diff options
| author | Manoj Srivastava <srivasta@debian.org> | 2014-02-09 16:09:49 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2018-04-03 08:20:56 +0100 |
| commit | 7da968d97beba5fb80a5488516563ea1376db907 (patch) | |
| tree | 0e9107c92138281814181acbdd1428a6862ef63b /openbsd-compat | |
| parent | 398af3d66bfe8dc7d436570026571e522a0a13a0 (diff) | |
Handle SELinux authorisation roles
Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change. In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2017-10-04
Patch-Name: selinux-role.patch
Diffstat (limited to 'openbsd-compat')
| -rw-r--r-- | openbsd-compat/port-linux.c | 27 | ||||
| -rw-r--r-- | openbsd-compat/port-linux.h | 4 |
2 files changed, 22 insertions, 9 deletions
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 8c5325cc3..8a3e5c68d 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
| @@ -27,6 +27,12 @@ | |||
| 27 | #include <string.h> | 27 | #include <string.h> |
| 28 | #include <stdio.h> | 28 | #include <stdio.h> |
| 29 | 29 | ||
| 30 | #ifdef WITH_SELINUX | ||
| 31 | #include "key.h" | ||
| 32 | #include "hostfile.h" | ||
| 33 | #include "auth.h" | ||
| 34 | #endif | ||
| 35 | |||
| 30 | #include "log.h" | 36 | #include "log.h" |
| 31 | #include "xmalloc.h" | 37 | #include "xmalloc.h" |
| 32 | #include "port-linux.h" | 38 | #include "port-linux.h" |
| @@ -55,7 +61,7 @@ ssh_selinux_enabled(void) | |||
| 55 | 61 | ||
| 56 | /* Return the default security context for the given username */ | 62 | /* Return the default security context for the given username */ |
| 57 | static security_context_t | 63 | static security_context_t |
| 58 | ssh_selinux_getctxbyname(char *pwname) | 64 | ssh_selinux_getctxbyname(char *pwname, const char *role) |
| 59 | { | 65 | { |
| 60 | security_context_t sc = NULL; | 66 | security_context_t sc = NULL; |
| 61 | char *sename = NULL, *lvl = NULL; | 67 | char *sename = NULL, *lvl = NULL; |
| @@ -70,9 +76,16 @@ ssh_selinux_getctxbyname(char *pwname) | |||
| 70 | #endif | 76 | #endif |
| 71 | 77 | ||
| 72 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 78 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
| 73 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | 79 | if (role != NULL && role[0]) |
| 80 | r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
| 81 | &sc); | ||
| 82 | else | ||
| 83 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
| 74 | #else | 84 | #else |
| 75 | r = get_default_context(sename, NULL, &sc); | 85 | if (role != NULL && role[0]) |
| 86 | r = get_default_context_with_role(sename, role, NULL, &sc); | ||
| 87 | else | ||
| 88 | r = get_default_context(sename, NULL, &sc); | ||
| 76 | #endif | 89 | #endif |
| 77 | 90 | ||
| 78 | if (r != 0) { | 91 | if (r != 0) { |
| @@ -102,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname) | |||
| 102 | 115 | ||
| 103 | /* Set the execution context to the default for the specified user */ | 116 | /* Set the execution context to the default for the specified user */ |
| 104 | void | 117 | void |
| 105 | ssh_selinux_setup_exec_context(char *pwname) | 118 | ssh_selinux_setup_exec_context(char *pwname, const char *role) |
| 106 | { | 119 | { |
| 107 | security_context_t user_ctx = NULL; | 120 | security_context_t user_ctx = NULL; |
| 108 | 121 | ||
| @@ -111,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
| 111 | 124 | ||
| 112 | debug3("%s: setting execution context", __func__); | 125 | debug3("%s: setting execution context", __func__); |
| 113 | 126 | ||
| 114 | user_ctx = ssh_selinux_getctxbyname(pwname); | 127 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
| 115 | if (setexeccon(user_ctx) != 0) { | 128 | if (setexeccon(user_ctx) != 0) { |
| 116 | switch (security_getenforce()) { | 129 | switch (security_getenforce()) { |
| 117 | case -1: | 130 | case -1: |
| @@ -133,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
| 133 | 146 | ||
| 134 | /* Set the TTY context for the specified user */ | 147 | /* Set the TTY context for the specified user */ |
| 135 | void | 148 | void |
| 136 | ssh_selinux_setup_pty(char *pwname, const char *tty) | 149 | ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) |
| 137 | { | 150 | { |
| 138 | security_context_t new_tty_ctx = NULL; | 151 | security_context_t new_tty_ctx = NULL; |
| 139 | security_context_t user_ctx = NULL; | 152 | security_context_t user_ctx = NULL; |
| @@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | |||
| 145 | 158 | ||
| 146 | debug3("%s: setting TTY context on %s", __func__, tty); | 159 | debug3("%s: setting TTY context on %s", __func__, tty); |
| 147 | 160 | ||
| 148 | user_ctx = ssh_selinux_getctxbyname(pwname); | 161 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
| 149 | 162 | ||
| 150 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 163 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
| 151 | 164 | ||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index 3c22a854d..c88129428 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h | |||
| @@ -19,8 +19,8 @@ | |||
| 19 | 19 | ||
| 20 | #ifdef WITH_SELINUX | 20 | #ifdef WITH_SELINUX |
| 21 | int ssh_selinux_enabled(void); | 21 | int ssh_selinux_enabled(void); |
| 22 | void ssh_selinux_setup_pty(char *, const char *); | 22 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
| 23 | void ssh_selinux_setup_exec_context(char *); | 23 | void ssh_selinux_setup_exec_context(char *, const char *); |
| 24 | void ssh_selinux_change_context(const char *); | 24 | void ssh_selinux_change_context(const char *); |
| 25 | void ssh_selinux_setfscreatecon(const char *); | 25 | void ssh_selinux_setfscreatecon(const char *); |
| 26 | #endif | 26 | #endif |