVE_PRIV_SET
opts->privs = NULL; opts->privs = NULL;
opts->limitprivs = NULL; opts->limitprivs = NULL;
#endif
#ifdef HAVE_APPARMOR
opts->apparmor_profile = NULL;
#endif
} }
uid_t uid_t
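Review bot: The comment in free_cmndspec reads `/* Don't free root/type that are in use by other entries. */` but the code below it frees `cs->role` and `cs->type`; `root` should be `role`. It is also worth a sentence on why the `prev`/`next` pointer-identity tests are sufficient there: the cmndspeclist rule earlier in this file propagates `prev->role`, `prev->type`, `prev->apparmor_profile` and `prev->privs`/`prev->limitprivs` into an entry that sets none of its own, so shared pointers only ever occur between adjacent entries. free_cmndspec starts and ends outside the hunk.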


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2013, 2016, 2018-2018 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2013, 2016, 2018-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* This code is derived from software contributed by Aaron Spangler. * This code is derived from software contributed by Aaron Spangler.
* *
@ -439,17 +439,11 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
cmndspec->timeout = prev_cmndspec->timeout; cmndspec->timeout = prev_cmndspec->timeout;
cmndspec->runchroot = prev_cmndspec->runchroot; cmndspec->runchroot = prev_cmndspec->runchroot;
cmndspec->runcwd = prev_cmndspec->runcwd; cmndspec->runcwd = prev_cmndspec->runcwd;
#ifdef HAVE_SELINUX
cmndspec->role = prev_cmndspec->role; cmndspec->role = prev_cmndspec->role;
cmndspec->type = prev_cmndspec->type; cmndspec->type = prev_cmndspec->type;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
cmndspec->apparmor_profile = prev_cmndspec->apparmor_profile; cmndspec->apparmor_profile = prev_cmndspec->apparmor_profile;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
cmndspec->privs = prev_cmndspec->privs; cmndspec->privs = prev_cmndspec->privs;
cmndspec->limitprivs = prev_cmndspec->limitprivs; cmndspec->limitprivs = prev_cmndspec->limitprivs;
#endif /* HAVE_PRIV_SET */
cmndspec->tags = prev_cmndspec->tags; cmndspec->tags = prev_cmndspec->tags;
if (cmndspec->tags.setenv == IMPLIED) if (cmndspec->tags.setenv == IMPLIED)
cmndspec->tags.setenv = UNSPEC; cmndspec->tags.setenv = UNSPEC;
@ -519,7 +513,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
} }
if ((cmndspec->runcwd = strdup(val)) == NULL) if ((cmndspec->runcwd = strdup(val)) == NULL)
break; break;
#ifdef HAVE_SELINUX
} else if (strcmp(var, "role") == 0 && val != NULL) { } else if (strcmp(var, "role") == 0 && val != NULL) {
if (cmndspec->role != NULL) { if (cmndspec->role != NULL) {
free(cmndspec->role); free(cmndspec->role);
@ -536,8 +529,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
} }
if ((cmndspec->type = strdup(val)) == NULL) if ((cmndspec->type = strdup(val)) == NULL)
break; break;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
} else if (strcmp(var, "apparmor_profile") == 0 && val != NULL) { } else if (strcmp(var, "apparmor_profile") == 0 && val != NULL) {
if (cmndspec->apparmor_profile != NULL) { if (cmndspec->apparmor_profile != NULL) {
free(cmndspec->apparmor_profile); free(cmndspec->apparmor_profile);
@ -546,8 +537,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
} }
if ((cmndspec->apparmor_profile = strdup(val)) == NULL) if ((cmndspec->apparmor_profile = strdup(val)) == NULL)
break; break;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
} else if (strcmp(var, "privs") == 0 && val != NULL) { } else if (strcmp(var, "privs") == 0 && val != NULL) {
if (cmndspec->privs != NULL) { if (cmndspec->privs != NULL) {
free(cmndspec->privs); free(cmndspec->privs);
@ -564,7 +553,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
} }
if ((cmndspec->limitprivs = strdup(val)) == NULL) if ((cmndspec->limitprivs = strdup(val)) == NULL)
break; break;
#endif /* HAVE_PRIV_SET */
} else if (store_options) { } else if (store_options) {
if (!append_default(var, val, op, source, if (!append_default(var, val, op, source,
&priv->defaults)) { &priv->defaults)) {


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -322,7 +322,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER); debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER);
if (cs != NULL) { if (cs != NULL) {
#ifdef HAVE_SELINUX
/* Set role and type if not specified on command line. */ /* Set role and type if not specified on command line. */
if (ctx->runas.role == NULL) { if (ctx->runas.role == NULL) {
if (cs->role != NULL) { if (cs->role != NULL) {
@ -358,8 +357,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
"ctx->runas.type -> %s", ctx->runas.type); "ctx->runas.type -> %s", ctx->runas.type);
} }
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* Set AppArmor profile, if specified */ /* Set AppArmor profile, if specified */
if (cs->apparmor_profile != NULL) { if (cs->apparmor_profile != NULL) {
ctx->runas.apparmor_profile = strdup(cs->apparmor_profile); ctx->runas.apparmor_profile = strdup(cs->apparmor_profile);
@ -376,8 +373,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"ctx->runas.apparmor_profile -> %s", ctx->runas.apparmor_profile); "ctx->runas.apparmor_profile -> %s", ctx->runas.apparmor_profile);
} }
#endif
#ifdef HAVE_PRIV_SET
/* Set Solaris privilege sets */ /* Set Solaris privilege sets */
if (ctx->runas.privs == NULL) { if (ctx->runas.privs == NULL) {
if (cs->privs != NULL) { if (cs->privs != NULL) {
@ -413,7 +408,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
"ctx->runas.limitprivs -> %s", ctx->runas.limitprivs); "ctx->runas.limitprivs -> %s", ctx->runas.limitprivs);
} }
} }
#endif /* HAVE_PRIV_SET */
if (cs->timeout > 0) { if (cs->timeout > 0) {
def_command_timeout = cs->timeout; def_command_timeout = cs->timeout;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
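Review bot: A sudoers rule that names a confinement mechanism the build cannot enforce is now accepted silently: with the HAVE_SELINUX/HAVE_APPARMOR/HAVE_PRIV_SET guards removed, apply_cmndspec copies `cs->role`, `cs->type`, `cs->apparmor_profile`, `cs->privs` and `cs->limitprivs` into `ctx->runas` on every build, and the sudoers_policy_store_result hunk further down hands them to the front end as `selinux_role`/`selinux_type`, `apparmor_profile` and `runas_privs`/`runas_limitprivs` keys, yet nothing in the commit rejects the rule when the corresponding support is absent. If a front end built without that support ignores the key (not visible here), a rule carrying `APPARMOR_PROFILE=...` or `PRIVS=...` would be granted and the command would run without the confinement the administrator wrote down, i.e. the policy fails open where it previously failed to parse. Suggest failing closed at this point with a build-time check per mechanism, along the lines of `#ifndef HAVE_APPARMOR` / `if (cs->apparmor_profile != NULL) { sudo_warnx(U_("AppArmor profiles are not supported on this system")); debug_return_bool(false); }` / `#endif`, mirrored for SELinux and Solaris privileges, assuming a false return is this function's failure convention. The same applies to the lexer change that makes ROLE/TYPE/APPARMOR_PROFILE/PRIVS/LIMITPRIVS keywords on every build, which should be called out in the release notes since an alias previously named e.g. ROLE on a non-SELinux build will stop parsing. apply_cmndspec starts and ends outside the hunk.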


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2000, 2004, 2007-2023 * Copyright (c) 1996, 1998-2000, 2004, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -159,15 +159,9 @@ struct command_options {
int timeout; /* command timeout */ int timeout; /* command timeout */
char *runcwd; /* working directory */ char *runcwd; /* working directory */
char *runchroot; /* root directory */ char *runchroot; /* root directory */
#ifdef HAVE_SELINUX
char *role, *type; /* SELinux role and type */ char *role, *type; /* SELinux role and type */
#endif
#ifdef HAVE_APPARMOR
char *apparmor_profile; /* AppArmor profile */ char *apparmor_profile; /* AppArmor profile */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs; /* Solaris privilege sets */ char *privs, *limitprivs; /* Solaris privilege sets */
#endif
}; };
/* /*
@ -246,15 +240,9 @@ struct cmndspec {
time_t notafter; /* time restriction */ time_t notafter; /* time restriction */
char *runcwd; /* working directory */ char *runcwd; /* working directory */
char *runchroot; /* root directory */ char *runchroot; /* root directory */
#ifdef HAVE_SELINUX
char *role, *type; /* SELinux role and type */ char *role, *type; /* SELinux role and type */
#endif
#ifdef HAVE_APPARMOR
char *apparmor_profile; /* AppArmor profile */ char *apparmor_profile; /* AppArmor profile */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs; /* Solaris privilege sets */ char *privs, *limitprivs; /* Solaris privilege sets */
#endif
}; };
/* /*
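Review bot: Now that `role`/`type`, `apparmor_profile` and `privs`/`limitprivs` are unconditional members of struct command_options and struct cmndspec, their trailing comments should say that the fields are parsed and stored on every build while enforcement still depends on the front end being built with the corresponding support, e.g. `char *role, *type; /* SELinux role and type; set on any build, enforced only with SELinux support */` and likewise for the AppArmor and Solaris privilege fields. The same wording belongs on the matching members in the struct sudoers_runas_context hunk further down, so a reader does not assume a non-NULL value implies confinement was applied.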


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2010-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -317,7 +317,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
goto bad; goto bad;
continue; continue;
} }
#ifdef HAVE_SELINUX
if (MATCHES(*cur, "selinux_role=")) { if (MATCHES(*cur, "selinux_role=")) {
CHECK(*cur, "selinux_role="); CHECK(*cur, "selinux_role=");
free(ctx->runas.role); free(ctx->runas.role);
@ -334,8 +333,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
goto oom; goto oom;
continue; continue;
} }
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (MATCHES(*cur, "apparmor_profile=")) { if (MATCHES(*cur, "apparmor_profile=")) {
CHECK(*cur, "apparmor_profile="); CHECK(*cur, "apparmor_profile=");
free(ctx->runas.apparmor_profile); free(ctx->runas.apparmor_profile);
@ -344,7 +341,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
goto oom; goto oom;
continue; continue;
} }
#endif /* HAVE_APPARMOR */
#ifdef HAVE_BSD_AUTH_H #ifdef HAVE_BSD_AUTH_H
if (MATCHES(*cur, "bsdauth_type=")) { if (MATCHES(*cur, "bsdauth_type=")) {
CHECK(*cur, "bsdauth_type="); CHECK(*cur, "bsdauth_type=");
@ -1040,7 +1036,6 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted,
goto oom; goto oom;
} }
#endif /* HAVE_LOGIN_CAP_H */ #endif /* HAVE_LOGIN_CAP_H */
#ifdef HAVE_SELINUX
if (def_selinux && ctx->runas.role != NULL) { if (def_selinux && ctx->runas.role != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_role", ctx->runas.role)) == NULL) if ((command_info[info_len++] = sudo_new_key_val("selinux_role", ctx->runas.role)) == NULL)
goto oom; goto oom;
@ -1049,14 +1044,10 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted,
if ((command_info[info_len++] = sudo_new_key_val("selinux_type", ctx->runas.type)) == NULL) if ((command_info[info_len++] = sudo_new_key_val("selinux_type", ctx->runas.type)) == NULL)
goto oom; goto oom;
} }
#endif /* HAVE_SELINUX */ if (ctx->runas.apparmor_profile != NULL) {
#ifdef HAVE_APPARMOR if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", ctx->runas.apparmor_profile)) == NULL)
if (ctx->runas.apparmor_profile != NULL) { goto oom;
if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", ctx->runas.apparmor_profile)) == NULL) }
goto oom;
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (ctx->runas.privs != NULL) { if (ctx->runas.privs != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("runas_privs", ctx->runas.privs)) == NULL) if ((command_info[info_len++] = sudo_new_key_val("runas_privs", ctx->runas.privs)) == NULL)
goto oom; goto oom;
@ -1065,7 +1056,6 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted,
if ((command_info[info_len++] = sudo_new_key_val("runas_limitprivs", ctx->runas.limitprivs)) == NULL) if ((command_info[info_len++] = sudo_new_key_val("runas_limitprivs", ctx->runas.limitprivs)) == NULL)
goto oom; goto oom;
} }
#endif /* HAVE_PRIV_SET */
/* Set command start time (monotonic) for the first accepted command. */ /* Set command start time (monotonic) for the first accepted command. */
if (accepted && !ISSET(ctx->mode, MODE_POLICY_INTERCEPTED)) { if (accepted && !ISSET(ctx->mode, MODE_POLICY_INTERCEPTED)) {


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1993-1996, 1998-2005, 2007-2023 * Copyright (c) 1993-1996, 1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -174,17 +174,11 @@ struct sudoers_runas_context {
char *host; char *host;
char *shost; char *shost;
char *user; char *user;
#ifdef HAVE_SELINUX
char *role; char *role;
char *type; char *type;
#endif
#ifdef HAVE_APPARMOR
char *apparmor_profile; char *apparmor_profile;
#endif
#ifdef HAVE_PRIV_SET
char *privs; char *privs;
char *limitprivs; char *limitprivs;
#endif
}; };
/* /*


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2023-2024 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@ -73,17 +73,11 @@ sudoers_ctx_free(struct sudoers_context *ctx)
if (ctx->runas.shost != ctx->runas.host) if (ctx->runas.shost != ctx->runas.host)
free(ctx->runas.shost); free(ctx->runas.shost);
free(ctx->runas.host); free(ctx->runas.host);
#ifdef HAVE_SELINUX
free(ctx->runas.role); free(ctx->runas.role);
free(ctx->runas.type); free(ctx->runas.type);
#endif
#ifdef HAVE_APPARMOR
free(ctx->runas.apparmor_profile); free(ctx->runas.apparmor_profile);
#endif
#ifdef HAVE_PRIV_SET
free(ctx->runas.privs); free(ctx->runas.privs);
free(ctx->runas.limitprivs); free(ctx->runas.limitprivs);
#endif
/* Free dynamic contents of ctx. */ /* Free dynamic contents of ctx. */
free(ctx->source); free(ctx->source);


@ -3262,7 +3262,7 @@ char *yytext;
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2005, 2007-2023 * Copyright (c) 1996, 1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -4359,67 +4359,46 @@ case 59:
YY_RULE_SETUP YY_RULE_SETUP
#line 660 "toke.l" #line 660 "toke.l"
{ {
#ifdef HAVE_SELINUX
LEXTRACE("ROLE "); LEXTRACE("ROLE ");
return ROLE; return ROLE;
#else
goto got_alias;
#endif
} }
YY_BREAK YY_BREAK
case 60: case 60:
YY_RULE_SETUP YY_RULE_SETUP
#line 669 "toke.l" #line 665 "toke.l"
{ {
#ifdef HAVE_SELINUX
LEXTRACE("TYPE "); LEXTRACE("TYPE ");
return TYPE; return TYPE;
#else
goto got_alias;
#endif
} }
YY_BREAK YY_BREAK
case 61: case 61:
YY_RULE_SETUP YY_RULE_SETUP
#line 677 "toke.l" #line 669 "toke.l"
{ {
#ifdef HAVE_APPARMOR
LEXTRACE("APPARMOR_PROFILE "); LEXTRACE("APPARMOR_PROFILE ");
return APPARMOR_PROFILE; return APPARMOR_PROFILE;
#else
goto got_alias;
#endif
} }
YY_BREAK YY_BREAK
case 62: case 62:
YY_RULE_SETUP YY_RULE_SETUP
#line 685 "toke.l" #line 673 "toke.l"
{ {
#ifdef HAVE_PRIV_SET
LEXTRACE("PRIVS "); LEXTRACE("PRIVS ");
return PRIVS; return PRIVS;
#else
goto got_alias;
#endif
} }
YY_BREAK YY_BREAK
case 63: case 63:
YY_RULE_SETUP YY_RULE_SETUP
#line 694 "toke.l" #line 678 "toke.l"
{ {
#ifdef HAVE_PRIV_SET
LEXTRACE("LIMITPRIVS "); LEXTRACE("LIMITPRIVS ");
return LIMITPRIVS; return LIMITPRIVS;
#else
goto got_alias;
#endif
} }
YY_BREAK YY_BREAK
case 64: case 64:
YY_RULE_SETUP YY_RULE_SETUP
#line 703 "toke.l" #line 683 "toke.l"
{ {
got_alias:
if (!fill(sudoerstext, sudoersleng)) if (!fill(sudoerstext, sudoersleng))
yyterminate(); yyterminate();
LEXTRACE("ALIAS "); LEXTRACE("ALIAS ");
@ -4428,7 +4407,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 65: case 65:
YY_RULE_SETUP YY_RULE_SETUP
#line 711 "toke.l" #line 690 "toke.l"
{ {
/* XXX - no way to specify digest for command */ /* XXX - no way to specify digest for command */
/* no command args allowed for Defaults!/path */ /* no command args allowed for Defaults!/path */
@ -4440,7 +4419,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 66: case 66:
YY_RULE_SETUP YY_RULE_SETUP
#line 720 "toke.l" #line 699 "toke.l"
{ {
digest_type = SUDO_DIGEST_SHA224; digest_type = SUDO_DIGEST_SHA224;
BEGIN WANTDIGEST; BEGIN WANTDIGEST;
@ -4450,7 +4429,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 67: case 67:
YY_RULE_SETUP YY_RULE_SETUP
#line 727 "toke.l" #line 706 "toke.l"
{ {
digest_type = SUDO_DIGEST_SHA256; digest_type = SUDO_DIGEST_SHA256;
BEGIN WANTDIGEST; BEGIN WANTDIGEST;
@ -4460,7 +4439,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 68: case 68:
YY_RULE_SETUP YY_RULE_SETUP
#line 734 "toke.l" #line 713 "toke.l"
{ {
digest_type = SUDO_DIGEST_SHA384; digest_type = SUDO_DIGEST_SHA384;
BEGIN WANTDIGEST; BEGIN WANTDIGEST;
@ -4470,7 +4449,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 69: case 69:
YY_RULE_SETUP YY_RULE_SETUP
#line 741 "toke.l" #line 720 "toke.l"
{ {
digest_type = SUDO_DIGEST_SHA512; digest_type = SUDO_DIGEST_SHA512;
BEGIN WANTDIGEST; BEGIN WANTDIGEST;
@ -4480,7 +4459,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 70: case 70:
YY_RULE_SETUP YY_RULE_SETUP
#line 748 "toke.l" #line 727 "toke.l"
{ {
BEGIN GOTCMND; BEGIN GOTCMND;
LEXTRACE("COMMAND "); LEXTRACE("COMMAND ");
@ -4490,7 +4469,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 71: case 71:
YY_RULE_SETUP YY_RULE_SETUP
#line 755 "toke.l" #line 734 "toke.l"
{ {
BEGIN prev_state; BEGIN prev_state;
if (!fill(sudoerstext, sudoersleng)) if (!fill(sudoerstext, sudoersleng))
@ -4501,7 +4480,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 72: case 72:
YY_RULE_SETUP YY_RULE_SETUP
#line 763 "toke.l" #line 742 "toke.l"
{ {
/* directories can't have args... */ /* directories can't have args... */
if (sudoerstext[sudoersleng - 1] == '/') { if (sudoerstext[sudoersleng - 1] == '/') {
@ -4518,7 +4497,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 73: case 73:
YY_RULE_SETUP YY_RULE_SETUP
#line 777 "toke.l" #line 756 "toke.l"
{ {
if (sudoers_strict()) { if (sudoers_strict()) {
if (!sudo_regex_compile(NULL, sudoerstext, &sudoers_errstr)) { if (!sudo_regex_compile(NULL, sudoerstext, &sudoers_errstr)) {
@ -4534,7 +4513,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 74: case 74:
YY_RULE_SETUP YY_RULE_SETUP
#line 790 "toke.l" #line 769 "toke.l"
{ {
LEXTRACE("BEGINSTR "); LEXTRACE("BEGINSTR ");
sudoerslval.string = NULL; sudoerslval.string = NULL;
@ -4544,7 +4523,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 75: case 75:
YY_RULE_SETUP YY_RULE_SETUP
#line 797 "toke.l" #line 776 "toke.l"
{ {
/* a word */ /* a word */
if (!fill(sudoerstext, sudoersleng)) if (!fill(sudoerstext, sudoersleng))
@ -4556,7 +4535,7 @@ YY_RULE_SETUP
case 76: case 76:
YY_RULE_SETUP YY_RULE_SETUP
#line 806 "toke.l" #line 785 "toke.l"
{ {
/* include file/directory */ /* include file/directory */
if (!fill(sudoerstext, sudoersleng)) if (!fill(sudoerstext, sudoersleng))
@ -4568,7 +4547,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 77: case 77:
YY_RULE_SETUP YY_RULE_SETUP
#line 815 "toke.l" #line 794 "toke.l"
{ {
LEXTRACE("BEGINSTR "); LEXTRACE("BEGINSTR ");
sudoerslval.string = NULL; sudoerslval.string = NULL;
@ -4579,7 +4558,7 @@ YY_RULE_SETUP
case 78: case 78:
YY_RULE_SETUP YY_RULE_SETUP
#line 823 "toke.l" #line 802 "toke.l"
{ {
LEXTRACE("( "); LEXTRACE("( ");
return '('; return '(';
@ -4587,7 +4566,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 79: case 79:
YY_RULE_SETUP YY_RULE_SETUP
#line 828 "toke.l" #line 807 "toke.l"
{ {
LEXTRACE(") "); LEXTRACE(") ");
return ')'; return ')';
@ -4595,7 +4574,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 80: case 80:
YY_RULE_SETUP YY_RULE_SETUP
#line 833 "toke.l" #line 812 "toke.l"
{ {
LEXTRACE(", "); LEXTRACE(", ");
return ','; return ',';
@ -4603,7 +4582,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 81: case 81:
YY_RULE_SETUP YY_RULE_SETUP
#line 838 "toke.l" #line 817 "toke.l"
{ {
LEXTRACE("= "); LEXTRACE("= ");
return '='; return '=';
@ -4611,7 +4590,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 82: case 82:
YY_RULE_SETUP YY_RULE_SETUP
#line 843 "toke.l" #line 822 "toke.l"
{ {
LEXTRACE(": "); LEXTRACE(": ");
return ':'; return ':';
@ -4619,7 +4598,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 83: case 83:
YY_RULE_SETUP YY_RULE_SETUP
#line 848 "toke.l" #line 827 "toke.l"
{ {
if (sudoersleng & 1) { if (sudoersleng & 1) {
LEXTRACE("!"); LEXTRACE("!");
@ -4630,7 +4609,7 @@ YY_RULE_SETUP
case 84: case 84:
/* rule 84 can match eol */ /* rule 84 can match eol */
YY_RULE_SETUP YY_RULE_SETUP
#line 855 "toke.l" #line 834 "toke.l"
{ {
if (YY_START == INSTR) { if (YY_START == INSTR) {
/* throw away old string */ /* throw away old string */
@ -4652,7 +4631,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 85: case 85:
YY_RULE_SETUP YY_RULE_SETUP
#line 874 "toke.l" #line 853 "toke.l"
{ /* throw away space/tabs */ { /* throw away space/tabs */
sawspace = true; /* but remember for fill_args */ sawspace = true; /* but remember for fill_args */
} }
@ -4660,7 +4639,7 @@ YY_RULE_SETUP
case 86: case 86:
/* rule 86 can match eol */ /* rule 86 can match eol */
YY_RULE_SETUP YY_RULE_SETUP
#line 878 "toke.l" #line 857 "toke.l"
{ {
sawspace = true; /* remember for fill_args */ sawspace = true; /* remember for fill_args */
sudolineno++; sudolineno++;
@ -4670,7 +4649,7 @@ YY_RULE_SETUP
case 87: case 87:
/* rule 87 can match eol */ /* rule 87 can match eol */
YY_RULE_SETUP YY_RULE_SETUP
#line 884 "toke.l" #line 863 "toke.l"
{ {
if (sudoerstext[sudoersleng - 1] == '\n') { if (sudoerstext[sudoersleng - 1] == '\n') {
/* comment ending in a newline */ /* comment ending in a newline */
@ -4688,7 +4667,7 @@ YY_RULE_SETUP
YY_BREAK YY_BREAK
case 88: case 88:
YY_RULE_SETUP YY_RULE_SETUP
#line 899 "toke.l" #line 878 "toke.l"
{ {
LEXTRACE("NOMATCH "); LEXTRACE("NOMATCH ");
return NOMATCH; return NOMATCH;
@ -4704,7 +4683,7 @@ case YY_STATE_EOF(INSTR):
case YY_STATE_EOF(WANTDIGEST): case YY_STATE_EOF(WANTDIGEST):
case YY_STATE_EOF(GOTINC): case YY_STATE_EOF(GOTINC):
case YY_STATE_EOF(EXPECTPATH): case YY_STATE_EOF(EXPECTPATH):
#line 904 "toke.l" #line 883 "toke.l"
{ {
if (!pop_include()) if (!pop_include())
yyterminate(); yyterminate();
@ -4712,10 +4691,10 @@ case YY_STATE_EOF(EXPECTPATH):
YY_BREAK YY_BREAK
case 89: case 89:
YY_RULE_SETUP YY_RULE_SETUP
#line 909 "toke.l" #line 888 "toke.l"
ECHO; ECHO;
YY_BREAK YY_BREAK
#line 4713 "toke.c" #line 4692 "toke.c"
case YY_END_OF_BUFFER: case YY_END_OF_BUFFER:
{ {
@ -5684,7 +5663,7 @@ void yyfree (void * ptr )
#define YYTABLES_NAME "yytables" #define YYTABLES_NAME "yytables"
#line 909 "toke.l" #line 888 "toke.l"
struct path_list { struct path_list {
SLIST_ENTRY(path_list) entries; SLIST_ENTRY(path_list) entries;


@ -2,7 +2,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2005, 2007-2023 * Copyright (c) 1996, 1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -658,50 +658,29 @@ ALL {
} }
<INITIAL>ROLE { <INITIAL>ROLE {
#ifdef HAVE_SELINUX
LEXTRACE("ROLE "); LEXTRACE("ROLE ");
return ROLE; return ROLE;
#else
goto got_alias;
#endif
} }
<INITIAL>TYPE { <INITIAL>TYPE {
#ifdef HAVE_SELINUX
LEXTRACE("TYPE "); LEXTRACE("TYPE ");
return TYPE; return TYPE;
#else
goto got_alias;
#endif
} }
<INITIAL>APPARMOR_PROFILE { <INITIAL>APPARMOR_PROFILE {
#ifdef HAVE_APPARMOR
LEXTRACE("APPARMOR_PROFILE "); LEXTRACE("APPARMOR_PROFILE ");
return APPARMOR_PROFILE; return APPARMOR_PROFILE;
#else
goto got_alias;
#endif
} }
<INITIAL>PRIVS { <INITIAL>PRIVS {
#ifdef HAVE_PRIV_SET
LEXTRACE("PRIVS "); LEXTRACE("PRIVS ");
return PRIVS; return PRIVS;
#else
goto got_alias;
#endif
} }
<INITIAL>LIMITPRIVS { <INITIAL>LIMITPRIVS {
#ifdef HAVE_PRIV_SET
LEXTRACE("LIMITPRIVS "); LEXTRACE("LIMITPRIVS ");
return LIMITPRIVS; return LIMITPRIVS;
#else
goto got_alias;
#endif
} }
[[:upper:]][[:upper:][:digit:]_]* { [[:upper:]][[:upper:][:digit:]_]* {
got_alias:
if (!fill(sudoerstext, sudoersleng)) if (!fill(sudoerstext, sudoersleng))
yyterminate(); yyterminate();
LEXTRACE("ALIAS "); LEXTRACE("ALIAS ");