Security plugin: Adding configuration option --disable-dchecks

author: Elena Reshetova <elena.reshetova@intel.com> 2013-05-31 15:52:22 +0300
committer: Elena Reshetova <elena.reshetova@intel.com> 2013-05-31 15:52:22 +0300
commit: 8fe34defba338cf0e3bdef8a27ec9bd91550d332 (patch)
tree: 7b35325de64674090e06d102c2e9222e24b6be2b
parent: a157e55f5042c9733d524ef7484fc65eae36c0f7 (diff)
download: rpm-8fe34defba338cf0e3bdef8a27ec9bd91550d332.tar.gz
rpm-8fe34defba338cf0e3bdef8a27ec9bd91550d332.tar.bz2
rpm-8fe34defba338cf0e3bdef8a27ec9bd91550d332.zip
3 files changed, 40 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac
index e5a11e7cc..c64923906 100644
--- a/configure.ac
+++ b/configure.ac
@@ -719,6 +719,13 @@ AC_SUBST(WITH_MSM_LIB)
 AC_SUBST(WITH_MSM_INCLUDE)
 AM_CONDITIONAL(MSM,[test "$with_msm" = yes])
 
+#domain checks enabling/disabling for security plugin
+AC_ARG_ENABLE(dchecks, [AS_HELP_STRING([--disable-dchecks],[build without domain checks])],,[enable_dchecks=yes])
+AS_IF([test "$enable_dchecks" = yes],[
+  AC_DEFINE(ENABLE_DCHECKS, 1, [Build with domain checks])
+])
+AM_CONDITIONAL(ENABLE_DCHECKS,[test "$enable_dchecks" = yes])
+
 
 # libcap
 WITH_CAP_LIB=
diff --git a/plugins/msm-plugin.c b/plugins/msm-plugin.c
index 405a19597..cc79bd00e 100644
--- a/plugins/msm-plugin.c
+++ b/plugins/msm-plugin.c
@@ -109,6 +109,12 @@ rpmRC PLUGINHOOK_INIT_FUNC(rpmts _ts, const char *name, const char *opts)
         return RPMRC_FAIL;
     }
 
+#ifndef ENABLE_DCHECKS
+    rpmlog(RPMLOG_DEBUG, "ENABLE_DCHECKS is undefined!\n");
+#else
+    rpmlog(RPMLOG_DEBUG, "ENABLE_DCHECKS is defined!\n");
+#endif
+
     rpmlog(RPMLOG_DEBUG, "reading device security policy from %s\n", fullPath);
     root = msmProcessDevSecPolicyXml(fullPath);
 
diff --git a/plugins/msmxattr.c b/plugins/msmxattr.c
index 146481a92..fc8af6b4f 100644
--- a/plugins/msmxattr.c
+++ b/plugins/msmxattr.c
@@ -720,7 +720,11 @@ int msmSetupRequests(manifest_x *mfx)
     HASH_FIND(hh, all_ac_domains, mfx->request->ac_domain, strlen(mfx->request->ac_domain), defined_ac_domain);
     if (!defined_ac_domain){ // request for a undefined domain. 
         rpmlog(RPMLOG_ERR, "Request for a domain name %s that hasn't been yet defined by any package\n", mfx->request->ac_domain);
+#ifdef ENABLE_DCHECKS
         return -1;
+#else
+        return 0;
+#endif
     }
     //now check that the package can join the requested AC domain
     if (mfx->define){
@@ -730,15 +734,24 @@ int msmSetupRequests(manifest_x *mfx)
             return 0;		
     } 
     //need to check if developer allowed other packages to join this domain
-    if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0 )
-        return -1;	
+    if (msmCheckDomainJoinPossibility(mfx, defined_ac_domain) < 0) {
+#ifdef ENABLE_DCHECKS
+        return -1;
+#else
+        return 0;
+#endif
+    }
     // now checking if security policy allows to join this domain
     if (msmIsRequestAllowed(mfx, defined_ac_domain)) {
         rpmlog(RPMLOG_DEBUG, "Request for a domain name %s is allowed based on package sw source\n", mfx->request->ac_domain);
         return 0;		
     } else {
         rpmlog(RPMLOG_ERR, "Request for a domain name %s isn't allowed based on package sw source\n", mfx->request->ac_domain);
+#ifdef ENABLE_DCHECKS
         return -1;
+#else
+        return 0;
+#endif
     }
 }
 
@@ -875,8 +888,11 @@ int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx)
     if (mfx->define->d_requests) {
         for (d_request = mfx->define->d_requests; d_request; d_request = d_request->prev) {
             // first check if the current's package sw source can grant access to requested domain
-            if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0)
+            if (msmCheckDomainRequestOrPermit(mfx, d_request->label_name) < 0) {
+#ifdef ENABLE_DCHECKS
                 return -1;
+#endif
+            }
             if (smack_accesses_add(smack_accesses, mfx->define->name, d_request->label_name, d_request->ac_type) < 0) {
                 rpmlog(RPMLOG_ERR, "Failed to set smack rules for domain requests\n");
                 return -1;
@@ -887,13 +903,19 @@ int msmSetupDefine(struct smack_accesses *smack_accesses, manifest_x *mfx)
     if (mfx->define->d_permits) {
         for (d_permit = mfx->define->d_permits; d_permit; d_permit = d_permit->prev) {
             // first check if the current's package sw source can grant access to permited domain
-            if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0)
+            if (msmCheckDomainRequestOrPermit(mfx, d_permit->label_name) < 0) {
+#ifdef ENABLE_DCHECKS
                 return -1;
+#endif
+            }
             if (!d_permit->to_label_name)
                 ret = smack_accesses_add(smack_accesses, d_permit->label_name, mfx->define->name, d_permit->ac_type);
             else {
-                if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0)
+                if (msmCheckLabelProvisioning(mfx, d_permit->to_label_name) < 0) {
+#ifdef ENABLE_DCHECKS
                     return -1;
+#endif
+                }
                 ret = smack_accesses_add(smack_accesses, d_permit->label_name, d_permit->to_label_name, d_permit->ac_type);
             }
             if (ret < 0) {
author	Elena Reshetova <elena.reshetova@intel.com>	2013-05-31 15:52:22 +0300
committer	Elena Reshetova <elena.reshetova@intel.com>	2013-05-31 15:52:22 +0300
commit	8fe34defba338cf0e3bdef8a27ec9bd91550d332 (patch)
tree	7b35325de64674090e06d102c2e9222e24b6be2b
parent	a157e55f5042c9733d524ef7484fc65eae36c0f7 (diff)
download	rpm-8fe34defba338cf0e3bdef8a27ec9bd91550d332.tar.gz rpm-8fe34defba338cf0e3bdef8a27ec9bd91550d332.tar.bz2 rpm-8fe34defba338cf0e3bdef8a27ec9bd91550d332.zip