diff options
author | Colin Watson <cjwatson@debian.org> | 2018-08-24 12:49:36 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2018-08-30 00:57:27 +0100 |
commit | 816386e17654ca36834bebbf351419e460fad8f6 (patch) | |
tree | 3dc79d831cb73bc25b92f5a4d18f8e328c0c570a /debian/patches/selinux-role.patch | |
parent | 3e6f76c7039d3df22b1d0a3a5f30150efb09b69d (diff) | |
parent | 16a47fc4b04977a14f44dd433c8da1499fa80671 (diff) |
New upstream release (7.8p1)
Closes: #907534
Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 177 |
1 files changed, 88 insertions, 89 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 5c0bad093..95d582067 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 7da968d97beba5fb80a5488516563ea1376db907 Mon Sep 17 00:00:00 2001 | 1 | From 03979f2e0768e146d179c66f2d2e33afe61c1be3 Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -9,17 +9,17 @@ SELinux maintainer, so we'll keep it until we have something better. | |||
9 | 9 | ||
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 |
11 | Bug-Debian: http://bugs.debian.org/394795 | 11 | Bug-Debian: http://bugs.debian.org/394795 |
12 | Last-Update: 2017-10-04 | 12 | Last-Update: 2018-08-24 |
13 | 13 | ||
14 | Patch-Name: selinux-role.patch | 14 | Patch-Name: selinux-role.patch |
15 | --- | 15 | --- |
16 | auth.h | 1 + | 16 | auth.h | 1 + |
17 | auth2.c | 10 ++++++++-- | 17 | auth2.c | 10 ++++++++-- |
18 | monitor.c | 32 +++++++++++++++++++++++++++++--- | 18 | monitor.c | 37 +++++++++++++++++++++++++++++++++---- |
19 | monitor.h | 2 ++ | 19 | monitor.h | 2 ++ |
20 | monitor_wrap.c | 22 ++++++++++++++++++++-- | 20 | monitor_wrap.c | 27 ++++++++++++++++++++++++--- |
21 | monitor_wrap.h | 3 ++- | 21 | monitor_wrap.h | 3 ++- |
22 | openbsd-compat/port-linux.c | 27 ++++++++++++++++++++------- | 22 | openbsd-compat/port-linux.c | 21 ++++++++++++++------- |
23 | openbsd-compat/port-linux.h | 4 ++-- | 23 | openbsd-compat/port-linux.h | 4 ++-- |
24 | platform.c | 4 ++-- | 24 | platform.c | 4 ++-- |
25 | platform.h | 2 +- | 25 | platform.h | 2 +- |
@@ -28,10 +28,10 @@ Patch-Name: selinux-role.patch | |||
28 | sshd.c | 2 +- | 28 | sshd.c | 2 +- |
29 | sshpty.c | 4 ++-- | 29 | sshpty.c | 4 ++-- |
30 | sshpty.h | 2 +- | 30 | sshpty.h | 2 +- |
31 | 15 files changed, 97 insertions(+), 30 deletions(-) | 31 | 15 files changed, 99 insertions(+), 32 deletions(-) |
32 | 32 | ||
33 | diff --git a/auth.h b/auth.h | 33 | diff --git a/auth.h b/auth.h |
34 | index 23ce67caf..15ba7073e 100644 | 34 | index 977562f0a..90802a5eb 100644 |
35 | --- a/auth.h | 35 | --- a/auth.h |
36 | +++ b/auth.h | 36 | +++ b/auth.h |
37 | @@ -65,6 +65,7 @@ struct Authctxt { | 37 | @@ -65,6 +65,7 @@ struct Authctxt { |
@@ -43,19 +43,19 @@ index 23ce67caf..15ba7073e 100644 | |||
43 | /* Method lists for multiple authentication */ | 43 | /* Method lists for multiple authentication */ |
44 | char **auth_methods; /* modified from server config */ | 44 | char **auth_methods; /* modified from server config */ |
45 | diff --git a/auth2.c b/auth2.c | 45 | diff --git a/auth2.c b/auth2.c |
46 | index c34f58c45..be5e9f15f 100644 | 46 | index 96efe164c..90a247c1c 100644 |
47 | --- a/auth2.c | 47 | --- a/auth2.c |
48 | +++ b/auth2.c | 48 | +++ b/auth2.c |
49 | @@ -218,7 +218,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 49 | @@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
50 | { | 50 | { |
51 | Authctxt *authctxt = ssh->authctxt; | 51 | Authctxt *authctxt = ssh->authctxt; |
52 | Authmethod *m = NULL; | 52 | Authmethod *m = NULL; |
53 | - char *user, *service, *method, *style = NULL; | 53 | - char *user, *service, *method, *style = NULL; |
54 | + char *user, *service, *method, *style = NULL, *role = NULL; | 54 | + char *user, *service, *method, *style = NULL, *role = NULL; |
55 | int authenticated = 0; | 55 | int authenticated = 0; |
56 | double tstart = monotime_double(); | ||
56 | 57 | ||
57 | if (authctxt == NULL) | 58 | @@ -270,8 +270,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
58 | @@ -230,8 +230,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | ||
59 | debug("userauth-request for user %s service %s method %s", user, service, method); | 59 | debug("userauth-request for user %s service %s method %s", user, service, method); |
60 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 60 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
61 | 61 | ||
@@ -69,7 +69,7 @@ index c34f58c45..be5e9f15f 100644 | |||
69 | 69 | ||
70 | if (authctxt->attempt++ == 0) { | 70 | if (authctxt->attempt++ == 0) { |
71 | /* setup auth context */ | 71 | /* setup auth context */ |
72 | @@ -258,8 +263,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 72 | @@ -298,8 +303,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
73 | use_privsep ? " [net]" : ""); | 73 | use_privsep ? " [net]" : ""); |
74 | authctxt->service = xstrdup(service); | 74 | authctxt->service = xstrdup(service); |
75 | authctxt->style = style ? xstrdup(style) : NULL; | 75 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -81,18 +81,18 @@ index c34f58c45..be5e9f15f 100644 | |||
81 | if (auth2_setup_methods_lists(authctxt) != 0) | 81 | if (auth2_setup_methods_lists(authctxt) != 0) |
82 | packet_disconnect("no authentication methods enabled"); | 82 | packet_disconnect("no authentication methods enabled"); |
83 | diff --git a/monitor.c b/monitor.c | 83 | diff --git a/monitor.c b/monitor.c |
84 | index 868fb0d2d..ed37458fb 100644 | 84 | index 4e574a2ae..c1e7e9b80 100644 |
85 | --- a/monitor.c | 85 | --- a/monitor.c |
86 | +++ b/monitor.c | 86 | +++ b/monitor.c |
87 | @@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *); | 87 | @@ -115,6 +115,7 @@ int mm_answer_sign(int, struct sshbuf *); |
88 | int mm_answer_pwnamallow(int, Buffer *); | 88 | int mm_answer_pwnamallow(int, struct sshbuf *); |
89 | int mm_answer_auth2_read_banner(int, Buffer *); | 89 | int mm_answer_auth2_read_banner(int, struct sshbuf *); |
90 | int mm_answer_authserv(int, Buffer *); | 90 | int mm_answer_authserv(int, struct sshbuf *); |
91 | +int mm_answer_authrole(int, Buffer *); | 91 | +int mm_answer_authrole(int, struct sshbuf *); |
92 | int mm_answer_authpassword(int, Buffer *); | 92 | int mm_answer_authpassword(int, struct sshbuf *); |
93 | int mm_answer_bsdauthquery(int, Buffer *); | 93 | int mm_answer_bsdauthquery(int, struct sshbuf *); |
94 | int mm_answer_bsdauthrespond(int, Buffer *); | 94 | int mm_answer_bsdauthrespond(int, struct sshbuf *); |
95 | @@ -206,6 +207,7 @@ struct mon_table mon_dispatch_proto20[] = { | 95 | @@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = { |
96 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 96 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
97 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 97 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
98 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 98 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -100,7 +100,7 @@ index 868fb0d2d..ed37458fb 100644 | |||
100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
102 | #ifdef USE_PAM | 102 | #ifdef USE_PAM |
103 | @@ -806,6 +808,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | 103 | @@ -813,6 +815,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) |
104 | 104 | ||
105 | /* Allow service/style information on the auth context */ | 105 | /* Allow service/style information on the auth context */ |
106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -108,13 +108,16 @@ index 868fb0d2d..ed37458fb 100644 | |||
108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
109 | 109 | ||
110 | #ifdef USE_PAM | 110 | #ifdef USE_PAM |
111 | @@ -836,14 +839,37 @@ mm_answer_authserv(int sock, Buffer *m) | 111 | @@ -846,16 +849,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) |
112 | 112 | monitor_permit_authentications(1); | |
113 | authctxt->service = buffer_get_string(m, NULL); | 113 | |
114 | authctxt->style = buffer_get_string(m, NULL); | 114 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || |
115 | - (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0) | ||
116 | + (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 || | ||
117 | + (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) | ||
118 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
115 | - debug3("%s: service=%s, style=%s", | 119 | - debug3("%s: service=%s, style=%s", |
116 | - __func__, authctxt->service, authctxt->style); | 120 | - __func__, authctxt->service, authctxt->style); |
117 | + authctxt->role = buffer_get_string(m, NULL); | ||
118 | + debug3("%s: service=%s, style=%s, role=%s", | 121 | + debug3("%s: service=%s, style=%s, role=%s", |
119 | + __func__, authctxt->service, authctxt->style, authctxt->role); | 122 | + __func__, authctxt->service, authctxt->style, authctxt->role); |
120 | 123 | ||
@@ -132,11 +135,14 @@ index 868fb0d2d..ed37458fb 100644 | |||
132 | +} | 135 | +} |
133 | + | 136 | + |
134 | +int | 137 | +int |
135 | +mm_answer_authrole(int sock, Buffer *m) | 138 | +mm_answer_authrole(int sock, struct sshbuf *m) |
136 | +{ | 139 | +{ |
140 | + int r; | ||
141 | + | ||
137 | + monitor_permit_authentications(1); | 142 | + monitor_permit_authentications(1); |
138 | + | 143 | + |
139 | + authctxt->role = buffer_get_string(m, NULL); | 144 | + if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) |
145 | + fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
140 | + debug3("%s: role=%s", | 146 | + debug3("%s: role=%s", |
141 | + __func__, authctxt->role); | 147 | + __func__, authctxt->role); |
142 | + | 148 | + |
@@ -148,20 +154,20 @@ index 868fb0d2d..ed37458fb 100644 | |||
148 | return (0); | 154 | return (0); |
149 | } | 155 | } |
150 | 156 | ||
151 | @@ -1497,7 +1523,7 @@ mm_answer_pty(int sock, Buffer *m) | 157 | @@ -1497,7 +1526,7 @@ mm_answer_pty(int sock, struct sshbuf *m) |
152 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 158 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
153 | if (res == 0) | 159 | if (res == 0) |
154 | goto error; | 160 | goto error; |
155 | - pty_setowner(authctxt->pw, s->tty); | 161 | - pty_setowner(authctxt->pw, s->tty); |
156 | + pty_setowner(authctxt->pw, s->tty, authctxt->role); | 162 | + pty_setowner(authctxt->pw, s->tty, authctxt->role); |
157 | 163 | ||
158 | buffer_put_int(m, 1); | 164 | if ((r = sshbuf_put_u32(m, 1)) != 0 || |
159 | buffer_put_cstring(m, s->tty); | 165 | (r = sshbuf_put_cstring(m, s->tty)) != 0) |
160 | diff --git a/monitor.h b/monitor.h | 166 | diff --git a/monitor.h b/monitor.h |
161 | index ec41404c7..4c7955d7a 100644 | 167 | index 44fbed589..8f65e684d 100644 |
162 | --- a/monitor.h | 168 | --- a/monitor.h |
163 | +++ b/monitor.h | 169 | +++ b/monitor.h |
164 | @@ -68,6 +68,8 @@ enum monitor_reqtype { | 170 | @@ -66,6 +66,8 @@ enum monitor_reqtype { |
165 | MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, | 171 | MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151, |
166 | MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, | 172 | MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153, |
167 | 173 | ||
@@ -171,10 +177,10 @@ index ec41404c7..4c7955d7a 100644 | |||
171 | 177 | ||
172 | struct monitor { | 178 | struct monitor { |
173 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 179 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
174 | index e749efc18..7b2d06c65 100644 | 180 | index 1865a122a..fd4d7eb3b 100644 |
175 | --- a/monitor_wrap.c | 181 | --- a/monitor_wrap.c |
176 | +++ b/monitor_wrap.c | 182 | +++ b/monitor_wrap.c |
177 | @@ -331,10 +331,10 @@ mm_auth2_read_banner(void) | 183 | @@ -369,10 +369,10 @@ mm_auth2_read_banner(void) |
178 | return (banner); | 184 | return (banner); |
179 | } | 185 | } |
180 | 186 | ||
@@ -185,17 +191,20 @@ index e749efc18..7b2d06c65 100644 | |||
185 | -mm_inform_authserv(char *service, char *style) | 191 | -mm_inform_authserv(char *service, char *style) |
186 | +mm_inform_authserv(char *service, char *style, char *role) | 192 | +mm_inform_authserv(char *service, char *style, char *role) |
187 | { | 193 | { |
188 | Buffer m; | 194 | struct sshbuf *m; |
189 | 195 | int r; | |
190 | @@ -343,12 +343,30 @@ mm_inform_authserv(char *service, char *style) | 196 | @@ -382,7 +382,8 @@ mm_inform_authserv(char *service, char *style) |
191 | buffer_init(&m); | 197 | if ((m = sshbuf_new()) == NULL) |
192 | buffer_put_cstring(&m, service); | 198 | fatal("%s: sshbuf_new failed", __func__); |
193 | buffer_put_cstring(&m, style ? style : ""); | 199 | if ((r = sshbuf_put_cstring(m, service)) != 0 || |
194 | + buffer_put_cstring(&m, role ? role : ""); | 200 | - (r = sshbuf_put_cstring(m, style ? style : "")) != 0) |
195 | 201 | + (r = sshbuf_put_cstring(m, style ? style : "")) != 0 || | |
196 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); | 202 | + (r = sshbuf_put_cstring(m, role ? role : "")) != 0) |
197 | 203 | fatal("%s: buffer error: %s", __func__, ssh_err(r)); | |
198 | buffer_free(&m); | 204 | |
205 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); | ||
206 | @@ -390,6 +391,26 @@ mm_inform_authserv(char *service, char *style) | ||
207 | sshbuf_free(m); | ||
199 | } | 208 | } |
200 | 209 | ||
201 | +/* Inform the privileged process about role */ | 210 | +/* Inform the privileged process about role */ |
@@ -203,29 +212,32 @@ index e749efc18..7b2d06c65 100644 | |||
203 | +void | 212 | +void |
204 | +mm_inform_authrole(char *role) | 213 | +mm_inform_authrole(char *role) |
205 | +{ | 214 | +{ |
206 | + Buffer m; | 215 | + struct sshbuf *m; |
216 | + int r; | ||
207 | + | 217 | + |
208 | + debug3("%s entering", __func__); | 218 | + debug3("%s entering", __func__); |
209 | + | 219 | + |
210 | + buffer_init(&m); | 220 | + if ((m = sshbuf_new()) == NULL) |
211 | + buffer_put_cstring(&m, role ? role : ""); | 221 | + fatal("%s: sshbuf_new failed", __func__); |
222 | + if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) | ||
223 | + fatal("%s: buffer error: %s", __func__, ssh_err(r)); | ||
212 | + | 224 | + |
213 | + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); | 225 | + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); |
214 | + | 226 | + |
215 | + buffer_free(&m); | 227 | + sshbuf_free(m); |
216 | +} | 228 | +} |
217 | + | 229 | + |
218 | /* Do the password authentication */ | 230 | /* Do the password authentication */ |
219 | int | 231 | int |
220 | mm_auth_password(struct ssh *ssh, char *password) | 232 | mm_auth_password(struct ssh *ssh, char *password) |
221 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 233 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
222 | index 0970d1f87..492de5c85 100644 | 234 | index 7f93144ff..79e78cc90 100644 |
223 | --- a/monitor_wrap.h | 235 | --- a/monitor_wrap.h |
224 | +++ b/monitor_wrap.h | 236 | +++ b/monitor_wrap.h |
225 | @@ -43,7 +43,8 @@ int mm_is_monitor(void); | 237 | @@ -43,7 +43,8 @@ int mm_is_monitor(void); |
226 | DH *mm_choose_dh(int, int, int); | 238 | DH *mm_choose_dh(int, int, int); |
227 | int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int, | 239 | int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t, |
228 | const char *); | 240 | const char *, u_int compat); |
229 | -void mm_inform_authserv(char *, char *); | 241 | -void mm_inform_authserv(char *, char *); |
230 | +void mm_inform_authserv(char *, char *, char *); | 242 | +void mm_inform_authserv(char *, char *, char *); |
231 | +void mm_inform_authrole(char *); | 243 | +void mm_inform_authrole(char *); |
@@ -233,23 +245,10 @@ index 0970d1f87..492de5c85 100644 | |||
233 | char *mm_auth2_read_banner(void); | 245 | char *mm_auth2_read_banner(void); |
234 | int mm_auth_password(struct ssh *, char *); | 246 | int mm_auth_password(struct ssh *, char *); |
235 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c | 247 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c |
236 | index 8c5325cc3..8a3e5c68d 100644 | 248 | index 8c5325cc3..9fdda664f 100644 |
237 | --- a/openbsd-compat/port-linux.c | 249 | --- a/openbsd-compat/port-linux.c |
238 | +++ b/openbsd-compat/port-linux.c | 250 | +++ b/openbsd-compat/port-linux.c |
239 | @@ -27,6 +27,12 @@ | 251 | @@ -55,7 +55,7 @@ ssh_selinux_enabled(void) |
240 | #include <string.h> | ||
241 | #include <stdio.h> | ||
242 | |||
243 | +#ifdef WITH_SELINUX | ||
244 | +#include "key.h" | ||
245 | +#include "hostfile.h" | ||
246 | +#include "auth.h" | ||
247 | +#endif | ||
248 | + | ||
249 | #include "log.h" | ||
250 | #include "xmalloc.h" | ||
251 | #include "port-linux.h" | ||
252 | @@ -55,7 +61,7 @@ ssh_selinux_enabled(void) | ||
253 | 252 | ||
254 | /* Return the default security context for the given username */ | 253 | /* Return the default security context for the given username */ |
255 | static security_context_t | 254 | static security_context_t |
@@ -258,7 +257,7 @@ index 8c5325cc3..8a3e5c68d 100644 | |||
258 | { | 257 | { |
259 | security_context_t sc = NULL; | 258 | security_context_t sc = NULL; |
260 | char *sename = NULL, *lvl = NULL; | 259 | char *sename = NULL, *lvl = NULL; |
261 | @@ -70,9 +76,16 @@ ssh_selinux_getctxbyname(char *pwname) | 260 | @@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname) |
262 | #endif | 261 | #endif |
263 | 262 | ||
264 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 263 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
@@ -277,7 +276,7 @@ index 8c5325cc3..8a3e5c68d 100644 | |||
277 | #endif | 276 | #endif |
278 | 277 | ||
279 | if (r != 0) { | 278 | if (r != 0) { |
280 | @@ -102,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname) | 279 | @@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname) |
281 | 280 | ||
282 | /* Set the execution context to the default for the specified user */ | 281 | /* Set the execution context to the default for the specified user */ |
283 | void | 282 | void |
@@ -286,7 +285,7 @@ index 8c5325cc3..8a3e5c68d 100644 | |||
286 | { | 285 | { |
287 | security_context_t user_ctx = NULL; | 286 | security_context_t user_ctx = NULL; |
288 | 287 | ||
289 | @@ -111,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname) | 288 | @@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
290 | 289 | ||
291 | debug3("%s: setting execution context", __func__); | 290 | debug3("%s: setting execution context", __func__); |
292 | 291 | ||
@@ -295,7 +294,7 @@ index 8c5325cc3..8a3e5c68d 100644 | |||
295 | if (setexeccon(user_ctx) != 0) { | 294 | if (setexeccon(user_ctx) != 0) { |
296 | switch (security_getenforce()) { | 295 | switch (security_getenforce()) { |
297 | case -1: | 296 | case -1: |
298 | @@ -133,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname) | 297 | @@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
299 | 298 | ||
300 | /* Set the TTY context for the specified user */ | 299 | /* Set the TTY context for the specified user */ |
301 | void | 300 | void |
@@ -304,7 +303,7 @@ index 8c5325cc3..8a3e5c68d 100644 | |||
304 | { | 303 | { |
305 | security_context_t new_tty_ctx = NULL; | 304 | security_context_t new_tty_ctx = NULL; |
306 | security_context_t user_ctx = NULL; | 305 | security_context_t user_ctx = NULL; |
307 | @@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | 306 | @@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) |
308 | 307 | ||
309 | debug3("%s: setting TTY context on %s", __func__, tty); | 308 | debug3("%s: setting TTY context on %s", __func__, tty); |
310 | 309 | ||
@@ -329,10 +328,10 @@ index 3c22a854d..c88129428 100644 | |||
329 | void ssh_selinux_setfscreatecon(const char *); | 328 | void ssh_selinux_setfscreatecon(const char *); |
330 | #endif | 329 | #endif |
331 | diff --git a/platform.c b/platform.c | 330 | diff --git a/platform.c b/platform.c |
332 | index 18c7751de..380ee3a41 100644 | 331 | index 41acc9370..35654ea51 100644 |
333 | --- a/platform.c | 332 | --- a/platform.c |
334 | +++ b/platform.c | 333 | +++ b/platform.c |
335 | @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) | 334 | @@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) |
336 | * called if sshd is running as root. | 335 | * called if sshd is running as root. |
337 | */ | 336 | */ |
338 | void | 337 | void |
@@ -341,7 +340,7 @@ index 18c7751de..380ee3a41 100644 | |||
341 | { | 340 | { |
342 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 341 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
343 | /* | 342 | /* |
344 | @@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) | 343 | @@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) |
345 | } | 344 | } |
346 | #endif /* HAVE_SETPCRED */ | 345 | #endif /* HAVE_SETPCRED */ |
347 | #ifdef WITH_SELINUX | 346 | #ifdef WITH_SELINUX |
@@ -364,19 +363,19 @@ index ea4f9c584..60d72ffe7 100644 | |||
364 | char *platform_krb5_get_principal_name(const char *); | 363 | char *platform_krb5_get_principal_name(const char *); |
365 | int platform_sys_dir_uid(uid_t); | 364 | int platform_sys_dir_uid(uid_t); |
366 | diff --git a/session.c b/session.c | 365 | diff --git a/session.c b/session.c |
367 | index 58826db16..ff301c983 100644 | 366 | index f2cf52006..d5d2e94b0 100644 |
368 | --- a/session.c | 367 | --- a/session.c |
369 | +++ b/session.c | 368 | +++ b/session.c |
370 | @@ -1322,7 +1322,7 @@ safely_chroot(const char *path, uid_t uid) | 369 | @@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid) |
371 | 370 | ||
372 | /* Set login name, uid, gid, and groups. */ | 371 | /* Set login name, uid, gid, and groups. */ |
373 | void | 372 | void |
374 | -do_setusercontext(struct passwd *pw) | 373 | -do_setusercontext(struct passwd *pw) |
375 | +do_setusercontext(struct passwd *pw, const char *role) | 374 | +do_setusercontext(struct passwd *pw, const char *role) |
376 | { | 375 | { |
377 | char *chroot_path, *tmp; | 376 | char uidstr[32], *chroot_path, *tmp; |
378 | 377 | ||
379 | @@ -1350,7 +1350,7 @@ do_setusercontext(struct passwd *pw) | 378 | @@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw) |
380 | endgrent(); | 379 | endgrent(); |
381 | #endif | 380 | #endif |
382 | 381 | ||
@@ -385,7 +384,7 @@ index 58826db16..ff301c983 100644 | |||
385 | 384 | ||
386 | if (!in_chroot && options.chroot_directory != NULL && | 385 | if (!in_chroot && options.chroot_directory != NULL && |
387 | strcasecmp(options.chroot_directory, "none") != 0) { | 386 | strcasecmp(options.chroot_directory, "none") != 0) { |
388 | @@ -1487,7 +1487,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | 387 | @@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
389 | 388 | ||
390 | /* Force a password change */ | 389 | /* Force a password change */ |
391 | if (s->authctxt->force_pwchange) { | 390 | if (s->authctxt->force_pwchange) { |
@@ -394,7 +393,7 @@ index 58826db16..ff301c983 100644 | |||
394 | child_close_fds(ssh); | 393 | child_close_fds(ssh); |
395 | do_pwchange(s); | 394 | do_pwchange(s); |
396 | exit(1); | 395 | exit(1); |
397 | @@ -1505,7 +1505,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | 396 | @@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
398 | /* When PAM is enabled we rely on it to do the nologin check */ | 397 | /* When PAM is enabled we rely on it to do the nologin check */ |
399 | if (!options.use_pam) | 398 | if (!options.use_pam) |
400 | do_nologin(pw); | 399 | do_nologin(pw); |
@@ -403,8 +402,8 @@ index 58826db16..ff301c983 100644 | |||
403 | /* | 402 | /* |
404 | * PAM session modules in do_setusercontext may have | 403 | * PAM session modules in do_setusercontext may have |
405 | * generated messages, so if this in an interactive | 404 | * generated messages, so if this in an interactive |
406 | @@ -1897,7 +1897,7 @@ session_pty_req(struct ssh *ssh, Session *s) | 405 | @@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s) |
407 | tty_parse_modes(s->ttyfd, &n_bytes); | 406 | ssh_tty_parse_modes(ssh, s->ttyfd); |
408 | 407 | ||
409 | if (!use_privsep) | 408 | if (!use_privsep) |
410 | - pty_setowner(s->pw, s->tty); | 409 | - pty_setowner(s->pw, s->tty); |
@@ -426,10 +425,10 @@ index 54dd1f0ca..8535ebcef 100644 | |||
426 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); | 425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); |
427 | 426 | ||
428 | diff --git a/sshd.c b/sshd.c | 427 | diff --git a/sshd.c b/sshd.c |
429 | index 4ed0364f2..6d911c19a 100644 | 428 | index 71c360da0..92d15c82d 100644 |
430 | --- a/sshd.c | 429 | --- a/sshd.c |
431 | +++ b/sshd.c | 430 | +++ b/sshd.c |
432 | @@ -679,7 +679,7 @@ privsep_postauth(Authctxt *authctxt) | 431 | @@ -684,7 +684,7 @@ privsep_postauth(Authctxt *authctxt) |
433 | reseed_prngs(); | 432 | reseed_prngs(); |
434 | 433 | ||
435 | /* Drop privileges */ | 434 | /* Drop privileges */ |