-rw-r--r-- | debian/changelog | 2 | ||||
-rw-r--r-- | debian/patches/selinux-build-failure.patch | 26 | ||||
-rw-r--r-- | debian/patches/selinux-role.patch | 226 | ||||
-rw-r--r-- | monitor.c | 2 | ||||
-rw-r--r-- | openbsd-compat/port-linux.c | 16 | ||||
-rw-r--r-- | openbsd-compat/port-linux.h | 4 | ||||
-rw-r--r-- | platform.c | 4 | ||||
-rw-r--r-- | platform.h | 2 | ||||
-rw-r--r-- | session.c | 10 | ||||
-rw-r--r-- | session.h | 2 | ||||
-rw-r--r-- | sshd.c | 2 | ||||
-rw-r--r-- | sshpty.c | 4 | ||||
-rw-r--r-- | sshpty.h | 2 |
13 files changed, 245 insertions, 57 deletions
diff --git a/debian/changelog b/debian/changelog index b063f0fac..5d1d80e6a 100644 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -27,6 +27,8 @@ openssh (1:5.7p1-1) UNRELEASED; urgency=low | |||
27 | /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config. | 27 | /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config. |
28 | * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support. | 28 | * Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support. |
29 | * Backport SELinux build fix from CVS. | 29 | * Backport SELinux build fix from CVS. |
30 | * Rearrange selinux-role.patch so that it links properly given this | ||
31 | SELinux build fix. | ||
30 | 32 | ||
31 | -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000 | 33 | -- Colin Watson <cjwatson@debian.org> Mon, 24 Jan 2011 12:07:24 +0000 |
32 | 34 | ||
diff --git a/debian/patches/selinux-build-failure.patch b/debian/patches/selinux-build-failure.patch index 47c953009..fb96e87b9 100644 --- a/debian/patches/selinux-build-failure.patch +++ b/debian/patches/selinux-build-failure.patch | |||
@@ -90,7 +90,7 @@ Index: b/configure | |||
90 | KRB5CONF | 90 | KRB5CONF |
91 | PRIVSEP_PATH | 91 | PRIVSEP_PATH |
92 | xauth_path | 92 | xauth_path |
93 | @@ -9047,7 +9159,6 @@ | 93 | @@ -9047,7 +9048,6 @@ |
94 | _ACEOF | 94 | _ACEOF |
95 | 95 | ||
96 | SSHDLIBS="$SSHDLIBS -lcontract" | 96 | SSHDLIBS="$SSHDLIBS -lcontract" |
@@ -98,7 +98,7 @@ Index: b/configure | |||
98 | SPC_MSG="yes" | 98 | SPC_MSG="yes" |
99 | fi | 99 | fi |
100 | 100 | ||
101 | @@ -9126,7 +9237,6 @@ | 101 | @@ -9126,7 +9126,6 @@ |
102 | _ACEOF | 102 | _ACEOF |
103 | 103 | ||
104 | SSHDLIBS="$SSHDLIBS -lproject" | 104 | SSHDLIBS="$SSHDLIBS -lproject" |
@@ -106,7 +106,7 @@ Index: b/configure | |||
106 | SP_MSG="yes" | 106 | SP_MSG="yes" |
107 | fi | 107 | fi |
108 | 108 | ||
109 | @@ -27806,6 +27916,7 @@ | 109 | @@ -27806,6 +27805,7 @@ |
110 | { (exit 1); exit 1; }; } | 110 | { (exit 1); exit 1; }; } |
111 | fi | 111 | fi |
112 | 112 | ||
@@ -114,7 +114,7 @@ Index: b/configure | |||
114 | SSHDLIBS="$SSHDLIBS $LIBSELINUX" | 114 | SSHDLIBS="$SSHDLIBS $LIBSELINUX" |
115 | 115 | ||
116 | 116 | ||
117 | @@ -27908,6 +28019,8 @@ | 117 | @@ -27908,6 +27908,8 @@ |
118 | fi | 118 | fi |
119 | 119 | ||
120 | 120 | ||
@@ -123,7 +123,7 @@ Index: b/configure | |||
123 | # Check whether user wants Kerberos 5 support | 123 | # Check whether user wants Kerberos 5 support |
124 | KRB5_MSG="no" | 124 | KRB5_MSG="no" |
125 | 125 | ||
126 | @@ -31416,7 +31529,6 @@ | 126 | @@ -31416,7 +31418,6 @@ |
127 | LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim | 127 | LOGIN_PROGRAM_FALLBACK!$LOGIN_PROGRAM_FALLBACK$ac_delim |
128 | PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim | 128 | PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim |
129 | LD!$LD$ac_delim | 129 | LD!$LD$ac_delim |
@@ -131,7 +131,7 @@ Index: b/configure | |||
131 | PKGCONFIG!$PKGCONFIG$ac_delim | 131 | PKGCONFIG!$PKGCONFIG$ac_delim |
132 | LIBEDIT!$LIBEDIT$ac_delim | 132 | LIBEDIT!$LIBEDIT$ac_delim |
133 | TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim | 133 | TEST_SSH_SHA256!$TEST_SSH_SHA256$ac_delim |
134 | @@ -31433,6 +31545,7 @@ | 134 | @@ -31433,6 +31434,7 @@ |
135 | PROG_SAR!$PROG_SAR$ac_delim | 135 | PROG_SAR!$PROG_SAR$ac_delim |
136 | PROG_W!$PROG_W$ac_delim | 136 | PROG_W!$PROG_W$ac_delim |
137 | PROG_WHO!$PROG_WHO$ac_delim | 137 | PROG_WHO!$PROG_WHO$ac_delim |
@@ -139,7 +139,7 @@ Index: b/configure | |||
139 | _ACEOF | 139 | _ACEOF |
140 | 140 | ||
141 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then | 141 | if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then |
142 | @@ -31474,7 +31587,6 @@ | 142 | @@ -31474,7 +31476,6 @@ |
143 | ac_delim='%!_!# ' | 143 | ac_delim='%!_!# ' |
144 | for ac_last_try in false false false false false :; do | 144 | for ac_last_try in false false false false false :; do |
145 | cat >conf$$subs.sed <<_ACEOF | 145 | cat >conf$$subs.sed <<_ACEOF |
@@ -147,7 +147,7 @@ Index: b/configure | |||
147 | PROG_LASTLOG!$PROG_LASTLOG$ac_delim | 147 | PROG_LASTLOG!$PROG_LASTLOG$ac_delim |
148 | PROG_DF!$PROG_DF$ac_delim | 148 | PROG_DF!$PROG_DF$ac_delim |
149 | PROG_VMSTAT!$PROG_VMSTAT$ac_delim | 149 | PROG_VMSTAT!$PROG_VMSTAT$ac_delim |
150 | @@ -31482,6 +31594,8 @@ | 150 | @@ -31482,6 +31483,8 @@ |
151 | PROG_IPCS!$PROG_IPCS$ac_delim | 151 | PROG_IPCS!$PROG_IPCS$ac_delim |
152 | PROG_TAIL!$PROG_TAIL$ac_delim | 152 | PROG_TAIL!$PROG_TAIL$ac_delim |
153 | INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim | 153 | INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim |
@@ -156,7 +156,7 @@ Index: b/configure | |||
156 | KRB5CONF!$KRB5CONF$ac_delim | 156 | KRB5CONF!$KRB5CONF$ac_delim |
157 | PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim | 157 | PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim |
158 | xauth_path!$xauth_path$ac_delim | 158 | xauth_path!$xauth_path$ac_delim |
159 | @@ -31496,7 +31610,7 @@ | 159 | @@ -31496,7 +31499,7 @@ |
160 | LTLIBOBJS!$LTLIBOBJS$ac_delim | 160 | LTLIBOBJS!$LTLIBOBJS$ac_delim |
161 | _ACEOF | 161 | _ACEOF |
162 | 162 | ||
@@ -165,7 +165,7 @@ Index: b/configure | |||
165 | break | 165 | break |
166 | elif $ac_last_try; then | 166 | elif $ac_last_try; then |
167 | { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 | 167 | { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 |
168 | @@ -31993,6 +32107,9 @@ | 168 | @@ -31993,6 +31996,9 @@ |
169 | if test ! -z "${SSHDLIBS}"; then | 169 | if test ! -z "${SSHDLIBS}"; then |
170 | echo " +for sshd: ${SSHDLIBS}" | 170 | echo " +for sshd: ${SSHDLIBS}" |
171 | fi | 171 | fi |
@@ -179,7 +179,7 @@ Index: b/openbsd-compat/port-linux.c | |||
179 | =================================================================== | 179 | =================================================================== |
180 | --- a/openbsd-compat/port-linux.c | 180 | --- a/openbsd-compat/port-linux.c |
181 | +++ b/openbsd-compat/port-linux.c | 181 | +++ b/openbsd-compat/port-linux.c |
182 | @@ -222,6 +222,20 @@ | 182 | @@ -218,6 +218,20 @@ |
183 | xfree(oldctx); | 183 | xfree(oldctx); |
184 | xfree(newctx); | 184 | xfree(newctx); |
185 | } | 185 | } |
@@ -205,8 +205,8 @@ Index: b/openbsd-compat/port-linux.h | |||
205 | --- a/openbsd-compat/port-linux.h | 205 | --- a/openbsd-compat/port-linux.h |
206 | +++ b/openbsd-compat/port-linux.h | 206 | +++ b/openbsd-compat/port-linux.h |
207 | @@ -24,6 +24,7 @@ | 207 | @@ -24,6 +24,7 @@ |
208 | void ssh_selinux_setup_pty(char *, const char *); | 208 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
209 | void ssh_selinux_setup_exec_context(char *); | 209 | void ssh_selinux_setup_exec_context(char *, const char *); |
210 | void ssh_selinux_change_context(const char *); | 210 | void ssh_selinux_change_context(const char *); |
211 | +void ssh_selinux_setfscreatecon(const char *); | 211 | +void ssh_selinux_setfscreatecon(const char *); |
212 | #endif | 212 | #endif |
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 74cd06201..30db352dd 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -156,6 +156,15 @@ Index: b/monitor.c | |||
156 | return (0); | 156 | return (0); |
157 | } | 157 | } |
158 | 158 | ||
159 | @@ -1327,7 +1353,7 @@ | ||
160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | ||
161 | if (res == 0) | ||
162 | goto error; | ||
163 | - pty_setowner(authctxt->pw, s->tty); | ||
164 | + pty_setowner(authctxt->pw, s->tty, authctxt->role); | ||
165 | |||
166 | buffer_put_int(m, 1); | ||
167 | buffer_put_cstring(m, s->tty); | ||
159 | Index: b/monitor.h | 168 | Index: b/monitor.h |
160 | =================================================================== | 169 | =================================================================== |
161 | --- a/monitor.h | 170 | --- a/monitor.h |
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c | |||
247 | #include "log.h" | 256 | #include "log.h" |
248 | #include "xmalloc.h" | 257 | #include "xmalloc.h" |
249 | #include "port-linux.h" | 258 | #include "port-linux.h" |
250 | @@ -38,6 +44,8 @@ | 259 | @@ -54,9 +60,9 @@ |
251 | #include <selinux/flask.h> | ||
252 | #include <selinux/get_context_list.h> | ||
253 | 260 | ||
254 | +extern Authctxt *the_authctxt; | 261 | /* Return the default security context for the given username */ |
255 | + | ||
256 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | ||
257 | int | ||
258 | ssh_selinux_enabled(void) | ||
259 | @@ -56,8 +64,8 @@ | ||
260 | static security_context_t | 262 | static security_context_t |
261 | ssh_selinux_getctxbyname(char *pwname) | 263 | -ssh_selinux_getctxbyname(char *pwname) |
264 | +ssh_selinux_getctxbyname(char *pwname, const char *role) | ||
262 | { | 265 | { |
263 | - security_context_t sc; | 266 | - security_context_t sc; |
264 | - char *sename = NULL, *lvl = NULL; | ||
265 | + security_context_t sc = NULL; | 267 | + security_context_t sc = NULL; |
266 | + char *sename = NULL, *role = NULL, *lvl = NULL; | 268 | char *sename = NULL, *lvl = NULL; |
267 | int r; | 269 | int r; |
268 | 270 | ||
269 | #ifdef HAVE_GETSEUSERBYNAME | 271 | @@ -69,9 +75,16 @@ |
270 | @@ -67,11 +75,20 @@ | ||
271 | sename = pwname; | ||
272 | lvl = NULL; | ||
273 | #endif | 272 | #endif |
274 | + if (the_authctxt) | ||
275 | + role = the_authctxt->role; | ||
276 | 273 | ||
277 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 274 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
278 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); | 275 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); |
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c | |||
290 | #endif | 287 | #endif |
291 | 288 | ||
292 | if (r != 0) { | 289 | if (r != 0) { |
290 | @@ -102,7 +115,7 @@ | ||
291 | |||
292 | /* Set the execution context to the default for the specified user */ | ||
293 | void | ||
294 | -ssh_selinux_setup_exec_context(char *pwname) | ||
295 | +ssh_selinux_setup_exec_context(char *pwname, const char *role) | ||
296 | { | ||
297 | security_context_t user_ctx = NULL; | ||
298 | |||
299 | @@ -111,7 +124,7 @@ | ||
300 | |||
301 | debug3("%s: setting execution context", __func__); | ||
302 | |||
303 | - user_ctx = ssh_selinux_getctxbyname(pwname); | ||
304 | + user_ctx = ssh_selinux_getctxbyname(pwname, role); | ||
305 | if (setexeccon(user_ctx) != 0) { | ||
306 | switch (security_getenforce()) { | ||
307 | case -1: | ||
308 | @@ -133,7 +146,7 @@ | ||
309 | |||
310 | /* Set the TTY context for the specified user */ | ||
311 | void | ||
312 | -ssh_selinux_setup_pty(char *pwname, const char *tty) | ||
313 | +ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) | ||
314 | { | ||
315 | security_context_t new_tty_ctx = NULL; | ||
316 | security_context_t user_ctx = NULL; | ||
317 | @@ -144,7 +157,7 @@ | ||
318 | |||
319 | debug3("%s: setting TTY context on %s", __func__, tty); | ||
320 | |||
321 | - user_ctx = ssh_selinux_getctxbyname(pwname); | ||
322 | + user_ctx = ssh_selinux_getctxbyname(pwname, role); | ||
323 | |||
324 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | ||
325 | |||
326 | Index: b/openbsd-compat/port-linux.h | ||
327 | =================================================================== | ||
328 | --- a/openbsd-compat/port-linux.h | ||
329 | +++ b/openbsd-compat/port-linux.h | ||
330 | @@ -21,8 +21,8 @@ | ||
331 | |||
332 | #ifdef WITH_SELINUX | ||
333 | int ssh_selinux_enabled(void); | ||
334 | -void ssh_selinux_setup_pty(char *, const char *); | ||
335 | -void ssh_selinux_setup_exec_context(char *); | ||
336 | +void ssh_selinux_setup_pty(char *, const char *, const char *); | ||
337 | +void ssh_selinux_setup_exec_context(char *, const char *); | ||
338 | void ssh_selinux_change_context(const char *); | ||
339 | #endif | ||
340 | |||
341 | Index: b/platform.c | ||
342 | =================================================================== | ||
343 | --- a/platform.c | ||
344 | +++ b/platform.c | ||
345 | @@ -134,7 +134,7 @@ | ||
346 | * called if sshd is running as root. | ||
347 | */ | ||
348 | void | ||
349 | -platform_setusercontext_post_groups(struct passwd *pw) | ||
350 | +platform_setusercontext_post_groups(struct passwd *pw, const char *role) | ||
351 | { | ||
352 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | ||
353 | /* | ||
354 | @@ -181,7 +181,7 @@ | ||
355 | } | ||
356 | #endif /* HAVE_SETPCRED */ | ||
357 | #ifdef WITH_SELINUX | ||
358 | - ssh_selinux_setup_exec_context(pw->pw_name); | ||
359 | + ssh_selinux_setup_exec_context(pw->pw_name, role); | ||
360 | #endif | ||
361 | } | ||
362 | |||
363 | Index: b/platform.h | ||
364 | =================================================================== | ||
365 | --- a/platform.h | ||
366 | +++ b/platform.h | ||
367 | @@ -26,7 +26,7 @@ | ||
368 | void platform_post_fork_child(void); | ||
369 | int platform_privileged_uidswap(void); | ||
370 | void platform_setusercontext(struct passwd *); | ||
371 | -void platform_setusercontext_post_groups(struct passwd *); | ||
372 | +void platform_setusercontext_post_groups(struct passwd *, const char *); | ||
373 | char *platform_get_krb5_client(const char *); | ||
374 | char *platform_krb5_get_principal_name(const char *); | ||
375 | |||
376 | Index: b/session.c | ||
377 | =================================================================== | ||
378 | --- a/session.c | ||
379 | +++ b/session.c | ||
380 | @@ -1467,7 +1467,7 @@ | ||
381 | |||
382 | /* Set login name, uid, gid, and groups. */ | ||
383 | void | ||
384 | -do_setusercontext(struct passwd *pw) | ||
385 | +do_setusercontext(struct passwd *pw, const char *role) | ||
386 | { | ||
387 | char *chroot_path, *tmp; | ||
388 | |||
389 | @@ -1495,7 +1495,7 @@ | ||
390 | endgrent(); | ||
391 | #endif | ||
392 | |||
393 | - platform_setusercontext_post_groups(pw); | ||
394 | + platform_setusercontext_post_groups(pw, role); | ||
395 | |||
396 | if (options.chroot_directory != NULL && | ||
397 | strcasecmp(options.chroot_directory, "none") != 0) { | ||
398 | @@ -1618,7 +1618,7 @@ | ||
399 | |||
400 | /* Force a password change */ | ||
401 | if (s->authctxt->force_pwchange) { | ||
402 | - do_setusercontext(pw); | ||
403 | + do_setusercontext(pw, s->authctxt->role); | ||
404 | child_close_fds(); | ||
405 | do_pwchange(s); | ||
406 | exit(1); | ||
407 | @@ -1645,7 +1645,7 @@ | ||
408 | /* When PAM is enabled we rely on it to do the nologin check */ | ||
409 | if (!options.use_pam) | ||
410 | do_nologin(pw); | ||
411 | - do_setusercontext(pw); | ||
412 | + do_setusercontext(pw, s->authctxt->role); | ||
413 | /* | ||
414 | * PAM session modules in do_setusercontext may have | ||
415 | * generated messages, so if this in an interactive | ||
416 | @@ -2057,7 +2057,7 @@ | ||
417 | tty_parse_modes(s->ttyfd, &n_bytes); | ||
418 | |||
419 | if (!use_privsep) | ||
420 | - pty_setowner(s->pw, s->tty); | ||
421 | + pty_setowner(s->pw, s->tty, s->authctxt->role); | ||
422 | |||
423 | /* Set window size from the packet. */ | ||
424 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | ||
425 | Index: b/session.h | ||
426 | =================================================================== | ||
427 | --- a/session.h | ||
428 | +++ b/session.h | ||
429 | @@ -76,7 +76,7 @@ | ||
430 | Session *session_new(void); | ||
431 | Session *session_by_tty(char *); | ||
432 | void session_close(Session *); | ||
433 | -void do_setusercontext(struct passwd *); | ||
434 | +void do_setusercontext(struct passwd *, const char *); | ||
435 | void child_set_env(char ***envp, u_int *envsizep, const char *name, | ||
436 | const char *value); | ||
437 | |||
438 | Index: b/sshd.c | ||
439 | =================================================================== | ||
440 | --- a/sshd.c | ||
441 | +++ b/sshd.c | ||
442 | @@ -707,7 +707,7 @@ | ||
443 | RAND_seed(rnd, sizeof(rnd)); | ||
444 | |||
445 | /* Drop privileges */ | ||
446 | - do_setusercontext(authctxt->pw); | ||
447 | + do_setusercontext(authctxt->pw, authctxt->role); | ||
448 | |||
449 | skip: | ||
450 | /* It is safe now to apply the key state */ | ||
451 | Index: b/sshpty.c | ||
452 | =================================================================== | ||
453 | --- a/sshpty.c | ||
454 | +++ b/sshpty.c | ||
455 | @@ -200,7 +200,7 @@ | ||
456 | } | ||
457 | |||
458 | void | ||
459 | -pty_setowner(struct passwd *pw, const char *tty) | ||
460 | +pty_setowner(struct passwd *pw, const char *tty, const char *role) | ||
461 | { | ||
462 | struct group *grp; | ||
463 | gid_t gid; | ||
464 | @@ -227,7 +227,7 @@ | ||
465 | strerror(errno)); | ||
466 | |||
467 | #ifdef WITH_SELINUX | ||
468 | - ssh_selinux_setup_pty(pw->pw_name, tty); | ||
469 | + ssh_selinux_setup_pty(pw->pw_name, tty, role); | ||
470 | #endif | ||
471 | |||
472 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { | ||
473 | Index: b/sshpty.h | ||
474 | =================================================================== | ||
475 | --- a/sshpty.h | ||
476 | +++ b/sshpty.h | ||
477 | @@ -24,4 +24,4 @@ | ||
478 | void pty_release(const char *); | ||
479 | void pty_make_controlling_tty(int *, const char *); | ||
480 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); | ||
481 | -void pty_setowner(struct passwd *, const char *); | ||
482 | +void pty_setowner(struct passwd *, const char *, const char *); | ||
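Review bot: The new `role` argument of `ssh_selinux_getctxbyname` has no stated contract, and the only visible guard is `if (role != NULL && role[0])` in the HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL branch (port-linux.c, new line 78); whether the `#else` branch tolerates a NULL or empty role is outside the hunk and should be confirmed, because callers without a role may now pass NULL. The removed `if (the_authctxt) role = the_authctxt->role;` also guarded against a missing authctxt, and that responsibility now sits with every caller — in `session_pty_req` the `!use_privsep` path dereferences `s->authctxt->role` with no visible check that `s->authctxt` is set. I would pin the contract on the static helper: `/* role: SELinux role requested for this session, or NULL/"" when none was requested; passed through from the authctxt unchanged — TODO confirm the non-level branch handles NULL */`. The same plumbing appears again in the in-tree hunks for monitor.c, port-linux.c, platform.c, session.c, sshd.c and sshpty.c, and the function bodies continue outside all of these hunks.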
@@ -1353,7 +1353,7 @@ mm_answer_pty(int sock, Buffer *m) | |||
1353 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 1353 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
1354 | if (res == 0) | 1354 | if (res == 0) |
1355 | goto error; | 1355 | goto error; |
1356 | pty_setowner(authctxt->pw, s->tty); | 1356 | pty_setowner(authctxt->pw, s->tty, authctxt->role); |
1357 | 1357 | ||
1358 | buffer_put_int(m, 1); | 1358 | buffer_put_int(m, 1); |
1359 | buffer_put_cstring(m, s->tty); | 1359 | buffer_put_cstring(m, s->tty); |
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index 744a404c8..11385326e 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
@@ -44,8 +44,6 @@ | |||
44 | #include <selinux/flask.h> | 44 | #include <selinux/flask.h> |
45 | #include <selinux/get_context_list.h> | 45 | #include <selinux/get_context_list.h> |
46 | 46 | ||
47 | extern Authctxt *the_authctxt; | ||
48 | |||
49 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | 47 | /* Wrapper around is_selinux_enabled() to log its return value once only */ |
50 | int | 48 | int |
51 | ssh_selinux_enabled(void) | 49 | ssh_selinux_enabled(void) |
@@ -62,10 +60,10 @@ ssh_selinux_enabled(void) | |||
62 | 60 | ||
63 | /* Return the default security context for the given username */ | 61 | /* Return the default security context for the given username */ |
64 | static security_context_t | 62 | static security_context_t |
65 | ssh_selinux_getctxbyname(char *pwname) | 63 | ssh_selinux_getctxbyname(char *pwname, const char *role) |
66 | { | 64 | { |
67 | security_context_t sc = NULL; | 65 | security_context_t sc = NULL; |
68 | char *sename = NULL, *role = NULL, *lvl = NULL; | 66 | char *sename = NULL, *lvl = NULL; |
69 | int r; | 67 | int r; |
70 | 68 | ||
71 | #ifdef HAVE_GETSEUSERBYNAME | 69 | #ifdef HAVE_GETSEUSERBYNAME |
@@ -75,8 +73,6 @@ ssh_selinux_getctxbyname(char *pwname) | |||
75 | sename = pwname; | 73 | sename = pwname; |
76 | lvl = NULL; | 74 | lvl = NULL; |
77 | #endif | 75 | #endif |
78 | if (the_authctxt) | ||
79 | role = the_authctxt->role; | ||
80 | 76 | ||
81 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 77 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
82 | if (role != NULL && role[0]) | 78 | if (role != NULL && role[0]) |
@@ -119,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname) | |||
119 | 115 | ||
120 | /* Set the execution context to the default for the specified user */ | 116 | /* Set the execution context to the default for the specified user */ |
121 | void | 117 | void |
122 | ssh_selinux_setup_exec_context(char *pwname) | 118 | ssh_selinux_setup_exec_context(char *pwname, const char *role) |
123 | { | 119 | { |
124 | security_context_t user_ctx = NULL; | 120 | security_context_t user_ctx = NULL; |
125 | 121 | ||
@@ -128,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
128 | 124 | ||
129 | debug3("%s: setting execution context", __func__); | 125 | debug3("%s: setting execution context", __func__); |
130 | 126 | ||
131 | user_ctx = ssh_selinux_getctxbyname(pwname); | 127 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
132 | if (setexeccon(user_ctx) != 0) { | 128 | if (setexeccon(user_ctx) != 0) { |
133 | switch (security_getenforce()) { | 129 | switch (security_getenforce()) { |
134 | case -1: | 130 | case -1: |
@@ -150,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
150 | 146 | ||
151 | /* Set the TTY context for the specified user */ | 147 | /* Set the TTY context for the specified user */ |
152 | void | 148 | void |
153 | ssh_selinux_setup_pty(char *pwname, const char *tty) | 149 | ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) |
154 | { | 150 | { |
155 | security_context_t new_tty_ctx = NULL; | 151 | security_context_t new_tty_ctx = NULL; |
156 | security_context_t user_ctx = NULL; | 152 | security_context_t user_ctx = NULL; |
@@ -161,7 +157,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | |||
161 | 157 | ||
162 | debug3("%s: setting TTY context on %s", __func__, tty); | 158 | debug3("%s: setting TTY context on %s", __func__, tty); |
163 | 159 | ||
164 | user_ctx = ssh_selinux_getctxbyname(pwname); | 160 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
165 | 161 | ||
166 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 162 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
167 | 163 | ||
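Review bot: The header comments on the three changed functions are now stale: `/* Return the default security context for the given username */` (new line 61), `/* Set the execution context to the default for the specified user */` (new 116) and `/* Set the TTY context for the specified user */` (new 147) describe the old one-argument behaviour and say nothing about `role`. Since `role` is checked for NULL and empty at new line 78 and otherwise forwarded unchanged, each comment should name it, e.g. `/* Return the default security context for the given username; role, when non-NULL and non-empty, is the SELinux role requested for the session (may be NULL) */`. Dropping `extern Authctxt *the_authctxt;` removes the only reference to sshd's Authctxt type from this compat file, which is the link fix the changelog describes; a one-line comment above `ssh_selinux_getctxbyname` saying the role is supplied by callers on purpose would stop the global from being reintroduced. The function bodies continue outside the hunks.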
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index 884482bf5..8ed5587ee 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h | |||
@@ -21,8 +21,8 @@ | |||
21 | 21 | ||
22 | #ifdef WITH_SELINUX | 22 | #ifdef WITH_SELINUX |
23 | int ssh_selinux_enabled(void); | 23 | int ssh_selinux_enabled(void); |
24 | void ssh_selinux_setup_pty(char *, const char *); | 24 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
25 | void ssh_selinux_setup_exec_context(char *); | 25 | void ssh_selinux_setup_exec_context(char *, const char *); |
26 | void ssh_selinux_change_context(const char *); | 26 | void ssh_selinux_change_context(const char *); |
27 | void ssh_selinux_setfscreatecon(const char *); | 27 | void ssh_selinux_setfscreatecon(const char *); |
28 | #endif | 28 | #endif |
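Review bot: The prototypes `void ssh_selinux_setup_pty(char *, const char *, const char *);` here and `void pty_setowner(struct passwd *, const char *, const char *);` in sshpty.h (line 27) now end in two adjacent unnamed `const char *` parameters, so a caller that swaps tty and role compiles cleanly and only fails at run time when the wrong string reaches libselinux. Keeping the file's unnamed-parameter convention, a trailing comment disambiguates: `void ssh_selinux_setup_pty(char *, const char *, const char *); /* pwname, tty, role */` and `void pty_setowner(struct passwd *, const char *, const char *); /* pw, tty, role */`. The single added `const char *` in platform.h and session.h is less error-prone but would benefit from the same `/* ..., role */` marker for consistency.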
diff --git a/platform.c b/platform.c index a455472b3..e707aa4c7 100644 --- a/platform.c +++ b/platform.c | |||
@@ -134,7 +134,7 @@ platform_setusercontext(struct passwd *pw) | |||
134 | * called if sshd is running as root. | 134 | * called if sshd is running as root. |
135 | */ | 135 | */ |
136 | void | 136 | void |
137 | platform_setusercontext_post_groups(struct passwd *pw) | 137 | platform_setusercontext_post_groups(struct passwd *pw, const char *role) |
138 | { | 138 | { |
139 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | 139 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) |
140 | /* | 140 | /* |
@@ -181,7 +181,7 @@ platform_setusercontext_post_groups(struct passwd *pw) | |||
181 | } | 181 | } |
182 | #endif /* HAVE_SETPCRED */ | 182 | #endif /* HAVE_SETPCRED */ |
183 | #ifdef WITH_SELINUX | 183 | #ifdef WITH_SELINUX |
184 | ssh_selinux_setup_exec_context(pw->pw_name); | 184 | ssh_selinux_setup_exec_context(pw->pw_name, role); |
185 | #endif | 185 | #endif |
186 | } | 186 | } |
187 | 187 | ||
diff --git a/platform.h b/platform.h index 944d2c340..7b2d481af 100644 --- a/platform.h +++ b/platform.h | |||
@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid); | |||
26 | void platform_post_fork_child(void); | 26 | void platform_post_fork_child(void); |
27 | int platform_privileged_uidswap(void); | 27 | int platform_privileged_uidswap(void); |
28 | void platform_setusercontext(struct passwd *); | 28 | void platform_setusercontext(struct passwd *); |
29 | void platform_setusercontext_post_groups(struct passwd *); | 29 | void platform_setusercontext_post_groups(struct passwd *, const char *); |
30 | char *platform_get_krb5_client(const char *); | 30 | char *platform_get_krb5_client(const char *); |
31 | char *platform_krb5_get_principal_name(const char *); | 31 | char *platform_krb5_get_principal_name(const char *); |
32 | 32 | ||
@@ -1467,7 +1467,7 @@ safely_chroot(const char *path, uid_t uid) | |||
1467 | 1467 | ||
1468 | /* Set login name, uid, gid, and groups. */ | 1468 | /* Set login name, uid, gid, and groups. */ |
1469 | void | 1469 | void |
1470 | do_setusercontext(struct passwd *pw) | 1470 | do_setusercontext(struct passwd *pw, const char *role) |
1471 | { | 1471 | { |
1472 | char *chroot_path, *tmp; | 1472 | char *chroot_path, *tmp; |
1473 | 1473 | ||
@@ -1495,7 +1495,7 @@ do_setusercontext(struct passwd *pw) | |||
1495 | endgrent(); | 1495 | endgrent(); |
1496 | #endif | 1496 | #endif |
1497 | 1497 | ||
1498 | platform_setusercontext_post_groups(pw); | 1498 | platform_setusercontext_post_groups(pw, role); |
1499 | 1499 | ||
1500 | if (options.chroot_directory != NULL && | 1500 | if (options.chroot_directory != NULL && |
1501 | strcasecmp(options.chroot_directory, "none") != 0) { | 1501 | strcasecmp(options.chroot_directory, "none") != 0) { |
@@ -1618,7 +1618,7 @@ do_child(Session *s, const char *command) | |||
1618 | 1618 | ||
1619 | /* Force a password change */ | 1619 | /* Force a password change */ |
1620 | if (s->authctxt->force_pwchange) { | 1620 | if (s->authctxt->force_pwchange) { |
1621 | do_setusercontext(pw); | 1621 | do_setusercontext(pw, s->authctxt->role); |
1622 | child_close_fds(); | 1622 | child_close_fds(); |
1623 | do_pwchange(s); | 1623 | do_pwchange(s); |
1624 | exit(1); | 1624 | exit(1); |
@@ -1645,7 +1645,7 @@ do_child(Session *s, const char *command) | |||
1645 | /* When PAM is enabled we rely on it to do the nologin check */ | 1645 | /* When PAM is enabled we rely on it to do the nologin check */ |
1646 | if (!options.use_pam) | 1646 | if (!options.use_pam) |
1647 | do_nologin(pw); | 1647 | do_nologin(pw); |
1648 | do_setusercontext(pw); | 1648 | do_setusercontext(pw, s->authctxt->role); |
1649 | /* | 1649 | /* |
1650 | * PAM session modules in do_setusercontext may have | 1650 | * PAM session modules in do_setusercontext may have |
1651 | * generated messages, so if this in an interactive | 1651 | * generated messages, so if this in an interactive |
@@ -2057,7 +2057,7 @@ session_pty_req(Session *s) | |||
2057 | tty_parse_modes(s->ttyfd, &n_bytes); | 2057 | tty_parse_modes(s->ttyfd, &n_bytes); |
2058 | 2058 | ||
2059 | if (!use_privsep) | 2059 | if (!use_privsep) |
2060 | pty_setowner(s->pw, s->tty); | 2060 | pty_setowner(s->pw, s->tty, s->authctxt->role); |
2061 | 2061 | ||
2062 | /* Set window size from the packet. */ | 2062 | /* Set window size from the packet. */ |
2063 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | 2063 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); |
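Review bot: The comment on `do_setusercontext`, `/* Set login name, uid, gid, and groups. */` (new line 1468), no longer covers the second parameter, which the function forwards to `platform_setusercontext_post_groups` at new line 1498 and which platform.c hands to `ssh_selinux_setup_exec_context` under WITH_SELINUX. Suggest `/* Set login name, uid, gid, groups and, via the platform layer, the SELinux execution context for the requested role (NULL when none). */`. In `session_pty_req`, the `!use_privsep` path at new line 2060 now reads `s->authctxt->role`; `do_child` already dereferences `s->authctxt`, but whether it is guaranteed non-NULL by the time `session_pty_req` runs is not visible in this hunk and should be confirmed. The bodies of all three functions continue outside the hunks.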
@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); | |||
76 | Session *session_new(void); | 76 | Session *session_new(void); |
77 | Session *session_by_tty(char *); | 77 | Session *session_by_tty(char *); |
78 | void session_close(Session *); | 78 | void session_close(Session *); |
79 | void do_setusercontext(struct passwd *); | 79 | void do_setusercontext(struct passwd *, const char *); |
80 | void child_set_env(char ***envp, u_int *envsizep, const char *name, | 80 | void child_set_env(char ***envp, u_int *envsizep, const char *name, |
81 | const char *value); | 81 | const char *value); |
82 | 82 | ||
@@ -708,7 +708,7 @@ privsep_postauth(Authctxt *authctxt) | |||
708 | RAND_seed(rnd, sizeof(rnd)); | 708 | RAND_seed(rnd, sizeof(rnd)); |
709 | 709 | ||
710 | /* Drop privileges */ | 710 | /* Drop privileges */ |
711 | do_setusercontext(authctxt->pw); | 711 | do_setusercontext(authctxt->pw, authctxt->role); |
712 | 712 | ||
713 | skip: | 713 | skip: |
714 | /* It is safe now to apply the key state */ | 714 | /* It is safe now to apply the key state */ |
@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, | |||
200 | } | 200 | } |
201 | 201 | ||
202 | void | 202 | void |
203 | pty_setowner(struct passwd *pw, const char *tty) | 203 | pty_setowner(struct passwd *pw, const char *tty, const char *role) |
204 | { | 204 | { |
205 | struct group *grp; | 205 | struct group *grp; |
206 | gid_t gid; | 206 | gid_t gid; |
@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty) | |||
227 | strerror(errno)); | 227 | strerror(errno)); |
228 | 228 | ||
229 | #ifdef WITH_SELINUX | 229 | #ifdef WITH_SELINUX |
230 | ssh_selinux_setup_pty(pw->pw_name, tty); | 230 | ssh_selinux_setup_pty(pw->pw_name, tty, role); |
231 | #endif | 231 | #endif |
232 | 232 | ||
233 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { | 233 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { |
@@ -24,4 +24,4 @@ int pty_allocate(int *, int *, char *, size_t); | |||
24 | void pty_release(const char *); | 24 | void pty_release(const char *); |
25 | void pty_make_controlling_tty(int *, const char *); | 25 | void pty_make_controlling_tty(int *, const char *); |
26 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); | 26 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); |
27 | void pty_setowner(struct passwd *, const char *); | 27 | void pty_setowner(struct passwd *, const char *, const char *); |