summaryrefslogtreecommitdiff
path: root/openbsd-compat
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2014-02-09 16:09:49 +0000
committerColin Watson <cjwatson@debian.org>2018-08-24 17:49:07 +0100
commit03979f2e0768e146d179c66f2d2e33afe61c1be3 (patch)
tree624add62ece0fb72400966a483aa5af060fb0a77 /openbsd-compat
parent84a7a1b1c767056c80add9f0e15c9f9ec23ec94d (diff)
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach will need an SSH protocol change. In the meantime, this came from Debian's SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 Last-Update: 2018-08-24 Patch-Name: selinux-role.patch
Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/port-linux.c21
-rw-r--r--openbsd-compat/port-linux.h4
2 files changed, 16 insertions, 9 deletions
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 8c5325cc3..9fdda664f 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -55,7 +55,7 @@ ssh_selinux_enabled(void)
55 55
56/* Return the default security context for the given username */ 56/* Return the default security context for the given username */
57static security_context_t 57static security_context_t
58ssh_selinux_getctxbyname(char *pwname) 58ssh_selinux_getctxbyname(char *pwname, const char *role)
59{ 59{
60 security_context_t sc = NULL; 60 security_context_t sc = NULL;
61 char *sename = NULL, *lvl = NULL; 61 char *sename = NULL, *lvl = NULL;
@@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname)
70#endif 70#endif
71 71
72#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 72#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
73 r = get_default_context_with_level(sename, lvl, NULL, &sc); 73 if (role != NULL && role[0])
74 r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
75 &sc);
76 else
77 r = get_default_context_with_level(sename, lvl, NULL, &sc);
74#else 78#else
75 r = get_default_context(sename, NULL, &sc); 79 if (role != NULL && role[0])
80 r = get_default_context_with_role(sename, role, NULL, &sc);
81 else
82 r = get_default_context(sename, NULL, &sc);
76#endif 83#endif
77 84
78 if (r != 0) { 85 if (r != 0) {
@@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname)
102 109
103/* Set the execution context to the default for the specified user */ 110/* Set the execution context to the default for the specified user */
104void 111void
105ssh_selinux_setup_exec_context(char *pwname) 112ssh_selinux_setup_exec_context(char *pwname, const char *role)
106{ 113{
107 security_context_t user_ctx = NULL; 114 security_context_t user_ctx = NULL;
108 115
@@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname)
111 118
112 debug3("%s: setting execution context", __func__); 119 debug3("%s: setting execution context", __func__);
113 120
114 user_ctx = ssh_selinux_getctxbyname(pwname); 121 user_ctx = ssh_selinux_getctxbyname(pwname, role);
115 if (setexeccon(user_ctx) != 0) { 122 if (setexeccon(user_ctx) != 0) {
116 switch (security_getenforce()) { 123 switch (security_getenforce()) {
117 case -1: 124 case -1:
@@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname)
133 140
134/* Set the TTY context for the specified user */ 141/* Set the TTY context for the specified user */
135void 142void
136ssh_selinux_setup_pty(char *pwname, const char *tty) 143ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
137{ 144{
138 security_context_t new_tty_ctx = NULL; 145 security_context_t new_tty_ctx = NULL;
139 security_context_t user_ctx = NULL; 146 security_context_t user_ctx = NULL;
@@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
145 152
146 debug3("%s: setting TTY context on %s", __func__, tty); 153 debug3("%s: setting TTY context on %s", __func__, tty);
147 154
148 user_ctx = ssh_selinux_getctxbyname(pwname); 155 user_ctx = ssh_selinux_getctxbyname(pwname, role);
149 156
150 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 157 /* XXX: should these calls fatal() upon failure in enforcing mode? */
151 158
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 3c22a854d..c88129428 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -19,8 +19,8 @@
19 19
20#ifdef WITH_SELINUX 20#ifdef WITH_SELINUX
21int ssh_selinux_enabled(void); 21int ssh_selinux_enabled(void);
22void ssh_selinux_setup_pty(char *, const char *); 22void ssh_selinux_setup_pty(char *, const char *, const char *);
23void ssh_selinux_setup_exec_context(char *); 23void ssh_selinux_setup_exec_context(char *, const char *);
24void ssh_selinux_change_context(const char *); 24void ssh_selinux_change_context(const char *);
25void ssh_selinux_setfscreatecon(const char *); 25void ssh_selinux_setfscreatecon(const char *);
26#endif 26#endif