Rearrange selinux-role.patch so that it links properly given this

SELinux build fix.
author: Colin Watson <cjwatson@debian.org> 2011-01-25 12:59:25 +0000
committer: Colin Watson <cjwatson@debian.org> 2011-01-25 12:59:25 +0000
commit: ddf3ca2157b82d609f169eb22706047cbee7d3b4 (patch)
tree: 9ae03508881372c8f22df0e4f7d44df4532f10b0 /debian/patches/selinux-role.patch
parent: 5e750371bb19c8cc58b5faea70278d857acdae0a (diff)
1 files changed, 208 insertions, 18 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 74cd06201..30db352dd 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -156,6 +156,15 @@ Index: b/monitor.c
        return (0);
 }
 
+@@ -1327,7 +1353,7 @@
+        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
+        if (res == 0)
+                goto error;
+-       pty_setowner(authctxt->pw, s->tty);
+       pty_setowner(authctxt->pw, s->tty, authctxt->role);
+ 
+        buffer_put_int(m, 1);
+        buffer_put_cstring(m, s->tty);
 Index: b/monitor.h
 ===================================================================
 --- a/monitor.h
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
-@@ -38,6 +44,8 @@
+@@ -54,9 +60,9 @@
- #include <selinux/flask.h>
- #include <selinux/get_context_list.h>
 
-+extern Authctxt *the_authctxt;
+ /* Return the default security context for the given username */
-+
- /* Wrapper around is_selinux_enabled() to log its return value once only */
- int
- ssh_selinux_enabled(void)
-@@ -56,8 +64,8 @@
 static security_context_t
- ssh_selinux_getctxbyname(char *pwname)
+-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
 -       security_context_t sc;
-       char *sename = NULL, *lvl = NULL;
 +       security_context_t sc = NULL;
-+       char *sename = NULL, *role = NULL, *lvl = NULL;
+        char *sename = NULL, *lvl = NULL;
        int r;
 
- #ifdef HAVE_GETSEUSERBYNAME
+@@ -69,9 +75,16 @@
-@@ -67,11 +75,20 @@
-        sename = pwname;
-        lvl = NULL;
 #endif
-+       if (the_authctxt)
-+               role = the_authctxt->role;
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
 -       r = get_default_context_with_level(sename, lvl, NULL, &sc);
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c
 #endif
 
        if (r != 0) {
+@@ -102,7 +115,7 @@
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
+ {
+        security_context_t user_ctx = NULL;
+ 
+@@ -111,7 +124,7 @@
+ 
+        debug3("%s: setting execution context", __func__);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+@@ -133,7 +146,7 @@
+ 
+ /* Set the TTY context for the specified user */
+ void
+-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
+ {
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+@@ -144,7 +157,7 @@
+ 
+        debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
+       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+ 
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+Index: b/openbsd-compat/port-linux.h
+===================================================================
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -21,8 +21,8 @@
+ 
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+-void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ #endif
+ 
+Index: b/platform.c
+===================================================================
+--- a/platform.c
+++ b/platform.c
+@@ -134,7 +134,7 @@
+  * called if sshd is running as root.
+  */
+ void
+-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
+ {
+ #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+        /*
+@@ -181,7 +181,7 @@
+        }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_exec_context(pw->pw_name);
+       ssh_selinux_setup_exec_context(pw->pw_name, role);
+ #endif
+ }
+ 
+Index: b/platform.h
+===================================================================
+--- a/platform.h
+++ b/platform.h
+@@ -26,7 +26,7 @@
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+ void platform_setusercontext(struct passwd *);
+-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
+ char *platform_get_krb5_client(const char *);
+ char *platform_krb5_get_principal_name(const char *);
+ 
+Index: b/session.c
+===================================================================
+--- a/session.c
+++ b/session.c
+@@ -1467,7 +1467,7 @@
+ 
+ /* Set login name, uid, gid, and groups. */
+ void
+-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
+ {
+        char *chroot_path, *tmp;
+ 
+@@ -1495,7 +1495,7 @@
+                endgrent();
+ #endif
+ 
+-               platform_setusercontext_post_groups(pw);
+               platform_setusercontext_post_groups(pw, role);
+ 
+                if (options.chroot_directory != NULL &&
+                    strcasecmp(options.chroot_directory, "none") != 0) {
+@@ -1618,7 +1618,7 @@
+ 
+        /* Force a password change */
+        if (s->authctxt->force_pwchange) {
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                child_close_fds();
+                do_pwchange(s);
+                exit(1);
+@@ -1645,7 +1645,7 @@
+                /* When PAM is enabled we rely on it to do the nologin check */
+                if (!options.use_pam)
+                        do_nologin(pw);
+-               do_setusercontext(pw);
+               do_setusercontext(pw, s->authctxt->role);
+                /*
+                 * PAM session modules in do_setusercontext may have
+                 * generated messages, so if this in an interactive
+@@ -2057,7 +2057,7 @@
+        tty_parse_modes(s->ttyfd, &n_bytes);
+ 
+        if (!use_privsep)
+-               pty_setowner(s->pw, s->tty);
+               pty_setowner(s->pw, s->tty, s->authctxt->role);
+ 
+        /* Set window size from the packet. */
+        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+Index: b/session.h
+===================================================================
+--- a/session.h
+++ b/session.h
+@@ -76,7 +76,7 @@
+ Session        *session_new(void);
+ Session        *session_by_tty(char *);
+ void    session_close(Session *);
+-void    do_setusercontext(struct passwd *);
+void    do_setusercontext(struct passwd *, const char *);
+ void    child_set_env(char ***envp, u_int *envsizep, const char *name,
+                       const char *value);
+ 
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
+++ b/sshd.c
+@@ -707,7 +707,7 @@
+        RAND_seed(rnd, sizeof(rnd));
+ 
+        /* Drop privileges */
+-       do_setusercontext(authctxt->pw);
+       do_setusercontext(authctxt->pw, authctxt->role);
+ 
+  skip:
+        /* It is safe now to apply the key state */
+Index: b/sshpty.c
+===================================================================
+--- a/sshpty.c
+++ b/sshpty.c
+@@ -200,7 +200,7 @@
+ }
+ 
+ void
+-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
+ {
+        struct group *grp;
+        gid_t gid;
+@@ -227,7 +227,7 @@
+                    strerror(errno));
+ 
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_pty(pw->pw_name, tty);
+       ssh_selinux_setup_pty(pw->pw_name, tty, role);
+ #endif
+ 
+        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+Index: b/sshpty.h
+===================================================================
+--- a/sshpty.h
+++ b/sshpty.h
+@@ -24,4 +24,4 @@
+ void    pty_release(const char *);
+ void    pty_make_controlling_tty(int *, const char *);
+ void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
+-void    pty_setowner(struct passwd *, const char *);
+void    pty_setowner(struct passwd *, const char *, const char *);
author	Colin Watson <cjwatson@debian.org>	2011-01-25 12:59:25 +0000
committer	Colin Watson <cjwatson@debian.org>	2011-01-25 12:59:25 +0000
commit	ddf3ca2157b82d609f169eb22706047cbee7d3b4 (patch)
tree	9ae03508881372c8f22df0e4f7d44df4532f10b0 /debian/patches/selinux-role.patch
parent	5e750371bb19c8cc58b5faea70278d857acdae0a (diff)

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 74cd06201..30db352dd 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -156,6 +156,15 @@ Index: b/monitor.c
156	return (0);	156	return (0);
157	}	157	}
158		158
		159	@@ -1327,7 +1353,7 @@
		160	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
		161	if (res == 0)
		162	goto error;
		163	- pty_setowner(authctxt->pw, s->tty);
		164	+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
		165
		166	buffer_put_int(m, 1);
		167	buffer_put_cstring(m, s->tty);
159	Index: b/monitor.h	168	Index: b/monitor.h
160	===================================================================	169	===================================================================
161	--- a/monitor.h	170	--- a/monitor.h
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c
247	#include "log.h"	256	#include "log.h"
248	#include "xmalloc.h"	257	#include "xmalloc.h"
249	#include "port-linux.h"	258	#include "port-linux.h"
250	@@ -38,6 +44,8 @@	259	@@ -54,9 +60,9 @@
251	#include <selinux/flask.h>
252	#include <selinux/get_context_list.h>
253		260
254	+extern Authctxt *the_authctxt;	261	/* Return the default security context for the given username */
255	+
256	/* Wrapper around is_selinux_enabled() to log its return value once only */
257	int
258	ssh_selinux_enabled(void)
259	@@ -56,8 +64,8 @@
260	static security_context_t	262	static security_context_t
261	ssh_selinux_getctxbyname(char *pwname)	263	-ssh_selinux_getctxbyname(char *pwname)
		264	+ssh_selinux_getctxbyname(char pwname, const char role)
262	{	265	{
263	- security_context_t sc;	266	- security_context_t sc;
264	- char sename = NULL, lvl = NULL;
265	+ security_context_t sc = NULL;	267	+ security_context_t sc = NULL;
266	+ char sename = NULL, role = NULL, *lvl = NULL;	268	char sename = NULL, lvl = NULL;
267	int r;	269	int r;
268		270
269	#ifdef HAVE_GETSEUSERBYNAME	271	@@ -69,9 +75,16 @@
270	@@ -67,11 +75,20 @@
271	sename = pwname;
272	lvl = NULL;
273	#endif	272	#endif
274	+ if (the_authctxt)
275	+ role = the_authctxt->role;
276		273
277	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL	274	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
278	- r = get_default_context_with_level(sename, lvl, NULL, &sc);	275	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c
290	#endif	287	#endif
291		288
292	if (r != 0) {	289	if (r != 0) {
		290	@@ -102,7 +115,7 @@
		291
		292	/* Set the execution context to the default for the specified user */
		293	void
		294	-ssh_selinux_setup_exec_context(char *pwname)
		295	+ssh_selinux_setup_exec_context(char pwname, const char role)
		296	{
		297	security_context_t user_ctx = NULL;
		298
		299	@@ -111,7 +124,7 @@
		300
		301	debug3("%s: setting execution context", __func__);
		302
		303	- user_ctx = ssh_selinux_getctxbyname(pwname);
		304	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
		305	if (setexeccon(user_ctx) != 0) {
		306	switch (security_getenforce()) {
		307	case -1:
		308	@@ -133,7 +146,7 @@
		309
		310	/* Set the TTY context for the specified user */
		311	void
		312	-ssh_selinux_setup_pty(char pwname, const char tty)
		313	+ssh_selinux_setup_pty(char pwname, const char tty, const char *role)
		314	{
		315	security_context_t new_tty_ctx = NULL;
		316	security_context_t user_ctx = NULL;
		317	@@ -144,7 +157,7 @@
		318
		319	debug3("%s: setting TTY context on %s", __func__, tty);
		320
		321	- user_ctx = ssh_selinux_getctxbyname(pwname);
		322	+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
		323
		324	/* XXX: should these calls fatal() upon failure in enforcing mode? */
		325
		326	Index: b/openbsd-compat/port-linux.h
		327	===================================================================
		328	--- a/openbsd-compat/port-linux.h
		329	+++ b/openbsd-compat/port-linux.h
		330	@@ -21,8 +21,8 @@
		331
		332	#ifdef WITH_SELINUX
		333	int ssh_selinux_enabled(void);
		334	-void ssh_selinux_setup_pty(char , const char );
		335	-void ssh_selinux_setup_exec_context(char *);
		336	+void ssh_selinux_setup_pty(char , const char , const char *);
		337	+void ssh_selinux_setup_exec_context(char , const char );
		338	void ssh_selinux_change_context(const char *);
		339	#endif
		340
		341	Index: b/platform.c
		342	===================================================================
		343	--- a/platform.c
		344	+++ b/platform.c
		345	@@ -134,7 +134,7 @@
		346	* called if sshd is running as root.
		347	*/
		348	void
		349	-platform_setusercontext_post_groups(struct passwd *pw)
		350	+platform_setusercontext_post_groups(struct passwd pw, const char role)
		351	{
		352	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
		353	/*
		354	@@ -181,7 +181,7 @@
		355	}
		356	#endif /* HAVE_SETPCRED */
		357	#ifdef WITH_SELINUX
		358	- ssh_selinux_setup_exec_context(pw->pw_name);
		359	+ ssh_selinux_setup_exec_context(pw->pw_name, role);
		360	#endif
		361	}
		362
		363	Index: b/platform.h
		364	===================================================================
		365	--- a/platform.h
		366	+++ b/platform.h
		367	@@ -26,7 +26,7 @@
		368	void platform_post_fork_child(void);
		369	int platform_privileged_uidswap(void);
		370	void platform_setusercontext(struct passwd *);
		371	-void platform_setusercontext_post_groups(struct passwd *);
		372	+void platform_setusercontext_post_groups(struct passwd , const char );
		373	char platform_get_krb5_client(const char );
		374	char platform_krb5_get_principal_name(const char );
		375
		376	Index: b/session.c
		377	===================================================================
		378	--- a/session.c
		379	+++ b/session.c
		380	@@ -1467,7 +1467,7 @@
		381
		382	/* Set login name, uid, gid, and groups. */
		383	void
		384	-do_setusercontext(struct passwd *pw)
		385	+do_setusercontext(struct passwd pw, const char role)
		386	{
		387	char chroot_path, tmp;
		388
		389	@@ -1495,7 +1495,7 @@
		390	endgrent();
		391	#endif
		392
		393	- platform_setusercontext_post_groups(pw);
		394	+ platform_setusercontext_post_groups(pw, role);
		395
		396	if (options.chroot_directory != NULL &&
		397	strcasecmp(options.chroot_directory, "none") != 0) {
		398	@@ -1618,7 +1618,7 @@
		399
		400	/* Force a password change */
		401	if (s->authctxt->force_pwchange) {
		402	- do_setusercontext(pw);
		403	+ do_setusercontext(pw, s->authctxt->role);
		404	child_close_fds();
		405	do_pwchange(s);
		406	exit(1);
		407	@@ -1645,7 +1645,7 @@
		408	/* When PAM is enabled we rely on it to do the nologin check */
		409	if (!options.use_pam)
		410	do_nologin(pw);
		411	- do_setusercontext(pw);
		412	+ do_setusercontext(pw, s->authctxt->role);
		413	/*
		414	* PAM session modules in do_setusercontext may have
		415	* generated messages, so if this in an interactive
		416	@@ -2057,7 +2057,7 @@
		417	tty_parse_modes(s->ttyfd, &n_bytes);
		418
		419	if (!use_privsep)
		420	- pty_setowner(s->pw, s->tty);
		421	+ pty_setowner(s->pw, s->tty, s->authctxt->role);
		422
		423	/* Set window size from the packet. */
		424	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
		425	Index: b/session.h
		426	===================================================================
		427	--- a/session.h
		428	+++ b/session.h
		429	@@ -76,7 +76,7 @@
		430	Session *session_new(void);
		431	Session session_by_tty(char );
		432	void session_close(Session *);
		433	-void do_setusercontext(struct passwd *);
		434	+void do_setusercontext(struct passwd , const char );
		435	void child_set_env(char **envp, u_int envsizep, const char *name,
		436	const char *value);
		437
		438	Index: b/sshd.c
		439	===================================================================
		440	--- a/sshd.c
		441	+++ b/sshd.c
		442	@@ -707,7 +707,7 @@
		443	RAND_seed(rnd, sizeof(rnd));
		444
		445	/* Drop privileges */
		446	- do_setusercontext(authctxt->pw);
		447	+ do_setusercontext(authctxt->pw, authctxt->role);
		448
		449	skip:
		450	/* It is safe now to apply the key state */
		451	Index: b/sshpty.c
		452	===================================================================
		453	--- a/sshpty.c
		454	+++ b/sshpty.c
		455	@@ -200,7 +200,7 @@
		456	}
		457
		458	void
		459	-pty_setowner(struct passwd pw, const char tty)
		460	+pty_setowner(struct passwd pw, const char tty, const char *role)
		461	{
		462	struct group *grp;
		463	gid_t gid;
		464	@@ -227,7 +227,7 @@
		465	strerror(errno));
		466
		467	#ifdef WITH_SELINUX
		468	- ssh_selinux_setup_pty(pw->pw_name, tty);
		469	+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
		470	#endif
		471
		472	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
		473	Index: b/sshpty.h
		474	===================================================================
		475	--- a/sshpty.h
		476	+++ b/sshpty.h
		477	@@ -24,4 +24,4 @@
		478	void pty_release(const char *);
		479	void pty_make_controlling_tty(int , const char );
		480	void pty_change_window_size(int, u_int, u_int, u_int, u_int);
		481	-void pty_setowner(struct passwd , const char );
		482	+void pty_setowner(struct passwd , const char , const char *);