Unifdef parser support for SELinux, AppArmor and Solaris privileges.

sudo-project · May 1, 2024 · 389c855 · 389c855
1 parent 38b98b4
commit 389c855
Show file tree

Hide file tree

Showing 17 changed files with 267 additions and 524 deletions.
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1993-1996,1998-2005, 2007-2018
+ * Copyright (c) 1993-1996,1998-2005, 2007-2024
  *	Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -139,16 +139,9 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
     if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid &&
 	(ctx->runas.gr == NULL ||
 	user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) {
-#ifdef HAVE_SELINUX
-	if (ctx->runas.role == NULL && ctx->runas.type == NULL)
-#endif
-#ifdef HAVE_APPARMOR
-	if (ctx->runas.apparmor_profile == NULL)
-#endif
-#ifdef HAVE_PRIV_SET
-	if (ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL)
-#endif
-	{
+	if (ctx->runas.role == NULL && ctx->runas.type == NULL &&
+	    ctx->runas.apparmor_profile == NULL &&
+	    ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_INFO,
 		"%s: user running command as self", __func__);
 	    ret = AUTH_SUCCESS;

diff --git a/plugins/sudoers/cvtsudoers_csv.c b/plugins/sudoers/cvtsudoers_csv.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2021-2023 Todd C. Miller <[email protected]>
+ * Copyright (c) 2021-2024 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -574,24 +574,19 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
 	need_comma = true;
     }
 
-#ifdef HAVE_SELINUX
     /* Print SELinux role/type */
     if (cs->role != NULL && cs->type != NULL) {
 	fprintf(fp, "%srole=%s,type=%s", need_comma ? "," : "",
 	    cs->role, cs->type);
 	need_comma = true;
     }
-#endif /* HAVE_SELINUX */
 
-#ifdef HAVE_APPARMOR
     if (cs->apparmor_profile != NULL) {
 	fprintf(fp, "%sapparmor_profile=%s,", need_comma ? "," : "",
 	    cs->apparmor_profile);
 	need_comma = true;
     }
-#endif /* HAVE_APPARMOR */
 
-#ifdef HAVE_PRIV_SET
     /* Print Solaris privs/limitprivs */
     if (cs->privs != NULL || cs->limitprivs != NULL) {
 	if (cs->privs != NULL) {
@@ -603,7 +598,6 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
 	    need_comma = true;
 	}
     }
-#endif /* HAVE_PRIV_SET */
 #ifdef __clang_analyzer__
     (void)&need_comma;
 #endif
@@ -620,15 +614,9 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
 	/* XXX - TAG_SET does not account for implied SETENV */
 	last_one = next == NULL ||
 	    RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags)
-#ifdef HAVE_PRIV_SET
 	    || cs->privs != next->privs || cs->limitprivs != next->limitprivs
-#endif /* HAVE_PRIV_SET */
-#ifdef HAVE_SELINUX
 	    || cs->role != next->role || cs->type != next->type
-#endif /* HAVE_SELINUX */
-#ifdef HAVE_APPARMOR
 	    || cs->apparmor_profile != next->apparmor_profile
-#endif /* HAVE_APPARMOR  */
 	    || cs->runchroot != next->runchroot || cs->runcwd != next->runcwd;
 
 	if (!quoted && !last_one) {

diff --git a/plugins/sudoers/cvtsudoers_json.c b/plugins/sudoers/cvtsudoers_json.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2013-2023 Todd C. Miller <[email protected]>
+ * Copyright (c) 2013-2024 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -667,15 +667,9 @@ cmndspec_continues(struct cmndspec *cs, struct cmndspec *next)
 {
     bool ret = next != NULL &&
 	!RUNAS_CHANGED(cs, next) && !TAGS_CHANGED(cs->tags, next->tags)
-#ifdef HAVE_PRIV_SET
 	&& cs->privs == next->privs && cs->limitprivs == next->limitprivs
-#endif /* HAVE_PRIV_SET */
-#ifdef HAVE_SELINUX
 	&& cs->role == next->role && cs->type == next->type
-#endif /* HAVE_SELINUX */
-#ifdef HAVE_APPARMOR
 	&& cs->apparmor_profile == next->apparmor_profile
-#endif /* HAVE_APPARMOR */
 	&& cs->runchroot == next->runchroot && cs->runcwd == next->runcwd;
     return ret;
 }
@@ -734,19 +728,9 @@ print_cmndspec_json(struct json_container *jsonc,
     /* Print options and tags */
     has_options = TAGS_SET(cs->tags) || !TAILQ_EMPTY(options) ||
 	cs->timeout > 0 || cs->notbefore != UNSPEC || cs->notafter != UNSPEC ||
-	cs->runchroot != NULL || cs->runcwd != NULL;
-#ifdef HAVE_SELINUX
-    if (cs->role != NULL && cs->type != NULL)
-	has_options = true;
-#endif /* HAVE_SELINUX */
-#ifdef HAVE_APPARMOR
-    if (cs->apparmor_profile != NULL)
-	has_options = true;
-#endif /* HAVE_APPARMOR */
-#ifdef HAVE_PRIV_SET
-    if (cs->privs != NULL || cs->limitprivs != NULL)
-	has_options = true;
-#endif /* HAVE_PRIV_SET */
+	cs->runchroot != NULL || cs->runcwd != NULL ||
+	(cs->role != NULL && cs->type != NULL) || cs->apparmor_profile != NULL
+	|| cs->privs != NULL || cs->limitprivs != NULL;
     if (has_options) {
 	struct cmndtag tag = cs->tags;
 
@@ -873,7 +857,6 @@ print_cmndspec_json(struct json_container *jsonc,
 		    goto oom;
 	    }
 	}
-#ifdef HAVE_SELINUX
 	if (cs->role != NULL && cs->type != NULL) {
 	    value.type = JSON_STRING;
 	    value.u.string = cs->role;
@@ -883,16 +866,12 @@ print_cmndspec_json(struct json_container *jsonc,
 	    if (!sudo_json_add_value_as_object(jsonc, "type", &value))
 		goto oom;
 	}
-#endif /* HAVE_SELINUX */
-#ifdef HAVE_APPARMOR
 	if (cs->apparmor_profile != NULL) {
 	    value.type = JSON_STRING;
 	    value.u.string = cs->apparmor_profile;
 	    if (!sudo_json_add_value_as_object(jsonc, "apparmor_profile", &value))
 		goto oom;
 	}
-#endif /* HAVE_APPARMOR */
-#ifdef HAVE_PRIV_SET
 	if (cs->privs != NULL) {
 	    value.type = JSON_STRING;
 	    value.u.string = cs->privs;
@@ -905,7 +884,6 @@ print_cmndspec_json(struct json_container *jsonc,
 	    if (!sudo_json_add_value_as_object(jsonc, "limitprivs", &value))
 		goto oom;
 	}
-#endif /* HAVE_PRIV_SET */
 	if (!sudo_json_close_array(jsonc))
 	    goto oom;
     }

diff --git a/plugins/sudoers/cvtsudoers_ldif.c b/plugins/sudoers/cvtsudoers_ldif.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2018-2023 Todd C. Miller <[email protected]>
+ * Copyright (c) 2018-2024 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -492,27 +492,22 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
 	}
     }
 
-#ifdef HAVE_SELINUX
     /* Print SELinux role/type */
     if (cs->role != NULL && cs->type != NULL) {
 	if (!printf_attribute_ldif(fp, "sudoOption", "role=%s", cs->role) ||
 		!printf_attribute_ldif(fp, "sudoOption", "type=%s", cs->type)) {
 	    debug_return_bool(false);
 	}
     }
-#endif /* HAVE_SELINUX */
 
-#ifdef HAVE_APPARMOR
     /* Print AppArmor profile */
     if (cs->apparmor_profile != NULL) {
 	if (!printf_attribute_ldif(fp, "sudoOption", "apparmor_profile=%s",
 		cs->apparmor_profile)) {
 	    debug_return_bool(false);
 	}
     }
-#endif /* HAVE_APPARMOR */
 
-#ifdef HAVE_PRIV_SET
     /* Print Solaris privs/limitprivs */
     if (cs->privs != NULL || cs->limitprivs != NULL) {
 	if (cs->privs != NULL) {
@@ -528,7 +523,6 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
 	    }
 	}
     }
-#endif /* HAVE_PRIV_SET */
 
     /*
      * Merge adjacent commands with matching tags, runas, SELinux
@@ -540,12 +534,8 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
 	/* XXX - TAG_SET does not account for implied SETENV */
 	last_one = next == NULL ||
 	    RUNAS_CHANGED(cs, next) || TAGS_CHANGED(cs->tags, next->tags)
-#ifdef HAVE_PRIV_SET
 	    || cs->privs != next->privs || cs->limitprivs != next->limitprivs
-#endif /* HAVE_PRIV_SET */
-#ifdef HAVE_SELINUX
 	    || cs->role != next->role || cs->type != next->type
-#endif /* HAVE_SELINUX */
 	    || cs->runchroot != next->runchroot || cs->runcwd != next->runcwd;
 
 	if (!print_member_ldif(fp, parse_tree, cs->cmnd->name, cs->cmnd->type,

diff --git a/plugins/sudoers/cvtsudoers_merge.c b/plugins/sudoers/cvtsudoers_merge.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2021-2022 Todd C. Miller <[email protected]>
+ * Copyright (c) 2021-2024 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1008,7 +1008,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
     } else if (cs1->runchroot != cs2->runchroot) {
 	debug_return_bool(false);
     }
-#ifdef HAVE_SELINUX
     if (cs1->role != NULL && cs2->role != NULL) {
 	if (strcmp(cs1->role, cs2->role) != 0)
 	    debug_return_bool(false);
@@ -1021,16 +1020,12 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
     } else if (cs1->type != cs2->type) {
 	debug_return_bool(false);
     }
-#endif
-#ifdef HAVE_APPARMOR
     if (cs1->apparmor_profile != NULL && cs2->apparmor_profile != NULL) {
 	if (strcmp(cs1->apparmor_profile, cs2->apparmor_profile) != 0)
 	    debug_return_bool(false);
     } else if (cs1->apparmor_profile != cs2->apparmor_profile) {
 	debug_return_bool(false);
     }
-#endif
-#ifdef HAVE_PRIV_SET
     if (cs1->privs != NULL && cs2->privs != NULL) {
 	if (strcmp(cs1->privs, cs2->privs) != 0)
 	    debug_return_bool(false);
@@ -1043,7 +1038,6 @@ cmndspec_equivalent(struct cmndspec *cs1, struct cmndspec *cs2, bool check_negat
     } else if (cs1->limitprivs != cs2->limitprivs) {
 	debug_return_bool(false);
     }
-#endif
 
     debug_return_bool(true);
 }

diff --git a/plugins/sudoers/display.c b/plugins/sudoers/display.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <[email protected]>
+ * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -112,22 +112,16 @@ new_long_entry(const struct cmndspec *cs, const struct cmndspec *prev_cs)
 	debug_return_bool(true);
     if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
 	debug_return_bool(true);
-#ifdef HAVE_PRIV_SET
     if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
 	debug_return_bool(true);
     if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
 	debug_return_bool(true);
-#endif /* HAVE_PRIV_SET */
-#ifdef HAVE_SELINUX
     if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
 	debug_return_bool(true);
     if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
 	debug_return_bool(true);
-#endif /* HAVE_SELINUX */
-#ifdef HAVE_APPARMOR
     if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0))
 	debug_return_bool(true);
-#endif /* HAVE_APPARMOR */
     if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0))
 	debug_return_bool(true);
     if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0))
@@ -211,24 +205,18 @@ display_cmndspec_long(const struct sudoers_parse_tree *parse_tree,
 	} else {
 	    lbuf->len = olen;	/* no options */
 	}
-#ifdef HAVE_APPARMOR
 	if (cs->apparmor_profile != NULL) {
 	    sudo_lbuf_append(lbuf, "    ApparmorProfile: %s\n",
 		cs->apparmor_profile);
 	}
-#endif /* HAVE_APPARMOR */
-#ifdef HAVE_PRIV_SET
 	if (cs->privs != NULL)
 	    sudo_lbuf_append(lbuf, "    Privs: %s\n", cs->privs);
 	if (cs->limitprivs != NULL)
 	    sudo_lbuf_append(lbuf, "    Limitprivs: %s\n", cs->limitprivs);
-#endif /* HAVE_PRIV_SET */
-#ifdef HAVE_SELINUX
 	if (cs->role != NULL)
 	    sudo_lbuf_append(lbuf, "    Role: %s\n", cs->role);
 	if (cs->type != NULL)
 	    sudo_lbuf_append(lbuf, "    Type: %s\n", cs->type);
-#endif /* HAVE_SELINUX */
 	if (cs->runchroot != NULL)
 	    sudo_lbuf_append(lbuf, "    Chroot: %s\n", cs->runchroot);
 	if (cs->runcwd != NULL)

diff --git a/plugins/sudoers/fmtsudoers.c b/plugins/sudoers/fmtsudoers.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <[email protected]>
+ * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -234,22 +234,16 @@ sudoers_format_cmndspec(struct sudo_lbuf *lbuf,
     /* Merge privilege-level tags with cmndspec tags. */
     TAGS_MERGE(tags, cs->tags);
 
-#ifdef HAVE_PRIV_SET
     if (cs->privs != NULL && FIELD_CHANGED(prev_cs, cs, privs))
 	sudo_lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
     if (cs->limitprivs != NULL && FIELD_CHANGED(prev_cs, cs, limitprivs))
 	sudo_lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs);
-#endif /* HAVE_PRIV_SET */
-#ifdef HAVE_SELINUX
     if (cs->role != NULL && FIELD_CHANGED(prev_cs, cs, role))
 	sudo_lbuf_append(lbuf, "ROLE=%s ", cs->role);
     if (cs->type != NULL && FIELD_CHANGED(prev_cs, cs, type))
 	sudo_lbuf_append(lbuf, "TYPE=%s ", cs->type);
-#endif /* HAVE_SELINUX */
-#ifdef HAVE_APPARMOR
     if (cs->apparmor_profile != NULL && FIELD_CHANGED(prev_cs, cs, apparmor_profile))
 	sudo_lbuf_append(lbuf, "APPARMOR_PROFILE=%s ", cs->apparmor_profile);
-#endif /* HAVE_APPARMOR */
     if (cs->runchroot != NULL && FIELD_CHANGED(prev_cs, cs, runchroot))
 	sudo_lbuf_append(lbuf, "CHROOT=%s ", cs->runchroot);
     if (cs->runcwd != NULL && FIELD_CHANGED(prev_cs, cs, runcwd))