Handle SELinux authorisation roles

Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2015-08-19 Patch-Name: selinux-role.patch
author: Manoj Srivastava <srivasta@debian.org> 2014-02-09 16:09:49 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-03-10 13:00:39 +0000
commit: 16caff9bcfbc638ed7d2e01a338db678f138faa5 (patch)
tree: 4dc7fd839271789949e30e2c3edf255cf2f17a31 /monitor.c
parent: 1b820bd5376b5b04403f0489b2e135566cedd4e6 (diff)
1 files changed, 29 insertions, 3 deletions
diff --git a/monitor.c b/monitor.c
index 6c8202325..5be3fbfdb 100644
--- a/monitor.c
+++ b/monitor.c
@@ -126,6 +126,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -207,6 +208,7 @@ struct mon_table mon_dispatch_proto20[] = {
    {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
    {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -875,6 +877,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
        else {
                /* Allow service/style information on the auth context */
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
        }
 #ifdef USE_PAM
@@ -905,14 +908,37 @@ mm_answer_authserv(int sock, Buffer *m)
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
-        debug3("%s: service=%s, style=%s",
+        authctxt->role = buffer_get_string(m, NULL);
-            __func__, authctxt->service, authctxt->style);
+        debug3("%s: service=%s, style=%s, role=%s",
+            __func__, authctxt->service, authctxt->style, authctxt->role);
        if (strlen(authctxt->style) == 0) {
                free(authctxt->style);
                authctxt->style = NULL;
        }
+        if (strlen(authctxt->role) == 0) {
+                free(authctxt->role);
+                authctxt->role = NULL;
+        }
+        return (0);
+}
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+        monitor_permit_authentications(1);
+        authctxt->role = buffer_get_string(m, NULL);
+        debug3("%s: role=%s",
+            __func__, authctxt->role);
+        if (strlen(authctxt->role) == 0) {
+                free(authctxt->role);
+                authctxt->role = NULL;
+        }
        return (0);
 }
@@ -1541,7 +1567,7 @@ mm_answer_pty(int sock, Buffer *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
-        pty_setowner(authctxt->pw, s->tty);
+        pty_setowner(authctxt->pw, s->tty, authctxt->role);
        buffer_put_int(m, 1);
        buffer_put_cstring(m, s->tty);
author	Manoj Srivastava <srivasta@debian.org>	2014-02-09 16:09:49 +0000
committer	Colin Watson <cjwatson@debian.org>	2016-03-10 13:00:39 +0000
commit	16caff9bcfbc638ed7d2e01a338db678f138faa5 (patch)
tree	4dc7fd839271789949e30e2c3edf255cf2f17a31 /monitor.c
parent	1b820bd5376b5b04403f0489b2e135566cedd4e6 (diff)