upstream commit

add sshd_config RDomain keyword to place sshd and the
subsequent user session (including the shell and any TCP/IP forwardings) into
the specified rdomain(4)

ok markus@

Upstream-ID: be2358e86346b5cacf20d90f59f980b87d1af0f5

1 files changed, 29 insertions, 1 deletions

diff --git a/sshd.c b/sshd.c
index 93b02b6c8..3ad106f72 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.494 2017/10/25 00:15:35 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.495 2017/10/25 00:17:08 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1368,6 +1368,31 @@ check_ip_options(struct ssh *ssh)
 #endif /* IP_OPTIONS */
 }
 
+/* Set the routing domain for this process */
+static void
+set_process_rdomain(struct ssh *ssh, const char *name)
+{
+        int rtable, ortable = getrtable();
+        const char *errstr;
+
+        if (name == NULL)
+                return; /* default */
+
+        if (strcmp(name, "%D") == 0) {
+                /* "expands" to routing domain of connection */
+                if ((name = ssh_packet_rdomain_in(ssh)) == NULL)
+                        return;
+        }
+
+        rtable = (int)strtonum(name, 0, 255, &errstr);
+        if (errstr != NULL) /* Shouldn't happen */
+                fatal("Invalid routing domain \"%s\": %s", name, errstr);
+        if (rtable != ortable && setrtable(rtable) != 0)
+                fatal("Unable to set routing domain %d: %s",
+                    rtable, strerror(errno));
+        debug("%s: set routing domain %d (was %d)", __func__, rtable, ortable);
+}
+
 /*
  * Main program for the daemon.
  */
@@ -1983,6 +2008,9 @@ main(int ac, char **av)
                 cleanup_exit(255);
         }
 
+        if (options.routing_domain != NULL)
+                set_process_rdomain(ssh, options.routing_domain);
+
         /*
          * The rest of the code depends on the fact that
          * ssh_remote_ipaddr() caches the remote ip, even if