Handle SELinux authorisation roles

Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2017-10-04

Patch-Name: selinux-role.patch

1 files changed, 20 insertions, 2 deletions

diff --git a/monitor_wrap.c b/monitor_wrap.c
index 0e171a6a6..d806bb2e7 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -336,10 +336,10 @@ mm_auth2_read_banner(void)
         return (banner);
 }
 
-/* Inform the privileged process about service and style */
+/* Inform the privileged process about service, style, and role */
 
 void
-mm_inform_authserv(char *service, char *style)
+mm_inform_authserv(char *service, char *style, char *role)
 {
         Buffer m;
 
@@ -348,12 +348,30 @@ mm_inform_authserv(char *service, char *style)
         buffer_init(&m);
         buffer_put_cstring(&m, service);
         buffer_put_cstring(&m, style ? style : "");
+        buffer_put_cstring(&m, role ? role : "");
 
         mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m);
 
         buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+        Buffer m;
+
+        debug3("%s entering", __func__);
+
+        buffer_init(&m);
+        buffer_put_cstring(&m, role ? role : "");
+
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+        buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)