summaryrefslogtreecommitdiff
path: root/openbsd-compat
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2018-10-20 22:54:09 +0100
commitcf3f6ac19812e4d32874304b3854b055831c2124 (patch)
treea9f141a9525561b4002b0677c109e9a8dd1b293f /openbsd-compat
parent389e16d0109d8c49a761cd7c267438b05c9ab984 (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2018-08-24 Patch-Name: selinux-role.patch
Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/port-linux.c21
-rw-r--r--openbsd-compat/port-linux.h4
2 files changed, 16 insertions, 9 deletions
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 622988822..3e6e07670 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
56 56
57/* Return the default security context for the given username */ 57/* Return the default security context for the given username */
58static security_context_t 58static security_context_t
59ssh_selinux_getctxbyname(char *pwname) 59ssh_selinux_getctxbyname(char *pwname, const char *role)
60{ 60{
61 security_context_t sc = NULL; 61 security_context_t sc = NULL;
62 char *sename = NULL, *lvl = NULL; 62 char *sename = NULL, *lvl = NULL;
@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
71#endif 71#endif
72 72
73#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 73#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
74 r = get_default_context_with_level(sename, lvl, NULL, &sc); 74 if (role != NULL && role[0])
75 r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
76 &sc);
77 else
78 r = get_default_context_with_level(sename, lvl, NULL, &sc);
75#else 79#else
76 r = get_default_context(sename, NULL, &sc); 80 if (role != NULL && role[0])
81 r = get_default_context_with_role(sename, role, NULL, &sc);
82 else
83 r = get_default_context(sename, NULL, &sc);
77#endif 84#endif
78 85
79 if (r != 0) { 86 if (r != 0) {
@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
103 110
104/* Set the execution context to the default for the specified user */ 111/* Set the execution context to the default for the specified user */
105void 112void
106ssh_selinux_setup_exec_context(char *pwname) 113ssh_selinux_setup_exec_context(char *pwname, const char *role)
107{ 114{
108 security_context_t user_ctx = NULL; 115 security_context_t user_ctx = NULL;
109 116
@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
112 119
113 debug3("%s: setting execution context", __func__); 120 debug3("%s: setting execution context", __func__);
114 121
115 user_ctx = ssh_selinux_getctxbyname(pwname); 122 user_ctx = ssh_selinux_getctxbyname(pwname, role);
116 if (setexeccon(user_ctx) != 0) { 123 if (setexeccon(user_ctx) != 0) {
117 switch (security_getenforce()) { 124 switch (security_getenforce()) {
118 case -1: 125 case -1:
@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
134 141
135/* Set the TTY context for the specified user */ 142/* Set the TTY context for the specified user */
136void 143void
137ssh_selinux_setup_pty(char *pwname, const char *tty) 144ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
138{ 145{
139 security_context_t new_tty_ctx = NULL; 146 security_context_t new_tty_ctx = NULL;
140 security_context_t user_ctx = NULL; 147 security_context_t user_ctx = NULL;
@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
146 153
147 debug3("%s: setting TTY context on %s", __func__, tty); 154 debug3("%s: setting TTY context on %s", __func__, tty);
148 155
149 user_ctx = ssh_selinux_getctxbyname(pwname); 156 user_ctx = ssh_selinux_getctxbyname(pwname, role);
150 157
151 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 158 /* XXX: should these calls fatal() upon failure in enforcing mode? */
152 159
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3c22a854d..c88129428 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
19 19
20#ifdef WITH_SELINUX 20#ifdef WITH_SELINUX
21int ssh_selinux_enabled(void); 21int ssh_selinux_enabled(void);
22void ssh_selinux_setup_pty(char *, const char *); 22void ssh_selinux_setup_pty(char *, const char *, const char *);
23void ssh_selinux_setup_exec_context(char *); 23void ssh_selinux_setup_exec_context(char *, const char *);
24void ssh_selinux_change_context(const char *); 24void ssh_selinux_change_context(const char *);
25void ssh_selinux_setfscreatecon(const char *); 25void ssh_selinux_setfscreatecon(const char *);
26#endif 26#endif