-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/selinux-build-failure.patch26
-rw-r--r--debian/patches/selinux-role.patch226
-rw-r--r--monitor.c2
-rw-r--r--openbsd-compat/port-linux.c16
-rw-r--r--openbsd-compat/port-linux.h4
-rw-r--r--platform.c4
-rw-r--r--platform.h2
-rw-r--r--session.c10
-rw-r--r--session.h2
-rw-r--r--sshd.c2
-rw-r--r--sshpty.c4
-rw-r--r--sshpty.h2
13 files changed, 245 insertions, 57 deletions
diff --git a/debian/changelog b/debian/changelog
index b063f0fac..5d1d80e6a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,8 @@ openssh (1:5.7p1-1) UNRELEASED; urgency=low
27 /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config. 27 /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
28 * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support. 28 * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support.
29 * Backport SELinux build fix from CVS. 29 * Backport SELinux build fix from CVS.
30 * Rearrange selinux-role.patch so that it links properly given this
31 SELinux build fix.
30 32
31 -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000 33 -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000
32 34
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch
index 47c953009..fb96e87b9 100644
--- a/debian/patches/selinux-build-failure.patch
+++ b/debian/patches/selinux-build-failure.patch
@@ -90,7 +90,7 @@ Index: b/configure
90 KRB5CONF 90 KRB5CONF
91 PRIVSEP_PATH 91 PRIVSEP_PATH
92 xauth_path 92 xauth_path
93@@ -9047,7 +9159,6 @@ 93@@ -9047,7 +9048,6 @@
94 _ACEOF 94 _ACEOF
95 95
96 SSHDLIBS="$SSHDLIBS -lcontract" 96 SSHDLIBS="$SSHDLIBS -lcontract"
@@ -98,7 +98,7 @@ Index: b/configure
98 SPC_MSG="yes" 98 SPC_MSG="yes"
99 fi 99 fi
100 100
101@@ -9126,7 +9237,6 @@ 101@@ -9126,7 +9126,6 @@
102 _ACEOF 102 _ACEOF
103 103
104 SSHDLIBS="$SSHDLIBS -lproject" 104 SSHDLIBS="$SSHDLIBS -lproject"
@@ -106,7 +106,7 @@ Index: b/configure
106 SP_MSG="yes" 106 SP_MSG="yes"
107 fi 107 fi
108 108
109@@ -27806,6 +27916,7 @@ 109@@ -27806,6 +27805,7 @@
110 { (exit 1); exit 1; }; } 110 { (exit 1); exit 1; }; }
111 fi 111 fi
112 112
@@ -114,7 +114,7 @@ Index: b/configure
114 SSHDLIBS="$SSHDLIBS $LIBSELINUX" 114 SSHDLIBS="$SSHDLIBS $LIBSELINUX"
115 115
116 116
117@@ -27908,6 +28019,8 @@ 117@@ -27908,6 +27908,8 @@
118 fi 118 fi
119 119
120 120
@@ -123,7 +123,7 @@ Index: b/configure
123 # Check whether user wants Kerberos 5 support 123 # Check whether user wants Kerberos 5 support
124 KRB5_MSG="no" 124 KRB5_MSG="no"
125 125
126@@ -31416,7 +31529,6 @@ 126@@ -31416,7 +31418,6 @@
127 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim 127 LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim
128 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim 128 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
129 LD!$LD$ac_delim 129 LD!$LD$ac_delim
@@ -131,7 +131,7 @@ Index: b/configure
131 PKGCONFIG!$PKGCONFIG$ac_delim 131 PKGCONFIG!$PKGCONFIG$ac_delim
132 LIBEDIT!$LIBEDIT$ac_delim 132 LIBEDIT!$LIBEDIT$ac_delim
133 TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim 133 TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim
134@@ -31433,6 +31545,7 @@ 134@@ -31433,6 +31434,7 @@
135 PROG_SAR!$PROG_SAR$ac_delim 135 PROG_SAR!$PROG_SAR$ac_delim
136 PROG_W!$PROG_W$ac_delim 136 PROG_W!$PROG_W$ac_delim
137 PROG_WHO!$PROG_WHO$ac_delim 137 PROG_WHO!$PROG_WHO$ac_delim
@@ -139,7 +139,7 @@ Index: b/configure
139 _ACEOF 139 _ACEOF
140 140
141 if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then 141 if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
142@@ -31474,7 +31587,6 @@ 142@@ -31474,7 +31476,6 @@
143 ac_delim='%!_!# ' 143 ac_delim='%!_!# '
144 for ac_last_try in false false false false false :; do 144 for ac_last_try in false false false false false :; do
145 cat >conf$$subs.sed <<_ACEOF 145 cat >conf$$subs.sed <<_ACEOF
@@ -147,7 +147,7 @@ Index: b/configure
147 PROG_LASTLOG!$PROG_LASTLOG$ac_delim 147 PROG_LASTLOG!$PROG_LASTLOG$ac_delim
148 PROG_DF!$PROG_DF$ac_delim 148 PROG_DF!$PROG_DF$ac_delim
149 PROG_VMSTAT!$PROG_VMSTAT$ac_delim 149 PROG_VMSTAT!$PROG_VMSTAT$ac_delim
150@@ -31482,6 +31594,8 @@ 150@@ -31482,6 +31483,8 @@
151 PROG_IPCS!$PROG_IPCS$ac_delim 151 PROG_IPCS!$PROG_IPCS$ac_delim
152 PROG_TAIL!$PROG_TAIL$ac_delim 152 PROG_TAIL!$PROG_TAIL$ac_delim
153 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim 153 INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
@@ -156,7 +156,7 @@ Index: b/configure
156 KRB5CONF!$KRB5CONF$ac_delim 156 KRB5CONF!$KRB5CONF$ac_delim
157 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim 157 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
158 xauth_path!$xauth_path$ac_delim 158 xauth_path!$xauth_path$ac_delim
159@@ -31496,7 +31610,7 @@ 159@@ -31496,7 +31499,7 @@
160 LTLIBOBJS!$LTLIBOBJS$ac_delim 160 LTLIBOBJS!$LTLIBOBJS$ac_delim
161 _ACEOF 161 _ACEOF
162 162
@@ -165,7 +165,7 @@ Index: b/configure
165 break 165 break
166 elif $ac_last_try; then 166 elif $ac_last_try; then
167 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 167 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
168@@ -31993,6 +32107,9 @@ 168@@ -31993,6 +31996,9 @@
169 if test ! -z "${SSHDLIBS}"; then 169 if test ! -z "${SSHDLIBS}"; then
170 echo " +for sshd: ${SSHDLIBS}" 170 echo " +for sshd: ${SSHDLIBS}"
171 fi 171 fi
@@ -179,7 +179,7 @@ Index: b/openbsd-compat/port-linux.c
179=================================================================== 179===================================================================
180--- a/openbsd-compat/port-linux.c 180--- a/openbsd-compat/port-linux.c
181+++ b/openbsd-compat/port-linux.c 181+++ b/openbsd-compat/port-linux.c
182@@ -222,6 +222,20 @@ 182@@ -218,6 +218,20 @@
183 xfree(oldctx); 183 xfree(oldctx);
184 xfree(newctx); 184 xfree(newctx);
185 } 185 }
@@ -205,8 +205,8 @@ Index: b/openbsd-compat/port-linux.h
205--- a/openbsd-compat/port-linux.h 205--- a/openbsd-compat/port-linux.h
206+++ b/openbsd-compat/port-linux.h 206+++ b/openbsd-compat/port-linux.h
207@@ -24,6 +24,7 @@ 207@@ -24,6 +24,7 @@
208 void ssh_selinux_setup_pty(char *, const char *); 208 void ssh_selinux_setup_pty(char *, const char *, const char *);
209 void ssh_selinux_setup_exec_context(char *); 209 void ssh_selinux_setup_exec_context(char *, const char *);
210 void ssh_selinux_change_context(const char *); 210 void ssh_selinux_change_context(const char *);
211+void ssh_selinux_setfscreatecon(const char *); 211+void ssh_selinux_setfscreatecon(const char *);
212 #endif 212 #endif
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 74cd06201..30db352dd 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -156,6 +156,15 @@ Index: b/monitor.c
156 return (0); 156 return (0);
157 } 157 }
158 158
159@@ -1327,7 +1353,7 @@
160 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
161 if (res == 0)
162 goto error;
163- pty_setowner(authctxt->pw, s->tty);
164+ pty_setowner(authctxt->pw, s->tty, authctxt->role);
165
166 buffer_put_int(m, 1);
167 buffer_put_cstring(m, s->tty);
159Index: b/monitor.h 168Index: b/monitor.h
160=================================================================== 169===================================================================
161--- a/monitor.h 170--- a/monitor.h
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c
247 #include "log.h" 256 #include "log.h"
248 #include "xmalloc.h" 257 #include "xmalloc.h"
249 #include "port-linux.h" 258 #include "port-linux.h"
250@@ -38,6 +44,8 @@ 259@@ -54,9 +60,9 @@
251 #include <selinux/flask.h>
252 #include <selinux/get_context_list.h>
253 260
254+extern Authctxt *the_authctxt; 261 /* Return the default security context for the given username */
255+
256 /* Wrapper around is_selinux_enabled() to log its return value once only */
257 int
258 ssh_selinux_enabled(void)
259@@ -56,8 +64,8 @@
260 static security_context_t 262 static security_context_t
261 ssh_selinux_getctxbyname(char *pwname) 263-ssh_selinux_getctxbyname(char *pwname)
264+ssh_selinux_getctxbyname(char *pwname, const char *role)
262 { 265 {
263- security_context_t sc; 266- security_context_t sc;
264- char *sename = NULL, *lvl = NULL;
265+ security_context_t sc = NULL; 267+ security_context_t sc = NULL;
266+ char *sename = NULL, *role = NULL, *lvl = NULL; 268 char *sename = NULL, *lvl = NULL;
267 int r; 269 int r;
268 270
269 #ifdef HAVE_GETSEUSERBYNAME 271@@ -69,9 +75,16 @@
270@@ -67,11 +75,20 @@
271 sename = pwname;
272 lvl = NULL;
273 #endif 272 #endif
274+ if (the_authctxt)
275+ role = the_authctxt->role;
276 273
277 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 274 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
278- r = get_default_context_with_level(sename, lvl, NULL, &sc); 275- r = get_default_context_with_level(sename, lvl, NULL, &sc);
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c
290 #endif 287 #endif
291 288
292 if (r != 0) { 289 if (r != 0) {
290@@ -102,7 +115,7 @@
291
292 /* Set the execution context to the default for the specified user */
293 void
294-ssh_selinux_setup_exec_context(char *pwname)
295+ssh_selinux_setup_exec_context(char *pwname, const char *role)
296 {
297 security_context_t user_ctx = NULL;
298
299@@ -111,7 +124,7 @@
300
301 debug3("%s: setting execution context", __func__);
302
303- user_ctx = ssh_selinux_getctxbyname(pwname);
304+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
305 if (setexeccon(user_ctx) != 0) {
306 switch (security_getenforce()) {
307 case -1:
308@@ -133,7 +146,7 @@
309
310 /* Set the TTY context for the specified user */
311 void
312-ssh_selinux_setup_pty(char *pwname, const char *tty)
313+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
314 {
315 security_context_t new_tty_ctx = NULL;
316 security_context_t user_ctx = NULL;
317@@ -144,7 +157,7 @@
318
319 debug3("%s: setting TTY context on %s", __func__, tty);
320
321- user_ctx = ssh_selinux_getctxbyname(pwname);
322+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
323
324 /* XXX: should these calls fatal() upon failure in enforcing mode? */
325
326Index: b/openbsd-compat/port-linux.h
327===================================================================
328--- a/openbsd-compat/port-linux.h
329+++ b/openbsd-compat/port-linux.h
330@@ -21,8 +21,8 @@
331
332 #ifdef WITH_SELINUX
333 int ssh_selinux_enabled(void);
334-void ssh_selinux_setup_pty(char *, const char *);
335-void ssh_selinux_setup_exec_context(char *);
336+void ssh_selinux_setup_pty(char *, const char *, const char *);
337+void ssh_selinux_setup_exec_context(char *, const char *);
338 void ssh_selinux_change_context(const char *);
339 #endif
340
341Index: b/platform.c
342===================================================================
343--- a/platform.c
344+++ b/platform.c
345@@ -134,7 +134,7 @@
346 * called if sshd is running as root.
347 */
348 void
349-platform_setusercontext_post_groups(struct passwd *pw)
350+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
351 {
352 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
353 /*
354@@ -181,7 +181,7 @@
355 }
356 #endif /* HAVE_SETPCRED */
357 #ifdef WITH_SELINUX
358- ssh_selinux_setup_exec_context(pw->pw_name);
359+ ssh_selinux_setup_exec_context(pw->pw_name, role);
360 #endif
361 }
362
363Index: b/platform.h
364===================================================================
365--- a/platform.h
366+++ b/platform.h
367@@ -26,7 +26,7 @@
368 void platform_post_fork_child(void);
369 int platform_privileged_uidswap(void);
370 void platform_setusercontext(struct passwd *);
371-void platform_setusercontext_post_groups(struct passwd *);
372+void platform_setusercontext_post_groups(struct passwd *, const char *);
373 char *platform_get_krb5_client(const char *);
374 char *platform_krb5_get_principal_name(const char *);
375
376Index: b/session.c
377===================================================================
378--- a/session.c
379+++ b/session.c
380@@ -1467,7 +1467,7 @@
381
382 /* Set login name, uid, gid, and groups. */
383 void
384-do_setusercontext(struct passwd *pw)
385+do_setusercontext(struct passwd *pw, const char *role)
386 {
387 char *chroot_path, *tmp;
388
389@@ -1495,7 +1495,7 @@
390 endgrent();
391 #endif
392
393- platform_setusercontext_post_groups(pw);
394+ platform_setusercontext_post_groups(pw, role);
395
396 if (options.chroot_directory != NULL &&
397 strcasecmp(options.chroot_directory, "none") != 0) {
398@@ -1618,7 +1618,7 @@
399
400 /* Force a password change */
401 if (s->authctxt->force_pwchange) {
402- do_setusercontext(pw);
403+ do_setusercontext(pw, s->authctxt->role);
404 child_close_fds();
405 do_pwchange(s);
406 exit(1);
407@@ -1645,7 +1645,7 @@
408 /* When PAM is enabled we rely on it to do the nologin check */
409 if (!options.use_pam)
410 do_nologin(pw);
411- do_setusercontext(pw);
412+ do_setusercontext(pw, s->authctxt->role);
413 /*
414 * PAM session modules in do_setusercontext may have
415 * generated messages, so if this in an interactive
416@@ -2057,7 +2057,7 @@
417 tty_parse_modes(s->ttyfd, &n_bytes);
418
419 if (!use_privsep)
420- pty_setowner(s->pw, s->tty);
421+ pty_setowner(s->pw, s->tty, s->authctxt->role);
422
423 /* Set window size from the packet. */
424 pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
425Index: b/session.h
426===================================================================
427--- a/session.h
428+++ b/session.h
429@@ -76,7 +76,7 @@
430 Session *session_new(void);
431 Session *session_by_tty(char *);
432 void session_close(Session *);
433-void do_setusercontext(struct passwd *);
434+void do_setusercontext(struct passwd *, const char *);
435 void child_set_env(char ***envp, u_int *envsizep, const char *name,
436 const char *value);
437
438Index: b/sshd.c
439===================================================================
440--- a/sshd.c
441+++ b/sshd.c
442@@ -707,7 +707,7 @@
443 RAND_seed(rnd, sizeof(rnd));
444
445 /* Drop privileges */
446- do_setusercontext(authctxt->pw);
447+ do_setusercontext(authctxt->pw, authctxt->role);
448
449 skip:
450 /* It is safe now to apply the key state */
451Index: b/sshpty.c
452===================================================================
453--- a/sshpty.c
454+++ b/sshpty.c
455@@ -200,7 +200,7 @@
456 }
457
458 void
459-pty_setowner(struct passwd *pw, const char *tty)
460+pty_setowner(struct passwd *pw, const char *tty, const char *role)
461 {
462 struct group *grp;
463 gid_t gid;
464@@ -227,7 +227,7 @@
465 strerror(errno));
466
467 #ifdef WITH_SELINUX
468- ssh_selinux_setup_pty(pw->pw_name, tty);
469+ ssh_selinux_setup_pty(pw->pw_name, tty, role);
470 #endif
471
472 if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
473Index: b/sshpty.h
474===================================================================
475--- a/sshpty.h
476+++ b/sshpty.h
477@@ -24,4 +24,4 @@
478 void pty_release(const char *);
479 void pty_make_controlling_tty(int *, const char *);
480 void pty_change_window_size(int, u_int, u_int, u_int, u_int);
481-void pty_setowner(struct passwd *, const char *);
482+void pty_setowner(struct passwd *, const char *, const char *);
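--- a/monitor.c
+++ b/monitor.c
@@ -1353,7 +1353,7 @@ mm_answer_pty(int sock, Buffer *m)
 	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
 	if (res == 0)
 		goto error;
-	pty_setowner(authctxt->pw, s->tty);
+	pty_setowner(authctxt->pw, s->tty, authctxt->role);
 
 	buffer_put_int(m, 1);
 	buffer_put_cstring(m, s->tty);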
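--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -44,8 +44,6 @@
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
-extern Authctxt *the_authctxt;
-
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
@@ -62,10 +60,10 @@ ssh_selinux_enabled(void)
 
 /* Return the default security context for the given username */
 static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
 	security_context_t sc = NULL;
-	char *sename = NULL, *role = NULL, *lvl = NULL;
+	char *sename = NULL, *lvl = NULL;
 	int r;
 
 #ifdef HAVE_GETSEUSERBYNAME
@@ -75,8 +73,6 @@ ssh_selinux_getctxbyname(char *pwname)
 	sename = pwname;
 	lvl = NULL;
 #endif
-	if (the_authctxt)
-		role = the_authctxt->role;
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
 	if (role != NULL && role[0])
@@ -119,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname)
 
 /* Set the execution context to the default for the specified user */
 void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
 {
 	security_context_t user_ctx = NULL;
 
@@ -128,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 	debug3("%s: setting execution context", __func__);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 	if (setexeccon(user_ctx) != 0) {
 		switch (security_getenforce()) {
 		case -1:
@@ -150,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 /* Set the TTY context for the specified user */
 void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
 {
 	security_context_t new_tty_ctx = NULL;
 	security_context_t user_ctx = NULL;
@@ -161,7 +157,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 
 	debug3("%s: setting TTY context on %s", __func__, tty);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 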
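Review bot: The comment above ssh_selinux_getctxbyname, `/* Return the default security context for the given username */`, is now stale: the function takes a role and, per the `if (role != NULL && role[0])` guard at the end of the third hunk, only falls back to the user's default context when no role was supplied; suggest `/* Return the security context for the given username: the default context when role is NULL or empty, else the context for that role. */`. Because role is now a parameter instead of being read from the global the_authctxt, the caller decides what reaches the SELinux lookup, and if that value originates from the client login name (as the patch name suggests, the hunk does not show it) it is untrusted input whose safety rests entirely on the library refusing roles the SELinux user is not allowed — worth a one-line comment at the guard, `/* role is caller-supplied; the lookup below must reject roles not permitted for sename */`. A smaller style point: pwname is still `char *` although it is only passed on, so `const char *pwname` would fit the new `const char *role` beside it. The body of ssh_selinux_getctxbyname and both setup functions continue outside the hunks.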
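--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -21,8 +21,8 @@
 
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
-void ssh_selinux_setup_pty(char *, const char *);
-void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_setup_pty(char *, const char *, const char *);
+void ssh_selinux_setup_exec_context(char *, const char *);
 void ssh_selinux_change_context(const char *);
 void ssh_selinux_setfscreatecon(const char *);
 #endif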
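--- a/platform.c
+++ b/platform.c
@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw)
  * called if sshd is running as root.
  */
 void
-platform_setusercontext_post_groups(struct passwd *pw)
+platform_setusercontext_post_groups(struct passwd *pw, const char *role)
 {
 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
 	/*
@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
 	}
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
-	ssh_selinux_setup_exec_context(pw->pw_name);
+	ssh_selinux_setup_exec_context(pw->pw_name, role);
 #endif
 }
 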
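--- a/platform.h
+++ b/platform.h
@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid);
 void platform_post_fork_child(void);
 int platform_privileged_uidswap(void);
 void platform_setusercontext(struct passwd *);
-void platform_setusercontext_post_groups(struct passwd *);
+void platform_setusercontext_post_groups(struct passwd *, const char *);
 char *platform_get_krb5_client(const char *);
 char *platform_krb5_get_principal_name(const char *);
 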
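--- a/session.c
+++ b/session.c
@@ -1467,7 +1467,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
 	char *chroot_path, *tmp;
 
@@ -1495,7 +1495,7 @@ do_setusercontext(struct passwd *pw)
 	endgrent();
 #endif
 
-	platform_setusercontext_post_groups(pw);
+	platform_setusercontext_post_groups(pw, role);
 
 	if (options.chroot_directory != NULL &&
 	    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1618,7 +1618,7 @@ do_child(Session *s, const char *command)
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-		do_setusercontext(pw);
+		do_setusercontext(pw, s->authctxt->role);
 		child_close_fds();
 		do_pwchange(s);
 		exit(1);
@@ -1645,7 +1645,7 @@ do_child(Session *s, const char *command)
 	/* When PAM is enabled we rely on it to do the nologin check */
 	if (!options.use_pam)
 		do_nologin(pw);
-	do_setusercontext(pw);
+	do_setusercontext(pw, s->authctxt->role);
 	/*
 	 * PAM session modules in do_setusercontext may have
 	 * generated messages, so if this in an interactive
@@ -2057,7 +2057,7 @@ session_pty_req(Session *s)
 	tty_parse_modes(s->ttyfd, &n_bytes);
 
 	if (!use_privsep)
-		pty_setowner(s->pw, s->tty);
+		pty_setowner(s->pw, s->tty, s->authctxt->role);
 
 	/* Set window size from the packet. */
 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);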
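Review bot: The header comment `/* Set login name, uid, gid, and groups. */` on do_setusercontext no longer describes the function, which now also hands role to platform_setusercontext_post_groups and, under WITH_SELINUX, on to the exec-context setup; suggest `/* Set login name, uid, gid, groups and, with SELinux, the exec context for the given role (NULL selects the user's default). */`. Every call site in this file passes s->authctxt->role, which is what keeps the tty label applied in session_pty_req and the exec label applied from do_child derived from a single value; a one-line comment at the pty_setowner call, `/* must be the same role the exec context is set up with */`, would make that invariant explicit for the next caller. The s->authctxt dereference added in session_pty_req assumes the session was opened with an authctxt attached, which the hunk does not show. do_setusercontext, do_child and session_pty_req all extend beyond their hunks.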
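--- a/session.h
+++ b/session.h
@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
 Session *session_new(void);
 Session *session_by_tty(char *);
 void session_close(Session *);
-void do_setusercontext(struct passwd *);
+void do_setusercontext(struct passwd *, const char *);
 void child_set_env(char ***envp, u_int *envsizep, const char *name,
     const char *value);
 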
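--- a/sshd.c
+++ b/sshd.c
@@ -708,7 +708,7 @@ privsep_postauth(Authctxt *authctxt)
 	RAND_seed(rnd, sizeof(rnd));
 
 	/* Drop privileges */
-	do_setusercontext(authctxt->pw);
+	do_setusercontext(authctxt->pw, authctxt->role);
 
  skip:
 	/* It is safe now to apply the key state */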
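--- a/sshpty.c
+++ b/sshpty.c
@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
 }
 
 void
-pty_setowner(struct passwd *pw, const char *tty)
+pty_setowner(struct passwd *pw, const char *tty, const char *role)
 {
 	struct group *grp;
 	gid_t gid;
@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty)
 		    strerror(errno));
 
 #ifdef WITH_SELINUX
-	ssh_selinux_setup_pty(pw->pw_name, tty, role);
+	ssh_selinux_setup_pty(pw->pw_name, tty, role);
 #endif
 
 	if (st.st_uid != pw->pw_uid || st.st_gid != gid) {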
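Review bot: pty_setowner now takes a role whose meaning is stated nowhere in sshpty.c: it is consumed only under WITH_SELINUX by ssh_selinux_setup_pty, and what NULL means is decided by that callee. A comment above the definition would save the next caller a trip into port-linux.c, e.g. `/* role: SELinux role for the tty label, NULL/empty for the user's default; ignored without WITH_SELINUX. Pass the same role the session's exec context is set up with. */`. The tty label is applied on the privileged side (the monitor, or sshd without privsep), so a caller that supplies a role differing from the one later used for the exec context would label the tty for a different domain than the shell runs in; the consequence under a given policy is not shown here and should be confirmed rather than assumed. pty_setowner's body continues outside both hunks.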
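--- a/sshpty.h
+++ b/sshpty.h
@@ -24,4 +24,4 @@ int pty_allocate(int *, int *, char *, size_t);
 void pty_release(const char *);
 void pty_make_controlling_tty(int *, const char *);
 void pty_change_window_size(int, u_int, u_int, u_int, u_int);
-void pty_setowner(struct passwd *, const char *);
+void pty_setowner(struct passwd *, const char *, const char *);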