new file mode 100644

@@ -0,0 +1,215 @@

+From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001

+From: Sumit Bose <sbose@redhat.com>

+Date: Wed, 8 Nov 2023 14:50:24 +0100

+Subject: [PATCH] ad-gpo: use hash to store intermediate results

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+Currently after the evaluation of a single GPO file the intermediate

+results are stored in the cache and this cache entry is updated until

+all applicable GPO files are evaluated. Finally the data in the cache is

+used to make the decision of access is granted or rejected.

+

+If there are two or more access-control request running in parallel one

+request might overwrite the cache object with intermediate data while

+another request reads the cached data for the access decision and as a

+result will do this decision based on intermediate data.

+

+To avoid this the intermediate results are not stored in the cache

+anymore but in hash tables which are specific to the request. Only the

+final result is written to the cache to have it available for offline

+authentication.

+

+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

+Reviewed-by: Tomáš Halman <thalman@redhat.com>

+(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)

+---

+ src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----

+ 1 file changed, 102 insertions(+), 14 deletions(-)

+

+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c

+index 4d12ef7806..f272131059 100644

+--- a/src/providers/ad/ad_gpo.c

+@@ -1356,6 +1356,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,

+     return ret;

+ }

+ 

++static errno_t

++add_result_to_hash(hash_table_t *hash, const char *key, char *value)

++{

++    int hret;

++    hash_key_t k;

++    hash_value_t v;

++

++    if (hash == NULL || key == NULL || value == NULL) {

++        return EINVAL;

++    }

++

++    k.type = HASH_KEY_CONST_STRING;

++    k.c_str = key;

++

++    v.type = HASH_VALUE_PTR;

++    v.ptr = value;

++

++    hret = hash_enter(hash, &k, &v);

++    if (hret != HASH_SUCCESS) {

++        DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",

++                                 key, value, hash_error_string(hret));

++        return EIO;

++    }

++

++    return EOK;

++}

++

+ /*

+  * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,

+  * and stores the allow_key and deny_key of all of the gpo_map_types present

+@@ -1363,6 +1390,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,

+  */

+ static errno_t

+ ad_gpo_store_policy_settings(struct sss_domain_info *domain,

++                             hash_table_t *allow_maps, hash_table_t *deny_maps,

+                              const char *filename)

+ {

+     struct ini_cfgfile *file_ctx = NULL;

+@@ -1496,14 +1524,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,

+                 goto done;

+             } else if (ret != ENOENT) {

+                 const char *value = allow_value ? allow_value : empty_val;

+-                ret = sysdb_gpo_store_gpo_result_setting(domain,

+-                                                         allow_key,

+-                                                         value);

++                ret = add_result_to_hash(allow_maps, allow_key,

++                                         talloc_strdup(allow_maps, value));

+                 if (ret != EOK) {

+-                    DEBUG(SSSDBG_CRIT_FAILURE,

+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"

+-                          "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,

+-                          ret, sss_strerror(ret));

++                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "

++                                               "value: [%s] to allow maps "

++                                               "[%d][%s].\n",

++                                               allow_key, value, ret,

++                                               sss_strerror(ret));

+                     goto done;

+                 }

+             }

+@@ -1523,14 +1551,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,

+                 goto done;

+             } else if (ret != ENOENT) {

+                 const char *value = deny_value ? deny_value : empty_val;

+-                ret = sysdb_gpo_store_gpo_result_setting(domain,

+-                                                         deny_key,

+-                                                         value);

++                ret = add_result_to_hash(deny_maps, deny_key,

++                                         talloc_strdup(deny_maps, value));

+                 if (ret != EOK) {

+-                    DEBUG(SSSDBG_CRIT_FAILURE,

+-                          "sysdb_gpo_store_gpo_result_setting failed for key:"

+-                          "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,

+-                          ret, sss_strerror(ret));

++                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "

++                                               "value: [%s] to deny maps "

++                                               "[%d][%s].\n",

++                                               deny_key, value, ret,

++                                               sss_strerror(ret));

+                     goto done;

+                 }

+             }

+@@ -1825,6 +1853,8 @@ struct ad_gpo_access_state {

+     int num_cse_filtered_gpos;

+     int cse_gpo_index;

+     const char *ad_domain;

++    hash_table_t *allow_maps;

++    hash_table_t *deny_maps;

+ };

+ 

+ static void ad_gpo_connect_done(struct tevent_req *subreq);

+@@ -1946,6 +1976,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,

+         goto immediately;

+     }

+ 

++    ret = sss_hash_create(state, 0, &state->allow_maps);

++    if (ret != EOK) {

++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "

++              "hash table [%d]: %s\n", ret, sss_strerror(ret));

++        goto immediately;

++    }

++

++    ret = sss_hash_create(state, 0, &state->deny_maps);

++    if (ret != EOK) {

++        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "

++              "hash table [%d]: %s\n", ret, sss_strerror(ret));

++        goto immediately;

++    }

+ 

+     subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);

+     if (subreq == NULL) {

+@@ -2632,6 +2675,43 @@ ad_gpo_cse_step(struct tevent_req *req)

+     return EAGAIN;

+ }

+ 

++static errno_t

++store_hash_maps_in_cache(struct sss_domain_info *domain,

++                         hash_table_t *allow_maps, hash_table_t *deny_maps)

++{

++    int ret;

++    struct hash_iter_context_t *iter;

++    hash_entry_t *entry;

++    size_t c;

++    hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};

++

++

++    for (c = 0; hash_list[c] != NULL; c++) {

++        iter = new_hash_iter_context(hash_list[c]);

++        if (iter == NULL) {

++            DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");

++            return EINVAL;

++        }

++

++        while ((entry = iter->next(iter)) != NULL) {

++            ret = sysdb_gpo_store_gpo_result_setting(domain,

++                                                     entry->key.c_str,

++                                                     entry->value.ptr);

++            if (ret != EOK) {

++                free(iter);

++                DEBUG(SSSDBG_OP_FAILURE,

++                      "sysdb_gpo_store_gpo_result_setting failed for key:"

++                      "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,

++                      (char *) entry->value.ptr, ret, sss_strerror(ret));

++                return ret;

++            }

++        }

++        talloc_free(iter);

++    }

++

++    return EOK;

++}

++

+ /*

+  * This cse-specific function (GP_EXT_GUID_SECURITY) increments the

+  * cse_gpo_index until the policy settings for all applicable GPOs have been

+@@ -2673,6 +2753,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)

+      * (as part of the GPO Result object in the sysdb cache).

+      */

+     ret = ad_gpo_store_policy_settings(state->host_domain,

++                                       state->allow_maps, state->deny_maps,

+                                        cse_filtered_gpo->policy_filename);

+     if (ret != EOK && ret != ENOENT) {

+         DEBUG(SSSDBG_OP_FAILURE,

+@@ -2686,6 +2767,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)

+ 

+     if (ret == EOK) {

+         /* ret is EOK only after all GPO policy files have been downloaded */

++        ret = store_hash_maps_in_cache(state->host_domain,

++                                       state->allow_maps, state->deny_maps);

++        if (ret != EOK) {

++            DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "

++                                     "[%d][%s].\n", ret, sss_strerror(ret));

++            goto done;

++        }

+         ret = ad_gpo_perform_hbac_processing(state,

+                                              state->gpo_mode,

+                                              state->gpo_map_type,

@@ -24,8 +24,8 @@

 Name:           sssd

 Summary:        System Security Services Daemon

-Version:        2.8.2

-Release:        13%{?dist}

+Version:        2.9.4

+Release:        1%{?dist}

 URL:            http://github.com/SSSD/sssd

 License:        GPLv3+

 Group:          System Environment/Kernel

@@ -33,11 +33,12 @@ Vendor:         VMware, Inc.

 Distribution:   Photon

 Source0: https://github.com/SSSD/sssd/releases/download/%{version}/%{name}-%{version}.tar.gz

-%define sha512 sssd=10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55

+%define sha512 sssd=9546cf074628f32137b16ca0c763988785271124244b645d1e786762e8578f10d983793a29bffcc004b064452fe8d465476a3041688d2f3c11c2751fb5bec3e2

 Source1: sssd.conf

 Patch0: 0001-replace-python-with-python3-in-sss_obfuscate.patch

+Patch1: CVE-2023-3758.patch

 Requires: sssd-ad = %{version}-%{release}

 Requires: sssd-common = %{version}-%{release}

@@ -128,6 +129,9 @@ the existing back ends.

 %package common

 Summary: Common files for the SSSD

 License: GPLv3+

+# libsss_simpleifp is removed starting 2.9.0

+Obsoletes: libsss_simpleifp < 2.9.0

+Obsoletes: libsss_simpleifp-debuginfo < 2.9.0

 # Requires

 Requires: samba-client >= %{ldb_version}

 Requires: sssd-client = %{version}-%{release}

@@ -316,6 +320,7 @@ identity data from and authenticate against an Active Directory server.

 Summary: The proxy back end of the SSSD

 License: GPLv3+

 Requires: sssd-common = %{version}-%{release}

+Requires: libsss_certmap = %{version}-%{release}

 %description proxy

 Provides the proxy back end which can be used to wrap an existing NSS and/or

@@ -407,24 +412,6 @@ Requires: sssd-common = %{version}-%{release}

 Provides rules for polkit integration with SSSD. This is required

 for smartcard support.

-%package -n libsss_simpleifp

-Summary: The SSSD D-Bus responder helper library

-License: GPLv3+

-Requires: sssd-dbus = %{version}-%{release}

-Requires: libcap

-

-%description -n libsss_simpleifp

-Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.

-

-%package -n libsss_simpleifp-devel

-Summary: The SSSD D-Bus responder helper library

-License: GPLv3+

-Requires: dbus-devel

-Requires: libsss_simpleifp = %{version}-%{release}

-

-%description -n libsss_simpleifp-devel

-Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.

-

 %package winbind_idmap

 Summary: SSSD's idmap_sss Backend for Winbind

 License: GPLv3+ and LGPLv3+

@@ -728,8 +715,6 @@ fi

 %{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders

 %dir %{_libdir}/%{name}

-# The files provider is intentionally packaged in -common

-%{_libdir}/%{name}/libsss_files.so

 %{_libdir}/%{name}/libsss_simple.so

 #Internal shared libraries

@@ -785,7 +770,6 @@ fi

 %{_mandir}/man1/sss_ssh_authorizedkeys.1*

 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*

 %{_mandir}/man5/sssd.conf.5*

-%{_mandir}/man5/sssd-files.5*

 %{_mandir}/man5/sssd-simple.5*

 %{_mandir}/man5/sssd-sudo.5*

 %{_mandir}/man5/sssd-session-recording.5*

@@ -862,20 +846,9 @@ fi

 %{_mandir}/man5/sssd-ifp.5*

 %{_unitdir}/sssd-ifp.service

 # InfoPipe DBus plumbing

-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf

+%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf

 %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service

-%files -n libsss_simpleifp

-%defattr(-,root,root)

-%{_libdir}/libsss_simpleifp.so.*

-

-%files -n libsss_simpleifp-devel

-%defattr(-,root,root)

-%{_includedir}/sss_sifp.h

-%{_includedir}/sss_sifp_dbus.h

-%{_libdir}/libsss_simpleifp.so

-%{_libdir}/pkgconfig/sss_simpleifp.pc

-

 %files client -f sssd_client.lang

 %defattr(-,root,root)

 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER

@@ -1024,6 +997,8 @@ fi

 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp

 %changelog

+* Fri Apr 26 2024 Brennan Lamoreaux <brennan.lamoreaux@broadcom.com> 2.9.4-1

+- Upgrade to latest 2.9.4 and add patch for CVE-2023-3758

 * Tue Apr 16 2024 Shreenidhi Shedi <shreenidhi.shedi@broadcom.com> 2.8.2-13

 - Bump version as a part of dbus upgrade

 * Tue Apr 02 2024 Brennan Lamoreaux <brennan.lamoreaux@broadcom.com> 2.8.2-12