ALT Linux Bugzilla
– Attachment 5969 Details for
Bug 29477
Падает при приёме удалённого Untitled задания
New bug
|
Search
|
[?]
|
Help
Register
|
Log In
[x]
|
Forgot Password
Login:
[x]
|
EN
|
RU
[patch]
Слегка поправленный патч из FC
cups-1.6.2-fc-lspp.patch (text/plain), 63.52 KB, created by
Fr. Br. George
on 2013-10-15 00:51:26 MSK
(
hide
)
Description:
Слегка поправленный патч из FC
Filename:
MIME Type:
Creator:
Fr. Br. George
Created:
2013-10-15 00:51:26 MSK
Size:
63.52 KB
patch
obsolete
>diff -up cups-1.6.2/config.h.in.lspp cups-1.6.2/config.h.in >--- cups-1.6.2/config.h.in.lspp 2013-03-18 19:00:30.704448157 +0100 >+++ cups-1.6.2/config.h.in 2013-03-18 19:00:30.724447879 +0100 >@@ -746,6 +746,13 @@ static __inline int _cups_abs(int i) { r > # endif /* __GNUC__ || __STDC_VERSION__ */ > #endif /* !HAVE_ABS && !abs */ > >+/* >+ * Are we trying to meet LSPP requirements? >+ */ >+ >+#undef WITH_LSPP >+ >+ > #endif /* !_CUPS_CONFIG_H_ */ > > /* >diff -up cups-1.6.2/config-scripts/cups-lspp.m4.lspp cups-1.6.2/config-scripts/cups-lspp.m4 >--- cups-1.6.2/config-scripts/cups-lspp.m4.lspp 2013-03-18 19:00:30.724447879 +0100 >+++ cups-1.6.2/config-scripts/cups-lspp.m4 2013-03-18 19:00:30.724447879 +0100 >@@ -0,0 +1,36 @@ >+dnl >+dnl LSPP code for the Common UNIX Printing System (CUPS). >+dnl >+dnl Copyright 2005-2006 by Hewlett-Packard Development Company, L.P. >+dnl >+dnl This program is free software; you can redistribute it and/or modify >+dnl it under the terms of the GNU General Public License as published by >+dnl the Free Software Foundation; version 2. >+dnl >+dnl This program is distributed in the hope that it will be useful, but >+dnl WITHOUT ANY WARRANTY; without even the implied warranty of >+dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >+dnl General Public License for more details. >+dnl >+dnl You should have received a copy of the GNU General Public License >+dnl along with this program; if not, write to the Free Software Foundation, >+dnl Inc., 51 Franklin Street, Fifth Floor Boston, MA 02110-1301 USA >+dnl >+ >+dnl Are we trying to meet LSPP requirements >+AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no]) >+ >+if test x"$enable_lspp" != xno; then >+ case "$uname" in >+ Linux) >+ AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)]) >+ AC_CHECK_HEADER(libaudit.h) >+ AC_CHECK_LIB(selinux,getpeercon, [LIBSELINUX="-lselinux" AC_SUBST(LIBSELINUX)]) >+ AC_CHECK_HEADER(selinux/selinux.h) >+ AC_DEFINE(WITH_LSPP) >+ ;; >+ *) >+ # All others >+ ;; >+ esac >+fi >diff -up cups-1.6.2/configure.in.lspp cups-1.6.2/configure.in >--- cups-1.6.2/configure.in.lspp 2013-03-18 19:00:30.705448143 +0100 >+++ cups-1.6.2/configure.in 2013-03-18 19:00:30.724447879 +0100 >@@ -37,6 +37,8 @@ sinclude(config-scripts/cups-systemd.m4) > sinclude(config-scripts/cups-defaults.m4) > sinclude(config-scripts/cups-scripting.m4) > >+sinclude(config-scripts/cups-lspp.m4) >+ > INSTALL_LANGUAGES="" > UNINSTALL_LANGUAGES="" > LANGFILES="" >diff -up cups-1.6.2/filter/common.c.lspp cups-1.6.2/filter/common.c >--- cups-1.6.2/filter/common.c.lspp 2011-05-20 05:49:49.000000000 +0200 >+++ cups-1.6.2/filter/common.c 2013-03-18 19:00:30.725447865 +0100 >@@ -30,6 +30,12 @@ > * Include necessary headers... > */ > >+#include "config.h" >+#ifdef WITH_LSPP >+#define _GNU_SOURCE >+#include <string.h> >+#endif /* WITH_LSPP */ >+ > #include "common.h" > #include <locale.h> > >@@ -312,6 +318,18 @@ WriteLabelProlog(const char *label, /* I > { > const char *classification; /* CLASSIFICATION environment variable */ > const char *ptr; /* Temporary string pointer */ >+#ifdef WITH_LSPP >+ int i, /* counter */ >+ n, /* counter */ >+ lines, /* number of lines needed */ >+ line_len, /* index into tmp_label */ >+ label_len, /* length of the label in characters */ >+ label_index, /* index into the label */ >+ longest, /* length of the longest line */ >+ longest_line, /* index to the longest line */ >+ max_width; /* maximum width in characters */ >+ char **wrapped_label; /* label with line breaks */ >+#endif /* WITH_LSPP */ > > > /* >@@ -334,6 +352,124 @@ WriteLabelProlog(const char *label, /* I > return; > } > >+#ifdef WITH_LSPP >+ if (strncmp(classification, "LSPP:", 5) == 0 && label == NULL) >+ { >+ /* >+ * Based on the 12pt fixed width font below determine the max_width >+ */ >+ max_width = width / 8; >+ longest_line = 0; >+ longest = 0; >+ classification += 5; // Skip the "LSPP:" >+ label_len = strlen(classification); >+ >+ if (label_len > max_width) >+ { >+ lines = 1 + (int)(label_len / max_width); >+ line_len = (int)(label_len / lines); >+ wrapped_label = malloc(sizeof(*wrapped_label) * lines); >+ label_index = i = n = 0; >+ while (classification[label_index]) >+ { >+ if ((label_index + line_len) > label_len) >+ break; >+ switch (classification[label_index + line_len + i]) >+ { >+ case ':': >+ case ',': >+ case '-': >+ i++; >+ wrapped_label[n++] = strndup(&classification[label_index], (line_len + i)); >+ label_index += line_len + i; >+ i = 0; >+ break; >+ default: >+ i++; >+ break; >+ } >+ if ((i + line_len) == max_width) >+ { >+ wrapped_label[n++] = strndup(&(classification[label_index]), (line_len + i)); >+ label_index = label_index + line_len + i; >+ i = 0; >+ } >+ } >+ wrapped_label[n] = strndup(&classification[label_index], label_len - label_index); >+ } >+ else >+ { >+ lines = 1; >+ wrapped_label = malloc(sizeof(*wrapped_label)); >+ wrapped_label[0] = (char*)classification; >+ } >+ >+ for (n = 0; n < lines; n++ ) >+ { >+ printf("userdict/ESPp%c(", ('a' + n)); >+ for (ptr = wrapped_label[n], i = 0; *ptr; ptr ++, i++) >+ if (*ptr < 32 || *ptr > 126) >+ printf("\\%03o", *ptr); >+ else >+ { >+ if (*ptr == '(' || *ptr == ')' || *ptr == '\\') >+ putchar('\\'); >+ >+ printf("%c", *ptr); >+ } >+ if (i > longest) >+ { >+ longest = i; >+ longest_line = n; >+ } >+ printf(")put\n"); >+ } >+ >+ /* >+ * For LSPP use a fixed width font so that line wrapping can be calculated >+ */ >+ >+ puts("userdict/ESPlf /Nimbus-Mono findfont 12 scalefont put"); >+ >+ /* >+ * Finally, the procedure to write the labels on the page... >+ */ >+ >+ printf("userdict/ESPwl{\n" >+ " ESPlf setfont\n"); >+ printf(" ESPp%c stringwidth pop dup 12 add exch -0.5 mul %.0f add\n ", >+ 'a' + longest_line, width * 0.5f); >+ for (n = 1; n < lines; n++) >+ printf(" dup"); >+ printf("\n 1 setgray\n"); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", >+ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", >+ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); >+ printf(" 0 setgray\n"); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", >+ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", >+ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); >+ for (n = 0; n < lines; n ++) >+ { >+ printf(" dup %.0f moveto ESPp%c show\n", >+ bottom + 6.0 + ((lines - (n+1)) * 16.0), 'a' + n); >+ printf(" %.0f moveto ESPp%c show\n", top + 2.0 - ((n + 1) * 16.0), 'a' + n); >+ } >+ printf(" pop\n" >+ "}bind put\n"); >+ >+ /* >+ * Do some clean up at the end of the LSPP special case >+ */ >+ free(wrapped_label); >+ >+ } >+ else >+ { >+#endif /* !WITH_LSPP */ >+ > /* > * Set the classification + page label string... > */ >@@ -414,7 +550,10 @@ WriteLabelProlog(const char *label, /* I > printf(" %.0f moveto ESPpl show\n", top - 14.0); > puts("pop"); > puts("}bind put"); >+ } >+#ifdef WITH_LSPP > } >+#endif /* WITH_LSPP */ > > > /* >diff -up cups-1.6.2/filter/pstops.c.lspp cups-1.6.2/filter/pstops.c >--- cups-1.6.2/filter/pstops.c.lspp 2012-04-23 21:19:19.000000000 +0200 >+++ cups-1.6.2/filter/pstops.c 2013-03-18 19:00:30.726447852 +0100 >@@ -3202,6 +3202,18 @@ write_label_prolog(pstops_doc_t *doc, /* > { > const char *classification; /* CLASSIFICATION environment variable */ > const char *ptr; /* Temporary string pointer */ >+#ifdef WITH_LSPP >+ int i, /* counter */ >+ n, /* counter */ >+ lines, /* number of lines needed */ >+ line_len, /* index into tmp_label */ >+ label_len, /* length of the label in characters */ >+ label_index, /* index into the label */ >+ longest, /* length of the longest line */ >+ longest_line, /* index to the longest line */ >+ max_width; /* maximum width in characters */ >+ char **wrapped_label; /* label with line breaks */ >+#endif /* WITH_LSPP */ > > > /* >@@ -3224,6 +3236,124 @@ write_label_prolog(pstops_doc_t *doc, /* > return; > } > >+#ifdef WITH_LSPP >+ if (strncmp(classification, "LSPP:", 5) == 0 && label == NULL) >+ { >+ /* >+ * Based on the 12pt fixed width font below determine the max_width >+ */ >+ max_width = width / 8; >+ longest_line = 0; >+ longest = 0; >+ classification += 5; // Skip the "LSPP:" >+ label_len = strlen(classification); >+ >+ if (label_len > max_width) >+ { >+ lines = 1 + (int)(label_len / max_width); >+ line_len = (int)(label_len / lines); >+ wrapped_label = malloc(sizeof(*wrapped_label) * lines); >+ label_index = i = n = 0; >+ while (classification[label_index]) >+ { >+ if ((label_index + line_len) > label_len) >+ break; >+ switch (classification[label_index + line_len + i]) >+ { >+ case ':': >+ case ',': >+ case '-': >+ i++; >+ wrapped_label[n++] = strndup(&classification[label_index], (line_len + i)); >+ label_index += line_len + i; >+ i = 0; >+ break; >+ default: >+ i++; >+ break; >+ } >+ if ((i + line_len) == max_width) >+ { >+ wrapped_label[n++] = strndup(&(classification[label_index]), (line_len + i)); >+ label_index = label_index + line_len + i; >+ i = 0; >+ } >+ } >+ wrapped_label[n] = strndup(&classification[label_index], label_len - label_index); >+ } >+ else >+ { >+ lines = 1; >+ wrapped_label = malloc(sizeof(*wrapped_label)); >+ wrapped_label[0] = (char*)classification; >+ } >+ >+ for (n = 0; n < lines; n++ ) >+ { >+ printf("userdict/ESPp%c(", ('a' + n)); >+ for (ptr = wrapped_label[n], i = 0; *ptr; ptr ++, i++) >+ if (*ptr < 32 || *ptr > 126) >+ printf("\\%03o", *ptr); >+ else >+ { >+ if (*ptr == '(' || *ptr == ')' || *ptr == '\\') >+ putchar('\\'); >+ >+ printf("%c", *ptr); >+ } >+ if (i > longest) >+ { >+ longest = i; >+ longest_line = n; >+ } >+ printf(")put\n"); >+ } >+ >+ /* >+ * For LSPP use a fixed width font so that line wrapping can be calculated >+ */ >+ >+ puts("userdict/ESPlf /Nimbus-Mono findfont 12 scalefont put"); >+ >+ /* >+ * Finally, the procedure to write the labels on the page... >+ */ >+ >+ printf("userdict/ESPwl{\n" >+ " ESPlf setfont\n"); >+ printf(" ESPp%c stringwidth pop dup 12 add exch -0.5 mul %.0f add\n ", >+ 'a' + longest_line, width * 0.5f); >+ for (n = 1; n < lines; n++) >+ printf(" dup"); >+ printf("\n 1 setgray\n"); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", >+ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n", >+ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); >+ printf(" 0 setgray\n"); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", >+ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines)); >+ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n", >+ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines)); >+ for (n = 0; n < lines; n ++) >+ { >+ printf(" dup %.0f moveto ESPp%c show\n", >+ bottom + 6.0 + ((lines - (n+1)) * 16.0), 'a' + n); >+ printf(" %.0f moveto ESPp%c show\n", top + 2.0 - ((n + 1) * 16.0), 'a' + n); >+ } >+ printf(" pop\n" >+ "}bind put\n"); >+ >+ /* >+ * Do some clean up at the end of the LSPP special case >+ */ >+ free(wrapped_label); >+ >+ } >+ else >+ { >+#endif /* !WITH_LSPP */ >+ > /* > * Set the classification + page label string... > */ >@@ -3302,7 +3432,10 @@ write_label_prolog(pstops_doc_t *doc, /* > doc_printf(doc, " %.0f moveto ESPpl show\n", top - 14.0); > doc_puts(doc, "pop\n"); > doc_puts(doc, "}bind put\n"); >+ } >+#ifdef WITH_LSPP > } >+#endif /* WITH_LSPP */ > > > /* >diff -up cups-1.6.2/Makedefs.in.lspp cups-1.6.2/Makedefs.in >--- cups-1.6.2/Makedefs.in.lspp 2013-03-18 19:00:30.706448129 +0100 >+++ cups-1.6.2/Makedefs.in 2013-03-18 19:00:30.726447852 +0100 >@@ -146,7 +146,7 @@ LDFLAGS = -L../cgi-bin -L../cups -L../f > @LDFLAGS@ @RELROFLAGS@ @PIEFLAGS@ $(OPTIM) > LINKCUPS = @LINKCUPS@ $(LIBGSSAPI) $(SSLLIBS) $(DNSSDLIBS) $(LIBZ) > LINKCUPSIMAGE = @LINKCUPSIMAGE@ >-LIBS = $(LINKCUPS) $(COMMONLIBS) >+LIBS = $(LINKCUPS) $(COMMONLIBS) @LIBAUDIT@ @LIBSELINUX@ > OPTIM = @OPTIM@ > OPTIONS = > PAMLIBS = @PAMLIBS@ >diff -up cups-1.6.2/scheduler/client.c.lspp cups-1.6.2/scheduler/client.c >--- cups-1.6.2/scheduler/client.c.lspp 2013-01-21 16:29:47.000000000 +0100 >+++ cups-1.6.2/scheduler/client.c 2013-03-18 19:00:30.727447838 +0100 >@@ -41,6 +41,7 @@ > * valid_host() - Is the Host: field valid? > * write_file() - Send a file via HTTP. > * write_pipe() - Flag that data is available on the CGI pipe. >+ * client_pid_to_auid() - Get the audit login uid of the client. > */ > > /* >@@ -49,10 +50,16 @@ > > #include "cupsd.h" > >+#define _GNU_SOURCE > #ifdef HAVE_TCPD_H > # include <tcpd.h> > #endif /* HAVE_TCPD_H */ > >+#ifdef WITH_LSPP >+#include <selinux/selinux.h> >+#include <selinux/context.h> >+#include <fcntl.h> >+#endif /* WITH_LSPP */ > > /* > * Local globals... >@@ -371,6 +378,57 @@ cupsdAcceptClient(cupsd_listener_t *lis) > } > #endif /* HAVE_TCPD_H */ > >+#ifdef WITH_LSPP >+ if (is_lspp_config()) >+ { >+ struct ucred cr; >+ unsigned int cl=sizeof(cr); >+ >+ if (getsockopt(con->http.fd, SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0) >+ { >+ /* >+ * client_pid_to_auid() can be racey >+ * In this case the pid is based on a socket connected to the client >+ */ >+ if ((con->auid = client_pid_to_auid(cr.pid)) == -1) >+ { >+ close(con->http.fd); >+ cupsdLogMessage(CUPSD_LOG_ERROR, "cupsdAcceptClient: " >+ "unable to determine client auid for client pid=%d", cr.pid); >+ free(con); >+ return; >+ } >+ cupsdLogMessage(CUPSD_LOG_INFO, "cupsdAcceptClient: peer's pid=%d, uid=%d, gid=%d, auid=%d", >+ cr.pid, cr.uid, cr.gid, con->auid); >+ } >+ else >+ { >+ close(con->http.fd); >+ cupsdLogMessage(CUPSD_LOG_ERROR, "cupsdAcceptClient: getsockopt() failed"); >+ free(con); >+ return; >+ } >+ >+ /* >+ * get the context of the peer connection >+ */ >+ if (getpeercon(con->http.fd, &con->scon)) >+ { >+ close(con->http.fd); >+ cupsdLogMessage(CUPSD_LOG_ERROR, "cupsdAcceptClient: getpeercon() failed"); >+ free(con); >+ return; >+ } >+ >+ cupsdLogMessage(CUPSD_LOG_INFO, "cupsdAcceptClient: client context=%s", con->scon); >+ } >+ else >+ { >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdAcceptClient: skipping getpeercon()"); >+ cupsdSetString(&con->scon, UNKNOWN_SL); >+ } >+#endif /* WITH_LSPP */ >+ > #ifdef AF_LOCAL > if (con->http.hostaddr->addr.sa_family == AF_LOCAL) > cupsdLogMessage(CUPSD_LOG_DEBUG, "[Client %d] Accepted from %s (Domain)", >@@ -678,6 +736,13 @@ cupsdReadClient(cupsd_client_t *con) /* > mime_type_t *type; /* MIME type of file */ > cupsd_printer_t *p; /* Printer */ > static unsigned request_id = 0; /* Request ID for temp files */ >+#ifdef WITH_LSPP >+ security_context_t spoolcon; /* context of the job file */ >+ context_t clicon; /* contex_t container for con->scon */ >+ context_t tmpcon; /* temp context to swap the level */ >+ char *clirange; /* SELinux sensitivity range */ >+ char *cliclearance; /* SELinux low end clearance */ >+#endif /* WITH_LSPP */ > > > status = HTTP_CONTINUE; >@@ -2134,6 +2199,67 @@ cupsdReadClient(cupsd_client_t *con) /* > fchmod(con->file, 0640); > fchown(con->file, RunUser, Group); > fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC); >+#ifdef WITH_LSPP >+ if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) >+ { >+ if (getfilecon(con->filename, &spoolcon) == -1) >+ { >+ cupsdSendError(con, HTTP_SERVER_ERROR, CUPSD_AUTH_NONE); >+ return (cupsdCloseClient(con)); >+ } >+ clicon = context_new(con->scon); >+ tmpcon = context_new(spoolcon); >+ freecon(spoolcon); >+ if (!clicon || !tmpcon) >+ { >+ cupsdSendError(con, HTTP_SERVER_ERROR, CUPSD_AUTH_NONE); >+ if (clicon) >+ context_free(clicon); >+ if (tmpcon) >+ context_free(tmpcon); >+ return (cupsdCloseClient(con)); >+ } >+ clirange = context_range_get(clicon); >+ if (clirange) >+ { >+ clirange = strdup(clirange); >+ if ((cliclearance = strtok(clirange, "-")) != NULL) >+ { >+ if (context_range_set(tmpcon, cliclearance) == -1) >+ { >+ cupsdSendError(con, HTTP_SERVER_ERROR, CUPSD_AUTH_NONE); >+ free(clirange); >+ context_free(tmpcon); >+ context_free(clicon); >+ return (cupsdCloseClient(con)); >+ } >+ } >+ else >+ { >+ if (context_range_set(tmpcon, (context_range_get(clicon))) == -1) >+ { >+ cupsdSendError(con, HTTP_SERVER_ERROR, CUPSD_AUTH_NONE); >+ free(clirange); >+ context_free(tmpcon); >+ context_free(clicon); >+ return (cupsdCloseClient(con)); >+ } >+ } >+ free(clirange); >+ } >+ if (setfilecon(con->filename, context_str(tmpcon)) == -1) >+ { >+ cupsdSendError(con, HTTP_SERVER_ERROR, CUPSD_AUTH_NONE); >+ context_free(tmpcon); >+ context_free(clicon); >+ return (cupsdCloseClient(con)); >+ } >+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdReadClient: %s set to %s", >+ con->filename, context_str(tmpcon)); >+ context_free(tmpcon); >+ context_free(clicon); >+ } >+#endif /* WITH_LSPP */ > } > > if (con->http.state != HTTP_POST_SEND) >@@ -3572,6 +3698,49 @@ is_path_absolute(const char *path) /* I > return (1); > } > >+#ifdef WITH_LSPP >+/* >+ * 'client_pid_to_auid()' - Using the client's pid, read /proc and determine the loginuid. >+ */ >+ >+uid_t client_pid_to_auid(pid_t clipid) >+{ >+ uid_t uid; >+ int len, in; >+ char buf[16] = {0}; >+ char fname[32] = {0}; >+ >+ >+ /* >+ * Hopefully this pid is still the one we are interested in. >+ */ >+ snprintf(fname, 32, "/proc/%d/loginuid", clipid); >+ in = open(fname, O_NOFOLLOW|O_RDONLY); >+ >+ if (in < 0) >+ return -1; >+ >+ errno = 0; >+ >+ do { >+ len = read(in, buf, sizeof(buf)); >+ } while (len < 0 && errno == EINTR); >+ >+ close(in); >+ >+ if (len < 0 || len >= sizeof(buf)) >+ return -1; >+ >+ errno = 0; >+ buf[len] = 0; >+ uid = strtol(buf, 0, 10); >+ >+ if (errno != 0) >+ return -1; >+ else >+ return uid; >+} >+#endif /* WITH_LSPP */ > > /* > * 'pipe_command()' - Pipe the output of a command to the remote client. >diff -up cups-1.6.2/scheduler/client.h.lspp cups-1.6.2/scheduler/client.h >--- cups-1.6.2/scheduler/client.h.lspp 2013-03-18 19:00:30.706448129 +0100 >+++ cups-1.6.2/scheduler/client.h 2013-03-18 19:00:30.727447838 +0100 >@@ -18,6 +18,13 @@ > #endif /* HAVE_AUTHORIZATION_H */ > > >+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ >+ >+#ifdef WITH_LSPP >+#include <selinux/selinux.h> >+#endif /* WITH_LSPP */ >+ > /* > * HTTP client structure... > */ >@@ -63,6 +70,10 @@ struct cupsd_client_s > #ifdef HAVE_AUTHORIZATION_H > AuthorizationRef authref; /* Authorization ref */ > #endif /* HAVE_AUTHORIZATION_H */ >+#ifdef WITH_LSPP >+ security_context_t scon; /* Security context of connection */ >+ uid_t auid; /* Audit loginuid of the client */ >+#endif /* WITH_LSPP */ > }; > > #define HTTP(con) &((con)->http) >@@ -135,6 +146,9 @@ extern void cupsdStartListening(void); > extern void cupsdStopListening(void); > extern void cupsdUpdateCGI(void); > extern void cupsdWriteClient(cupsd_client_t *con); >+#ifdef WITH_LSPP >+extern uid_t client_pid_to_auid(pid_t clipid); >+#endif /* WITH_LSPP */ > > #ifdef HAVE_SSL > extern int cupsdEndTLS(cupsd_client_t *con); >diff -up cups-1.6.2/scheduler/conf.c.lspp cups-1.6.2/scheduler/conf.c >--- cups-1.6.2/scheduler/conf.c.lspp 2013-03-18 19:00:30.643449003 +0100 >+++ cups-1.6.2/scheduler/conf.c 2013-03-18 19:00:30.728447824 +0100 >@@ -34,6 +34,7 @@ > * read_location() - Read a <Location path> definition. > * read_policy() - Read a <Policy name> definition. > * set_policy_defaults() - Set default policy values as needed. >+ * is_lspp_config() - Is the system configured for LSPP > */ > > /* >@@ -59,6 +60,9 @@ > # define INADDR_NONE 0xffffffff > #endif /* !INADDR_NONE */ > >+#ifdef WITH_LSPP >+# include <libaudit.h> >+#endif /* WITH_LSPP */ > > /* > * Configuration variable structure... >@@ -164,6 +168,10 @@ static const cupsd_var_t variables[] = > # if defined(HAVE_LIBSSL) || defined(HAVE_GNUTLS) > { "ServerKey", &ServerKey, CUPSD_VARTYPE_PATHNAME }, > # endif /* HAVE_LIBSSL || HAVE_GNUTLS */ >+#ifdef WITH_LSPP >+ { "AuditLog", &AuditLog, CUPSD_VARTYPE_INTEGER }, >+ { "PerPageLabels", &PerPageLabels, CUPSD_VARTYPE_BOOLEAN }, >+#endif /* WITH_LSPP */ > #endif /* HAVE_SSL */ > { "ServerName", &ServerName, CUPSD_VARTYPE_STRING }, > { "ServerRoot", &ServerRoot, CUPSD_VARTYPE_PATHNAME }, >@@ -537,6 +545,9 @@ cupsdReadConfiguration(void) > const char *tmpdir; /* TMPDIR environment variable */ > struct stat tmpinfo; /* Temporary directory info */ > cupsd_policy_t *p; /* Policy */ >+#ifdef WITH_LSPP >+ char *audit_message; /* Audit message string */ >+#endif /* WITH_LSPP */ > > > /* >@@ -851,6 +862,25 @@ cupsdReadConfiguration(void) > > RunUser = getuid(); > >+#ifdef WITH_LSPP >+ if (AuditLog != -1) >+ { >+ /* >+ * ClassifyOverride is set during read_configuration, if its ON, report it now >+ */ >+ if (ClassifyOverride) >+ audit_log_user_message(AuditLog, AUDIT_USYS_CONFIG, >+ "[Config] ClassifyOverride=enabled Users can override print banners", >+ ServerName, NULL, NULL, 1); >+ /* >+ * PerPageLabel is set during read_configuration, if its OFF, report it now >+ */ >+ if (!PerPageLabels) >+ audit_log_user_message(AuditLog, AUDIT_USYS_CONFIG, >+ "[Config] PerPageLabels=disabled", ServerName, NULL, NULL, 1); >+ } >+#endif /* WITH_LSPP */ >+ > cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.", > RemotePort ? "enabled" : "disabled"); > >@@ -1253,7 +1283,19 @@ cupsdReadConfiguration(void) > cupsdClearString(&Classification); > > if (Classification) >+ { > cupsdLogMessage(CUPSD_LOG_INFO, "Security set to \"%s\"", Classification); >+#ifdef WITH_LSPP >+ if (AuditLog != -1) >+ { >+ audit_message = NULL; >+ cupsdSetStringf(&audit_message, "[Config] Classification=%s", Classification); >+ audit_log_user_message(AuditLog, AUDIT_LABEL_LEVEL_CHANGE, audit_message, >+ ServerName, NULL, NULL, 1); >+ cupsdClearString(&audit_message); >+ } >+#endif /* WITH_LSPP */ >+ } > > /* > * Check the MaxClients setting, and then allocate memory for it... >@@ -3639,6 +3681,18 @@ read_location(cups_file_t *fp, /* I - C > return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum); > } > >+#ifdef WITH_LSPP >+int is_lspp_config() >+{ >+ if (Classification != NULL) >+ return ((_cups_strcasecmp(Classification, MLS_CONFIG) == 0) >+ || (_cups_strcasecmp(Classification, TE_CONFIG) == 0) >+ || (_cups_strcasecmp(Classification, SELINUX_CONFIG) == 0)); >+ else >+ return 0; >+} >+#endif /* WITH_LSPP */ >+ > > /* > * 'read_policy()' - Read a <Policy name> definition. >diff -up cups-1.6.2/scheduler/conf.h.lspp cups-1.6.2/scheduler/conf.h >--- cups-1.6.2/scheduler/conf.h.lspp 2013-03-18 19:00:30.643449003 +0100 >+++ cups-1.6.2/scheduler/conf.h 2013-03-18 19:00:30.729447810 +0100 >@@ -249,6 +249,13 @@ VAR int SSLOptions VALUE(CUPSD_SSL_NO > /* SSL/TLS options */ > #endif /* HAVE_SSL */ > >+#ifdef WITH_LSPP >+VAR int AuditLog VALUE(-1), >+ /* File descriptor for audit */ >+ PerPageLabels VALUE(TRUE); >+ /* Put the label on each page */ >+#endif /* WITH_LSPP */ >+ > #ifdef HAVE_LAUNCHD > VAR int LaunchdTimeout VALUE(10); > /* Time after which an idle cupsd will exit */ >@@ -267,6 +274,9 @@ int HaveServerCreds VALUE(0); > gss_cred_id_t ServerCreds; /* Server's GSS credentials */ > #endif /* HAVE_GSSAPI */ > >+#ifdef WITH_LSPP >+extern int is_lspp_config(void); >+#endif /* WITH_LSPP */ > > /* > * Prototypes... >diff -up cups-1.6.2/scheduler/cupsd.h.lspp cups-1.6.2/scheduler/cupsd.h >--- cups-1.6.2/scheduler/cupsd.h.lspp 2012-12-17 23:17:08.000000000 +0100 >+++ cups-1.6.2/scheduler/cupsd.h 2013-03-18 19:00:30.729447810 +0100 >@@ -13,6 +13,8 @@ > * file is missing or damaged, see the license at "http://www.cups.org/". > */ > >+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ > > /* > * Include necessary headers. >@@ -37,13 +39,20 @@ > # include <unistd.h> > #endif /* WIN32 */ > >+#include "config.h" >+#ifdef WITH_LSPP >+# define MLS_CONFIG "mls" >+# define TE_CONFIG "te" >+# define SELINUX_CONFIG "SELinux" >+# define UNKNOWN_SL "UNKNOWN SL" >+#endif /* WITH_LSPP */ >+ > #include "mime.h" > > #if defined(HAVE_CDSASSL) > # include <CoreFoundation/CoreFoundation.h> > #endif /* HAVE_CDSASSL */ > >- > /* > * Some OS's don't have hstrerror(), most notably Solaris... > */ >diff -up cups-1.6.2/scheduler/ipp.c.lspp cups-1.6.2/scheduler/ipp.c >--- cups-1.6.2/scheduler/ipp.c.lspp 2013-03-18 19:00:30.668448656 +0100 >+++ cups-1.6.2/scheduler/ipp.c 2013-03-18 19:05:00.416706472 +0100 >@@ -35,6 +35,7 @@ > * cancel_all_jobs() - Cancel all or selected print jobs. > * cancel_job() - Cancel a print job. > * cancel_subscription() - Cancel a subscription. >+ * check_context() - Check the SELinux context for a user and job > * check_rss_recipient() - Check that we do not have a duplicate RSS > * feed URI. > * check_quotas() - Check quotas for a printer and user. >@@ -99,6 +100,9 @@ > * validate_user() - Validate the user for the request. > */ > >+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ >+ > /* > * Include necessary headers... > */ >@@ -122,6 +126,14 @@ extern int mbr_check_membership_by_id(uu > # endif /* HAVE_MEMBERSHIPPRIV_H */ > #endif /* __APPLE__ */ > >+#ifdef WITH_LSPP >+#include <libaudit.h> >+#include <selinux/selinux.h> >+#include <selinux/context.h> >+#include <selinux/avc.h> >+#include <selinux/flask.h> >+#include <selinux/av_permissions.h> >+#endif /* WITH_LSPP */ > > /* > * Local functions... >@@ -146,6 +158,9 @@ static void cancel_all_jobs(cupsd_client > static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri); > static void cancel_subscription(cupsd_client_t *con, int id); > static int check_rss_recipient(const char *recipient); >+#ifdef WITH_LSPP >+static int check_context(cupsd_client_t *con, cupsd_job_t *job); >+#endif /* WITH_LSPP */ > static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p); > static void close_job(cupsd_client_t *con, ipp_attribute_t *uri); > static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra, >@@ -1300,6 +1315,21 @@ add_job(cupsd_client_t *con, /* I - Cl > "time-at-creation", > "time-at-processing" > }; >+#ifdef WITH_LSPP >+ char *audit_message; /* Audit message string */ >+ char *printerfile; /* device file pointed to by the printer */ >+ char *userheader = NULL; /* User supplied job-sheets[0] */ >+ char *userfooter = NULL; /* User supplied job-sheets[1] */ >+ int override = 0; /* Was a banner overrode on a job */ >+ security_id_t clisid; /* SELinux SID for the client */ >+ security_id_t psid; /* SELinux SID for the printer */ >+ context_t printercon; /* Printer's context string */ >+ struct stat printerstat; /* Printer's stat buffer */ >+ security_context_t devcon; /* Printer's SELinux context */ >+ struct avc_entry_ref avcref; /* Pointer to the access vector cache */ >+ security_class_t tclass; /* Object class for the SELinux check */ >+ access_vector_t avr; /* Access method being requested */ >+#endif /* WITH_LSPP */ > > > cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))", >@@ -1640,6 +1670,106 @@ add_job(cupsd_client_t *con, /* I - Cl > } > } > >+#ifdef WITH_LSPP >+ if (is_lspp_config()) >+ { >+ if (!con->scon || strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "add_job: missing classification for connection \'%s\'!", printer->name); >+ send_ipp_status(con, IPP_INTERNAL_ERROR, _("Missing required security attributes.")); >+ return (NULL); >+ } >+ >+ /* >+ * Perform an access check so that if the user gets feedback at enqueue time >+ */ >+ >+ printerfile = strstr(printer->device_uri, "/dev/"); >+ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0)) >+ printerfile = printer->device_uri + strlen("file:"); >+ >+ if (printerfile != NULL) >+ { >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: Attempting an access check on printer device %s", >+ printerfile); >+ >+ if (lstat(printerfile, &printerstat) < 0) >+ { >+ if (errno != ENOENT) >+ { >+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to stat the printer")); >+ return (NULL); >+ } >+ /* >+ * The printer does not exist, so for now assume it's a FileDevice >+ */ >+ tclass = SECCLASS_FILE; >+ avr = FILE__WRITE; >+ } >+ else if (S_ISCHR(printerstat.st_mode)) >+ { >+ tclass = SECCLASS_CHR_FILE; >+ avr = CHR_FILE__WRITE; >+ } >+ else if (S_ISREG(printerstat.st_mode)) >+ { >+ tclass = SECCLASS_FILE; >+ avr = FILE__WRITE; >+ } >+ else >+ { >+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Printer is not a character device or regular file")); >+ return (NULL); >+ } >+ static avc_initialized = 0; >+ if (!avc_initialized++) >+ avc_init("cupsd_enqueue_", NULL, NULL, NULL, NULL); >+ avc_entry_ref_init(&avcref); >+ if (avc_context_to_sid(con->scon, &clisid) != 0) >+ { >+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux sid of the client")); >+ return (NULL); >+ } >+ if (getfilecon(printerfile, &devcon) == -1) >+ { >+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux context of the printer")); >+ return (NULL); >+ } >+ printercon = context_new(devcon); >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: printer context %s client context %s", >+ context_str(printercon), con->scon); >+ context_free(printercon); >+ >+ if (avc_context_to_sid(devcon, &psid) != 0) >+ { >+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux sid of the printer")); >+ freecon(devcon); >+ return (NULL); >+ } >+ freecon(devcon); >+ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0) >+ { >+ /* >+ * The access check failed, so cancel the job and send an audit message >+ */ >+ if (AuditLog != -1) >+ { >+ audit_message = NULL; >+ cupsdSetStringf(&audit_message, "job=? auid=%u acct=%s obj=%s refused" >+ " unable to access printer=%s", con->auid, >+ con->username, con->scon, printer->name); >+ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message, >+ ServerName, NULL, NULL, 0); >+ cupsdClearString(&audit_message); >+ } >+ >+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux prohibits access to the printer")); >+ return (NULL); >+ } >+ } >+ } >+#endif /* WITH_LSPP */ >+ > if ((job = cupsdAddJob(priority, printer->name)) == NULL) > { > send_ipp_status(con, IPP_INTERNAL_ERROR, >@@ -1648,6 +1778,32 @@ add_job(cupsd_client_t *con, /* I - Cl > return (NULL); > } > >+#ifdef WITH_LSPP >+ if (is_lspp_config()) >+ { >+ /* >+ * duplicate the security context and auid of the connection into the job structure >+ */ >+ job->scon = strdup(con->scon); >+ job->auid = con->auid; >+ >+ /* >+ * add the security context to the request so that on a restart the security >+ * attributes will be able to be restored >+ */ >+ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "security-context", >+ NULL, job->scon); >+ } >+ else >+ { >+ /* >+ * Fill in the security context of the job as unlabeled >+ */ >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: setting context of job to %s", UNKNOWN_SL); >+ cupsdSetString(&job->scon, UNKNOWN_SL); >+ } >+#endif /* WITH_LSPP */ >+ > job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE); > job->attrs = con->request; > job->dirty = 1; >@@ -1857,6 +2013,29 @@ add_job(cupsd_client_t *con, /* I - Cl > attr->values[0].string.text = _cupsStrRetain(printer->job_sheets[0]); > attr->values[1].string.text = _cupsStrRetain(printer->job_sheets[1]); > } >+#ifdef WITH_LSPP >+ else >+ { >+ /* >+ * The option was present, so capture the user supplied strings >+ */ >+ userheader = strdup(attr->values[0].string.text); >+ >+ if (attr->num_values > 1) >+ userfooter = strdup(attr->values[1].string.text); >+ >+ if (Classification != NULL && (strcmp(userheader, Classification) == 0) >+ && userfooter &&(strcmp(userfooter, Classification) == 0)) >+ { >+ /* >+ * Since both values are Classification, the user is not trying to Override >+ */ >+ free(userheader); >+ if (userfooter) free(userfooter); >+ userheader = userfooter = NULL; >+ } >+ } >+#endif /* WITH_LSPP */ > > job->job_sheets = attr; > >@@ -1887,6 +2066,9 @@ add_job(cupsd_client_t *con, /* I - Cl > "job-sheets=\"%s,none\", " > "job-originating-user-name=\"%s\"", > Classification, job->username); >+#ifdef WITH_LSPP >+ override = 1; >+#endif /* WITH_LSPP */ > } > else if (attr->num_values == 2 && > strcmp(attr->values[0].string.text, >@@ -1905,6 +2087,9 @@ add_job(cupsd_client_t *con, /* I - Cl > "job-originating-user-name=\"%s\"", > attr->values[0].string.text, > attr->values[1].string.text, job->username); >+#ifdef WITH_LSPP >+ override = 1; >+#endif /* WITH_LSPP */ > } > else if (strcmp(attr->values[0].string.text, Classification) && > strcmp(attr->values[0].string.text, "none") && >@@ -1925,6 +2110,9 @@ add_job(cupsd_client_t *con, /* I - Cl > "job-originating-user-name=\"%s\"", > attr->values[0].string.text, > attr->values[1].string.text, job->username); >+#ifdef WITH_LSPP >+ override = 1; >+#endif /* WITH_LSPP */ > } > } > else if (strcmp(attr->values[0].string.text, Classification) && >@@ -1965,8 +2153,52 @@ add_job(cupsd_client_t *con, /* I - Cl > "job-sheets=\"%s\", " > "job-originating-user-name=\"%s\"", > Classification, job->username); >+#ifdef WITH_LSPP >+ override = 1; >+#endif /* WITH_LSPP */ >+ } >+#ifdef WITH_LSPP >+ if (is_lspp_config() && AuditLog != -1) >+ { >+ audit_message = NULL; >+ >+ if (userheader || userfooter) >+ { >+ if (!override) >+ { >+ /* >+ * The user overrode the banner, so audit it >+ */ >+ cupsdSetStringf(&audit_message, "job=%d user supplied job-sheets=%s,%s" >+ " using banners=%s,%s", job->id, userheader, >+ userfooter, attr->values[0].string.text, >+ (attr->num_values > 1) ? attr->values[1].string.text : "(null)"); >+ audit_log_user_message(AuditLog, AUDIT_LABEL_OVERRIDE, audit_message, >+ ServerName, NULL, NULL, 1); >+ } >+ else >+ { >+ /* >+ * The user tried to override the banner, audit the failure >+ */ >+ cupsdSetStringf(&audit_message, "job=%d user supplied job-sheets=%s,%s" >+ " ignored banners=%s,%s", job->id, userheader, >+ userfooter, attr->values[0].string.text, >+ (attr->num_values > 1) ? attr->values[1].string.text : "(null)"); >+ audit_log_user_message(AuditLog, AUDIT_LABEL_OVERRIDE, audit_message, >+ ServerName, NULL, NULL, 0); >+ } >+ cupsdClearString(&audit_message); >+ } > } >+ >+ if (userheader) >+ free(userheader); >+ if (userfooter) >+ free(userfooter); >+#endif /* WITH_LSPP */ > } >+ > > /* > * See if we need to add the starting sheet... >@@ -3730,6 +3962,111 @@ check_rss_recipient( > } > > >+#ifdef WITH_LSPP >+/* >+ * 'check_context()' - Check SELinux security context of a user and job >+ */ >+ >+static int /* O - 1 if OK, 0 if not, -1 on error */ >+check_context(cupsd_client_t *con, /* I - Client connection */ >+ cupsd_job_t *job) /* I - Job */ >+{ >+ int enforcing; /* is SELinux in enforcing mode */ >+ char filename[1024]; /* Filename of the spool file */ >+ security_id_t clisid; /* SELinux SID of the client */ >+ security_id_t jobsid; /* SELinux SID of the job */ >+ security_id_t filesid; /* SELinux SID of the spool file */ >+ struct avc_entry_ref avcref; /* AVC entry cache pointer */ >+ security_class_t tclass; /* SELinux security class */ >+ access_vector_t avr; /* SELinux access being queried */ >+ security_context_t spoolfilecon; /* SELinux context of the spool file */ >+ >+ >+ /* >+ * Validate the input to be sure there are contexts to work with... >+ */ >+ >+ if (con->scon == NULL || job->scon == NULL >+ || strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0 >+ || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0) >+ return -1; >+ >+ if ((enforcing = security_getenforce()) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "Error while determining SELinux enforcement"); >+ return -1; >+ } >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "check_context: client context %s job context %s", con->scon, job->scon); >+ >+ >+ /* >+ * Initialize the avc engine... >+ */ >+ >+ static avc_initialized = 0; >+ if (! avc_initialized++) >+ { >+ if (avc_init("cupsd", NULL, NULL, NULL, NULL) < 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "check_context: unable avc_init"); >+ return -1; >+ } >+ } >+ if (avc_context_to_sid(con->scon, &clisid) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "check_context: unable to convert %s to SELinux sid", con->scon); >+ return -1; >+ } >+ if (avc_context_to_sid(job->scon, &jobsid) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "check_context: unable to convert %s to SELinux sid", job->scon); >+ return -1; >+ } >+ avc_entry_ref_init(&avcref); >+ tclass = SECCLASS_FILE; >+ avr = FILE__READ; >+ >+ /* >+ * Perform the check with the client as the subject, first with the job as the object >+ * if that fails then with the spool file as the object... >+ */ >+ >+ if (avc_has_perm_noaudit(clisid, jobsid, tclass, avr, &avcref, NULL) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_INFO, "check_context: SELinux denied access based on the client context"); >+ >+ snprintf(filename, sizeof(filename), "%s/c%05d", RequestRoot, job->id); >+ if (getfilecon(filename, &spoolfilecon) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "check_context: Unable to get spoolfile context"); >+ return -1; >+ } >+ if (avc_context_to_sid(spoolfilecon, &filesid) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "check_context: Unable to determine the SELinux sid for the spool file"); >+ freecon(spoolfilecon); >+ return -1; >+ } >+ freecon(spoolfilecon); >+ if (avc_has_perm_noaudit(clisid, filesid, tclass, avr, &avcref, NULL) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_INFO, "check_context: SELinux denied access to the spool file"); >+ return 0; >+ } >+ cupsdLogMessage(CUPSD_LOG_INFO, "check_context: SELinux allowed access to the spool file"); >+ return 1; >+ } >+ else >+ if (enforcing == 0) >+ cupsdLogMessage(CUPSD_LOG_INFO, "check_context: allowing operation due to permissive mode"); >+ else >+ cupsdLogMessage(CUPSD_LOG_INFO, "check_context: SELinux allowed access based on the client context"); >+ >+ return 1; >+} >+#endif /* WITH_LSPP */ >+ >+ > /* > * 'check_quotas()' - Check quotas for a printer and user. > */ >@@ -4182,6 +4519,15 @@ copy_banner(cupsd_client_t *con, /* I - > char attrname[255], /* Name of attribute */ > *s; /* Pointer into name */ > ipp_attribute_t *attr; /* Attribute */ >+#ifdef WITH_LSPP >+ const char *mls_label; /* SL of print job */ >+ char *jobrange; /* SELinux sensitivity range */ >+ char *jobclearance; /* SELinux low end clearance */ >+ context_t jobcon; /* SELinux context of the job */ >+ context_t tmpcon; /* Temp context to set the level */ >+ security_context_t spoolcon; /* Context of the file in the spool */ >+#endif /* WITH_LSPP */ >+ > > > cupsdLogMessage(CUPSD_LOG_DEBUG2, >@@ -4217,6 +4563,82 @@ copy_banner(cupsd_client_t *con, /* I - > > fchmod(cupsFileNumber(out), 0640); > fchown(cupsFileNumber(out), RunUser, Group); >+#ifdef WITH_LSPP >+ if (job->scon != NULL && >+ strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) >+ { >+ if (getfilecon(filename, &spoolcon) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "copy_banner: Unable to get the context of the banner file %s - %s", >+ filename, strerror(errno)); >+ job->num_files --; >+ return (0); >+ } >+ tmpcon = context_new(spoolcon); >+ jobcon = context_new(job->scon); >+ freecon(spoolcon); >+ if (!tmpcon || !jobcon) >+ { >+ if (tmpcon) >+ context_free(tmpcon); >+ if (jobcon) >+ context_free(jobcon); >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "copy_banner: Unable to get the SELinux contexts"); >+ job->num_files --; >+ return (0); >+ } >+ jobrange = context_range_get(jobcon); >+ if (jobrange) >+ { >+ jobrange = strdup(jobrange); >+ if ((jobclearance = strtok(jobrange, "-")) != NULL) >+ { >+ if (context_range_set(tmpcon, jobclearance) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "copy_banner: Unable to set the level of the context for file %s - %s", >+ filename, strerror(errno)); >+ free(jobrange); >+ context_free(jobcon); >+ context_free(tmpcon); >+ job->num_files --; >+ return (0); >+ } >+ } >+ else >+ { >+ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "copy_banner: Unable to set the level of the context for file %s - %s", >+ filename, strerror(errno)); >+ free(jobrange); >+ context_free(jobcon); >+ context_free(tmpcon); >+ job->num_files --; >+ return (0); >+ } >+ } >+ free(jobrange); >+ } >+ if (setfilecon(filename, context_str(tmpcon)) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "copy_banner: Unable to set the context of the banner file %s - %s", >+ filename, strerror(errno)); >+ context_free(jobcon); >+ context_free(tmpcon); >+ job->num_files --; >+ return (0); >+ } >+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "copy_banner: %s set to %s", >+ filename, context_str(tmpcon)); >+ context_free(jobcon); >+ context_free(tmpcon); >+ } >+#endif /* WITH_LSPP */ > > /* > * Try the localized banner file under the subdirectory... >@@ -4311,6 +4733,24 @@ copy_banner(cupsd_client_t *con, /* I - > else > s = attrname; > >+#ifdef WITH_LSPP >+ if (strcmp(s, "mls-label") == 0) >+ { >+ if (job->scon != NULL && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) >+ { >+ jobcon = context_new(job->scon); >+ if (_cups_strcasecmp(name, MLS_CONFIG) == 0) >+ mls_label = context_range_get(jobcon); >+ else if (_cups_strcasecmp(name, TE_CONFIG) == 0) >+ mls_label = context_type_get(jobcon); >+ else // default to using the whole context string >+ mls_label = context_str(jobcon); >+ cupsFilePuts(out, mls_label); >+ context_free(jobcon); >+ } >+ continue; >+ } >+#endif /* WITH_LSPP */ > if (!strcmp(s, "printer-name")) > { > cupsFilePuts(out, job->dest); >@@ -6388,6 +6828,22 @@ get_job_attrs(cupsd_client_t *con, /* I > > exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username); > >+ >+#ifdef WITH_LSPP >+ /* >+ * Check SELinux... >+ */ >+ if (is_lspp_config() && check_context(con, job) != 1) >+ { >+ /* >+ * Unfortunately we have to lie to the user... >+ */ >+ send_ipp_status(con, IPP_NOT_FOUND, _("Job #%d does not exist!"), jobid); >+ return; >+ } >+#endif /* WITH_LSPP */ >+ >+ > /* > * Copy attributes... > */ >@@ -6741,6 +7197,11 @@ get_jobs(cupsd_client_t *con, /* I - C > if (username[0] && _cups_strcasecmp(username, job->username)) > continue; > >+#ifdef WITH_LSPP >+ if (is_lspp_config() && check_context(con, job) != 1) >+ continue; >+#endif /* WITH_LSPP */ >+ > if (count > 0) > ippAddSeparator(con->response); > >@@ -11303,6 +11764,11 @@ validate_user(cupsd_job_t *job, /* I > > strlcpy(username, get_username(con), userlen); > >+#ifdef WITH_LSPP >+ if (is_lspp_config() && check_context(con, job) != 1) >+ return 0; >+#endif /* WITH_LSPP */ >+ > /* > * Check the username against the owner... > */ >diff -up cups-1.6.2/scheduler/job.c.lspp cups-1.6.2/scheduler/job.c >--- cups-1.6.2/scheduler/job.c.lspp 2013-03-18 19:00:30.686448406 +0100 >+++ cups-1.6.2/scheduler/job.c 2013-03-18 19:00:30.735447727 +0100 >@@ -68,6 +68,9 @@ > * update_job_attrs() - Update the job-printer-* attributes. > */ > >+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ >+ > /* > * Include necessary headers... > */ >@@ -83,6 +86,14 @@ > # endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */ > #endif /* __APPLE__ */ > >+#ifdef WITH_LSPP >+#include <libaudit.h> >+#include <selinux/selinux.h> >+#include <selinux/context.h> >+#include <selinux/avc.h> >+#include <selinux/flask.h> >+#include <selinux/av_permissions.h> >+#endif /* WITH_LSPP */ > > /* > * Design Notes for Job Management >@@ -580,6 +591,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I > /* PRINTER_STATE_REASONS env var */ > rip_max_cache[255]; > /* RIP_MAX_CACHE env variable */ >+#ifdef WITH_LSPP >+ char *audit_message = NULL; /* Audit message string */ >+ context_t jobcon; /* SELinux context of the job */ >+ char *label_template = NULL; /* SL to put in classification >+ env var */ >+ const char *mls_label = NULL; /* SL to put in classification >+ env var */ >+#endif /* WITH_LSPP */ > > > cupsdLogMessage(CUPSD_LOG_DEBUG2, >@@ -1071,6 +1090,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I > } > } > >+#ifdef WITH_LSPP >+ if (is_lspp_config()) >+ { >+ if (!job->scon || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0) >+ { >+ if (AuditLog != -1) >+ { >+ audit_message = NULL; >+ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s", >+ job->id, job->auid, job->username, job->printer->name, title); >+ audit_log_user_message(AuditLog, AUDIT_USER_UNLABELED_EXPORT, audit_message, >+ ServerName, NULL, NULL, 1); >+ cupsdClearString(&audit_message); >+ } >+ } >+ else >+ { >+ jobcon = context_new(job->scon); >+ >+ if ((attr = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME)) == NULL) >+ label_template = strdup(Classification); >+ else if (attr->num_values > 1 && >+ strcmp(attr->values[1].string.text, "none") != 0) >+ label_template = strdup(attr->values[1].string.text); >+ else >+ label_template = strdup(attr->values[0].string.text); >+ >+ if (_cups_strcasecmp(label_template, MLS_CONFIG) == 0) >+ mls_label = context_range_get(jobcon); >+ else if (_cups_strcasecmp(label_template, TE_CONFIG) == 0) >+ mls_label = context_type_get(jobcon); >+ else if (_cups_strcasecmp(label_template, SELINUX_CONFIG) == 0) >+ mls_label = context_str(jobcon); >+ else >+ mls_label = label_template; >+ >+ if (mls_label && (PerPageLabels || banner_page)) >+ { >+ snprintf(classification, sizeof(classification), "CLASSIFICATION=LSPP:%s", mls_label); >+ envp[envc ++] = classification; >+ } >+ >+ if ((AuditLog != -1) && !banner_page) >+ { >+ audit_message = NULL; >+ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s" >+ " obj=%s label=%s", job->id, job->auid, job->username, >+ job->printer->name, title, job->scon, mls_label?mls_label:"none"); >+ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message, >+ ServerName, NULL, NULL, 1); >+ cupsdClearString(&audit_message); >+ } >+ context_free(jobcon); >+ free(label_template); >+ } >+ } >+ else >+ /* >+ * Fall through to the non-LSPP behavior >+ */ >+#endif /* WITH_LSPP */ > if (Classification && !banner_page) > { > if ((attr = ippFindAttribute(job->attrs, "job-sheets", >@@ -1845,6 +1925,20 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J > ippSetString(job->attrs, &job->reasons, 0, "none"); > } > >+#ifdef WITH_LSPP >+ if ((attr = ippFindAttribute(job->attrs, "security-context", IPP_TAG_NAME)) != NULL) >+ cupsdSetString(&job->scon, attr->values[0].string.text); >+ else if (is_lspp_config()) >+ { >+ /* >+ * There was no security context so delete the job >+ */ >+ cupsdLogMessage(CUPSD_LOG_ERROR, "LoadAllJobs: Missing or bad security-context attribute in control file \"%s\"!", >+ jobfile); >+ goto error; >+ } >+#endif /* WITH_LSPP */ >+ > job->sheets = ippFindAttribute(job->attrs, "job-media-sheets-completed", > IPP_TAG_INTEGER); > job->job_sheets = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME); >@@ -2235,6 +2329,14 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J > { > char filename[1024]; /* Job control filename */ > cups_file_t *fp; /* Job file */ >+#ifdef WITH_LSPP >+ security_context_t spoolcon; /* context of the job control file */ >+ context_t jobcon; /* contex_t container for job->scon */ >+ context_t tmpcon; /* Temp context to swap the level */ >+ char *jobclearance; /* SELinux low end clearance */ >+ const char *jobrange; /* SELinux sensitivity range */ >+ char *jobrange_copy; /* SELinux sensitivity range */ >+#endif /* WITH_LSPP */ > > > cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p(%d)): job->attrs=%p", >@@ -2247,6 +2349,76 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J > > fchown(cupsFileNumber(fp), RunUser, Group); > >+#ifdef WITH_LSPP >+ if (job->scon && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0) >+ { >+ if (getfilecon(filename, &spoolcon) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "Unable to get context of job control file \"%s\" - %s.", >+ filename, strerror(errno)); >+ return; >+ } >+ jobcon = context_new(job->scon); >+ tmpcon = context_new(spoolcon); >+ freecon(spoolcon); >+ if (!jobcon || !tmpcon) >+ { >+ if (jobcon) >+ context_free(jobcon); >+ if (tmpcon) >+ context_free(tmpcon); >+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to get SELinux contexts"); >+ return; >+ } >+ jobrange = context_range_get(jobcon); >+ if (jobrange) >+ { >+ jobrange_copy = strdup(jobrange); >+ if ((jobclearance = strtok(jobrange_copy, "-")) != NULL) >+ { >+ if (context_range_set(tmpcon, jobclearance) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "Unable to set the range for job control file \"%s\" - %s.", >+ filename, strerror(errno)); >+ free(jobrange_copy); >+ context_free(tmpcon); >+ context_free(jobcon); >+ return; >+ } >+ } >+ else >+ { >+ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "Unable to set the range for job control file \"%s\" - %s.", >+ filename, strerror(errno)); >+ free(jobrange_copy); >+ context_free(tmpcon); >+ context_free(jobcon); >+ return; >+ } >+ } >+ free(jobrange_copy); >+ } >+ if (setfilecon(filename, context_str(tmpcon)) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "Unable to set context of job control file \"%s\" - %s.", >+ filename, strerror(errno)); >+ context_free(tmpcon); >+ context_free(jobcon); >+ return; >+ } >+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p): new spool file context=%s", >+ job, context_str(tmpcon)); >+ context_free(tmpcon); >+ context_free(jobcon); >+ } >+#endif /* WITH_LSPP */ >+ > job->attrs->state = IPP_IDLE; > > if (ippWriteIO(fp, (ipp_iocb_t)cupsFileWrite, 1, NULL, >@@ -3756,6 +3928,18 @@ get_options(cupsd_job_t *job, /* I - Jo > banner_page) > continue; > >+#ifdef WITH_LSPP >+ /* >+ * In LSPP mode refuse to honor the page-label >+ */ >+ if (is_lspp_config() && >+ !strcmp(attr->name, "page-label")) >+ { >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "Ignoring page-label option due to LSPP mode"); >+ continue; >+ } >+#endif /* WITH_LSPP */ >+ > /* > * Otherwise add them to the list... > */ >@@ -4480,6 +4664,19 @@ static void > start_job(cupsd_job_t *job, /* I - Job ID */ > cupsd_printer_t *printer) /* I - Printer to print job */ > { >+#ifdef WITH_LSPP >+ char *audit_message = NULL; /* Audit message string */ >+ char *printerfile = NULL; /* Device file pointed to by the printer */ >+ security_id_t clisid; /* SELinux SID for the client */ >+ security_id_t psid; /* SELinux SID for the printer */ >+ context_t printercon; /* Printer's context string */ >+ struct stat printerstat; /* Printer's stat buffer */ >+ security_context_t devcon; /* Printer's SELinux context */ >+ struct avc_entry_ref avcref; /* Pointer to the access vector cache */ >+ security_class_t tclass; /* Object class for the SELinux check */ >+ access_vector_t avr; /* Access method being requested */ >+#endif /* WITH_LSPP */ >+ > cupsdLogMessage(CUPSD_LOG_DEBUG2, "start_job(job=%p(%d), printer=%p(%s))", > job, job->id, printer, printer->name); > >@@ -4622,6 +4819,108 @@ start_job(cupsd_job_t *job, /* I - > fcntl(job->side_pipes[1], F_SETFD, > fcntl(job->side_pipes[1], F_GETFD) | FD_CLOEXEC); > >+#ifdef WITH_LSPP >+ if (is_lspp_config()) >+ { >+ /* >+ * Perform an access check before printing, but only if the printer starts with /dev/ >+ */ >+ printerfile = strstr(printer->device_uri, "/dev/"); >+ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0)) >+ printerfile = printer->device_uri + strlen("file:"); >+ >+ if (printerfile != NULL) >+ { >+ cupsdLogMessage(CUPSD_LOG_DEBUG, >+ "StartJob: Attempting to check access on printer device %s", printerfile); >+ if (lstat(printerfile, &printerstat) < 0) >+ { >+ if (errno != ENOENT) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "StartJob: Unable to stat the printer"); >+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); >+ return ; >+ } >+ /* >+ * The printer does not exist, so for now assume it's a FileDevice >+ */ >+ tclass = SECCLASS_FILE; >+ avr = FILE__WRITE; >+ } >+ else if (S_ISCHR(printerstat.st_mode)) >+ { >+ tclass = SECCLASS_CHR_FILE; >+ avr = CHR_FILE__WRITE; >+ } >+ else if (S_ISREG(printerstat.st_mode)) >+ { >+ tclass = SECCLASS_FILE; >+ avr = FILE__WRITE; >+ } >+ else >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "StartJob: Printer is not a character device or regular file"); >+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); >+ return ; >+ } >+ static avc_initialized = 0; >+ if (!avc_initialized++) >+ avc_init("cupsd_dequeue_", NULL, NULL, NULL, NULL); >+ avc_entry_ref_init(&avcref); >+ if (avc_context_to_sid(job->scon, &clisid) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "StartJob: Unable to determine the SELinux sid for the job"); >+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); >+ return ; >+ } >+ if (getfilecon(printerfile, &devcon) == -1) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "StartJob: Unable to get the SELinux context of %s", >+ printerfile); >+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); >+ return ; >+ } >+ printercon = context_new(devcon); >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "StartJob: printer context %s client context %s", >+ context_str(printercon), job->scon); >+ context_free(printercon); >+ >+ if (avc_context_to_sid(devcon, &psid) != 0) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, >+ "StartJob: Unable to determine the SELinux sid for the printer"); >+ freecon(devcon); >+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); >+ return ; >+ } >+ freecon(devcon); >+ >+ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0) >+ { >+ /* >+ * The access check failed, so cancel the job and send an audit message >+ */ >+ if (AuditLog != -1) >+ { >+ audit_message = NULL; >+ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s obj=%s canceled" >+ " unable to access printer=%s", job->id, >+ job->auid, (job->username)?job->username:"?", job->scon, printer->name); >+ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message, >+ ServerName, NULL, NULL, 0); >+ cupsdClearString(&audit_message); >+ } >+ >+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL); >+ >+ return ; >+ } >+ } >+ } >+#endif /* WITH_LSPP */ >+ > /* > * Now start the first file in the job... > */ >diff -up cups-1.6.2/scheduler/job.h.lspp cups-1.6.2/scheduler/job.h >--- cups-1.6.2/scheduler/job.h.lspp 2012-05-23 03:36:50.000000000 +0200 >+++ cups-1.6.2/scheduler/job.h 2013-03-18 19:00:30.736447713 +0100 >@@ -13,6 +13,13 @@ > * file is missing or damaged, see the license at "http://www.cups.org/". > */ > >+/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */ >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ >+ >+#ifdef WITH_LSPP >+#include <selinux/selinux.h> >+#endif /* WITH_LSPP */ >+ > /* > * Constants... > */ >@@ -82,6 +89,10 @@ struct cupsd_job_s /**** Job request * > int progress; /* Printing progress */ > int num_keywords; /* Number of PPD keywords */ > cups_option_t *keywords; /* PPD keywords */ >+#ifdef WITH_LSPP >+ security_context_t scon; /* Security context of job */ >+ uid_t auid; /* Audit loginuid for this job */ >+#endif /* WITH_LSPP */ > }; > > typedef struct cupsd_joblog_s /**** Job log message ****/ >diff -up cups-1.6.2/scheduler/main.c.lspp cups-1.6.2/scheduler/main.c >--- cups-1.6.2/scheduler/main.c.lspp 2013-03-18 19:00:30.708448101 +0100 >+++ cups-1.6.2/scheduler/main.c 2013-03-18 19:05:36.422206888 +0100 >@@ -38,6 +38,8 @@ > * usage() - Show scheduler usage. > */ > >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ >+ > /* > * Include necessary headers... > */ >@@ -80,6 +82,9 @@ > # include <sys/param.h> > #endif /* HAVE_SYS_PARAM_H */ > >+#ifdef WITH_LSPP >+# include <libaudit.h> >+#endif /* WITH_LSPP */ > > /* > * Local functions... >@@ -143,6 +148,9 @@ main(int argc, /* I - Number of comm > #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET) > struct sigaction action; /* Actions for POSIX signals */ > #endif /* HAVE_SIGACTION && !HAVE_SIGSET */ >+#if WITH_LSPP >+ auditfail_t failmode; /* Action for audit_open failure */ >+#endif /* WITH_LSPP */ > #ifdef __sgi > cups_file_t *fp; /* Fake lpsched lock file */ > struct stat statbuf; /* Needed for checking lpsched FIFO */ >@@ -522,6 +530,25 @@ main(int argc, /* I - Number of comm > #endif /* DEBUG */ > } > >+#ifdef WITH_LSPP >+ if ((AuditLog = audit_open()) < 0 ) >+ { >+ if (get_auditfail_action(&failmode) == 0) >+ { >+ if (failmode == FAIL_LOG) >+ { >+ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to connect to audit subsystem."); >+ AuditLog = -1; >+ } >+ else if (failmode == FAIL_TERMINATE) >+ { >+ fprintf(stderr, "cupsd: unable to start auditing, terminating"); >+ return -1; >+ } >+ } >+ } >+#endif /* WITH_LSPP */ >+ > /* > * Set the timezone info... > */ >@@ -1216,6 +1243,11 @@ main(int argc, /* I - Number of comm > > cupsdStopSelect(); > >+#ifdef WITH_LSPP >+ if (AuditLog != -1) >+ audit_close(AuditLog); >+#endif /* WITH_LSPP */ >+ > return (!stop_scheduler); > } > >diff -up cups-1.6.2/scheduler/printers.c.lspp cups-1.6.2/scheduler/printers.c >--- cups-1.6.2/scheduler/printers.c.lspp 2013-03-18 19:00:30.649448920 +0100 >+++ cups-1.6.2/scheduler/printers.c 2013-03-18 19:07:48.244377673 +0100 >@@ -56,6 +56,8 @@ > * write_xml_string() - Write a string with XML escaping. > */ > >+/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */ >+ > /* > * Include necessary headers... > */ >@@ -80,6 +82,10 @@ > # include <asl.h> > #endif /* __APPLE__ */ > >+#ifdef WITH_LSPP >+# include <libaudit.h> >+# include <selinux/context.h> >+#endif /* WITH_LSPP */ > > /* > * Local functions... >@@ -2090,6 +2096,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) > ipp_attribute_t *attr; /* Attribute data */ > char *name, /* Current user/group name */ > *filter; /* Current filter */ >+#ifdef WITH_LSPP >+ char *audit_message; /* Audit message string */ >+ char *printerfile; /* Path to a local printer dev */ >+ char *rangestr; /* Printer's range if its available */ >+ security_context_t devcon; /* Printer SELinux context */ >+ context_t printercon; /* context_t for the printer */ >+#endif /* WITH_LSPP */ > > > DEBUG_printf(("cupsdSetPrinterAttrs: entering name = %s, type = %x\n", p->name, >@@ -2212,6 +2225,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p) > attr->values[1].string.text = _cupsStrAlloc(Classification ? > Classification : p->job_sheets[1]); > } >+#ifdef WITH_LSPP >+ if (AuditLog != -1) >+ { >+ audit_message = NULL; >+ rangestr = NULL; >+ printercon = 0; >+ printerfile = strstr(p->device_uri, "/dev/"); >+ if (printerfile == NULL && (strncmp(p->device_uri, "file:/", 6) == 0)) >+ printerfile = p->device_uri + strlen("file:"); >+ >+ if (printerfile != NULL) >+ { >+ if (getfilecon(printerfile, &devcon) == -1) >+ { >+ if(is_selinux_enabled()) >+ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdSetPrinterAttrs: Unable to get printer context"); >+ } >+ else >+ { >+ printercon = context_new(devcon); >+ freecon(devcon); >+ } >+ } >+ >+ if (printercon && context_range_get(printercon)) >+ rangestr = strdup(context_range_get(printercon)); >+ else >+ rangestr = strdup("unknown"); >+ >+ cupsdSetStringf(&audit_message, "printer=%s uri=%s banners=%s,%s range=%s", >+ p->name, p->sanitized_device_uri, p->job_sheets[0], p->job_sheets[1], rangestr); >+ audit_log_user_message(AuditLog, AUDIT_LABEL_LEVEL_CHANGE, audit_message, >+ ServerName, NULL, NULL, 1); >+ if (printercon) >+ context_free(printercon); >+ free(rangestr); >+ cupsdClearString(&audit_message); >+ } >+#endif /* WITH_LSPP */ > } > > p->raw = 0; >@@ -5298,7 +5350,6 @@ write_irix_state(cupsd_printer_t *p) /* > } > #endif /* __sgi */ > >- > /* > * 'write_xml_string()' - Write a string with XML escaping. > */
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=5969">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 29477
: 5969
