diff options
Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 76 |
1 files changed, 38 insertions, 38 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index ae83d23b0..1402b9025 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From e5d3ea2ca423a54b1d53d45252cb7173a15600eb Mon Sep 17 00:00:00 2001 | 1 | From 4b276122c04aed0726803a92c8ca955e614a4d3a Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better. | |||
9 | 9 | ||
10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 | 10 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 |
11 | Bug-Debian: http://bugs.debian.org/394795 | 11 | Bug-Debian: http://bugs.debian.org/394795 |
12 | Last-Update: 2015-08-19 | 12 | Last-Update: 2017-10-04 |
13 | 13 | ||
14 | Patch-Name: selinux-role.patch | 14 | Patch-Name: selinux-role.patch |
15 | --- | 15 | --- |
@@ -31,31 +31,31 @@ Patch-Name: selinux-role.patch | |||
31 | 15 files changed, 97 insertions(+), 30 deletions(-) | 31 | 15 files changed, 97 insertions(+), 30 deletions(-) |
32 | 32 | ||
33 | diff --git a/auth.h b/auth.h | 33 | diff --git a/auth.h b/auth.h |
34 | index 338a62da..8c658d16 100644 | 34 | index 29835ae9..27a1a88e 100644 |
35 | --- a/auth.h | 35 | --- a/auth.h |
36 | +++ b/auth.h | 36 | +++ b/auth.h |
37 | @@ -62,6 +62,7 @@ struct Authctxt { | 37 | @@ -63,6 +63,7 @@ struct Authctxt { |
38 | char *service; | 38 | char *service; |
39 | struct passwd *pw; /* set if 'valid' */ | 39 | struct passwd *pw; /* set if 'valid' */ |
40 | char *style; | 40 | char *style; |
41 | + char *role; | 41 | + char *role; |
42 | void *kbdintctxt; | 42 | |
43 | char *info; /* Extra info for next auth_log */ | 43 | /* Method lists for multiple authentication */ |
44 | #ifdef BSD_AUTH | 44 | char **auth_methods; /* modified from server config */ |
45 | diff --git a/auth2.c b/auth2.c | 45 | diff --git a/auth2.c b/auth2.c |
46 | index 946e9235..2f51be23 100644 | 46 | index 54070e3a..1f9ec632 100644 |
47 | --- a/auth2.c | 47 | --- a/auth2.c |
48 | +++ b/auth2.c | 48 | +++ b/auth2.c |
49 | @@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 49 | @@ -221,7 +221,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
50 | struct ssh *ssh = active_state; /* XXX */ | 50 | { |
51 | Authctxt *authctxt = ctxt; | 51 | Authctxt *authctxt = ssh->authctxt; |
52 | Authmethod *m = NULL; | 52 | Authmethod *m = NULL; |
53 | - char *user, *service, *method, *style = NULL; | 53 | - char *user, *service, *method, *style = NULL; |
54 | + char *user, *service, *method, *style = NULL, *role = NULL; | 54 | + char *user, *service, *method, *style = NULL, *role = NULL; |
55 | int authenticated = 0; | 55 | int authenticated = 0; |
56 | 56 | ||
57 | if (authctxt == NULL) | 57 | if (authctxt == NULL) |
58 | @@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 58 | @@ -233,8 +233,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
59 | debug("userauth-request for user %s service %s method %s", user, service, method); | 59 | debug("userauth-request for user %s service %s method %s", user, service, method); |
60 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | 60 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); |
61 | 61 | ||
@@ -69,7 +69,7 @@ index 946e9235..2f51be23 100644 | |||
69 | 69 | ||
70 | if (authctxt->attempt++ == 0) { | 70 | if (authctxt->attempt++ == 0) { |
71 | /* setup auth context */ | 71 | /* setup auth context */ |
72 | @@ -257,8 +262,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | 72 | @@ -261,8 +266,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
73 | use_privsep ? " [net]" : ""); | 73 | use_privsep ? " [net]" : ""); |
74 | authctxt->service = xstrdup(service); | 74 | authctxt->service = xstrdup(service); |
75 | authctxt->style = style ? xstrdup(style) : NULL; | 75 | authctxt->style = style ? xstrdup(style) : NULL; |
@@ -81,7 +81,7 @@ index 946e9235..2f51be23 100644 | |||
81 | if (auth2_setup_methods_lists(authctxt) != 0) | 81 | if (auth2_setup_methods_lists(authctxt) != 0) |
82 | packet_disconnect("no authentication methods enabled"); | 82 | packet_disconnect("no authentication methods enabled"); |
83 | diff --git a/monitor.c b/monitor.c | 83 | diff --git a/monitor.c b/monitor.c |
84 | index 506645c7..7452e20e 100644 | 84 | index cabfeb8a..510e3496 100644 |
85 | --- a/monitor.c | 85 | --- a/monitor.c |
86 | +++ b/monitor.c | 86 | +++ b/monitor.c |
87 | @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); | 87 | @@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *); |
@@ -100,7 +100,7 @@ index 506645c7..7452e20e 100644 | |||
100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
102 | #ifdef USE_PAM | 102 | #ifdef USE_PAM |
103 | @@ -791,6 +793,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) | 103 | @@ -799,6 +801,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) |
104 | 104 | ||
105 | /* Allow service/style information on the auth context */ | 105 | /* Allow service/style information on the auth context */ |
106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -108,7 +108,7 @@ index 506645c7..7452e20e 100644 | |||
108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
109 | 109 | ||
110 | #ifdef USE_PAM | 110 | #ifdef USE_PAM |
111 | @@ -821,14 +824,37 @@ mm_answer_authserv(int sock, Buffer *m) | 111 | @@ -829,14 +832,37 @@ mm_answer_authserv(int sock, Buffer *m) |
112 | 112 | ||
113 | authctxt->service = buffer_get_string(m, NULL); | 113 | authctxt->service = buffer_get_string(m, NULL); |
114 | authctxt->style = buffer_get_string(m, NULL); | 114 | authctxt->style = buffer_get_string(m, NULL); |
@@ -148,7 +148,7 @@ index 506645c7..7452e20e 100644 | |||
148 | return (0); | 148 | return (0); |
149 | } | 149 | } |
150 | 150 | ||
151 | @@ -1463,7 +1489,7 @@ mm_answer_pty(int sock, Buffer *m) | 151 | @@ -1471,7 +1497,7 @@ mm_answer_pty(int sock, Buffer *m) |
152 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 152 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
153 | if (res == 0) | 153 | if (res == 0) |
154 | goto error; | 154 | goto error; |
@@ -171,10 +171,10 @@ index ec41404c..4c7955d7 100644 | |||
171 | 171 | ||
172 | struct monitor { | 172 | struct monitor { |
173 | diff --git a/monitor_wrap.c b/monitor_wrap.c | 173 | diff --git a/monitor_wrap.c b/monitor_wrap.c |
174 | index d5cb640a..2ff8064a 100644 | 174 | index 0e171a6a..d806bb2e 100644 |
175 | --- a/monitor_wrap.c | 175 | --- a/monitor_wrap.c |
176 | +++ b/monitor_wrap.c | 176 | +++ b/monitor_wrap.c |
177 | @@ -327,10 +327,10 @@ mm_auth2_read_banner(void) | 177 | @@ -336,10 +336,10 @@ mm_auth2_read_banner(void) |
178 | return (banner); | 178 | return (banner); |
179 | } | 179 | } |
180 | 180 | ||
@@ -187,7 +187,7 @@ index d5cb640a..2ff8064a 100644 | |||
187 | { | 187 | { |
188 | Buffer m; | 188 | Buffer m; |
189 | 189 | ||
190 | @@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style) | 190 | @@ -348,12 +348,30 @@ mm_inform_authserv(char *service, char *style) |
191 | buffer_init(&m); | 191 | buffer_init(&m); |
192 | buffer_put_cstring(&m, service); | 192 | buffer_put_cstring(&m, service); |
193 | buffer_put_cstring(&m, style ? style : ""); | 193 | buffer_put_cstring(&m, style ? style : ""); |
@@ -219,13 +219,13 @@ index d5cb640a..2ff8064a 100644 | |||
219 | int | 219 | int |
220 | mm_auth_password(Authctxt *authctxt, char *password) | 220 | mm_auth_password(Authctxt *authctxt, char *password) |
221 | diff --git a/monitor_wrap.h b/monitor_wrap.h | 221 | diff --git a/monitor_wrap.h b/monitor_wrap.h |
222 | index 8f9dd896..3e75867c 100644 | 222 | index 7b2e8945..a9ccb243 100644 |
223 | --- a/monitor_wrap.h | 223 | --- a/monitor_wrap.h |
224 | +++ b/monitor_wrap.h | 224 | +++ b/monitor_wrap.h |
225 | @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *); | 225 | @@ -41,7 +41,8 @@ int mm_is_monitor(void); |
226 | int mm_is_monitor(void); | ||
227 | DH *mm_choose_dh(int, int, int); | 226 | DH *mm_choose_dh(int, int, int); |
228 | int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int, const char *); | 227 | int mm_key_sign(struct sshkey *, u_char **, u_int *, const u_char *, u_int, |
228 | const char *); | ||
229 | -void mm_inform_authserv(char *, char *); | 229 | -void mm_inform_authserv(char *, char *); |
230 | +void mm_inform_authserv(char *, char *, char *); | 230 | +void mm_inform_authserv(char *, char *, char *); |
231 | +void mm_inform_authrole(char *); | 231 | +void mm_inform_authrole(char *); |
@@ -329,7 +329,7 @@ index 3c22a854..c8812942 100644 | |||
329 | void ssh_selinux_setfscreatecon(const char *); | 329 | void ssh_selinux_setfscreatecon(const char *); |
330 | #endif | 330 | #endif |
331 | diff --git a/platform.c b/platform.c | 331 | diff --git a/platform.c b/platform.c |
332 | index 973a63e4..cd7bf566 100644 | 332 | index 18c7751d..380ee3a4 100644 |
333 | --- a/platform.c | 333 | --- a/platform.c |
334 | +++ b/platform.c | 334 | +++ b/platform.c |
335 | @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) | 335 | @@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw) |
@@ -364,10 +364,10 @@ index ea4f9c58..60d72ffe 100644 | |||
364 | char *platform_krb5_get_principal_name(const char *); | 364 | char *platform_krb5_get_principal_name(const char *); |
365 | int platform_sys_dir_uid(uid_t); | 365 | int platform_sys_dir_uid(uid_t); |
366 | diff --git a/session.c b/session.c | 366 | diff --git a/session.c b/session.c |
367 | index a08aa69d..ea3871eb 100644 | 367 | index 4bccb62d..d40afe4f 100644 |
368 | --- a/session.c | 368 | --- a/session.c |
369 | +++ b/session.c | 369 | +++ b/session.c |
370 | @@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid) | 370 | @@ -1312,7 +1312,7 @@ safely_chroot(const char *path, uid_t uid) |
371 | 371 | ||
372 | /* Set login name, uid, gid, and groups. */ | 372 | /* Set login name, uid, gid, and groups. */ |
373 | void | 373 | void |
@@ -376,7 +376,7 @@ index a08aa69d..ea3871eb 100644 | |||
376 | { | 376 | { |
377 | char *chroot_path, *tmp; | 377 | char *chroot_path, *tmp; |
378 | 378 | ||
379 | @@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw) | 379 | @@ -1340,7 +1340,7 @@ do_setusercontext(struct passwd *pw) |
380 | endgrent(); | 380 | endgrent(); |
381 | #endif | 381 | #endif |
382 | 382 | ||
@@ -385,16 +385,16 @@ index a08aa69d..ea3871eb 100644 | |||
385 | 385 | ||
386 | if (!in_chroot && options.chroot_directory != NULL && | 386 | if (!in_chroot && options.chroot_directory != NULL && |
387 | strcasecmp(options.chroot_directory, "none") != 0) { | 387 | strcasecmp(options.chroot_directory, "none") != 0) { |
388 | @@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command) | 388 | @@ -1477,7 +1477,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
389 | 389 | ||
390 | /* Force a password change */ | 390 | /* Force a password change */ |
391 | if (s->authctxt->force_pwchange) { | 391 | if (s->authctxt->force_pwchange) { |
392 | - do_setusercontext(pw); | 392 | - do_setusercontext(pw); |
393 | + do_setusercontext(pw, s->authctxt->role); | 393 | + do_setusercontext(pw, s->authctxt->role); |
394 | child_close_fds(); | 394 | child_close_fds(ssh); |
395 | do_pwchange(s); | 395 | do_pwchange(s); |
396 | exit(1); | 396 | exit(1); |
397 | @@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command) | 397 | @@ -1499,7 +1499,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
398 | /* When PAM is enabled we rely on it to do the nologin check */ | 398 | /* When PAM is enabled we rely on it to do the nologin check */ |
399 | if (!options.use_pam) | 399 | if (!options.use_pam) |
400 | do_nologin(pw); | 400 | do_nologin(pw); |
@@ -403,7 +403,7 @@ index a08aa69d..ea3871eb 100644 | |||
403 | /* | 403 | /* |
404 | * PAM session modules in do_setusercontext may have | 404 | * PAM session modules in do_setusercontext may have |
405 | * generated messages, so if this in an interactive | 405 | * generated messages, so if this in an interactive |
406 | @@ -1903,7 +1903,7 @@ session_pty_req(Session *s) | 406 | @@ -1891,7 +1891,7 @@ session_pty_req(struct ssh *ssh, Session *s) |
407 | tty_parse_modes(s->ttyfd, &n_bytes); | 407 | tty_parse_modes(s->ttyfd, &n_bytes); |
408 | 408 | ||
409 | if (!use_privsep) | 409 | if (!use_privsep) |
@@ -413,23 +413,23 @@ index a08aa69d..ea3871eb 100644 | |||
413 | /* Set window size from the packet. */ | 413 | /* Set window size from the packet. */ |
414 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | 414 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); |
415 | diff --git a/session.h b/session.h | 415 | diff --git a/session.h b/session.h |
416 | index 98e1dafe..0a31dce4 100644 | 416 | index 54dd1f0c..8535ebce 100644 |
417 | --- a/session.h | 417 | --- a/session.h |
418 | +++ b/session.h | 418 | +++ b/session.h |
419 | @@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); | 419 | @@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); |
420 | Session *session_new(void); | 420 | Session *session_new(void); |
421 | Session *session_by_tty(char *); | 421 | Session *session_by_tty(char *); |
422 | void session_close(Session *); | 422 | void session_close(struct ssh *, Session *); |
423 | -void do_setusercontext(struct passwd *); | 423 | -void do_setusercontext(struct passwd *); |
424 | +void do_setusercontext(struct passwd *, const char *); | 424 | +void do_setusercontext(struct passwd *, const char *); |
425 | void child_set_env(char ***envp, u_int *envsizep, const char *name, | 425 | |
426 | const char *value); | 426 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); |
427 | 427 | ||
428 | diff --git a/sshd.c b/sshd.c | 428 | diff --git a/sshd.c b/sshd.c |
429 | index 38cf9b49..9221632e 100644 | 429 | index a66e9ca6..af1ec337 100644 |
430 | --- a/sshd.c | 430 | --- a/sshd.c |
431 | +++ b/sshd.c | 431 | +++ b/sshd.c |
432 | @@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt) | 432 | @@ -677,7 +677,7 @@ privsep_postauth(Authctxt *authctxt) |
433 | reseed_prngs(); | 433 | reseed_prngs(); |
434 | 434 | ||
435 | /* Drop privileges */ | 435 | /* Drop privileges */ |