Hi,
This is a forward port of the fix for bug
6458563 [tjds] possible to launch applications outside of clearance
using some applets
The general idea is that some applets in JDS allow free-form
specification of a command to run, most notably from the Trusted Path,
hence bypassing the trustedness of the applets.
These patches modify gnome-panel and also gnome-desktop.
Changes in gnome-panel involve:
- If the user is logged into a multi-label session but does not have
admin_high as his clearance, prevent these applets from showing up in
Add to Panel ...
- Also, do not add any of these applets to the panel from its
previously saved session
The change made in gnome-desktop is to define a new function that checks
whether the user has the admin_high clearance.
Below is the diff for the changes only; the actual patches they were made
to, on the svn HEAD, are:
gnome-desktop-03-trusted-extensions.diff
gnome-panel-11-trusted-extension.diff
Changes made in gnome-panel
---------------------------------------
diff -u gnome-panel-2.16.2/gnome-panel/panel-addto.c
/jds/packages/BUILD/SUNWgnome-panel-2.17.1.hacked/gnome-panel-2.16.2/gnome-panel/panel-addto.c
--- gnome-panel-2.16.2/gnome-panel/panel-addto.c 2006-12-04
17:22:33.743452000 +0000
+++
/jds/packages/BUILD/SUNWgnome-panel-2.17.1.hacked/gnome-panel-2.16.2/gnome-panel/panel-addto.c
2006-12-04 17:10:17.606488000 +0000
@@ -26,6 +26,7 @@
#include <string.h>
#include <libbonobo.h>
+#include <libgnome/gnome-desktop-tsol-extensions.h>
#include "menu.h"
@@ -438,6 +439,18 @@
panel_lockdown_is_applet_disabled (info->iid)) {
continue;
}
+
+ /* TJDS - if MLS and has not admin_high clearance do not
+ * display the following applets in the mnenu list.
+ */
+ if (gnome_desktop_tsol_is_multi_label_session () &&
+ !gnome_desktop_tsol_is_clearance_admin_high() &&
+ (strcmp (info->iid,
"OAFIID:GNOME_StickyNotesApplet")==0 ||
+ strcmp (info->iid,
"OAFIID:Deskbar_Applet_Factory")==0 ||
+ strcmp (info->iid, "OAFIID:GNOME_WebEyes")==0 ||
+ strcmp (info->iid,
"OAFIID:GNOME_MailcheckApplet")==0 ||
+ strcmp (info->iid, "OAFIID:GNOME_PilotApplet")==0))
+ continue;
applet = g_new0 (PanelAddtoItemInfo, 1);
applet->type = PANEL_ADDTO_APPLET;
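Review bot: The five applet IIDs in this condition are a hard-coded denylist that is repeated in the panel-applet-frame.c hunk, and the two copies already disagree: this one tests `"OAFIID:Deskbar_Applet_Factory"` while the other tests `"OAFIID:Deskbar_Applet"`. Whichever spelling does not match the IID seen at its call site leaves the Deskbar applet unrestricted on that path, so the list should live in one place, for example a helper such as `gboolean panel_tsol_is_applet_restricted (const char *iid)` (the name is only a suggestion) called from both sites. A denylist also fails open for any other applet that accepts a command to run, so the comment above the condition should say how the list is meant to be maintained. The enclosing loop starts and ends outside the hunk.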
bash-3.00$ diff -u gnome-panel-2.16.2/gnome-panel/panel-applet-frame.c
/jds/packages/BUILD/SUNWgnome-panel-2.17.1.hacked/gnome-panel-2.16.2/gnome-panel/panel-applet-frame.c
--- gnome-panel-2.16.2/gnome-panel/panel-applet-frame.c 2006-12-04
17:22:33.758177000 +0000
+++
/jds/packages/BUILD/SUNWgnome-panel-2.17.1.hacked/gnome-panel-2.16.2/gnome-panel/panel-applet-frame.c
2006-12-05 16:27:23.601448000 +0000
@@ -386,8 +386,20 @@
if (!applet_iid)
return;
- panel_applet_frame_load (applet_iid, panel_widget,
- locked, position, TRUE, id);
+ /* TJDS - This is to make sure that when user is logged into
Multilevel
+ * Trusted session, these applets will not be loaded onto the panel.
+ */
+ if (gnome_desktop_tsol_is_multi_label_session () &&
+ !gnome_desktop_tsol_is_clearance_admin_high() &&
+ (strcmp (info->iid, "OAFIID:GNOME_StickyNotesApplet")==0 ||
+ strcmp (info->iid, "OAFIID:Deskbar_Applet")==0 ||
+ strcmp (info->iid, "OAFIID:GNOME_WebEyes")==0 ||
+ strcmp (info->iid, "OAFIID:GNOME_MailcheckApplet")==0 ||
+ strcmp (info->iid, "OAFIID:GNOME_PilotApplet")==0))
+ /* do nothing */
+ ;
+ else
+ panel_applet_frame_load (applet_iid, panel_widget,
locked, position, TRUE, id);
g_free (applet_iid);
}
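Review bot: The added condition compares `info->iid`, but the only IID visible in this function is `applet_iid`, which is tested just above and passed to `panel_applet_frame_load`; unless an `info` is declared outside the hunk this does not compile, and if one is, it is probably not the applet being loaded. Each comparison should read `strcmp (applet_iid, "OAFIID:GNOME_StickyNotesApplet") == 0`, and likewise for the other four. This is the enforcement point for applets restored from a saved session, so a wrong operand here matters more than in the menu filter. The empty `;` branch would read more clearly as a negated condition guarding the call. The function begins outside the hunk.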
Changes made to gnome-desktop
------------------------------------------
bash-3.00$ diff -u gnome-desktop-2.17.2/configure.in
/jds/packages/BUILD/SUNWgnome-panel-2.17.1.hacked/gnome-desktop-2.17.2/configure.in
--- gnome-desktop-2.17.2/configure.in 2006-12-04 17:22:29.361309000 +0000
+++
/jds/packages/BUILD/SUNWgnome-panel-2.17.1.hacked/gnome-desktop-2.17.2/configure.in
2006-12-04 18:48:47.899545000 +0000
@@ -110,6 +110,24 @@
PKG_CHECK_MODULES(GNOME_DESKTOP, gdk-pixbuf-2.0 >= $GDK_PIXBUF_REQUIRED
gtk+-2.0 >= $GTK_REQUIRED glib-2.0 >= $GLIB_REQUIRED libgnomeui-2.0 >=
$LIBGNOMEUI_REQUIRED gnome-vfs-2.0 >= $GNOME_VFS_REQUIRED
$STARTUP_NOTIFICATION_PACKAGE)
+AC_SUBST(GNOME_DESKTOP_LIBS)
+
+#
+# Solaris Trusted Extensions stuff
+#
+case "$host" in
+*solaris*)
+ AC_CHECK_HEADERS(sys/tsol/label_macro.h,
+ AC_DEFINE(HAVE_TSOL, ,[Building with TSOL support])
found_tsol=yes,)
+ ;;
+*)
+ ;;
+esac
+
+AM_CONDITIONAL(TSOL_DEFINED, test x$found_tsol = xyes)
+if test "x$found_tsol" = "xyes" ; then
+ GNOME_DESKTOP_LIBS="$GNOME_DESKTOP_LIBS -lsecdb"
+fi
PKG_CHECK_MODULES(GNOME_ABOUT, gdk-pixbuf-2.0 >= $GDK_PIXBUF_REQUIRED
gtk+-2.0 >= $GTK_REQUIRED libgnomeui-2.0 >= $LIBGNOMEUI_REQUIRED
libgnomecanvas-2.0 >= $LIBGNOMECANVAS_REQUIRED)
dnl gnome-doc-utils stuff
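Review bot: `HAVE_TSOL` is set from the presence of `sys/tsol/label_macro.h` alone, yet the new C file includes `user_attr.h` and needs `getuseruid` and `kva_match` from the library added here with `-lsecdb`. Checking what is actually used, for example `AC_CHECK_LIB(secdb, getuseruid, ...)` alongside `AC_CHECK_HEADERS(user_attr.h)`, would turn a missing library into a configure-time result instead of a link failure. `found_tsol` is also never initialised, so a value inherited from the environment can enable the conditional; add `found_tsol=no` before the `case`.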
diff -urN
gnome-desktop-2.17.2/libgnome-desktop/gnome-desktop-tsol-extensions.c
../SUNWgnome-panel-2.17.1.hacked/gnome-desktop-2.17
.2/libgnome-desktop/gnome-desktop-tsol-extensions.c
---
gnome-desktop-2.17.2/libgnome-desktop/gnome-desktop-tsol-extensions.c
1970-01-01 00:00:00.000000000 +0000
+++
../SUNWgnome-panel-2.17.1.hacked/gnome-desktop-2.17.2/libgnome-desktop/gnome-desktop-tsol-extensions.c
2006-12-04 18:15:48
.015045000 +0000
@@ -0,0 +1,77 @@
+/*
+ * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#include <user_attr.h>
+
+gboolean gnome_desktop_tsol_is_clearance_admin_high (void)
+{
+ userattr_t *uattr;
+ char *value = NULL;
+
+ uattr = getuseruid (getuid ());
+
+ if (uattr) {
+ value = kva_match (uattr->attr, USERATTR_CLEARANCE);
+ if (value)
+ if (strncasecmp ("admin_high", value, 10) == 0 ||
+ strncasecmp ("ADMIN_HIGH", value, 10) == 0)
+ return TRUE;
+ }
+ return FALSE;
+}
+
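Review bot: `getuseruid()` returns an allocated `userattr_t` that is never released, so every call to this function leaks; it needs `free_userattr (uattr)` once `uattr` is non-NULL. The clearance test is also a 10-character prefix match, so any value that merely begins with `admin_high` is accepted, and the second `strncasecmp` is redundant because the first is already case-insensitive; for an access decision an exact `strcasecmp` is the safer check. The visible part of the file includes only `<user_attr.h>`, so `gboolean`, `getuid` and `strncasecmp` may be undeclared unless lines not shown add the headers. The hunk header announces 77 lines and only this function is shown, so `gnome_desktop_tsol_is_multi_label_session` could not be reviewed.

```c
gboolean gnome_desktop_tsol_is_clearance_admin_high (void)
{
	userattr_t *uattr = getuseruid (getuid ());
	gboolean is_admin_high = FALSE;

	if (uattr != NULL) {
		const char *value = kva_match (uattr->attr, USERATTR_CLEARANCE);

		/* Exact, case-insensitive match: a prefix match would also
		 * accept longer values that only start with "admin_high". */
		if (value != NULL && strcasecmp (value, "admin_high") == 0)
			is_admin_high = TRUE;

		/* getuseruid() allocates; release it on every path. */
		free_userattr (uattr);
	}
	return is_admin_high;
}
```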
-Ghee