From e9fdd38aa536be354b972b74e4fef8f961e7c73d Mon Sep 17 00:00:00 2001
From: Michael Leibowitz
Date: Thu, 20 Feb 2014 16:49:35 -0800
Subject: [PATCH] Add a pam module to set smack label (PTREL-549)
After some back and forth, this was deemed to be sufficient for now, as other solutions where wrong in an equal number of cases, but where substantially more complicated. Adds a session module that just sets context to "User"
Change-Id: I5a72fee29519d89d6b8ea60cd970d0438a0cb7cd
Signed-off-by: Michael Leibowitz
---
 configure.in | 4 ++++
 modules/Makefile.am | 2 +-
 modules/pam_smack/Makefile.am | 11 +++++++++++
 modules/pam_smack/pam_smack.c | 31 +++++++++++++++++++++++++++++++
 packaging/pam.spec | 2 ++
 5 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 modules/pam_smack/Makefile.am
 create mode 100644 modules/pam_smack/pam_smack.c
diff --git a/configure.in b/configure.in
index ae762a2..2749f0c 100644
--- a/configure.in
+++ b/configure.in
@@ -498,6 +498,9 @@ if test ! -z "$LIBSELINUX" ; then
 LIBS=$BACKUP_LIBS
 fi
+dnl hacks for pam_smack
+PKG_CHECK_MODULES([LIBSMACK], [libsmack])
+
 dnl Checks for header files.
 AC_HEADER_DIRENT
 AC_HEADER_STDC
@@ -625,6 +628,7 @@ AC_CONFIG_FILES([Makefile libpam/Makefile libpamc/Makefile libpamc/test/Makefile
 modules/pam_unix/Makefile modules/pam_userdb/Makefile \
 modules/pam_warn/Makefile modules/pam_wheel/Makefile \
 modules/pam_xauth/Makefile doc/Makefile doc/specs/Makefile \
+ modules/pam_smack/Makefile \
 doc/man/Makefile doc/sag/Makefile doc/adg/Makefile \
 doc/mwg/Makefile examples/Makefile tests/Makefile \
 xtests/Makefile])
diff --git a/modules/Makefile.am b/modules/Makefile.am
index 0c80cea..885a4ad 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
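Review bot: In configure.in the added `PKG_CHECK_MODULES([LIBSMACK], [libsmack])` has no action-if-not-found argument, so configure aborts on any build host without libsmack, whereas the SELinux block visible just above it appears to be conditional on `$LIBSELINUX`. The `pam_smack` entry added to SUBDIRS in modules/Makefile.am is unconditional in the same way. If a hard dependency is not intended, give the check explicit branches, `PKG_CHECK_MODULES([LIBSMACK], [libsmack], [have_smack=yes], [have_smack=no])`, export the result with `AM_CONDITIONAL([HAVE_SMACK], [test "x$have_smack" = xyes])`, and build the subdirectory only under that conditional. If the dependency is intended, replace `dnl hacks for pam_smack` with a comment that says Smack support is mandatory for this package.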
@@ -11,7 +11,7 @@ SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
 pam_selinux pam_sepermit pam_shells pam_stress \
 pam_succeed_if pam_tally pam_tally2 pam_time pam_timestamp \
 pam_tty_audit pam_umask \
- pam_unix pam_userdb pam_warn pam_wheel pam_xauth
+ pam_unix pam_userdb pam_warn pam_wheel pam_xauth pam_smack
 CLEANFILES = *~
diff --git a/modules/pam_smack/Makefile.am b/modules/pam_smack/Makefile.am
new file mode 100644
index 0000000..4a415d9
--- /dev/null
+++ b/modules/pam_smack/Makefile.am
@@ -0,0 +1,11 @@
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include @LIBSMACK_CFLAGS@
+AM_LDFLAGS = -no-undefined -avoid-version -module
+if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+securelib_LTLIBRARIES = pam_smack.la
+pam_smack_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSMACK_LIBS@
+pam_smack_la_SOURCES = pam_smack.c
diff --git a/modules/pam_smack/pam_smack.c b/modules/pam_smack/pam_smack.c
new file mode 100644
index 0000000..4fde36e
--- /dev/null
+++ b/modules/pam_smack/pam_smack.c
@@ -0,0 +1,31 @@
+#define _GNU_SOURCE
+#include
+#include
+
+#define PAM_SM_SESSION
+#include
+#include
+
+
+PAM_EXTERN int
+pam_sm_open_session (pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+ if (smack_smackfs_path ()) {
+ int rc = smack_set_label_for_self ("User");
+ if (rc) {
+ pam_syslog (pamh, LOG_WARNING, "couldn't set label");
+ }
+ }
+
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_close_session (pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_IGNORE;
+}
diff --git a/packaging/pam.spec b/packaging/pam.spec
index c18b282..e7f679b 100644
--- a/packaging/pam.spec
+++ b/packaging/pam.spec
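Review bot: `pam_sm_open_session` in modules/pam_smack/pam_smack.c fails open: when `smack_set_label_for_self ("User")` returns non-zero the only reaction is a LOG_WARNING, and the function still returns PAM_SUCCESS, so on a Smack-enabled system the session proceeds under whatever label the calling service already carries. For a module whose sole job is to move the session to the "User" label, the failure branch should deny the session: `pam_syslog (pamh, LOG_ERR, "couldn't set Smack label \"User\": %d", rc);` followed by `return PAM_SESSION_ERR;`. The label is also applied to the calling process itself, so a service that opens the session in a long-lived parent rather than in the per-user child would presumably relabel that parent. A header comment on the function should state which process is expected to call it, and that `argc`/`argv` are ignored and the label is fixed, for whoever wires the module into a PAM stack.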
@@ -25,6 +25,7 @@ BuildRequires: libtool
 BuildRequires: net-tools
 BuildRequires: zlib-devel
 BuildRequires: gettext-tools
+BuildRequires: smack-devel
 Requires(post): /sbin/ldconfig
 Requires(post): /usr/bin/install
 Requires(postun): /sbin/ldconfig
@@ -181,6 +182,7 @@ fi
 %{_moduledir}/pam_unix_passwd.so
 %{_moduledir}/pam_unix_session.so
 %{_moduledir}/pam_warn.so
+%{_moduledir}/pam_smack.so
 %files devel
 %manifest %{name}.manifest
--
2.7.4