author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
committer | Colin Watson <cjwatson@debian.org> | 2015-11-29 17:26:12 +0000 |
commit | 10dec1266aa5cf1ad906b1bef6f67edc322c00cb (patch) | |
tree | e7d77bfb62abe1038c7c0262b4cd7c97cb1076bf /openbsd-compat | |
parent | 206272ccede7e6fac5d7fda30ea305349b8ad781 (diff) |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2015-08-19
Patch-Name: selinux-role.patch
Diffstat (limited to 'openbsd-compat')
-rw-r--r-- | openbsd-compat/port-linux.c | 27 | ||||
-rw-r--r-- | openbsd-compat/port-linux.h | 4 |
2 files changed, 22 insertions, 9 deletions
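--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -29,6 +29,12 @@
 #include <string.h>
 #include <stdio.h>
 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
 
 /* Return the default security context for the given username */
 static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
 	security_context_t sc = NULL;
 	char *sename = NULL, *lvl = NULL;
@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
 #endif
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+	if (role != NULL && role[0])
+		r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+		    &sc);
+	else
+		r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+	if (role != NULL && role[0])
+		r = get_default_context_with_role(sename, role, NULL, &sc);
+	else
+		r = get_default_context(sename, NULL, &sc);
 #endif
 
 	if (r != 0) {
@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
 
 /* Set the execution context to the default for the specified user */
 void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
 {
 	security_context_t user_ctx = NULL;
 
@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 	debug3("%s: setting execution context", __func__);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 	if (setexeccon(user_ctx) != 0) {
 		switch (security_getenforce()) {
 		case -1:
@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 /* Set the TTY context for the specified user */
 void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
 {
 	security_context_t new_tty_ctx = NULL;
 	security_context_t user_ctx = NULL;
@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 
 	debug3("%s: setting TTY context on %s", __func__, tty);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 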
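Review bot: The role branches in the `@@ -73,9 +79,16 @@` hunk call `get_default_context_with_rolelevel()` under the existing `HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL` guard and `get_default_context_with_role()` with no guard at all, so the build now assumes every libselinux that has the `_with_level` variant also has the role variants; if an older libselinux lacks either, the result is an implicit declaration or link failure rather than a fallback, and a dedicated configure check (or a `#ifdef` around the role branches) would make that dependency explicit. The comment on new line 65 still says only "for the given username"; it should become `/* Return the default security context for the given username, restricted to the given SELinux role when role is non-NULL and non-empty */`. Nothing in this file checks the role string beyond `role != NULL && role[0]` before handing it to libselinux, so that comment should also state that the caller is responsible for having limited it to a role the user may hold; a role libselinux rejects presumably surfaces as a non-zero `r` and takes the existing `if (r != 0)` path, which is the right outcome (no silent fallback to the default context). The three new includes in the first hunk (`key.h`, `hostfile.h`, `auth.h`) are not used by any line visible here, so if they serve a later part of the file a short comment saying why they are needed would help. ssh_selinux_getctxbyname's body continues outside the hunk.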
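--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -21,8 +21,8 @@
 
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 #endif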
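Review bot: The new trailing `const char *` parameter on both prototypes (new lines 24-25) is undocumented, so a caller reading the header cannot tell that it is an SELinux role or that it may be omitted. A one-line comment above the two declarations, `/* Trailing argument: SELinux role to apply, or NULL / "" to use the user's default context */`, would state the accepted values, which match the `role != NULL && role[0]` test in port-linux.c. Because the role ends up in the session's exec and TTY contexts, the comment should also say that the caller must have validated the role before passing it here, since port-linux.c does not.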