diff options
Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 44 |
1 files changed, 22 insertions, 22 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 5fec9eae0..c632f0349 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 701eb985309b1c9fce617949298659843fce723d Mon Sep 17 00:00:00 2001 | 1 | From a00cba810338ce920de432e7797a45794bf280ba Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch | |||
32 | 16 files changed, 104 insertions(+), 31 deletions(-) | 32 | 16 files changed, 104 insertions(+), 31 deletions(-) |
33 | 33 | ||
34 | diff --git a/auth.h b/auth.h | 34 | diff --git a/auth.h b/auth.h |
35 | index 8b27575..3c2222f 100644 | 35 | index 2160154..3b3a085 100644 |
36 | --- a/auth.h | 36 | --- a/auth.h |
37 | +++ b/auth.h | 37 | +++ b/auth.h |
38 | @@ -62,6 +62,7 @@ struct Authctxt { | 38 | @@ -62,6 +62,7 @@ struct Authctxt { |
@@ -113,10 +113,10 @@ index 3f49bdc..6eb3cc7 100644 | |||
113 | if (auth2_setup_methods_lists(authctxt) != 0) | 113 | if (auth2_setup_methods_lists(authctxt) != 0) |
114 | packet_disconnect("no authentication methods enabled"); | 114 | packet_disconnect("no authentication methods enabled"); |
115 | diff --git a/monitor.c b/monitor.c | 115 | diff --git a/monitor.c b/monitor.c |
116 | index 2658aaa..c063ad1 100644 | 116 | index 6c82023..5be3fbf 100644 |
117 | --- a/monitor.c | 117 | --- a/monitor.c |
118 | +++ b/monitor.c | 118 | +++ b/monitor.c |
119 | @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); | 119 | @@ -126,6 +126,7 @@ int mm_answer_sign(int, Buffer *); |
120 | int mm_answer_pwnamallow(int, Buffer *); | 120 | int mm_answer_pwnamallow(int, Buffer *); |
121 | int mm_answer_auth2_read_banner(int, Buffer *); | 121 | int mm_answer_auth2_read_banner(int, Buffer *); |
122 | int mm_answer_authserv(int, Buffer *); | 122 | int mm_answer_authserv(int, Buffer *); |
@@ -124,7 +124,7 @@ index 2658aaa..c063ad1 100644 | |||
124 | int mm_answer_authpassword(int, Buffer *); | 124 | int mm_answer_authpassword(int, Buffer *); |
125 | int mm_answer_bsdauthquery(int, Buffer *); | 125 | int mm_answer_bsdauthquery(int, Buffer *); |
126 | int mm_answer_bsdauthrespond(int, Buffer *); | 126 | int mm_answer_bsdauthrespond(int, Buffer *); |
127 | @@ -208,6 +209,7 @@ struct mon_table mon_dispatch_proto20[] = { | 127 | @@ -207,6 +208,7 @@ struct mon_table mon_dispatch_proto20[] = { |
128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 128 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 129 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 130 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -132,7 +132,7 @@ index 2658aaa..c063ad1 100644 | |||
132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 132 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 133 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
134 | #ifdef USE_PAM | 134 | #ifdef USE_PAM |
135 | @@ -879,6 +881,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | 135 | @@ -875,6 +877,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) |
136 | else { | 136 | else { |
137 | /* Allow service/style information on the auth context */ | 137 | /* Allow service/style information on the auth context */ |
138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 138 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -140,7 +140,7 @@ index 2658aaa..c063ad1 100644 | |||
140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 140 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
141 | } | 141 | } |
142 | #ifdef USE_PAM | 142 | #ifdef USE_PAM |
143 | @@ -909,14 +912,37 @@ mm_answer_authserv(int sock, Buffer *m) | 143 | @@ -905,14 +908,37 @@ mm_answer_authserv(int sock, Buffer *m) |
144 | 144 | ||
145 | authctxt->service = buffer_get_string(m, NULL); | 145 | authctxt->service = buffer_get_string(m, NULL); |
146 | authctxt->style = buffer_get_string(m, NULL); | 146 | authctxt->style = buffer_get_string(m, NULL); |
@@ -180,7 +180,7 @@ index 2658aaa..c063ad1 100644 | |||
180 | return (0); | 180 | return (0); |
181 | } | 181 | } |
182 | 182 | ||
183 | @@ -1544,7 +1570,7 @@ mm_answer_pty(int sock, Buffer *m) | 183 | @@ -1541,7 +1567,7 @@ mm_answer_pty(int sock, Buffer *m) |
184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 184 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
185 | if (res == 0) | 185 | if (res == 0) |
186 | goto error; | 186 | goto error; |
@@ -203,7 +203,7 @@ index bc50ade..2d82b8b 100644 | |||
203 | 203 | ||
204 | struct mm_master; | 204 | struct mm_master; |
205 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 205 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
206 | index 81ceddb..6799911 100644 | 206 | index 74fbd2e..eaf0a12 100644 |
207 | --- a/monitor_wrap.c | 207 | --- a/monitor_wrap.c |
208 | +++ b/monitor_wrap.c | 208 | +++ b/monitor_wrap.c |
209 | @@ -327,10 +327,10 @@ mm_auth2_read_banner(void) | 209 | @@ -327,10 +327,10 @@ mm_auth2_read_banner(void) |
@@ -251,13 +251,13 @@ index 81ceddb..6799911 100644 | |||
251 | int | 251 | int |
252 | mm_auth_password(Authctxt *authctxt, char *password) | 252 | mm_auth_password(Authctxt *authctxt, char *password) |
253 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 253 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
254 | index 9758290..57e740f 100644 | 254 | index 403f8d0..d9de551 100644 |
255 | --- a/monitor_wrap.h | 255 | --- a/monitor_wrap.h |
256 | +++ b/monitor_wrap.h | 256 | +++ b/monitor_wrap.h |
257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); | 257 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); |
258 | int mm_is_monitor(void); | 258 | int mm_is_monitor(void); |
259 | DH *mm_choose_dh(int, int, int); | 259 | DH *mm_choose_dh(int, int, int); |
260 | int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); | 260 | int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); |
261 | -void mm_inform_authserv(char *, char *); | 261 | -void mm_inform_authserv(char *, char *); |
262 | +void mm_inform_authserv(char *, char *, char *); | 262 | +void mm_inform_authserv(char *, char *, char *); |
263 | +void mm_inform_authrole(char *); | 263 | +void mm_inform_authrole(char *); |
@@ -383,7 +383,7 @@ index ee313da..f35ec39 100644 | |||
383 | } | 383 | } |
384 | 384 | ||
385 | diff --git a/platform.h b/platform.h | 385 | diff --git a/platform.h b/platform.h |
386 | index 1c7a45d..436ae7c 100644 | 386 | index e687c99..823901b 100644 |
387 | --- a/platform.h | 387 | --- a/platform.h |
388 | +++ b/platform.h | 388 | +++ b/platform.h |
389 | @@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid); | 389 | @@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid); |
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644 | |||
396 | char *platform_krb5_get_principal_name(const char *); | 396 | char *platform_krb5_get_principal_name(const char *); |
397 | int platform_sys_dir_uid(uid_t); | 397 | int platform_sys_dir_uid(uid_t); |
398 | diff --git a/session.c b/session.c | 398 | diff --git a/session.c b/session.c |
399 | index 5a64715..afac4a5 100644 | 399 | index 7a02500..99ec6f3 100644 |
400 | --- a/session.c | 400 | --- a/session.c |
401 | +++ b/session.c | 401 | +++ b/session.c |
402 | @@ -1487,7 +1487,7 @@ safely_chroot(const char *path, uid_t uid) | 402 | @@ -1489,7 +1489,7 @@ safely_chroot(const char *path, uid_t uid) |
403 | 403 | ||
404 | /* Set login name, uid, gid, and groups. */ | 404 | /* Set login name, uid, gid, and groups. */ |
405 | void | 405 | void |
@@ -407,17 +407,17 @@ index 5a64715..afac4a5 100644 | |||
407 | +do_setusercontext(struct passwd *pw, const char *role) | 407 | +do_setusercontext(struct passwd *pw, const char *role) |
408 | { | 408 | { |
409 | char *chroot_path, *tmp; | 409 | char *chroot_path, *tmp; |
410 | #ifdef USE_LIBIAF | 410 | |
411 | @@ -1518,7 +1518,7 @@ do_setusercontext(struct passwd *pw) | 411 | @@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw) |
412 | endgrent(); | 412 | endgrent(); |
413 | #endif | 413 | #endif |
414 | 414 | ||
415 | - platform_setusercontext_post_groups(pw); | 415 | - platform_setusercontext_post_groups(pw); |
416 | + platform_setusercontext_post_groups(pw, role); | 416 | + platform_setusercontext_post_groups(pw, role); |
417 | 417 | ||
418 | if (options.chroot_directory != NULL && | 418 | if (!in_chroot && options.chroot_directory != NULL && |
419 | strcasecmp(options.chroot_directory, "none") != 0) { | 419 | strcasecmp(options.chroot_directory, "none") != 0) { |
420 | @@ -1677,7 +1677,7 @@ do_child(Session *s, const char *command) | 420 | @@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command) |
421 | 421 | ||
422 | /* Force a password change */ | 422 | /* Force a password change */ |
423 | if (s->authctxt->force_pwchange) { | 423 | if (s->authctxt->force_pwchange) { |
@@ -426,7 +426,7 @@ index 5a64715..afac4a5 100644 | |||
426 | child_close_fds(); | 426 | child_close_fds(); |
427 | do_pwchange(s); | 427 | do_pwchange(s); |
428 | exit(1); | 428 | exit(1); |
429 | @@ -1704,7 +1704,7 @@ do_child(Session *s, const char *command) | 429 | @@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command) |
430 | /* When PAM is enabled we rely on it to do the nologin check */ | 430 | /* When PAM is enabled we rely on it to do the nologin check */ |
431 | if (!options.use_pam) | 431 | if (!options.use_pam) |
432 | do_nologin(pw); | 432 | do_nologin(pw); |
@@ -435,7 +435,7 @@ index 5a64715..afac4a5 100644 | |||
435 | /* | 435 | /* |
436 | * PAM session modules in do_setusercontext may have | 436 | * PAM session modules in do_setusercontext may have |
437 | * generated messages, so if this in an interactive | 437 | * generated messages, so if this in an interactive |
438 | @@ -2115,7 +2115,7 @@ session_pty_req(Session *s) | 438 | @@ -2112,7 +2112,7 @@ session_pty_req(Session *s) |
439 | tty_parse_modes(s->ttyfd, &n_bytes); | 439 | tty_parse_modes(s->ttyfd, &n_bytes); |
440 | 440 | ||
441 | if (!use_privsep) | 441 | if (!use_privsep) |
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644 | |||
458 | const char *value); | 458 | const char *value); |
459 | 459 | ||
460 | diff --git a/sshd.c b/sshd.c | 460 | diff --git a/sshd.c b/sshd.c |
461 | index 9275e0b..1b49b26 100644 | 461 | index d1dd711..bb093cc 100644 |
462 | --- a/sshd.c | 462 | --- a/sshd.c |
463 | +++ b/sshd.c | 463 | +++ b/sshd.c |
464 | @@ -786,7 +786,7 @@ privsep_postauth(Authctxt *authctxt) | 464 | @@ -781,7 +781,7 @@ privsep_postauth(Authctxt *authctxt) |
465 | explicit_bzero(rnd, sizeof(rnd)); | 465 | explicit_bzero(rnd, sizeof(rnd)); |
466 | 466 | ||
467 | /* Drop privileges */ | 467 | /* Drop privileges */ |