Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 283 |
1 files changed, 283 insertions, 0 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch new file mode 100644 index 000000000..5e2a9ecb6 --- /dev/null +++ b/debian/patches/selinux-role.patch | |||
@@ -0,0 +1,283 @@ | |||
1 | Index: b/auth.h | ||
2 | =================================================================== | ||
3 | --- a/auth.h | ||
4 | +++ b/auth.h | ||
5 | @@ -59,6 +59,7 @@ | ||
6 | char *service; | ||
7 | struct passwd *pw; /* set if 'valid' */ | ||
8 | char *style; | ||
9 | + char *role; | ||
10 | void *kbdintctxt; | ||
11 | void *jpake_ctx; | ||
12 | #ifdef BSD_AUTH | ||
13 | Index: b/auth1.c | ||
14 | =================================================================== | ||
15 | --- a/auth1.c | ||
16 | +++ b/auth1.c | ||
17 | @@ -383,7 +383,7 @@ | ||
18 | do_authentication(Authctxt *authctxt) | ||
19 | { | ||
20 | u_int ulen; | ||
21 | - char *user, *style = NULL; | ||
22 | + char *user, *style = NULL, *role = NULL; | ||
23 | |||
24 | /* Get the name of the user that we wish to log in as. */ | ||
25 | packet_read_expect(SSH_CMSG_USER); | ||
26 | @@ -392,11 +392,17 @@ | ||
27 | user = packet_get_string(&ulen); | ||
28 | packet_check_eom(); | ||
29 | |||
30 | + if ((role = strchr(user, '/')) != NULL) | ||
31 | + *role++ = '\0'; | ||
32 | + | ||
33 | if ((style = strchr(user, ':')) != NULL) | ||
34 | *style++ = '\0'; | ||
35 | + else if (role && (style = strchr(role, ':')) != NULL) | ||
36 | + *style++ = '\0'; | ||
37 | |||
38 | authctxt->user = user; | ||
39 | authctxt->style = style; | ||
40 | + authctxt->role = role; | ||
41 | |||
42 | /* Verify that the user is a valid user. */ | ||
43 | if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) | ||
44 | Index: b/auth2.c | ||
45 | =================================================================== | ||
46 | --- a/auth2.c | ||
47 | +++ b/auth2.c | ||
48 | @@ -217,7 +217,7 @@ | ||
49 | { | ||
50 | Authctxt *authctxt = ctxt; | ||
51 | Authmethod *m = NULL; | ||
52 | - char *user, *service, *method, *style = NULL; | ||
53 | + char *user, *service, *method, *style = NULL, *role = NULL; | ||
54 | int authenticated = 0; | ||
55 | |||
56 | if (authctxt == NULL) | ||
57 | @@ -229,8 +229,13 @@ | ||
58 | debug("userauth-request for user %s service %s method %s", user, service, method); | ||
59 | debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); | ||
60 | |||
61 | + if ((role = strchr(user, '/')) != NULL) | ||
62 | + *role++ = 0; | ||
63 | + | ||
64 | if ((style = strchr(user, ':')) != NULL) | ||
65 | *style++ = 0; | ||
66 | + else if (role && (style = strchr(role, ':')) != NULL) | ||
67 | + *style++ = '\0'; | ||
68 | |||
69 | if (authctxt->attempt++ == 0) { | ||
70 | /* setup auth context */ | ||
71 | @@ -254,8 +259,9 @@ | ||
72 | use_privsep ? " [net]" : ""); | ||
73 | authctxt->service = xstrdup(service); | ||
74 | authctxt->style = style ? xstrdup(style) : NULL; | ||
75 | + authctxt->role = role ? xstrdup(role) : NULL; | ||
76 | if (use_privsep) | ||
77 | - mm_inform_authserv(service, style); | ||
78 | + mm_inform_authserv(service, style, role); | ||
79 | userauth_banner(); | ||
80 | } else if (strcmp(user, authctxt->user) != 0 || | ||
81 | strcmp(service, authctxt->service) != 0) { | ||
82 | Index: b/monitor.c | ||
83 | =================================================================== | ||
84 | --- a/monitor.c | ||
85 | +++ b/monitor.c | ||
86 | @@ -137,6 +137,7 @@ | ||
87 | int mm_answer_pwnamallow(int, Buffer *); | ||
88 | int mm_answer_auth2_read_banner(int, Buffer *); | ||
89 | int mm_answer_authserv(int, Buffer *); | ||
90 | +int mm_answer_authrole(int, Buffer *); | ||
91 | int mm_answer_authpassword(int, Buffer *); | ||
92 | int mm_answer_bsdauthquery(int, Buffer *); | ||
93 | int mm_answer_bsdauthrespond(int, Buffer *); | ||
94 | @@ -215,6 +216,7 @@ | ||
95 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | ||
96 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | ||
97 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | ||
98 | + {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, | ||
99 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | ||
100 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | ||
101 | #ifdef USE_PAM | ||
102 | @@ -699,6 +701,7 @@ | ||
103 | else { | ||
104 | /* Allow service/style information on the auth context */ | ||
105 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | ||
106 | + monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); | ||
107 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | ||
108 | } | ||
109 | |||
110 | @@ -732,14 +735,37 @@ | ||
111 | |||
112 | authctxt->service = buffer_get_string(m, NULL); | ||
113 | authctxt->style = buffer_get_string(m, NULL); | ||
114 | - debug3("%s: service=%s, style=%s", | ||
115 | - __func__, authctxt->service, authctxt->style); | ||
116 | + authctxt->role = buffer_get_string(m, NULL); | ||
117 | + debug3("%s: service=%s, style=%s, role=%s", | ||
118 | + __func__, authctxt->service, authctxt->style, authctxt->role); | ||
119 | |||
120 | if (strlen(authctxt->style) == 0) { | ||
121 | xfree(authctxt->style); | ||
122 | authctxt->style = NULL; | ||
123 | } | ||
124 | |||
125 | + if (strlen(authctxt->role) == 0) { | ||
126 | + xfree(authctxt->role); | ||
127 | + authctxt->role = NULL; | ||
128 | + } | ||
129 | + | ||
130 | + return (0); | ||
131 | +} | ||
132 | + | ||
133 | +int | ||
134 | +mm_answer_authrole(int sock, Buffer *m) | ||
135 | +{ | ||
136 | + monitor_permit_authentications(1); | ||
137 | + | ||
138 | + authctxt->role = buffer_get_string(m, NULL); | ||
139 | + debug3("%s: role=%s", | ||
140 | + __func__, authctxt->role); | ||
141 | + | ||
142 | + if (strlen(authctxt->role) == 0) { | ||
143 | + xfree(authctxt->role); | ||
144 | + authctxt->role = NULL; | ||
145 | + } | ||
146 | + | ||
147 | return (0); | ||
148 | } | ||
149 | |||
150 | Index: b/monitor.h | ||
151 | =================================================================== | ||
152 | --- a/monitor.h | ||
153 | +++ b/monitor.h | ||
154 | @@ -30,7 +30,7 @@ | ||
155 | |||
156 | enum monitor_reqtype { | ||
157 | MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, | ||
158 | - MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, | ||
159 | + MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE, | ||
160 | MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, | ||
161 | MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, | ||
162 | MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, | ||
163 | Index: b/monitor_wrap.c | ||
164 | =================================================================== | ||
165 | --- a/monitor_wrap.c | ||
166 | +++ b/monitor_wrap.c | ||
167 | @@ -279,10 +279,10 @@ | ||
168 | return (banner); | ||
169 | } | ||
170 | |||
171 | -/* Inform the privileged process about service and style */ | ||
172 | +/* Inform the privileged process about service, style, and role */ | ||
173 | |||
174 | void | ||
175 | -mm_inform_authserv(char *service, char *style) | ||
176 | +mm_inform_authserv(char *service, char *style, char *role) | ||
177 | { | ||
178 | Buffer m; | ||
179 | |||
180 | @@ -291,11 +291,29 @@ | ||
181 | buffer_init(&m); | ||
182 | buffer_put_cstring(&m, service); | ||
183 | buffer_put_cstring(&m, style ? style : ""); | ||
184 | + buffer_put_cstring(&m, role ? role : ""); | ||
185 | |||
186 | mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, &m); | ||
187 | |||
188 | buffer_free(&m); | ||
189 | } | ||
190 | + | ||
191 | +/* Inform the privileged process about role */ | ||
192 | + | ||
193 | +void | ||
194 | +mm_inform_authrole(char *role) | ||
195 | +{ | ||
196 | + Buffer m; | ||
197 | + | ||
198 | + debug3("%s entering", __func__); | ||
199 | + | ||
200 | + buffer_init(&m); | ||
201 | + buffer_put_cstring(&m, role ? role : ""); | ||
202 | + | ||
203 | + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); | ||
204 | + | ||
205 | + buffer_free(&m); | ||
206 | +} | ||
207 | |||
208 | /* Do the password authentication */ | ||
209 | int | ||
210 | Index: b/monitor_wrap.h | ||
211 | =================================================================== | ||
212 | --- a/monitor_wrap.h | ||
213 | +++ b/monitor_wrap.h | ||
214 | @@ -40,7 +40,8 @@ | ||
215 | int mm_is_monitor(void); | ||
216 | DH *mm_choose_dh(int, int, int); | ||
217 | int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); | ||
218 | -void mm_inform_authserv(char *, char *); | ||
219 | +void mm_inform_authserv(char *, char *, char *); | ||
220 | +void mm_inform_authrole(char *); | ||
221 | struct passwd *mm_getpwnamallow(const char *); | ||
222 | char *mm_auth2_read_banner(void); | ||
223 | int mm_auth_password(struct Authctxt *, char *); | ||
224 | Index: b/openbsd-compat/port-linux.c | ||
225 | =================================================================== | ||
226 | --- a/openbsd-compat/port-linux.c | ||
227 | +++ b/openbsd-compat/port-linux.c | ||
228 | @@ -28,6 +28,12 @@ | ||
229 | #include <string.h> | ||
230 | |||
231 | #ifdef WITH_SELINUX | ||
232 | +#include "key.h" | ||
233 | +#include "hostfile.h" | ||
234 | +#include "auth.h" | ||
235 | +#ifdef HAVE_GETSEUSERBYNAME | ||
236 | +#include "xmalloc.h" | ||
237 | +#endif | ||
238 | #include "log.h" | ||
239 | #include "port-linux.h" | ||
240 | |||
241 | @@ -35,6 +41,8 @@ | ||
242 | #include <selinux/flask.h> | ||
243 | #include <selinux/get_context_list.h> | ||
244 | |||
245 | +extern Authctxt *the_authctxt; | ||
246 | + | ||
247 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | ||
248 | int | ||
249 | ssh_selinux_enabled(void) | ||
250 | @@ -53,8 +61,8 @@ | ||
251 | static security_context_t | ||
252 | ssh_selinux_getctxbyname(char *pwname) | ||
253 | { | ||
254 | - security_context_t sc; | ||
255 | - char *sename = NULL, *lvl = NULL; | ||
256 | + security_context_t sc = NULL; | ||
257 | + char *sename = NULL, *role = NULL, *lvl = NULL; | ||
258 | int r; | ||
259 | |||
260 | #ifdef HAVE_GETSEUSERBYNAME | ||
261 | @@ -64,11 +72,20 @@ | ||
262 | sename = pwname; | ||
263 | lvl = NULL; | ||
264 | #endif | ||
265 | + if (the_authctxt) | ||
266 | + role = the_authctxt->role; | ||
267 | |||
268 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | ||
269 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
270 | + if (role != NULL && role[0]) | ||
271 | + r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
272 | + &sc); | ||
273 | + else | ||
274 | + r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
275 | #else | ||
276 | - r = get_default_context(sename, NULL, &sc); | ||
277 | + if (role != NULL && role[0]) | ||
278 | + r = get_default_context_with_role(sename, role, NULL, &sc); | ||
279 | + else | ||
280 | + r = get_default_context(sename, NULL, &sc); | ||
281 | #endif | ||
282 | |||
283 | if (r != 0) { | ||
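Review bot: `mm_answer_authrole` in monitor.c does `authctxt->role = buffer_get_string(m, NULL);` without releasing a role that `mm_answer_authserv` may already have stored, so a child that sends MONITOR_REQ_AUTHSERV and then MONITOR_REQ_AUTHROLE leaks the first string and can replace the role after it was recorded, and since nothing in this patch calls `mm_inform_authrole`, the extra request type only widens what the unprivileged process may ask the privileged monitor to do. Either drop the AUTHROLE request, handler and `monitor_permit` line, or guard the assignment with `if (authctxt->role != NULL)` / `xfree(authctxt->role);` before the `buffer_get_string` (xfree in this tree aborts on NULL, so the check is needed). A comment in ssh_selinux_getctxbyname would also help, because the role is taken verbatim from the unauthenticated `user/role` string and the only check that the user may assume it is whatever `get_default_context_with_role`/`_rolelevel` enforce: `/* role is client-supplied (user/role); rely on libselinux to reject roles not allowed for sename */`. The error path after `if (r != 0) {` lies outside the hunk, so whether a rejected role fails closed cannot be confirmed here.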