diff options
author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2019-06-05 13:11:52 +0100 |
commit | 21e3ff3ab4791d3c94bd775da66cde29797fcb36 (patch) | |
tree | c218b12d60175ae0572c0236f2390d9e26de5bc9 /openbsd-compat/port-linux.c | |
parent | 0f9f44654708e4fde2f52c52f717d061b5e458fa (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2019-06-05
Patch-Name: selinux-role.patch
Diffstat (limited to 'openbsd-compat/port-linux.c')
-rw-r--r-- | openbsd-compat/port-linux.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 622988822..3e6e07670 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
@@ -56,7 +56,7 @@ ssh_selinux_enabled(void) | |||
56 | 56 | ||
57 | /* Return the default security context for the given username */ | 57 | /* Return the default security context for the given username */ |
58 | static security_context_t | 58 | static security_context_t |
59 | ssh_selinux_getctxbyname(char *pwname) | 59 | ssh_selinux_getctxbyname(char *pwname, const char *role) |
60 | { | 60 | { |
61 | security_context_t sc = NULL; | 61 | security_context_t sc = NULL; |
62 | char *sename = NULL, *lvl = NULL; | 62 | char *sename = NULL, *lvl = NULL; |
@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname) | |||
71 | #endif | 71 | #endif |
72 | 72 | ||
73 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 73 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
74 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | 74 | if (role != NULL && role[0]) |
75 | r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
76 | &sc); | ||
77 | else | ||
78 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
75 | #else | 79 | #else |
76 | r = get_default_context(sename, NULL, &sc); | 80 | if (role != NULL && role[0]) |
81 | r = get_default_context_with_role(sename, role, NULL, &sc); | ||
82 | else | ||
83 | r = get_default_context(sename, NULL, &sc); | ||
77 | #endif | 84 | #endif |
78 | 85 | ||
79 | if (r != 0) { | 86 | if (r != 0) { |
@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname) | |||
103 | 110 | ||
104 | /* Set the execution context to the default for the specified user */ | 111 | /* Set the execution context to the default for the specified user */ |
105 | void | 112 | void |
106 | ssh_selinux_setup_exec_context(char *pwname) | 113 | ssh_selinux_setup_exec_context(char *pwname, const char *role) |
107 | { | 114 | { |
108 | security_context_t user_ctx = NULL; | 115 | security_context_t user_ctx = NULL; |
109 | 116 | ||
@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
112 | 119 | ||
113 | debug3("%s: setting execution context", __func__); | 120 | debug3("%s: setting execution context", __func__); |
114 | 121 | ||
115 | user_ctx = ssh_selinux_getctxbyname(pwname); | 122 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
116 | if (setexeccon(user_ctx) != 0) { | 123 | if (setexeccon(user_ctx) != 0) { |
117 | switch (security_getenforce()) { | 124 | switch (security_getenforce()) { |
118 | case -1: | 125 | case -1: |
@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
134 | 141 | ||
135 | /* Set the TTY context for the specified user */ | 142 | /* Set the TTY context for the specified user */ |
136 | void | 143 | void |
137 | ssh_selinux_setup_pty(char *pwname, const char *tty) | 144 | ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) |
138 | { | 145 | { |
139 | security_context_t new_tty_ctx = NULL; | 146 | security_context_t new_tty_ctx = NULL; |
140 | security_context_t user_ctx = NULL; | 147 | security_context_t user_ctx = NULL; |
@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | |||
146 | 153 | ||
147 | debug3("%s: setting TTY context on %s", __func__, tty); | 154 | debug3("%s: setting TTY context on %s", __func__, tty); |
148 | 155 | ||
149 | user_ctx = ssh_selinux_getctxbyname(pwname); | 156 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
150 | 157 | ||
151 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 158 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
152 | 159 | ||