Updated to fedora-glibc-20060102T1045

4 files changed, 45 insertions, 58 deletions

diff --git a/nscd/connections.c b/nscd/connections.c
index 632635845b..9c096e2e05 100644
--- a/nscd/connections.c
+++ b/nscd/connections.c
@@ -431,7 +431,7 @@ void
 nscd_init (void)
 {
   /* Secure mode and unprivileged mode are incompatible */
-  if (server_user != NULL && secure_in_use)
+  if (server_user != NULL)
     {
       dbg_log (_("Cannot run nscd in secure mode as unprivileged user"));
       exit (4);
@@ -1060,29 +1060,28 @@ cannot handle old request version %d; current version is %d"),
     case GETSTAT:
     case SHUTDOWN:
     case INVALIDATE:
-      if (! secure_in_use)
-	{
-	  /* Get the callers credentials.  */
+      {
+	/* Get the callers credentials.  */
 #ifdef SO_PEERCRED
-	  struct ucred caller;
-	  socklen_t optlen = sizeof (caller);
+	struct ucred caller;
+	socklen_t optlen = sizeof (caller);
 
-	  if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0)
-	    {
-	      char buf[256];
+	if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0)
+	  {
+	    char buf[256];
 
-	      dbg_log (_("error getting callers id: %s"),
-		       strerror_r (errno, buf, sizeof (buf)));
-	      break;
-	    }
+	    dbg_log (_("error getting callers id: %s"),
+		     strerror_r (errno, buf, sizeof (buf)));
+	    break;
+	  }
 
-	  uid = caller.uid;
+	uid = caller.uid;
 #else
-	  /* Some systems have no SO_PEERCRED implementation.  They don't
-	     care about security so we don't as well.  */
-	  uid = 0;
+	/* Some systems have no SO_PEERCRED implementation.  They don't
+	   care about security so we don't as well.  */
+	uid = 0;
 #endif
-	}
+      }
 
       /* Accept shutdown, getstat and invalidate only from root.  For
 	 the stat call also allow the user specified in the config file.  */
@@ -1376,25 +1375,7 @@ nscd_run (void *p)
 #ifdef SO_PEERCRED
       pid_t pid = 0;
 
-      if (secure_in_use)
-	{
-	  struct ucred caller;
-	  socklen_t optlen = sizeof (caller);
-
-	  if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &caller, &optlen) < 0)
-	    {
-	      dbg_log (_("error getting callers id: %s"),
-		       strerror_r (errno, buf, sizeof (buf)));
-	      goto close_and_out;
-	    }
-
-	  if (req.type < GETPWBYNAME || req.type > LASTDBREQ
-	      || serv2db[req.type]->secure)
-	    uid = caller.uid;
-
-	  pid = caller.pid;
-	}
-      else if (__builtin_expect (debug_level > 0, 0))
+      if (__builtin_expect (debug_level > 0, 0))
 	{
 	  struct ucred caller;
 	  socklen_t optlen = sizeof (caller);
diff --git a/nscd/nscd.c b/nscd/nscd.c
index 3c65e20a60..2941cbdc15 100644
--- a/nscd/nscd.c
+++ b/nscd/nscd.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 1998-2003, 2004, 2005 Free Software Foundation, Inc.
+/* Copyright (c) 1998-2003, 2004, 2005, 2006 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Thorsten Kukuk <kukuk@suse.de>, 1998.
 
@@ -70,7 +70,6 @@ int disabled_passwd;
 int disabled_group;
 int go_background = 1;
 
-int secure_in_use;
 static const char *conffile = _PATH_NSCDCONF;
 
 time_t start_time;
@@ -370,16 +369,7 @@ parse_opt (int key, char *arg, struct argp_state *state)
       break;
 
     case 'S':
-#if 0
-      if (strcmp (arg, "passwd,yes") == 0)
-	secure_in_use = dbs[pwddb].secure = 1;
-      else if (strcmp (arg, "group,yes") == 0)
-	secure_in_use = dbs[grpdb].secure = 1;
-      else if (strcmp (arg, "hosts,yes") == 0)
-	secure_in_use = dbs[hstdb].secure = 1;
-#else
       error (0, 0, _("secure services not implemented anymore"));
-#endif
       break;
 
     default:
@@ -398,7 +388,7 @@ print_version (FILE *stream, struct argp_state *state)
 Copyright (C) %s Free Software Foundation, Inc.\n\
 This is free software; see the source for copying conditions.  There is NO\n\
 warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n\
-"), "2005");
+"), "2006");
   fprintf (stream, gettext ("Written by %s.\n"),
 	   "Thorsten Kukuk and Ulrich Drepper");
 }
diff --git a/nscd/nscd.h b/nscd/nscd.h
index 3859d95d01..ed686bea7e 100644
--- a/nscd/nscd.h
+++ b/nscd/nscd.h
@@ -68,7 +68,6 @@ struct database_dyn
   const char *db_filename;
   time_t file_mtime;
   size_t suggested_module;
-  int secure;
 
   unsigned long int postimeout;	/* In seconds.  */
   unsigned long int negtimeout;	/* In seconds.  */
@@ -122,9 +121,6 @@ extern int nthreads;
 /* Maximum number of threads to use.  */
 extern int max_nthreads;
 
-/* Tables for which we cache data with uid.  */
-extern int secure_in_use; /* Is one of the above 1?  */
-
 /* User name to run server processes as.  */
 extern const char *server_user;
 
diff --git a/nscd/selinux.c b/nscd/selinux.c
index a15e522958..138d96d23a 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
@@ -27,6 +27,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <syslog.h>
+#include <unistd.h>
 #include <selinux/av_permissions.h>
 #include <selinux/avc.h>
 #include <selinux/flask.h>
@@ -114,11 +115,28 @@ static int audit_fd = -1;
 static void
 log_callback (const char *fmt, ...)
 {
-  va_list ap;
+  if (audit_fd >= 0)
+    {
+      va_list ap;
+      va_start (ap, fmt);
+
+      char *buf;
+      int e = vasprintf (&buf, fmt, ap);
+      if (e < 0)
+	{
+	  buf = alloca (BUFSIZ);
+	  vsnprintf (buf, BUFSIZ, fmt, ap);
+	}
+
+      /* FIXME: need to attribute this to real user, using getuid for now */
+      audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+				  NULL, getuid ());
 
-  va_start (ap, fmt);
-  audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
-  va_end (ap);
+      if (e >= 0)
+	free (buf);
+
+      va_end (ap);
+    }
 }
 
 /* Initialize the connection to the audit system */
@@ -126,7 +144,9 @@ static void
 audit_init (void)
 {
   audit_fd = audit_open ();
-  if (audit_fd < 0)
+  if (audit_fd < 0
+      /* If kernel doesn't support audit, bail out */
+      && errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT)
     dbg_log (_("Failed opening connection to the audit subsystem: %m"));
 }
 #endif /* HAVE_LIBAUDIT */