authorjpk <none@none>2006-03-24 12:29:20 -0800
committerjpk <none@none>2006-03-24 12:29:20 -0800
commit45916cd2fec6e79bca5dee0421bd39e3c2910d1e (patch)
tree6b3ea6982435d47edc8972c72c62f9d111e8bb10 /usr/src/cmd/ldap
parent2c9565cfcd87a2045c2e4b76f31ac4e978903589 (diff)
PSARC/2002/762 Layered Trusted Solaris
PSARC/2005/060 TSNET: Trusted Networking with Security Labels PSARC/2005/259 Layered Trusted Solaris Label Interfaces PSARC/2005/573 Solaris Trusted Extensions for Printing PSARC/2005/691 Trusted Extensions for Device Allocation PSARC/2005/723 Solaris Trusted Extensions Filesystem Labeling PSARC/2006/009 Labeled Auditing PSARC/2006/155 Trusted Extensions RBAC Changes PSARC/2006/191 is_system_labeled 6293271 Zone processes should use zone_kcred instead of kcred 6394554 integrate Solaris Trusted Extensions --HG-- rename : usr/src/cmd/dminfo/Makefile => deleted_files/usr/src/cmd/dminfo/Makefile rename : usr/src/cmd/dminfo/dminfo.c => usr/src/cmd/allocate/dminfo.c
Diffstat (limited to 'usr/src/cmd/ldap')
-rw-r--r--usr/src/cmd/ldap/Makefile.com26
-rw-r--r--usr/src/cmd/ldap/ns_ldap/idsconfig.sh25
-rw-r--r--usr/src/cmd/ldap/ns_ldap/ldapaddent.c14
-rw-r--r--usr/src/cmd/ldap/ns_ldap/ldapaddent.h12
-rw-r--r--usr/src/cmd/ldap/ns_ldap/ldapaddrbac.c9
-rw-r--r--usr/src/cmd/ldap/ns_ldap/ldapaddtsol.c142
-rw-r--r--usr/src/cmd/ldap/ns_ldap/mapping.c20
7 files changed, 225 insertions, 23 deletions
diff --git a/usr/src/cmd/ldap/Makefile.com b/usr/src/cmd/ldap/Makefile.com
index 824788ffd3..d65d341a22 100644
--- a/usr/src/cmd/ldap/Makefile.com
+++ b/usr/src/cmd/ldap/Makefile.com
@@ -1,4 +1,24 @@
#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
@@ -33,7 +53,7 @@ LDAPLISTOBJS= $(LDAPLISTSRCS:%.c=%.o)
# ldapaddent command
LDAPADDENTPROG= ldapaddent
-LDAPADDENTSRCS= ldapaddent.c ldapaddrbac.c
+LDAPADDENTSRCS= ldapaddent.c ldapaddrbac.c ldapaddtsol.c
LDAPADDENTOBJS= $(LDAPADDENTSRCS:%.c=%.o)
# ldapclient command
@@ -74,7 +94,7 @@ clobber:= TARGET= clobber
lint:= TARGET= lint
# C Pre-Processor flags used by C, CC & lint
-CPPFLAGS += -DSUN -DSVR4 -D_SYS_STREAM_H -DSOLARIS_LDAP_CMD \
+CPPFLAGS += -DSUN -DSVR4 -DSOLARIS_LDAP_CMD \
-I ../../../lib/libldap5/include/ldap \
-I ../../../lib/libsldap/common \
-I ../../../lib/libnsl/include/rpcsvc \
@@ -87,7 +107,7 @@ ldapsearch := LDLIBS += -lldap
ldapdelete := LDLIBS += -lldap
ldapmodify := LDLIBS += -lldap
ldaplist := LDLIBS += -lsldap
-ldapaddent := LDLIBS += -lsldap -lnsl
+ldapaddent := LDLIBS += -lsldap -lnsl -lsecdb
ldapclient := LDLIBS += -lsldap -lscf
lint := LDLIBS += -lldap
diff --git a/usr/src/cmd/ldap/ns_ldap/idsconfig.sh b/usr/src/cmd/ldap/ns_ldap/idsconfig.sh
index 645dfb7c73..485c5f9c7e 100644
--- a/usr/src/cmd/ldap/ns_ldap/idsconfig.sh
+++ b/usr/src/cmd/ldap/ns_ldap/idsconfig.sh
@@ -1,11 +1,12 @@
#!/bin/sh
#
+# ident "%Z%%M% %I% %E% SMI"
+#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License"). You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
@@ -21,11 +22,9 @@
# CDDL HEADER END
#
#
-# ident "%Z%%M% %I% %E% SMI"
-#
# idsconfig -- script to setup iDS 5.x for Native LDAP II.
#
-# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
@@ -3146,6 +3145,8 @@ attributetypes:( 1.3.18.0.2.4.1108 NAME 'printer-aliases' DESC 'Site-specific ad
attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.63 NAME 'sun-printer-bsdaddr' DESC 'Sets the server, print queue destination name and whether the client generates protocol extensions. "Solaris" specifies a Solaris print server extension. The value is represented by the following value: server "," destination ", Solaris".' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.64 NAME 'sun-printer-kvp' DESC 'This attribute contains a set of key value pairs which may have meaning to the print subsystem or may be user defined. Each value is represented by the following: key "=" value.' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.57 NAME 'nisplusTimeZone' DESC 'tzone column from NIS+ timezone table' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.67 NAME 'ipTnetTemplateName' DESC 'Trusted Solaris network template template_name' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.68 NAME 'ipTnetNumber' DESC 'Trusted Solaris network template ip_address' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
EOF
) > ${TMPDIR}/schema_attr
@@ -3291,6 +3292,16 @@ dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.12 NAME 'nisplusTimeZoneData' DESC 'NIS+ timezone table data' SUP top STRUCTURAL MUST ( cn ) MAY ( nisplusTimeZone $ description ) )
+
+dn: cn=schema
+changetype: modify
+add: objectclasses
+objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.8 NAME 'ipTnetTemplate' DESC 'Object class for TSOL network templates' SUP 'top' MUST ( objectclass $ ipTnetTemplateName ) MAY ( SolarisAttrKeyValue ) )
+
+dn: cn=schema
+changetype: modify
+add: objectclasses
+objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.9 NAME 'ipTnetHost' DESC 'Associates an IP address or wildcard with a TSOL template_name' SUP 'top' AUXILIARY MUST ( objectclass $ ipTnetNumber ) )
EOF
) > ${TMPDIR}/schema_obj
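Review bot: The two new objectclass definitions are written differently from the existing `nisplusTimeZoneData` line just above them: they quote the superior (`SUP 'top'` vs `SUP top`), list `objectclass` itself in `MUST`, and `ipTnetTemplate` carries no explicit kind while `ipTnetHost` says `AUXILIARY`. A directory server presumably accepts the quoted form and defaults the kind to STRUCTURAL, but the file is easier to audit if all definitions in this heredoc follow one shape, e.g. `SUP top STRUCTURAL MUST ( ipTnetTemplateName ) MAY ( SolarisAttrKeyValue )`. If the `MUST ( objectclass $ ... )` form is required by the consumer of this schema, a one-line comment above the block saying so would stop the next reader from "fixing" it.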
@@ -3612,7 +3623,7 @@ add_new_containers()
for ou in people group rpc protocols networks netgroup \
aliases hosts services ethers profile printers \
- SolarisAuthAttr SolarisProfAttr Timezone ; do
+ SolarisAuthAttr SolarisProfAttr Timezone ipTnet ; do
# Check if nismaps already exist.
eval "${LDAPSEARCH} ${LDAP_ARGS} -b \"ou=${ou},${LDAP_BASEDN}\" -s base \"objectclass=*\" ${VERB}"
diff --git a/usr/src/cmd/ldap/ns_ldap/ldapaddent.c b/usr/src/cmd/ldap/ns_ldap/ldapaddent.c
index a5d420e406..7b30890fde 100644
--- a/usr/src/cmd/ldap/ns_ldap/ldapaddent.c
+++ b/usr/src/cmd/ldap/ns_ldap/ldapaddent.c
@@ -3572,6 +3572,10 @@ static struct ttypelist_t ttypelist[] = {
filedbmline_comment, "SolarisAuthAttr" },
{ NS_LDAP_TYPE_AUUSER, genent_audit_user, dump_audit_user,
filedbmline_comment, "SolarisAuditUser" },
+ { NS_LDAP_TYPE_TNRHDB, genent_tnrhdb, dump_tnrhdb,
+ filedbmline_comment, "ipTnetHost" },
+ { NS_LDAP_TYPE_TNRHTP, genent_tnrhtp, dump_tnrhtp,
+ filedbmline_comment, "ipTnetTemplate" },
{ 0, 0, 0, 0, 0 }
};
@@ -3641,9 +3645,17 @@ dumptable(char *service)
(void) snprintf(filter, sizeof (filter),
"(&(objectclass=%s)(!(objectclass=SolarisExecAttr)))",
tt->objclass);
- } else
+ } else if (strcmp(tt->ttype, NS_LDAP_TYPE_TNRHDB) == 0) {
+ /*
+ * tnrhtp entries are ipTnet entries with SolarisAttrKeyValue
+ */
+ (void) snprintf(filter, sizeof (filter),
+ "(&(objectclass=%s)(SolarisAttrKeyValue=*)))",
+ tt->objclass);
+ } else {
(void) snprintf(filter, sizeof (filter),
"(objectclass=%s)", tt->objclass);
+ }
if (flags & F_VERBOSE)
(void) fprintf(stdout, gettext("FILTER = %s\n"), filter);
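Review bot: The filter built in the new `NS_LDAP_TYPE_TNRHDB` branch is unbalanced: `"(&(objectclass=%s)(SolarisAttrKeyValue=*)))"` closes three parentheses but only `(&` is left open after the two inner terms, so the server will reject or misparse the search; it should read `"(&(objectclass=%s)(SolarisAttrKeyValue=*))"`. The branch also looks like it tests the wrong type: the comment says "tnrhtp entries are ipTnet entries with SolarisAttrKeyValue", and in this commit's schema (`idsconfig.sh` hunk) `SolarisAttrKeyValue` belongs to `ipTnetTemplate`, which `ttypelist` maps to `NS_LDAP_TYPE_TNRHTP`, whereas `ipTnetHost` (the objectclass this branch substitutes for `NS_LDAP_TYPE_TNRHDB`) has no such attribute, so the filter as written would match nothing. Unless the entries are expected to carry both objectclasses, the condition should presumably be `strcmp(tt->ttype, NS_LDAP_TYPE_TNRHTP) == 0`; please confirm against the intended directory layout. `dumptable` starts and ends outside this hunk.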
diff --git a/usr/src/cmd/ldap/ns_ldap/ldapaddent.h b/usr/src/cmd/ldap/ns_ldap/ldapaddent.h
index 6da82f1fe9..42973d2c6a 100644
--- a/usr/src/cmd/ldap/ns_ldap/ldapaddent.h
+++ b/usr/src/cmd/ldap/ns_ldap/ldapaddent.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -76,11 +75,16 @@ extern int genent_prof_attr(char *line, int (*cback)());
extern int genent_exec_attr(char *line, int (*cback)());
extern int genent_auth_attr(char *line, int (*cback)());
extern int genent_audit_user(char *line, int (*cback)());
+extern int genent_tnrhdb(char *line, int (*cback)());
+extern int genent_tnrhtp(char *line, int (*cback)());
+
extern void dump_user_attr(ns_ldap_result_t *res);
extern void dump_prof_attr(ns_ldap_result_t *res);
extern void dump_exec_attr(ns_ldap_result_t *res);
extern void dump_auth_attr(ns_ldap_result_t *res);
extern void dump_audit_user(ns_ldap_result_t *res);
+extern void dump_tnrhdb(ns_ldap_result_t *res);
+extern void dump_tnrhtp(ns_ldap_result_t *res);
#ifdef __cplusplus
}
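Review bot: `genent_attr` is made external in the `ldapaddrbac.c` hunk of this commit, but its prototype is not added here next to the new `genent_tnrhdb`/`genent_tnrhtp` declarations; instead the new `ldapaddtsol.c` declares it locally as `extern int genent_attr(char *, int, entry_col **);`. A local `extern` is not checked against the definition, so a future signature change in `ldapaddrbac.c` would compile cleanly and fail at runtime; moving that one line into this header keeps a single checked declaration. The two added `genent_*` prototypes also use the unprototyped `int (*cback)()` form, so the `(*cback)(&data, 1)` calls in `ldapaddtsol.c` get no argument checking; that matches the existing declarations above, but a short comment on the expected callback signature would help callers.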
diff --git a/usr/src/cmd/ldap/ns_ldap/ldapaddrbac.c b/usr/src/cmd/ldap/ns_ldap/ldapaddrbac.c
index 04da2f7b66..63c065ea7d 100644
--- a/usr/src/cmd/ldap/ns_ldap/ldapaddrbac.c
+++ b/usr/src/cmd/ldap/ns_ldap/ldapaddrbac.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -66,7 +65,7 @@ extern char *_strtok_escape(char *, char *, char **); /* from libnsl */
* genent_attr:
* Generic function for generating entries for all of the *_attr databases.
*/
-static int
+int
genent_attr(
char *line, /* entry to parse */
int ncol, /* number of columns in the database */
diff --git a/usr/src/cmd/ldap/ns_ldap/ldapaddtsol.c b/usr/src/cmd/ldap/ns_ldap/ldapaddtsol.c
new file mode 100644
index 0000000000..985a859173
--- /dev/null
+++ b/usr/src/cmd/ldap/ns_ldap/ldapaddtsol.c
@@ -0,0 +1,142 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * ldapaddtsol.c
+ *
+ * Routines to add tnrhdb and tnrhtp from /etc/security/tsol into LDAP.
+ * Can also be used to dump entries from a ldap container in /etc format.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <libintl.h>
+#include <string.h>
+#include <nss.h>
+#include <secdb.h>
+#include <sys/tsol/tndb.h>
+#include "ldapaddent.h"
+
+extern int genent_attr(char *, int, entry_col **);
+
+int
+genent_tnrhdb(char *line, int (*cback)())
+{
+ entry_col *ecol;
+ tsol_rhstr_t data;
+ int res, retval;
+
+ /*
+ * parse entry into columns
+ */
+ res = genent_attr(line, TNRHDB_NCOL, &ecol);
+ if (res != GENENT_OK)
+ return (res);
+
+ data.address = _do_unescape(ecol[0].ec_value.ec_value_val);
+ data.template = ecol[1].ec_value.ec_value_val;
+ if (strchr(data.address, ':') == NULL)
+ data.family = AF_INET;
+ else
+ data.family = AF_INET6;
+
+ if (flags & F_VERBOSE)
+ (void) printf(gettext("Adding entry : %s\n"), data.address);
+
+ retval = (*cback)(&data, 1);
+ if (retval)
+ res = GENENT_CBERR;
+
+ free(ecol);
+
+ return (res);
+}
+
+void
+dump_tnrhdb(ns_ldap_result_t *res)
+{
+ char **value = NULL;
+
+ value = __ns_ldap_getAttr(res->entry, "ipTnetNumber");
+ if (value && value[0])
+ (void) printf("%s", value[0]);
+ else
+ return;
+
+ (void) putchar(':');
+ value = __ns_ldap_getAttr(res->entry, "ipTnetTemplateName");
+ if (value && value[0])
+ (void) printf("%s", value[0]);
+ (void) putchar('\n');
+}
+
+int
+genent_tnrhtp(char *line, int (*cback)())
+{
+ entry_col *ecol;
+ tsol_tpstr_t data;
+ int res, retval;
+
+ /*
+ * parse entry into columns
+ */
+ res = genent_attr(line, TNRHTP_NCOL, &ecol);
+ if (res != GENENT_OK)
+ return (res);
+
+ data.template = ecol[0].ec_value.ec_value_val;
+ data.attrs = ecol[1].ec_value.ec_value_val;
+
+ if (flags & F_VERBOSE)
+ (void) printf(gettext("Adding entry : %s\n"), data.template);
+
+ retval = (*cback)(&data, 1);
+ if (retval)
+ res = GENENT_CBERR;
+
+ free(ecol);
+
+ return (res);
+}
+
+void
+dump_tnrhtp(ns_ldap_result_t *res)
+{
+ char **value = NULL;
+
+ value = __ns_ldap_getAttr(res->entry, "ipTnetTemplateName");
+ if (value && value[0])
+ (void) printf("%s", value[0]);
+ else
+ return;
+
+ (void) putchar(':');
+ value = __ns_ldap_getAttr(res->entry, "SolarisAttrKeyValue");
+ if (value && value[0])
+ (void) printf("%s", value[0]);
+ (void) putchar('\n');
+}
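Review bot: `dump_tnrhdb` does not reverse the escaping that `genent_tnrhdb` applies on the way in: the address column is passed through `_do_unescape` before use, and the code itself treats a `':'` in the address as the IPv6 marker, yet `dump_tnrhdb` prints `ipTnetNumber` raw in front of the `':'` field separator, so an IPv6 entry dumped with this code would presumably not re-parse when fed back to `ldapaddent` (confirm what `_do_unescape` strips; it is defined outside this file). The same holds for `dump_tnrhtp` printing `SolarisAttrKeyValue` unescaped after the separator. Both dump routines also silently print only `value[0]` of a possibly multi-valued attribute, which is worth a comment such as `/* only the first value is emitted; /etc format has one per line */`. None of the four functions has a header comment; each should state the line/entry format it produces or consumes, that `ecol` is freed here while the column strings it points at are owned by `line`, and that `cback` is invoked once with the filled `tsol_rhstr_t`/`tsol_tpstr_t`.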
diff --git a/usr/src/cmd/ldap/ns_ldap/mapping.c b/usr/src/cmd/ldap/ns_ldap/mapping.c
index 57827c6f74..470ca20628 100644
--- a/usr/src/cmd/ldap/ns_ldap/mapping.c
+++ b/usr/src/cmd/ldap/ns_ldap/mapping.c
@@ -18,6 +18,7 @@
*
* CDDL HEADER END
*/
+
/*
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
@@ -29,6 +30,7 @@
#include <libintl.h>
#include <strings.h>
#include <stdio.h>
+#include <tsol/label.h>
#include "../../../lib/libsldap/common/ns_sldap.h"
@@ -67,6 +69,8 @@ static struct mapping maplist[] = {
{"exec_attr", "cn", "SolarisExecAttr", NULL},
{"user_attr", "uid", "SolarisUserAttr", NULL},
{"audit_user", "uid", "SolarisAuditUser", NULL},
+ {"tnrhtp", "ipTnetTemplateName", "ipTnetTemplate", NULL},
+ {"tnrhdb", "ipTnetNumber", "ipTnetHost", NULL},
{NULL, NULL, NULL, NULL}
};
@@ -112,10 +116,20 @@ printMapping()
"automountMapName",
"automountMap");
for (i = 0; maplist[i].database != NULL; i++) {
- /* skip printing shadow */
- if (strcasecmp(maplist[i].database, "shadow") != 0)
+ /* skip printing shadow */
+ if (strcasecmp(maplist[i].database, "shadow") == 0)
+ continue;
+ if (!is_system_labeled()) {
+ /*
+ * do not print tnrhdb and tnrhtp if system is
+ * not configured with Trusted Extensions
+ */
+ if ((strcasecmp(maplist[i].database, "tnrhdb") == 0) ||
+ (strcasecmp(maplist[i].database, "tnrhtp") == 0))
+ continue;
+ }
(void) fprintf(stdout, "%-15s%-20s%s\n", maplist[i].database,
- maplist[i].def_type, maplist[i].objectclass);
+ maplist[i].def_type, maplist[i].objectclass);
}
}
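Review bot: `is_system_labeled()` is called on every iteration of the `for` loop even though its result cannot change between iterations; evaluating it once before the loop, `int labeled = is_system_labeled();` ahead of `for (i = 0; ...)` and `if (!labeled) {` in place of the per-iteration call, is both cheaper and clearer about the intent. If the type the header declares differs from `int`, use that type for `labeled`. `printMapping` starts outside this hunk; the re-indentation of the `/* skip printing shadow */` comment and of the `fprintf` continuation line is whitespace-only.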