
Unifdef parser support for SELinux, AppArmor and Solaris privileges.

This commit is contained in:
Todd C. Miller 2024-05-01 08:04:00 -06:00
parent 38b98b4174
commit 389c8550c9
17 changed files with 267 additions and 524 deletions


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1993-1996,1998-2005, 2007-2018
* Copyright (c) 1993-1996,1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
@ -139,16 +139,9 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid &&
(ctx->runas.gr == NULL ||
user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) {
#ifdef HAVE_SELINUX
if (ctx->runas.role == NULL && ctx->runas.type == NULL)
#endif
#ifdef HAVE_APPARMOR
if (ctx->runas.apparmor_profile == NULL)
#endif
#ifdef HAVE_PRIV_SET
if (ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL)
#endif
{
if (ctx->runas.role == NULL && ctx->runas.type == NULL &&
ctx->runas.apparmor_profile == NULL &&
ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL) {
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: user running command as self", __func__);
ret = AUTH_SUCCESS;
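Review bot: The merged condition `if (ctx->runas.role == NULL && ctx->runas.type == NULL && ctx->runas.apparmor_profile == NULL && ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL)` now gates the run-as-self shortcut on five confinement fields that exist on every build, but nothing in the hunk says why they block it, and a later simplification could quietly reopen the path. Suggest a comment above it: `/* Running a command as oneself is only auto-approved when no SELinux role/type, AppArmor profile or Solaris privilege set was requested, since those change what the command may do. */`. check_user begins outside the hunk.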


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2021-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2021-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -574,24 +574,19 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
need_comma = true;
}
#ifdef HAVE_SELINUX
/* Print SELinux role/type */
if (cs->role != NULL && cs->type != NULL) {
fprintf(fp, "%srole=%s,type=%s", need_comma ? "," : "",
cs->role, cs->type);
need_comma = true;
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL) {
fprintf(fp, "%sapparmor_profile=%s,", need_comma ? "," : "",
cs->apparmor_profile);
need_comma = true;
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* Print Solaris privs/limitprivs */
if (cs->privs != NULL || cs->limitprivs != NULL) {
if (cs->privs != NULL) {
@ -603,7 +598,6 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
need_comma = true;
}
}
#endif /* HAVE_PRIV_SET */
#ifdef __clang_analyzer__
(void)&need_comma;
#endif
@ -620,15 +614,9 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
/* XXX - TAG_SET does not account for implied SETENV */
last_one = next == NULL ||
RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags)
#ifdef HAVE_PRIV_SET
|| cs->privs != next->privs || cs->limitprivs != next->limitprivs
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
|| cs->role != next->role || cs->type != next->type
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
|| cs->apparmor_profile != next->apparmor_profile
#endif /* HAVE_APPARMOR */
|| cs->runchroot != next->runchroot || cs->runcwd != next->runcwd;
if (!quoted && !last_one) {
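Review bot: The AppArmor line kept on the new side, `fprintf(fp, "%sapparmor_profile=%s,", need_comma ? "," : "", cs->apparmor_profile);`, writes a trailing comma and then sets `need_comma = true`, so a following privs field yields `apparmor_profile=x,,privs=y` and the record otherwise ends in a dangling `,`; the role/type and privs lines around it leave the separator to `need_comma` alone. The format should be `"%sapparmor_profile=%s"` with no trailing comma. print_cmndspec_csv starts before and continues after this section.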


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2013-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2013-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -667,15 +667,9 @@ cmndspec_continues(struct cmndspec *cs, struct cmndspec *next)
{
bool ret = next != NULL &&
!RUNAS_CHANGED(cs, next) && !TAGS_CHANGED(cs->tags, next->tags)
#ifdef HAVE_PRIV_SET
&& cs->privs == next->privs && cs->limitprivs == next->limitprivs
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
&& cs->role == next->role && cs->type == next->type
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
&& cs->apparmor_profile == next->apparmor_profile
#endif /* HAVE_APPARMOR */
&& cs->runchroot == next->runchroot && cs->runcwd == next->runcwd;
return ret;
}
@ -734,19 +728,9 @@ print_cmndspec_json(struct json_container *jsonc,
/* Print options and tags */
has_options = TAGS_SET(cs->tags) || !TAILQ_EMPTY(options) ||
cs->timeout > 0 || cs->notbefore != UNSPEC || cs->notafter != UNSPEC ||
cs->runchroot != NULL || cs->runcwd != NULL;
#ifdef HAVE_SELINUX
if (cs->role != NULL && cs->type != NULL)
has_options = true;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL)
has_options = true;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL || cs->limitprivs != NULL)
has_options = true;
#endif /* HAVE_PRIV_SET */
cs->runchroot != NULL || cs->runcwd != NULL ||
(cs->role != NULL && cs->type != NULL) || cs->apparmor_profile != NULL
|| cs->privs != NULL || cs->limitprivs != NULL;
if (has_options) {
struct cmndtag tag = cs->tags;
@ -873,7 +857,6 @@ print_cmndspec_json(struct json_container *jsonc,
goto oom;
}
}
#ifdef HAVE_SELINUX
if (cs->role != NULL && cs->type != NULL) {
value.type = JSON_STRING;
value.u.string = cs->role;
@ -883,16 +866,12 @@ print_cmndspec_json(struct json_container *jsonc,
if (!sudo_json_add_value_as_object(jsonc, "type", &value))
goto oom;
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL) {
value.type = JSON_STRING;
value.u.string = cs->apparmor_profile;
if (!sudo_json_add_value_as_object(jsonc, "apparmor_profile", &value))
goto oom;
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL) {
value.type = JSON_STRING;
value.u.string = cs->privs;
@ -905,7 +884,6 @@ print_cmndspec_json(struct json_container *jsonc,
if (!sudo_json_add_value_as_object(jsonc, "limitprivs", &value))
goto oom;
}
#endif /* HAVE_PRIV_SET */
if (!sudo_json_close_array(jsonc))
goto oom;
}
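Review bot: The `if (cs->role != NULL && cs->type != NULL)` guards in the has_options expression and in the option output drop a spec that sets only one of ROLE/TYPE, while the gram.y `options rolespec` / `options typespec` actions on this page store them independently and display.c prints each on its own; the exported JSON then silently loses part of the policy. Unless a one-sided role/type is rejected at parse time (not visible here), each should be emitted when non-NULL: `if (cs->role != NULL) { ... "role" ... }` followed by `if (cs->type != NULL) { ... "type" ... }`, and has_options should use `cs->role != NULL || cs->type != NULL`. print_cmndspec_json continues outside this section.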


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2018-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2018-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -492,7 +492,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
}
}
#ifdef HAVE_SELINUX
/* Print SELinux role/type */
if (cs->role != NULL && cs->type != NULL) {
if (!printf_attribute_ldif(fp, "sudoOption", "role=%s", cs->role) ||
@ -500,9 +499,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
debug_return_bool(false);
}
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* Print AppArmor profile */
if (cs->apparmor_profile != NULL) {
if (!printf_attribute_ldif(fp, "sudoOption", "apparmor_profile=%s",
@ -510,9 +507,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
debug_return_bool(false);
}
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* Print Solaris privs/limitprivs */
if (cs->privs != NULL || cs->limitprivs != NULL) {
if (cs->privs != NULL) {
@ -528,7 +523,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
}
}
}
#endif /* HAVE_PRIV_SET */
/*
* Merge adjacent commands with matching tags, runas, SELinux
@ -540,12 +534,8 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
/* XXX - TAG_SET does not account for implied SETENV */
last_one = next == NULL ||
RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags)
#ifdef HAVE_PRIV_SET
|| cs->privs != next->privs || cs->limitprivs != next->limitprivs
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
|| cs->role != next->role || cs->type != next->type
#endif /* HAVE_SELINUX */
|| cs->runchroot != next->runchroot || cs->runcwd != next->runcwd;
if (!print_member_ldif(fp, parse_tree, cs->cmnd->name, cs->cmnd->type,
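Review bot: The `last_one` test at the end of the section compares privs, role and type but not `cs->apparmor_profile`, whereas the CSV `last_one` and the JSON `cmndspec_continues` on this page both include it; two adjacent specs that differ only in APPARMOR_PROFILE can therefore be folded into one sudoRole that carries only the first profile. Add `|| cs->apparmor_profile != next->apparmor_profile` to the chain, and extend the comment above it ("Merge adjacent commands with matching tags, runas, SELinux") to name AppArmor as well. print_cmndspec_ldif continues past the section, so the merge loop itself is not visible here.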


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2021-2022 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2021-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -1008,7 +1008,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
} else if (cs1->runchroot != cs2->runchroot) {
debug_return_bool(false);
}
#ifdef HAVE_SELINUX
if (cs1->role != NULL && cs2->role != NULL) {
if (strcmp(cs1->role, cs2->role) != 0)
debug_return_bool(false);
@ -1021,16 +1020,12 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
} else if (cs1->type != cs2->type) {
debug_return_bool(false);
}
#endif
#ifdef HAVE_APPARMOR
if (cs1->apparmor_profile != NULL && cs2->apparmor_profile != NULL) {
if (strcmp(cs1->apparmor_profile, cs2->apparmor_profile) != 0)
debug_return_bool(false);
} else if (cs1->apparmor_profile != cs2->apparmor_profile) {
debug_return_bool(false);
}
#endif
#ifdef HAVE_PRIV_SET
if (cs1->privs != NULL && cs2->privs != NULL) {
if (strcmp(cs1->privs, cs2->privs) != 0)
debug_return_bool(false);
@ -1043,7 +1038,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
} else if (cs1->limitprivs != cs2->limitprivs) {
debug_return_bool(false);
}
#endif
debug_return_bool(true);
}


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -112,22 +112,16 @@ new_long_entry(const struct cmndspec *cs, const struct cmndspec *prev_cs)
debug_return_bool(true);
if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
debug_return_bool(true);
#ifdef HAVE_PRIV_SET
if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
debug_return_bool(true);
if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
debug_return_bool(true);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
debug_return_bool(true);
if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
debug_return_bool(true);
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0))
debug_return_bool(true);
#endif /* HAVE_APPARMOR */
if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0))
debug_return_bool(true);
if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0))
@ -211,24 +205,18 @@ display_cmndspec_long(const struct sudoers_parse_tree *parse_tree,
} else {
lbuf->len = olen; /* no options */
}
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL) {
sudo_lbuf_append(lbuf, " ApparmorProfile: %s\n",
cs->apparmor_profile);
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL)
sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs);
if (cs->limitprivs != NULL)
sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role != NULL)
sudo_lbuf_append(lbuf, " Role: %s\n", cs->role);
if (cs->type != NULL)
sudo_lbuf_append(lbuf, " Type: %s\n", cs->type);
#endif /* HAVE_SELINUX */
if (cs->runchroot != NULL)
sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot);
if (cs->runcwd != NULL)


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -234,22 +234,16 @@ sudoers_format_cmndspec(struct sudo_lbuf *lbuf,
/* Merge privilege-level tags with cmndspec tags. */
TAGS_MERGE(tags, cs->tags);
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL && FIELD_CHANGED(prev_cs, cs, privs))
sudo_lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
if (cs->limitprivs != NULL && FIELD_CHANGED(prev_cs, cs, limitprivs))
sudo_lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role != NULL && FIELD_CHANGED(prev_cs, cs, role))
sudo_lbuf_append(lbuf, "ROLE=%s ", cs->role);
if (cs->type != NULL && FIELD_CHANGED(prev_cs, cs, type))
sudo_lbuf_append(lbuf, "TYPE=%s ", cs->type);
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (cs->apparmor_profile != NULL && FIELD_CHANGED(prev_cs, cs, apparmor_profile))
sudo_lbuf_append(lbuf, "APPARMOR_PROFILE=%s ", cs->apparmor_profile);
#endif /* HAVE_APPARMOR */
if (cs->runchroot != NULL && FIELD_CHANGED(prev_cs, cs, runchroot))
sudo_lbuf_append(lbuf, "CHROOT=%s ", cs->runchroot);
if (cs->runcwd != NULL && FIELD_CHANGED(prev_cs, cs, runcwd))



@ -2,7 +2,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2023
* Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2024
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
@ -446,25 +446,19 @@ cmndspeclist : cmndspec
$3->runcwd = prev->runcwd;
if ($3->runchroot == NULL)
$3->runchroot = prev->runchroot;
#ifdef HAVE_SELINUX
/* propagate role and type */
if ($3->role == NULL && $3->type == NULL) {
$3->role = prev->role;
$3->type = prev->type;
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* propagate apparmor_profile */
if ($3->apparmor_profile == NULL)
$3->apparmor_profile = prev->apparmor_profile;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* propagate privs & limitprivs */
if ($3->privs == NULL && $3->limitprivs == NULL) {
$3->privs = prev->privs;
$3->limitprivs = prev->limitprivs;
}
#endif /* HAVE_PRIV_SET */
/* propagate command time restrictions */
if ($3->notbefore == UNSPEC)
$3->notbefore = prev->notbefore;
@ -537,22 +531,16 @@ cmndspec : runasspec options cmndtag digcmnd {
parser_leak_remove(LEAK_RUNAS, $1);
free($1);
}
#ifdef HAVE_SELINUX
cs->role = $2.role;
parser_leak_remove(LEAK_PTR, $2.role);
cs->type = $2.type;
parser_leak_remove(LEAK_PTR, $2.type);
#endif
#ifdef HAVE_APPARMOR
cs->apparmor_profile = $2.apparmor_profile;
parser_leak_remove(LEAK_PTR, $2.apparmor_profile);
#endif
#ifdef HAVE_PRIV_SET
cs->privs = $2.privs;
parser_leak_remove(LEAK_PTR, $2.privs);
cs->limitprivs = $2.limitprivs;
parser_leak_remove(LEAK_PTR, $2.limitprivs);
#endif
cs->notbefore = $2.notbefore;
cs->notafter = $2.notafter;
cs->timeout = $2.timeout;
@ -868,39 +856,29 @@ options : /* empty */ {
}
}
| options rolespec {
#ifdef HAVE_SELINUX
parser_leak_remove(LEAK_PTR, $$.role);
free($$.role);
$$.role = $2;
#endif
}
| options typespec {
#ifdef HAVE_SELINUX
parser_leak_remove(LEAK_PTR, $$.type);
free($$.type);
$$.type = $2;
#endif
}
| options apparmor_profilespec {
#ifdef HAVE_APPARMOR
parser_leak_remove(LEAK_PTR, $$.apparmor_profile);
free($$.apparmor_profile);
$$.apparmor_profile = $2;
#endif
}
| options privsspec {
#ifdef HAVE_PRIV_SET
parser_leak_remove(LEAK_PTR, $$.privs);
free($$.privs);
$$.privs = $2;
#endif
}
| options limitprivsspec {
#ifdef HAVE_PRIV_SET
parser_leak_remove(LEAK_PTR, $$.limitprivs);
free($$.limitprivs);
$$.limitprivs = $2;
#endif
}
;
@ -1593,7 +1571,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl)
(next == NULL || cs->runchroot != next->runchroot)) {
free(cs->runchroot);
}
#ifdef HAVE_SELINUX
/* Don't free root/type that are in use by other entries. */
if ((prev == NULL || cs->role != prev->role) &&
(next == NULL || cs->role != next->role)) {
@ -1603,8 +1580,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl)
(next == NULL || cs->type != next->type)) {
free(cs->type);
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET
/* Don't free privs/limitprivs that are in use by other entries. */
if ((prev == NULL || cs->privs != prev->privs) &&
(next == NULL || cs->privs != next->privs)) {
@ -1614,7 +1589,6 @@ free_cmndspec(struct cmndspec *cs, struct cmndspec_list *csl)
(next == NULL || cs->limitprivs != next->limitprivs)) {
free(cs->limitprivs);
}
#endif /* HAVE_PRIV_SET */
/* Don't free user/group lists that are in use by other entries. */
if (cs->runasuserlist != NULL) {
if ((prev == NULL || cs->runasuserlist != prev->runasuserlist) &&
@ -1641,15 +1615,9 @@ free_cmndspecs(struct cmndspec_list *csl)
{
struct member_list *runasuserlist = NULL, *runasgrouplist = NULL;
char *runcwd = NULL, *runchroot = NULL;
#ifdef HAVE_SELINUX
char *role = NULL, *type = NULL;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
char *apparmor_profile = NULL;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
char *privs = NULL, *limitprivs = NULL;
#endif /* HAVE_PRIV_SET */
struct cmndspec *cs;
debug_decl(free_cmndspecs, SUDOERS_DEBUG_PARSER);
@ -1665,7 +1633,6 @@ free_cmndspecs(struct cmndspec_list *csl)
runchroot = cs->runchroot;
free(cs->runchroot);
}
#ifdef HAVE_SELINUX
/* Only free the first instance of a role/type. */
if (cs->role != role) {
role = cs->role;
@ -1675,15 +1642,11 @@ free_cmndspecs(struct cmndspec_list *csl)
type = cs->type;
free(cs->type);
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* Only free the first instance of apparmor_profile. */
if (cs->apparmor_profile != apparmor_profile) {
apparmor_profile = cs->apparmor_profile;
free(cs->apparmor_profile);
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
/* Only free the first instance of privs/limitprivs. */
if (cs->privs != privs) {
privs = cs->privs;
@ -1693,7 +1656,6 @@ free_cmndspecs(struct cmndspec_list *csl)
limitprivs = cs->limitprivs;
free(cs->limitprivs);
}
#endif /* HAVE_PRIV_SET */
/* Only free the first instance of runas user/group lists. */
if (cs->runasuserlist && cs->runasuserlist != runasuserlist) {
runasuserlist = cs->runasuserlist;
@ -1879,17 +1841,11 @@ init_options(struct command_options *opts)
opts->timeout = UNSPEC;
opts->runchroot = NULL;
opts->runcwd = NULL;
#ifdef HAVE_SELINUX
opts->role = NULL;
opts->type = NULL;
#endif
#ifdef HAVE_PRIV_SET
opts->apparmor_profile = NULL;
opts->privs = NULL;
opts->limitprivs = NULL;
#endif
#ifdef HAVE_APPARMOR
opts->apparmor_profile = NULL;
#endif
}
uid_t
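Review bot: With the `#ifdef` guards gone, the `options rolespec` / `typespec` / `apparmor_profilespec` / `privsspec` / `limitprivsspec` actions store their values on every build, and the toke.l hunk on this page now returns ROLE/TYPE/APPARMOR_PROFILE/PRIVS/LIMITPRIVS instead of falling through to got_alias; a line such as `ROLE=foo` therefore parses cleanly on a build without SELinux, where it would most likely have been rejected as a syntax error, and nothing in these actions records that the requested confinement cannot be applied. Consider a parse-time diagnostic in these actions, an error under `sudoers_strict()` and a warning otherwise, when the option names a mechanism the build was configured without, so the rule fails closed rather than letting the command run unconfined. The change also makes those five upper-case words reserved on all platforms, which breaks any existing sudoers that used them as alias names; that deserves a note in the documentation and changelog. The enclosing grammar actions begin and end outside these hunks.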


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2013, 2016, 2018-2018 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2013, 2016, 2018-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* This code is derived from software contributed by Aaron Spangler.
*
@ -439,17 +439,11 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
cmndspec->timeout = prev_cmndspec->timeout;
cmndspec->runchroot = prev_cmndspec->runchroot;
cmndspec->runcwd = prev_cmndspec->runcwd;
#ifdef HAVE_SELINUX
cmndspec->role = prev_cmndspec->role;
cmndspec->type = prev_cmndspec->type;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
cmndspec->apparmor_profile = prev_cmndspec->apparmor_profile;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
cmndspec->privs = prev_cmndspec->privs;
cmndspec->limitprivs = prev_cmndspec->limitprivs;
#endif /* HAVE_PRIV_SET */
cmndspec->tags = prev_cmndspec->tags;
if (cmndspec->tags.setenv == IMPLIED)
cmndspec->tags.setenv = UNSPEC;
@ -519,7 +513,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
}
if ((cmndspec->runcwd = strdup(val)) == NULL)
break;
#ifdef HAVE_SELINUX
} else if (strcmp(var, "role") == 0 && val != NULL) {
if (cmndspec->role != NULL) {
free(cmndspec->role);
@ -536,8 +529,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
}
if ((cmndspec->type = strdup(val)) == NULL)
break;
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
} else if (strcmp(var, "apparmor_profile") == 0 && val != NULL) {
if (cmndspec->apparmor_profile != NULL) {
free(cmndspec->apparmor_profile);
@ -546,8 +537,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
}
if ((cmndspec->apparmor_profile = strdup(val)) == NULL)
break;
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
} else if (strcmp(var, "privs") == 0 && val != NULL) {
if (cmndspec->privs != NULL) {
free(cmndspec->privs);
@ -564,7 +553,6 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
}
if ((cmndspec->limitprivs = strdup(val)) == NULL)
break;
#endif /* HAVE_PRIV_SET */
} else if (store_options) {
if (!append_default(var, val, op, source,
&priv->defaults)) {


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -322,7 +322,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER);
if (cs != NULL) {
#ifdef HAVE_SELINUX
/* Set role and type if not specified on command line. */
if (ctx->runas.role == NULL) {
if (cs->role != NULL) {
@ -358,8 +357,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
"ctx->runas.type -> %s", ctx->runas.type);
}
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
/* Set AppArmor profile, if specified */
if (cs->apparmor_profile != NULL) {
ctx->runas.apparmor_profile = strdup(cs->apparmor_profile);
@ -376,8 +373,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"ctx->runas.apparmor_profile -> %s", ctx->runas.apparmor_profile);
}
#endif
#ifdef HAVE_PRIV_SET
/* Set Solaris privilege sets */
if (ctx->runas.privs == NULL) {
if (cs->privs != NULL) {
@ -413,7 +408,6 @@ apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
"ctx->runas.limitprivs -> %s", ctx->runas.limitprivs);
}
}
#endif /* HAVE_PRIV_SET */
if (cs->timeout > 0) {
def_command_timeout = cs->timeout;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1996, 1998-2000, 2004, 2007-2023
* Copyright (c) 1996, 1998-2000, 2004, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
@ -159,15 +159,9 @@ struct command_options {
int timeout; /* command timeout */
char *runcwd; /* working directory */
char *runchroot; /* root directory */
#ifdef HAVE_SELINUX
char *role, *type; /* SELinux role and type */
#endif
#ifdef HAVE_APPARMOR
char *apparmor_profile; /* AppArmor profile */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs; /* Solaris privilege sets */
#endif
};
/*
@ -246,15 +240,9 @@ struct cmndspec {
time_t notafter; /* time restriction */
char *runcwd; /* working directory */
char *runchroot; /* root directory */
#ifdef HAVE_SELINUX
char *role, *type; /* SELinux role and type */
#endif
#ifdef HAVE_APPARMOR
char *apparmor_profile; /* AppArmor profile */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs; /* Solaris privilege sets */
#endif
};
/*


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2010-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -317,7 +317,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
goto bad;
continue;
}
#ifdef HAVE_SELINUX
if (MATCHES(*cur, "selinux_role=")) {
CHECK(*cur, "selinux_role=");
free(ctx->runas.role);
@ -334,8 +333,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
goto oom;
continue;
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (MATCHES(*cur, "apparmor_profile=")) {
CHECK(*cur, "apparmor_profile=");
free(ctx->runas.apparmor_profile);
@ -344,7 +341,6 @@ sudoers_policy_deserialize_info(struct sudoers_context *ctx, void *v,
goto oom;
continue;
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_BSD_AUTH_H
if (MATCHES(*cur, "bsdauth_type=")) {
CHECK(*cur, "bsdauth_type=");
@ -1040,7 +1036,6 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted,
goto oom;
}
#endif /* HAVE_LOGIN_CAP_H */
#ifdef HAVE_SELINUX
if (def_selinux && ctx->runas.role != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_role", ctx->runas.role)) == NULL)
goto oom;
@ -1049,14 +1044,10 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted,
if ((command_info[info_len++] = sudo_new_key_val("selinux_type", ctx->runas.type)) == NULL)
goto oom;
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (ctx->runas.apparmor_profile != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", ctx->runas.apparmor_profile)) == NULL)
goto oom;
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (ctx->runas.privs != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("runas_privs", ctx->runas.privs)) == NULL)
goto oom;
@ -1065,7 +1056,6 @@ sudoers_policy_store_result(struct sudoers_context *ctx, bool accepted,
if ((command_info[info_len++] = sudo_new_key_val("runas_limitprivs", ctx->runas.limitprivs)) == NULL)
goto oom;
}
#endif /* HAVE_PRIV_SET */
/* Set command start time (monotonic) for the first accepted command. */
if (accepted && !ISSET(ctx->mode, MODE_POLICY_INTERCEPTED)) {
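Review bot: In sudoers_policy_store_result the `selinux_role` / `selinux_type` entries stay gated on `def_selinux`, but `apparmor_profile`, `runas_privs` and `runas_limitprivs` are now added to command_info unconditionally, including on builds whose front end was configured without AppArmor or privilege sets; whether the front end rejects, ignores or enforces an unexpected key is outside this diff. If it ignores them, a sudoers `APPARMOR_PROFILE=` or `PRIVS=` rule passes policy and the command runs unconfined, so either gate these keys the way the SELinux ones are, or add a comment such as `/* The front end must reject confinement keys it cannot enforce. */` recording the assumption. The same applies to the deserialize side, which now accepts `selinux_role=`/`apparmor_profile=` from the front end on every build. sudoers_policy_store_result continues outside the section.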


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1993-1996, 1998-2005, 2007-2023
* Copyright (c) 1993-1996, 1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
@ -174,17 +174,11 @@ struct sudoers_runas_context {
char *host;
char *shost;
char *user;
#ifdef HAVE_SELINUX
char *role;
char *type;
#endif
#ifdef HAVE_APPARMOR
char *apparmor_profile;
#endif
#ifdef HAVE_PRIV_SET
char *privs;
char *limitprivs;
#endif
};
/*


@ -1,7 +1,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 2023 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2023-2024 Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@ -73,17 +73,11 @@ sudoers_ctx_free(struct sudoers_context *ctx)
if (ctx->runas.shost != ctx->runas.host)
free(ctx->runas.shost);
free(ctx->runas.host);
#ifdef HAVE_SELINUX
free(ctx->runas.role);
free(ctx->runas.type);
#endif
#ifdef HAVE_APPARMOR
free(ctx->runas.apparmor_profile);
#endif
#ifdef HAVE_PRIV_SET
free(ctx->runas.privs);
free(ctx->runas.limitprivs);
#endif
/* Free dynamic contents of ctx. */
free(ctx->source);


@ -3262,7 +3262,7 @@ char *yytext;
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1996, 1998-2005, 2007-2023
* Copyright (c) 1996, 1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
@ -4359,67 +4359,46 @@ case 59:
YY_RULE_SETUP
#line 660 "toke.l"
{
#ifdef HAVE_SELINUX
LEXTRACE("ROLE ");
return ROLE;
#else
goto got_alias;
#endif
}
YY_BREAK
case 60:
YY_RULE_SETUP
#line 669 "toke.l"
#line 665 "toke.l"
{
#ifdef HAVE_SELINUX
LEXTRACE("TYPE ");
return TYPE;
#else
goto got_alias;
#endif
}
YY_BREAK
case 61:
YY_RULE_SETUP
#line 677 "toke.l"
#line 669 "toke.l"
{
#ifdef HAVE_APPARMOR
LEXTRACE("APPARMOR_PROFILE ");
return APPARMOR_PROFILE;
#else
goto got_alias;
#endif
}
YY_BREAK
case 62:
YY_RULE_SETUP
#line 685 "toke.l"
#line 673 "toke.l"
{
#ifdef HAVE_PRIV_SET
LEXTRACE("PRIVS ");
return PRIVS;
#else
goto got_alias;
#endif
}
YY_BREAK
case 63:
YY_RULE_SETUP
#line 694 "toke.l"
#line 678 "toke.l"
{
#ifdef HAVE_PRIV_SET
LEXTRACE("LIMITPRIVS ");
return LIMITPRIVS;
#else
goto got_alias;
#endif
}
YY_BREAK
case 64:
YY_RULE_SETUP
#line 703 "toke.l"
#line 683 "toke.l"
{
got_alias:
if (!fill(sudoerstext, sudoersleng))
yyterminate();
LEXTRACE("ALIAS ");
@ -4428,7 +4407,7 @@ YY_RULE_SETUP
YY_BREAK
case 65:
YY_RULE_SETUP
#line 711 "toke.l"
#line 690 "toke.l"
{
/* XXX - no way to specify digest for command */
/* no command args allowed for Defaults!/path */
@ -4440,7 +4419,7 @@ YY_RULE_SETUP
YY_BREAK
case 66:
YY_RULE_SETUP
#line 720 "toke.l"
#line 699 "toke.l"
{
digest_type = SUDO_DIGEST_SHA224;
BEGIN WANTDIGEST;
@ -4450,7 +4429,7 @@ YY_RULE_SETUP
YY_BREAK
case 67:
YY_RULE_SETUP
#line 727 "toke.l"
#line 706 "toke.l"
{
digest_type = SUDO_DIGEST_SHA256;
BEGIN WANTDIGEST;
@ -4460,7 +4439,7 @@ YY_RULE_SETUP
YY_BREAK
case 68:
YY_RULE_SETUP
#line 734 "toke.l"
#line 713 "toke.l"
{
digest_type = SUDO_DIGEST_SHA384;
BEGIN WANTDIGEST;
@ -4470,7 +4449,7 @@ YY_RULE_SETUP
YY_BREAK
case 69:
YY_RULE_SETUP
#line 741 "toke.l"
#line 720 "toke.l"
{
digest_type = SUDO_DIGEST_SHA512;
BEGIN WANTDIGEST;
@ -4480,7 +4459,7 @@ YY_RULE_SETUP
YY_BREAK
case 70:
YY_RULE_SETUP
#line 748 "toke.l"
#line 727 "toke.l"
{
BEGIN GOTCMND;
LEXTRACE("COMMAND ");
@ -4490,7 +4469,7 @@ YY_RULE_SETUP
YY_BREAK
case 71:
YY_RULE_SETUP
#line 755 "toke.l"
#line 734 "toke.l"
{
BEGIN prev_state;
if (!fill(sudoerstext, sudoersleng))
@ -4501,7 +4480,7 @@ YY_RULE_SETUP
YY_BREAK
case 72:
YY_RULE_SETUP
#line 763 "toke.l"
#line 742 "toke.l"
{
/* directories can't have args... */
if (sudoerstext[sudoersleng - 1] == '/') {
@ -4518,7 +4497,7 @@ YY_RULE_SETUP
YY_BREAK
case 73:
YY_RULE_SETUP
#line 777 "toke.l"
#line 756 "toke.l"
{
if (sudoers_strict()) {
if (!sudo_regex_compile(NULL, sudoerstext, &sudoers_errstr)) {
@ -4534,7 +4513,7 @@ YY_RULE_SETUP
YY_BREAK
case 74:
YY_RULE_SETUP
#line 790 "toke.l"
#line 769 "toke.l"
{
LEXTRACE("BEGINSTR ");
sudoerslval.string = NULL;
@ -4544,7 +4523,7 @@ YY_RULE_SETUP
YY_BREAK
case 75:
YY_RULE_SETUP
#line 797 "toke.l"
#line 776 "toke.l"
{
/* a word */
if (!fill(sudoerstext, sudoersleng))
@ -4556,7 +4535,7 @@ YY_RULE_SETUP
case 76:
YY_RULE_SETUP
#line 806 "toke.l"
#line 785 "toke.l"
{
/* include file/directory */
if (!fill(sudoerstext, sudoersleng))
@ -4568,7 +4547,7 @@ YY_RULE_SETUP
YY_BREAK
case 77:
YY_RULE_SETUP
#line 815 "toke.l"
#line 794 "toke.l"
{
LEXTRACE("BEGINSTR ");
sudoerslval.string = NULL;
@ -4579,7 +4558,7 @@ YY_RULE_SETUP
case 78:
YY_RULE_SETUP
#line 823 "toke.l"
#line 802 "toke.l"
{
LEXTRACE("( ");
return '(';
@ -4587,7 +4566,7 @@ YY_RULE_SETUP
YY_BREAK
case 79:
YY_RULE_SETUP
#line 828 "toke.l"
#line 807 "toke.l"
{
LEXTRACE(") ");
return ')';
@ -4595,7 +4574,7 @@ YY_RULE_SETUP
YY_BREAK
case 80:
YY_RULE_SETUP
#line 833 "toke.l"
#line 812 "toke.l"
{
LEXTRACE(", ");
return ',';
@ -4603,7 +4582,7 @@ YY_RULE_SETUP
YY_BREAK
case 81:
YY_RULE_SETUP
#line 838 "toke.l"
#line 817 "toke.l"
{
LEXTRACE("= ");
return '=';
@ -4611,7 +4590,7 @@ YY_RULE_SETUP
YY_BREAK
case 82:
YY_RULE_SETUP
#line 843 "toke.l"
#line 822 "toke.l"
{
LEXTRACE(": ");
return ':';
@ -4619,7 +4598,7 @@ YY_RULE_SETUP
YY_BREAK
case 83:
YY_RULE_SETUP
#line 848 "toke.l"
#line 827 "toke.l"
{
if (sudoersleng & 1) {
LEXTRACE("!");
@ -4630,7 +4609,7 @@ YY_RULE_SETUP
case 84:
/* rule 84 can match eol */
YY_RULE_SETUP
#line 855 "toke.l"
#line 834 "toke.l"
{
if (YY_START == INSTR) {
/* throw away old string */
@ -4652,7 +4631,7 @@ YY_RULE_SETUP
YY_BREAK
case 85:
YY_RULE_SETUP
#line 874 "toke.l"
#line 853 "toke.l"
{ /* throw away space/tabs */
sawspace = true; /* but remember for fill_args */
}
@ -4660,7 +4639,7 @@ YY_RULE_SETUP
case 86:
/* rule 86 can match eol */
YY_RULE_SETUP
#line 878 "toke.l"
#line 857 "toke.l"
{
sawspace = true; /* remember for fill_args */
sudolineno++;
@ -4670,7 +4649,7 @@ YY_RULE_SETUP
case 87:
/* rule 87 can match eol */
YY_RULE_SETUP
#line 884 "toke.l"
#line 863 "toke.l"
{
if (sudoerstext[sudoersleng - 1] == '\n') {
/* comment ending in a newline */
@ -4688,7 +4667,7 @@ YY_RULE_SETUP
YY_BREAK
case 88:
YY_RULE_SETUP
#line 899 "toke.l"
#line 878 "toke.l"
{
LEXTRACE("NOMATCH ");
return NOMATCH;
@ -4704,7 +4683,7 @@ case YY_STATE_EOF(INSTR):
case YY_STATE_EOF(WANTDIGEST):
case YY_STATE_EOF(GOTINC):
case YY_STATE_EOF(EXPECTPATH):
#line 904 "toke.l"
#line 883 "toke.l"
{
if (!pop_include())
yyterminate();
@ -4712,10 +4691,10 @@ case YY_STATE_EOF(EXPECTPATH):
YY_BREAK
case 89:
YY_RULE_SETUP
#line 909 "toke.l"
#line 888 "toke.l"
ECHO;
YY_BREAK
#line 4713 "toke.c"
#line 4692 "toke.c"
case YY_END_OF_BUFFER:
{
@ -5684,7 +5663,7 @@ void yyfree (void * ptr )
#define YYTABLES_NAME "yytables"
#line 909 "toke.l"
#line 888 "toke.l"
struct path_list {
SLIST_ENTRY(path_list) entries;


@ -2,7 +2,7 @@
/*
* SPDX-License-Identifier: ISC
*
* Copyright (c) 1996, 1998-2005, 2007-2023
* Copyright (c) 1996, 1998-2005, 2007-2024
* Todd C. Miller <Todd.Miller@sudo.ws>
*
* Permission to use, copy, modify, and distribute this software for any
@ -658,50 +658,29 @@ ALL {
}
<INITIAL>ROLE {
#ifdef HAVE_SELINUX
LEXTRACE("ROLE ");
return ROLE;
#else
goto got_alias;
#endif
}
<INITIAL>TYPE {
#ifdef HAVE_SELINUX
LEXTRACE("TYPE ");
return TYPE;
#else
goto got_alias;
#endif
}
<INITIAL>APPARMOR_PROFILE {
#ifdef HAVE_APPARMOR
LEXTRACE("APPARMOR_PROFILE ");
return APPARMOR_PROFILE;
#else
goto got_alias;
#endif
}
<INITIAL>PRIVS {
#ifdef HAVE_PRIV_SET
LEXTRACE("PRIVS ");
return PRIVS;
#else
goto got_alias;
#endif
}
<INITIAL>LIMITPRIVS {
#ifdef HAVE_PRIV_SET
LEXTRACE("LIMITPRIVS ");
return LIMITPRIVS;
#else
goto got_alias;
#endif
}
[[:upper:]][[:upper:][:digit:]_]* {
got_alias:
if (!fill(sudoerstext, sudoersleng))
yyterminate();
LEXTRACE("ALIAS ");