authorrica <none@none>2007-07-27 16:45:56 -0700
committerrica <none@none>2007-07-27 16:45:56 -0700
commitf875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01 (patch)
treea89bd9be4c155028f554c0df7142f5c3365fb6d0 /usr/src/cmd/tsol/demo
parent836fa82ea903ec0a04de2b008034c3816b75a739 (diff)
downloadillumos-joyent-f875b4ebb1dd9fdbeb043557cab38ab3bf7f6e01.tar.gz
PSARC 2007/254 - Enabling method for Trusted Extensions
6432114 [tjds] cannot login via gdm unless clearance is set to admin_high 6533113 split install and enabling of Trusted Extensions 6533118 move TX source from TLC to ON gate 6542578 TLC putback requires i.pamconf change similar to the kerberos solution. 6552207 txzonemgr does not configure loopback mounts for /etc/passwd and /etc/shadow when creating zones 6552253 solaris.smf.manage.labels should allow for permanent as well as temporary enable/disable of labeld 6555057 txzonemgr assumes LANG is valid 6557684 pam_tsol_account could use a thorough house cleaning 6561392 txzonemgr should work from Zone Management profile 6565347 txzonemgr failed to add an interface to a zone
Diffstat (limited to 'usr/src/cmd/tsol/demo')
-rw-r--r--usr/src/cmd/tsol/demo/Makefile67
-rw-r--r--usr/src/cmd/tsol/demo/clonebylabel.sh107
-rw-r--r--usr/src/cmd/tsol/demo/getmounts.sh30
-rw-r--r--usr/src/cmd/tsol/demo/runinzone.ksh41
-rw-r--r--usr/src/cmd/tsol/demo/runwlabel.ksh50
-rw-r--r--usr/src/cmd/tsol/demo/waitforzone.ksh42
6 files changed, 337 insertions, 0 deletions
diff --git a/usr/src/cmd/tsol/demo/Makefile b/usr/src/cmd/tsol/demo/Makefile
new file mode 100644
index 0000000000..a8d28afe21
--- /dev/null
+++ b/usr/src/cmd/tsol/demo/Makefile
@@ -0,0 +1,67 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libexacct/demo/Makefile
+#
+
+include ../../../cmd/Makefile.cmd
+
+.KEEP_STATE:
+
+DEMOFILES = \
+ clonebylabel.sh \
+ getmounts.sh \
+ runinzone.ksh \
+ runwlabel.ksh \
+ waitforzone.ksh
+
+ROOTDEMODIR = $(ROOT)/usr/demo/tsol
+ROOTDEMOFILES = $(DEMOFILES:%=$(ROOTDEMODIR)/%)
+
+all:
+
+install: all $(ROOTDEMOFILES)
+
+clean:
+
+lint: lint_PROG
+
+$(ROOTDEMODIR):
+ $(INS.dir)
+
+$(ROOTDEMODIR)/%: %
+ $(INS.file)
+
+$(ROOTDEMOFILES): $(ROOTDEMODIR)
+
+$(ROOTDEMODIR) := OWNER = root
+$(ROOTDEMODIR) := GROUP = bin
+$(ROOTDEMODIR) := DIRMODE = 755
+
+$(ROOTDEMOFILES) := OWNER = root
+$(ROOTDEMOFILES) := GROUP = bin
+$(ROOTDEMOFILES) := FILEMODE = 555
+
+include ../../../cmd/Makefile.targ
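Review bot: The header comment `# lib/libexacct/demo/Makefile` names a different directory — this file lives under cmd/tsol/demo, so the line was evidently carried over from the libexacct demo Makefile and should read `# cmd/tsol/demo/Makefile`. `lint: lint_PROG` is declared although this Makefile defines no PROG and only installs scripts; if the lint_PROG rule in Makefile.targ expects one, an empty `lint:` in the style of the neighbouring `all:` and `clean:` is probably what was meant — worth confirming against Makefile.targ, which is outside this change.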
diff --git a/usr/src/cmd/tsol/demo/clonebylabel.sh b/usr/src/cmd/tsol/demo/clonebylabel.sh
new file mode 100644
index 0000000000..ffbb89018f
--- /dev/null
+++ b/usr/src/cmd/tsol/demo/clonebylabel.sh
@@ -0,0 +1,107 @@
+#!/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+# clonebylabel
+#
+# This script installs zones by cloning a zfs snapshot.
+# For each sensitivity label dominated by the clearance
+# a zone is installed if necessary. If the zone name is
+# not already defined in tnzonecfg, the user is prompted
+# to provide a unique zone name.
+#
+# $1 is the label upper bound (clearance)
+#
+# $2 is the zone snaphot to clone for a new zone
+
+ZONECFG=/etc/security/tsol/tnzonecfg
+clearance=$1
+image=$2
+
+#
+# Configure a zone
+#
+
+configure()
+{
+ config=/tmp/zfg.$$
+ echo "create -F -t SUNWtsoldef" > $config
+ echo "set zonepath=/zone/$zonename" >> $config
+ echo "commit" >> $config
+ /usr/sbin/zonecfg -z $zonename -f $config
+ rm $config
+}
+
+#
+# Clone a zone
+#
+
+clone()
+{
+ echo Cloning $zonename from $image ...
+ found=`zoneadm -z $zonename list -p 2>/dev/null`
+ if [ $found ]; then
+ true
+ else
+ echo "$zonename is being configured."
+ configure
+ fi
+ /usr/sbin/zfs clone $image zone/$zonename
+ /usr/sbin/zoneadm -z $zonename attach -F
+}
+
+#
+# Create missing zones for each label dominated by clearance
+#
+
+for label in `lslabels -h "$clearance"`; do
+ zonename=`/bin/grep $label: $ZONECFG | cut -d ":" -f1`
+ if [ $zonename ]; then
+ state=`zoneadm -z $zonename list -p 2>/dev/null | cut -d ":" -f3`
+ if [ $state ]; then
+ if [ $state != configured ]; then
+ echo $zonename is already installed.
+ continue
+ fi
+ fi
+ else
+ zonelabel=`hextoalabel $label`
+ echo Enter zone name for $zonelabel
+ echo or RETURN to skip this label:
+ read zonename
+ if [ $zonename ]; then
+ nz=`/bin/grep "^$zonename:" $ZONECFG | cut -d ":" -f1`
+ if [ $nz ]; then
+ echo $zonename is already used for another label.
+ else
+ echo "$zonename:$label:0::" >> $ZONECFG
+ fi
+ else
+ echo Skipping zone for $zonelabel
+ continue
+ fi
+ fi
+ clone
+done
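Review bot: configure() writes its zonecfg command file to the predictable name `/tmp/zfg.$$` with a plain redirect, so a file or symlink already sitting at that name in the shared /tmp is followed and overwritten by a script that runs with enough privilege to create zones; create it with mktemp instead (`` config=`mktemp /tmp/zfg.XXXXXX` || exit 1 ``) and check that zonecfg succeeded before clone() goes on to `zfs clone` and `zoneadm attach -F`, whose results are likewise unchecked. The zone name obtained from `read zonename` is appended to $ZONECFG verbatim, so a value containing `:` or whitespace corrupts the tnzonecfg record; reject anything that is not a plain identifier (a `case` pattern such as `*[!A-Za-z0-9_.-]*`) before the `echo "$zonename:$label:0::" >> $ZONECFG`. The `[ $found ]`, `[ $zonename ]`, `[ $state ]` and `[ $nz ]` tests should quote their operands, since a multi-word value produces a test syntax error rather than a false result.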
diff --git a/usr/src/cmd/tsol/demo/getmounts.sh b/usr/src/cmd/tsol/demo/getmounts.sh
new file mode 100644
index 0000000000..3f5d18b13f
--- /dev/null
+++ b/usr/src/cmd/tsol/demo/getmounts.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+
+cut -f2 /etc/mnttab | while read mntpnt; do
+ /usr/bin/getlabel $mntpnt
+done
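Review bot: `$mntpnt` is passed to getlabel unquoted, so a mount point containing whitespace is split into several arguments; write `/usr/bin/getlabel "$mntpnt"`. The file also lacks the one-line purpose comment the other demo scripts carry; a line such as `# Print the sensitivity label of every file system listed in /etc/mnttab` after the ident line would do.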
diff --git a/usr/src/cmd/tsol/demo/runinzone.ksh b/usr/src/cmd/tsol/demo/runinzone.ksh
new file mode 100644
index 0000000000..ed02400d0b
--- /dev/null
+++ b/usr/src/cmd/tsol/demo/runinzone.ksh
@@ -0,0 +1,41 @@
+#!/bin/ksh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+#
+# Usage:
+# runinzone zonename username my-program
+#
+
+zonename=$1
+user=$2
+program=$3
+
+# Boot the specified zone
+zoneadm -z ${zonename} boot
+
+# Run the command in the specified zone
+zlogin ${zonename} /usr/demo/tsol/waitforzone.ksh ${user} ${program} ${DISPLAY}
+
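Review bot: The zone is booted and zlogin is run without checking the argument count or the boot result, so an invocation with fewer than three arguments still boots whatever `$1` names and then runs waitforzone with an empty user and program; add `[ $# -eq 3 ] || { echo "Usage: runinzone zonename username my-program" >&2; exit 1; }` after the assignments and `zoneadm -z "${zonename}" boot || exit 1` before the zlogin. `${DISPLAY}` is forwarded unquoted, so if it is unset waitforzone receives only two arguments and runs the program with an empty `-display` value; a check that DISPLAY is set belongs in the same usage guard.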
diff --git a/usr/src/cmd/tsol/demo/runwlabel.ksh b/usr/src/cmd/tsol/demo/runwlabel.ksh
new file mode 100644
index 0000000000..6eb0ce235f
--- /dev/null
+++ b/usr/src/cmd/tsol/demo/runwlabel.ksh
@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+#
+# Usage:
+# runwlabel "my-label" my-program
+#
+
+[ ! -x /usr/sbin/zoneadm ] && exit 0 # SUNWzoneu not installed
+
+PATH=/usr/sbin:/usr/bin; export PATH
+
+# Get the zone path associated with the "my-label" zone
+# Remove the trailing "/root"
+zonepath=`getzonepath "$1" | sed -e 's/\/root$//'`
+progname="$2"
+
+# Find the zone name that is associated with this zone path
+for zone in `zoneadm list -pi | nawk -F: -v zonepath=${zonepath} '{
+ if ("$4" == "${zonepath}") {
+ print $2
+ }
+}'`; do
+ # Run the specified command in the matching zone
+ zlogin ${zone} ${progname}
+ done
+exit
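Review bot: The nawk condition `if ("$4" == "${zonepath}")` compares two string constants — inside the single-quoted program the shell expands nothing, and to nawk a double-quoted `$4` is the literal text `$4` — so it is never true and no zone is ever matched; the value is already passed in with `-v zonepath=`, so the line should read `if ($4 == zonepath) {`. Because `-v zonepath=${zonepath}` is unquoted, a getzonepath failure (an unknown label) yields an empty variable and the script then silently runs nothing; exiting non-zero when `zonepath` is empty would make that visible. The shebang is `#!/bin/sh` although the file is named .ksh and the sibling runinzone.ksh and waitforzone.ksh use `#!/bin/ksh`, and `done` is indented as if it were inside the loop body.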
diff --git a/usr/src/cmd/tsol/demo/waitforzone.ksh b/usr/src/cmd/tsol/demo/waitforzone.ksh
new file mode 100644
index 0000000000..29e6bec6cd
--- /dev/null
+++ b/usr/src/cmd/tsol/demo/waitforzone.ksh
@@ -0,0 +1,42 @@
+#!/bin/ksh
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+
+user=$1
+program=$2
+display=$3
+
+# Wait for the local zone automounter to come up
+# by checking for the auto_home trigger being loaded
+
+while [ ! -d /home/${user} ]; do
+sleep 1
+done
+
+# Now, run the command you specified as the specified user
+
+su - ${user} -c "${program} -display ${display}"
+
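Review bot: The `while [ ! -d /home/${user} ]` loop has no upper bound, so if the home directory never appears (the user is not in the zone's automount map, or the automounter fails to start) this script — and the zlogin in runinzone.ksh that invoked it — waits forever with no diagnostic; bound the loop and exit non-zero when the limit is reached. The script also assumes three arguments and that `${program}` accepts `-display`; a `[ $# -eq 3 ]` check mirroring the usage comment in runinzone.ksh would turn a mis-invocation into an error instead of an `su` of an empty command string.
```shell
# … unchanged: CDDL header and user/program/display assignments …
# Wait for the local zone automounter to come up
# by checking for the auto_home trigger being loaded;
# give up after 60 seconds rather than blocking the caller forever
tries=0
while [ ! -d /home/${user} ]; do
	if [ $tries -ge 60 ]; then
		echo "waitforzone: /home/${user} not mounted after ${tries}s" >&2
		exit 1
	fi
	tries=$((tries + 1))
	sleep 1
done
# … unchanged: su invocation …
```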