summaryrefslogtreecommitdiff
path: root/monitor_wrap.c
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2019-06-05 13:11:52 +0100
commit21e3ff3ab4791d3c94bd775da66cde29797fcb36 (patch)
treec218b12d60175ae0572c0236f2390d9e26de5bc9 /monitor_wrap.c
parent0f9f44654708e4fde2f52c52f717d061b5e458fa (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2019-06-05 Patch-Name: selinux-role.patch
Diffstat (limited to 'monitor_wrap.c')
-rw-r--r--monitor_wrap.c27
1 files changed, 24 insertions, 3 deletions
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 8e4c1c1f8..6b3a6251c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
364 return (banner); 364 return (banner);
365} 365}
366 366
367/* Inform the privileged process about service and style */ 367/* Inform the privileged process about service, style, and role */
368 368
369void 369void
370mm_inform_authserv(char *service, char *style) 370mm_inform_authserv(char *service, char *style, char *role)
371{ 371{
372 struct sshbuf *m; 372 struct sshbuf *m;
373 int r; 373 int r;
@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
377 if ((m = sshbuf_new()) == NULL) 377 if ((m = sshbuf_new()) == NULL)
378 fatal("%s: sshbuf_new failed", __func__); 378 fatal("%s: sshbuf_new failed", __func__);
379 if ((r = sshbuf_put_cstring(m, service)) != 0 || 379 if ((r = sshbuf_put_cstring(m, service)) != 0 ||
380 (r = sshbuf_put_cstring(m, style ? style : "")) != 0) 380 (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
381 (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
381 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 382 fatal("%s: buffer error: %s", __func__, ssh_err(r));
382 383
383 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); 384 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
385 sshbuf_free(m); 386 sshbuf_free(m);
386} 387}
387 388
389/* Inform the privileged process about role */
390
391void
392mm_inform_authrole(char *role)
393{
394 struct sshbuf *m;
395 int r;
396
397 debug3("%s entering", __func__);
398
399 if ((m = sshbuf_new()) == NULL)
400 fatal("%s: sshbuf_new failed", __func__);
401 if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
402 fatal("%s: buffer error: %s", __func__, ssh_err(r));
403
404 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
405
406 sshbuf_free(m);
407}
408
388/* Do the password authentication */ 409/* Do the password authentication */
389int 410int
390mm_auth_password(struct ssh *ssh, char *password) 411mm_auth_password(struct ssh *ssh, char *password)