Convert to source format 3.0 (quilt).

author: Colin Watson <cjwatson@debian.org> 2010-02-27 14:05:10 +0000
committer: Colin Watson <cjwatson@debian.org> 2010-02-27 14:05:10 +0000
commit: 8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (patch)
tree: 2e0d8058bdfc24a60a20c5bcbfd1075ef1048ff3 /debian/patches/selinux-role.patch
parent: e44a1fb6e8e59e67e5c8b6e83c0d8566d146aad9 (diff)
1 files changed, 283 insertions, 0 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
new file mode 100644
index 000000000..5e2a9ecb6
--- /dev/null
+++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,283 @@
+Index: b/auth.h
+===================================================================
+--- a/auth.h
+++ b/auth.h
+@@ -59,6 +59,7 @@
+        char            *service;
+        struct passwd   *pw;            /* set if 'valid' */
+        char            *style;
+       char            *role;
+        void            *kbdintctxt;
+        void            *jpake_ctx;
+ #ifdef BSD_AUTH
+Index: b/auth1.c
+===================================================================
+--- a/auth1.c
+++ b/auth1.c
+@@ -383,7 +383,7 @@
+ do_authentication(Authctxt *authctxt)
+ {
+        u_int ulen;
+-       char *user, *style = NULL;
+       char *user, *style = NULL, *role = NULL;
+ 
+        /* Get the name of the user that we wish to log in as. */
+        packet_read_expect(SSH_CMSG_USER);
+@@ -392,11 +392,17 @@
+        user = packet_get_string(&ulen);
+        packet_check_eom();
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = '\0';
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = '\0';
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        authctxt->user = user;
+        authctxt->style = style;
+       authctxt->role = role;
+ 
+        /* Verify that the user is a valid user. */
+        if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
+Index: b/auth2.c
+===================================================================
+--- a/auth2.c
+++ b/auth2.c
+@@ -217,7 +217,7 @@
+ {
+        Authctxt *authctxt = ctxt;
+        Authmethod *m = NULL;
+-       char *user, *service, *method, *style = NULL;
+       char *user, *service, *method, *style = NULL, *role = NULL;
+        int authenticated = 0;
+ 
+        if (authctxt == NULL)
+@@ -229,8 +229,13 @@
+        debug("userauth-request for user %s service %s method %s", user, service, method);
+        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
+       if ((role = strchr(user, '/')) != NULL)
+               *role++ = 0;
+
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = 0;
+       else if (role && (style = strchr(role, ':')) != NULL)
+               *style++ = '\0';
+ 
+        if (authctxt->attempt++ == 0) {
+                /* setup auth context */
+@@ -254,8 +259,9 @@
+                    use_privsep ? " [net]" : "");
+                authctxt->service = xstrdup(service);
+                authctxt->style = style ? xstrdup(style) : NULL;
+               authctxt->role = role ? xstrdup(role) : NULL;
+                if (use_privsep)
+-                       mm_inform_authserv(service, style);
+                       mm_inform_authserv(service, style, role);
+                userauth_banner();
+        } else if (strcmp(user, authctxt->user) != 0 ||
+            strcmp(service, authctxt->service) != 0) {
+Index: b/monitor.c
+===================================================================
+--- a/monitor.c
+++ b/monitor.c
+@@ -137,6 +137,7 @@
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -215,6 +216,7 @@
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -699,6 +701,7 @@
+        else {
+                /* Allow service/style information on the auth context */
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+               monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+        }
+ 
+@@ -732,14 +735,37 @@
+ 
+        authctxt->service = buffer_get_string(m, NULL);
+        authctxt->style = buffer_get_string(m, NULL);
+-       debug3("%s: service=%s, style=%s",
+-           __func__, authctxt->service, authctxt->style);
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: service=%s, style=%s, role=%s",
+           __func__, authctxt->service, authctxt->style, authctxt->role);
+ 
+        if (strlen(authctxt->style) == 0) {
+                xfree(authctxt->style);
+                authctxt->style = NULL;
+        }
+ 
+       if (strlen(authctxt->role) == 0) {
+               xfree(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+       return (0);
+}
+
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+       monitor_permit_authentications(1);
+
+       authctxt->role = buffer_get_string(m, NULL);
+       debug3("%s: role=%s",
+           __func__, authctxt->role);
+
+       if (strlen(authctxt->role) == 0) {
+               xfree(authctxt->role);
+               authctxt->role = NULL;
+       }
+
+        return (0);
+ }
+ 
+Index: b/monitor.h
+===================================================================
+--- a/monitor.h
+++ b/monitor.h
+@@ -30,7 +30,7 @@
+ 
+ enum monitor_reqtype {
+        MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
+-       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+       MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
+        MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
+        MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
+        MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
+Index: b/monitor_wrap.c
+===================================================================
+--- a/monitor_wrap.c
+++ b/monitor_wrap.c
+@@ -279,10 +279,10 @@
+        return (banner);
+ }
+ 
+-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
+ 
+ void
+-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
+ {
+        Buffer m;
+ 
+@@ -291,11 +291,29 @@
+        buffer_init(&m);
+        buffer_put_cstring(&m, service);
+        buffer_put_cstring(&m, style ? style : "");
+       buffer_put_cstring(&m, role ? role : "");
+ 
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
+ 
+        buffer_free(&m);
+ }
+
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+       Buffer m;
+
+       debug3("%s entering", __func__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, role ? role : "");
+
+       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+       buffer_free(&m);
+}
+ 
+ /* Do the password authentication */
+ int
+Index: b/monitor_wrap.h
+===================================================================
+--- a/monitor_wrap.h
+++ b/monitor_wrap.h
+@@ -40,7 +40,8 @@
+ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+-void mm_inform_authserv(char *, char *);
+void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct Authctxt *, char *);
+Index: b/openbsd-compat/port-linux.c
+===================================================================
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -28,6 +28,12 @@
+ #include <string.h>
+ 
+ #ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#ifdef HAVE_GETSEUSERBYNAME
+#include "xmalloc.h"
+#endif
+ #include "log.h"
+ #include "port-linux.h"
+ 
+@@ -35,6 +41,8 @@
+ #include <selinux/flask.h>
+ #include <selinux/get_context_list.h>
+ 
+extern Authctxt *the_authctxt;
+
+ /* Wrapper around is_selinux_enabled() to log its return value once only */
+ int
+ ssh_selinux_enabled(void)
+@@ -53,8 +61,8 @@
+ static security_context_t
+ ssh_selinux_getctxbyname(char *pwname)
+ {
+-       security_context_t sc;
+-       char *sename = NULL, *lvl = NULL;
+       security_context_t sc = NULL;
+       char *sename = NULL, *role = NULL, *lvl = NULL;
+        int r;
+ 
+ #ifdef HAVE_GETSEUSERBYNAME
+@@ -64,11 +72,20 @@
+        sename = pwname;
+        lvl = NULL;
+ #endif
+       if (the_authctxt)
+               role = the_authctxt->role;
+ 
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-       r = get_default_context_with_level(sename, lvl, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+                                                      &sc);
+       else
+               r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-       r = get_default_context(sename, NULL, &sc);
+       if (role != NULL && role[0])
+               r = get_default_context_with_role(sename, role, NULL, &sc);
+       else
+               r = get_default_context(sename, NULL, &sc);
+ #endif
+ 
+        if (r != 0) {
author	Colin Watson <cjwatson@debian.org>	2010-02-27 14:05:10 +0000
committer	Colin Watson <cjwatson@debian.org>	2010-02-27 14:05:10 +0000
commit	8dcc7c5ef45cf5032dca7a308ffe17d3935e62d5 (patch)
tree	2e0d8058bdfc24a60a20c5bcbfd1075ef1048ff3 /debian/patches/selinux-role.patch
parent	e44a1fb6e8e59e67e5c8b6e83c0d8566d146aad9 (diff)

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..5e2a9ecb6 --- /dev/null +++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,283 @@
	1	Index: b/auth.h
	2	===================================================================
	3	--- a/auth.h
	4	+++ b/auth.h
	5	@@ -59,6 +59,7 @@
	6	char *service;
	7	struct passwd pw; / set if 'valid' */
	8	char *style;
	9	+ char *role;
	10	void *kbdintctxt;
	11	void *jpake_ctx;
	12	#ifdef BSD_AUTH
	13	Index: b/auth1.c
	14	===================================================================
	15	--- a/auth1.c
	16	+++ b/auth1.c
	17	@@ -383,7 +383,7 @@
	18	do_authentication(Authctxt *authctxt)
	19	{
	20	u_int ulen;
	21	- char user, style = NULL;
	22	+ char user, style = NULL, *role = NULL;
	23
	24	/* Get the name of the user that we wish to log in as. */
	25	packet_read_expect(SSH_CMSG_USER);
	26	@@ -392,11 +392,17 @@
	27	user = packet_get_string(&ulen);
	28	packet_check_eom();
	29
	30	+ if ((role = strchr(user, '/')) != NULL)
	31	+ *role++ = '\0';
	32	+
	33	if ((style = strchr(user, ':')) != NULL)
	34	*style++ = '\0';
	35	+ else if (role && (style = strchr(role, ':')) != NULL)
	36	+ *style++ = '\0';
	37
	38	authctxt->user = user;
	39	authctxt->style = style;
	40	+ authctxt->role = role;
	41
	42	/* Verify that the user is a valid user. */
	43	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
	44	Index: b/auth2.c
	45	===================================================================
	46	--- a/auth2.c
	47	+++ b/auth2.c
	48	@@ -217,7 +217,7 @@
	49	{
	50	Authctxt *authctxt = ctxt;
	51	Authmethod *m = NULL;
	52	- char user, service, method, style = NULL;
	53	+ char user, service, method, style = NULL, *role = NULL;
	54	int authenticated = 0;
	55
	56	if (authctxt == NULL)
	57	@@ -229,8 +229,13 @@
	58	debug("userauth-request for user %s service %s method %s", user, service, method);
	59	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
	60
	61	+ if ((role = strchr(user, '/')) != NULL)
	62	+ *role++ = 0;
	63	+
	64	if ((style = strchr(user, ':')) != NULL)
	65	*style++ = 0;
	66	+ else if (role && (style = strchr(role, ':')) != NULL)
	67	+ *style++ = '\0';
	68
	69	if (authctxt->attempt++ == 0) {
	70	/* setup auth context */
	71	@@ -254,8 +259,9 @@
	72	use_privsep ? " [net]" : "");
	73	authctxt->service = xstrdup(service);
	74	authctxt->style = style ? xstrdup(style) : NULL;
	75	+ authctxt->role = role ? xstrdup(role) : NULL;
	76	if (use_privsep)
	77	- mm_inform_authserv(service, style);
	78	+ mm_inform_authserv(service, style, role);
	79	userauth_banner();
	80	} else if (strcmp(user, authctxt->user) != 0 \|\|
	81	strcmp(service, authctxt->service) != 0) {
	82	Index: b/monitor.c
	83	===================================================================
	84	--- a/monitor.c
	85	+++ b/monitor.c
	86	@@ -137,6 +137,7 @@
	87	int mm_answer_pwnamallow(int, Buffer *);
	88	int mm_answer_auth2_read_banner(int, Buffer *);
	89	int mm_answer_authserv(int, Buffer *);
	90	+int mm_answer_authrole(int, Buffer *);
	91	int mm_answer_authpassword(int, Buffer *);
	92	int mm_answer_bsdauthquery(int, Buffer *);
	93	int mm_answer_bsdauthrespond(int, Buffer *);
	94	@@ -215,6 +216,7 @@
	95	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
	96	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
	97	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
	98	+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
	99	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
	100	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
	101	#ifdef USE_PAM
	102	@@ -699,6 +701,7 @@
	103	else {
	104	/* Allow service/style information on the auth context */
	105	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
	106	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
	107	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
	108	}
	109
	110	@@ -732,14 +735,37 @@
	111
	112	authctxt->service = buffer_get_string(m, NULL);
	113	authctxt->style = buffer_get_string(m, NULL);
	114	- debug3("%s: service=%s, style=%s",
	115	- __func__, authctxt->service, authctxt->style);
	116	+ authctxt->role = buffer_get_string(m, NULL);
	117	+ debug3("%s: service=%s, style=%s, role=%s",
	118	+ __func__, authctxt->service, authctxt->style, authctxt->role);
	119
	120	if (strlen(authctxt->style) == 0) {
	121	xfree(authctxt->style);
	122	authctxt->style = NULL;
	123	}
	124
	125	+ if (strlen(authctxt->role) == 0) {
	126	+ xfree(authctxt->role);
	127	+ authctxt->role = NULL;
	128	+ }
	129	+
	130	+ return (0);
	131	+}
	132	+
	133	+int
	134	+mm_answer_authrole(int sock, Buffer *m)
	135	+{
	136	+ monitor_permit_authentications(1);
	137	+
	138	+ authctxt->role = buffer_get_string(m, NULL);
	139	+ debug3("%s: role=%s",
	140	+ __func__, authctxt->role);
	141	+
	142	+ if (strlen(authctxt->role) == 0) {
	143	+ xfree(authctxt->role);
	144	+ authctxt->role = NULL;
	145	+ }
	146	+
	147	return (0);
	148	}
	149
	150	Index: b/monitor.h
	151	===================================================================
	152	--- a/monitor.h
	153	+++ b/monitor.h
	154	@@ -30,7 +30,7 @@
	155
	156	enum monitor_reqtype {
	157	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
	158	- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
	159	+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,
	160	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
	161	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
	162	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
	163	Index: b/monitor_wrap.c
	164	===================================================================
	165	--- a/monitor_wrap.c
	166	+++ b/monitor_wrap.c
	167	@@ -279,10 +279,10 @@
	168	return (banner);
	169	}
	170
	171	-/* Inform the privileged process about service and style */
	172	+/* Inform the privileged process about service, style, and role */
	173
	174	void
	175	-mm_inform_authserv(char service, char style)
	176	+mm_inform_authserv(char service, char style, char *role)
	177	{
	178	Buffer m;
	179
	180	@@ -291,11 +291,29 @@
	181	buffer_init(&m);
	182	buffer_put_cstring(&m, service);
	183	buffer_put_cstring(&m, style ? style : "");
	184	+ buffer_put_cstring(&m, role ? role : "");
	185
	186	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
	187
	188	buffer_free(&m);
	189	}
	190	+
	191	+/* Inform the privileged process about role */
	192	+
	193	+void
	194	+mm_inform_authrole(char *role)
	195	+{
	196	+ Buffer m;
	197	+
	198	+ debug3("%s entering", __func__);
	199	+
	200	+ buffer_init(&m);
	201	+ buffer_put_cstring(&m, role ? role : "");
	202	+
	203	+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
	204	+
	205	+ buffer_free(&m);
	206	+}
	207
	208	/* Do the password authentication */
	209	int
	210	Index: b/monitor_wrap.h
	211	===================================================================
	212	--- a/monitor_wrap.h
	213	+++ b/monitor_wrap.h
	214	@@ -40,7 +40,8 @@
	215	int mm_is_monitor(void);
	216	DH *mm_choose_dh(int, int, int);
	217	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);
	218	-void mm_inform_authserv(char , char );
	219	+void mm_inform_authserv(char , char , char *);
	220	+void mm_inform_authrole(char *);
	221	struct passwd mm_getpwnamallow(const char );
	222	char *mm_auth2_read_banner(void);
	223	int mm_auth_password(struct Authctxt , char );
	224	Index: b/openbsd-compat/port-linux.c
	225	===================================================================
	226	--- a/openbsd-compat/port-linux.c
	227	+++ b/openbsd-compat/port-linux.c
	228	@@ -28,6 +28,12 @@
	229	#include <string.h>
	230
	231	#ifdef WITH_SELINUX
	232	+#include "key.h"
	233	+#include "hostfile.h"
	234	+#include "auth.h"
	235	+#ifdef HAVE_GETSEUSERBYNAME
	236	+#include "xmalloc.h"
	237	+#endif
	238	#include "log.h"
	239	#include "port-linux.h"
	240
	241	@@ -35,6 +41,8 @@
	242	#include <selinux/flask.h>
	243	#include <selinux/get_context_list.h>
	244
	245	+extern Authctxt *the_authctxt;
	246	+
	247	/* Wrapper around is_selinux_enabled() to log its return value once only */
	248	int
	249	ssh_selinux_enabled(void)
	250	@@ -53,8 +61,8 @@
	251	static security_context_t
	252	ssh_selinux_getctxbyname(char *pwname)
	253	{
	254	- security_context_t sc;
	255	- char sename = NULL, lvl = NULL;
	256	+ security_context_t sc = NULL;
	257	+ char sename = NULL, role = NULL, *lvl = NULL;
	258	int r;
	259
	260	#ifdef HAVE_GETSEUSERBYNAME
	261	@@ -64,11 +72,20 @@
	262	sename = pwname;
	263	lvl = NULL;
	264	#endif
	265	+ if (the_authctxt)
	266	+ role = the_authctxt->role;
	267
	268	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
	269	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
	270	+ if (role != NULL && role[0])
	271	+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
	272	+ &sc);
	273	+ else
	274	+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
	275	#else
	276	- r = get_default_context(sename, NULL, &sc);
	277	+ if (role != NULL && role[0])
	278	+ r = get_default_context_with_role(sename, role, NULL, &sc);
	279	+ else
	280	+ r = get_default_context(sename, NULL, &sc);
	281	#endif
	282
	283	if (r != 0) {