Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 226 |
1 files changed, 208 insertions, 18 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 74cd06201..30db352dd 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -156,6 +156,15 @@ Index: b/monitor.c | |||
156 | return (0); | 156 | return (0); |
157 | } | 157 | } |
158 | 158 | ||
159 | @@ -1327,7 +1353,7 @@ | ||
160 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | ||
161 | if (res == 0) | ||
162 | goto error; | ||
163 | - pty_setowner(authctxt->pw, s->tty); | ||
164 | + pty_setowner(authctxt->pw, s->tty, authctxt->role); | ||
165 | |||
166 | buffer_put_int(m, 1); | ||
167 | buffer_put_cstring(m, s->tty); | ||
159 | Index: b/monitor.h | 168 | Index: b/monitor.h |
160 | =================================================================== | 169 | =================================================================== |
161 | --- a/monitor.h | 170 | --- a/monitor.h |
@@ -247,32 +256,20 @@ Index: b/openbsd-compat/port-linux.c | |||
247 | #include "log.h" | 256 | #include "log.h" |
248 | #include "xmalloc.h" | 257 | #include "xmalloc.h" |
249 | #include "port-linux.h" | 258 | #include "port-linux.h" |
250 | @@ -38,6 +44,8 @@ | 259 | @@ -54,9 +60,9 @@ |
251 | #include <selinux/flask.h> | ||
252 | #include <selinux/get_context_list.h> | ||
253 | 260 | ||
254 | +extern Authctxt *the_authctxt; | 261 | /* Return the default security context for the given username */ |
255 | + | ||
256 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | ||
257 | int | ||
258 | ssh_selinux_enabled(void) | ||
259 | @@ -56,8 +64,8 @@ | ||
260 | static security_context_t | 262 | static security_context_t |
261 | ssh_selinux_getctxbyname(char *pwname) | 263 | -ssh_selinux_getctxbyname(char *pwname) |
264 | +ssh_selinux_getctxbyname(char *pwname, const char *role) | ||
262 | { | 265 | { |
263 | - security_context_t sc; | 266 | - security_context_t sc; |
264 | - char *sename = NULL, *lvl = NULL; | ||
265 | + security_context_t sc = NULL; | 267 | + security_context_t sc = NULL; |
266 | + char *sename = NULL, *role = NULL, *lvl = NULL; | 268 | char *sename = NULL, *lvl = NULL; |
267 | int r; | 269 | int r; |
268 | 270 | ||
269 | #ifdef HAVE_GETSEUSERBYNAME | 271 | @@ -69,9 +75,16 @@ |
270 | @@ -67,11 +75,20 @@ | ||
271 | sename = pwname; | ||
272 | lvl = NULL; | ||
273 | #endif | 272 | #endif |
274 | + if (the_authctxt) | ||
275 | + role = the_authctxt->role; | ||
276 | 273 | ||
277 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 274 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
278 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); | 275 | - r = get_default_context_with_level(sename, lvl, NULL, &sc); |
@@ -290,3 +287,196 @@ Index: b/openbsd-compat/port-linux.c | |||
290 | #endif | 287 | #endif |
291 | 288 | ||
292 | if (r != 0) { | 289 | if (r != 0) { |
290 | @@ -102,7 +115,7 @@ | ||
291 | |||
292 | /* Set the execution context to the default for the specified user */ | ||
293 | void | ||
294 | -ssh_selinux_setup_exec_context(char *pwname) | ||
295 | +ssh_selinux_setup_exec_context(char *pwname, const char *role) | ||
296 | { | ||
297 | security_context_t user_ctx = NULL; | ||
298 | |||
299 | @@ -111,7 +124,7 @@ | ||
300 | |||
301 | debug3("%s: setting execution context", __func__); | ||
302 | |||
303 | - user_ctx = ssh_selinux_getctxbyname(pwname); | ||
304 | + user_ctx = ssh_selinux_getctxbyname(pwname, role); | ||
305 | if (setexeccon(user_ctx) != 0) { | ||
306 | switch (security_getenforce()) { | ||
307 | case -1: | ||
308 | @@ -133,7 +146,7 @@ | ||
309 | |||
310 | /* Set the TTY context for the specified user */ | ||
311 | void | ||
312 | -ssh_selinux_setup_pty(char *pwname, const char *tty) | ||
313 | +ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) | ||
314 | { | ||
315 | security_context_t new_tty_ctx = NULL; | ||
316 | security_context_t user_ctx = NULL; | ||
317 | @@ -144,7 +157,7 @@ | ||
318 | |||
319 | debug3("%s: setting TTY context on %s", __func__, tty); | ||
320 | |||
321 | - user_ctx = ssh_selinux_getctxbyname(pwname); | ||
322 | + user_ctx = ssh_selinux_getctxbyname(pwname, role); | ||
323 | |||
324 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | ||
325 | |||
326 | Index: b/openbsd-compat/port-linux.h | ||
327 | =================================================================== | ||
328 | --- a/openbsd-compat/port-linux.h | ||
329 | +++ b/openbsd-compat/port-linux.h | ||
330 | @@ -21,8 +21,8 @@ | ||
331 | |||
332 | #ifdef WITH_SELINUX | ||
333 | int ssh_selinux_enabled(void); | ||
334 | -void ssh_selinux_setup_pty(char *, const char *); | ||
335 | -void ssh_selinux_setup_exec_context(char *); | ||
336 | +void ssh_selinux_setup_pty(char *, const char *, const char *); | ||
337 | +void ssh_selinux_setup_exec_context(char *, const char *); | ||
338 | void ssh_selinux_change_context(const char *); | ||
339 | #endif | ||
340 | |||
341 | Index: b/platform.c | ||
342 | =================================================================== | ||
343 | --- a/platform.c | ||
344 | +++ b/platform.c | ||
345 | @@ -134,7 +134,7 @@ | ||
346 | * called if sshd is running as root. | ||
347 | */ | ||
348 | void | ||
349 | -platform_setusercontext_post_groups(struct passwd *pw) | ||
350 | +platform_setusercontext_post_groups(struct passwd *pw, const char *role) | ||
351 | { | ||
352 | #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) | ||
353 | /* | ||
354 | @@ -181,7 +181,7 @@ | ||
355 | } | ||
356 | #endif /* HAVE_SETPCRED */ | ||
357 | #ifdef WITH_SELINUX | ||
358 | - ssh_selinux_setup_exec_context(pw->pw_name); | ||
359 | + ssh_selinux_setup_exec_context(pw->pw_name, role); | ||
360 | #endif | ||
361 | } | ||
362 | |||
363 | Index: b/platform.h | ||
364 | =================================================================== | ||
365 | --- a/platform.h | ||
366 | +++ b/platform.h | ||
367 | @@ -26,7 +26,7 @@ | ||
368 | void platform_post_fork_child(void); | ||
369 | int platform_privileged_uidswap(void); | ||
370 | void platform_setusercontext(struct passwd *); | ||
371 | -void platform_setusercontext_post_groups(struct passwd *); | ||
372 | +void platform_setusercontext_post_groups(struct passwd *, const char *); | ||
373 | char *platform_get_krb5_client(const char *); | ||
374 | char *platform_krb5_get_principal_name(const char *); | ||
375 | |||
376 | Index: b/session.c | ||
377 | =================================================================== | ||
378 | --- a/session.c | ||
379 | +++ b/session.c | ||
380 | @@ -1467,7 +1467,7 @@ | ||
381 | |||
382 | /* Set login name, uid, gid, and groups. */ | ||
383 | void | ||
384 | -do_setusercontext(struct passwd *pw) | ||
385 | +do_setusercontext(struct passwd *pw, const char *role) | ||
386 | { | ||
387 | char *chroot_path, *tmp; | ||
388 | |||
389 | @@ -1495,7 +1495,7 @@ | ||
390 | endgrent(); | ||
391 | #endif | ||
392 | |||
393 | - platform_setusercontext_post_groups(pw); | ||
394 | + platform_setusercontext_post_groups(pw, role); | ||
395 | |||
396 | if (options.chroot_directory != NULL && | ||
397 | strcasecmp(options.chroot_directory, "none") != 0) { | ||
398 | @@ -1618,7 +1618,7 @@ | ||
399 | |||
400 | /* Force a password change */ | ||
401 | if (s->authctxt->force_pwchange) { | ||
402 | - do_setusercontext(pw); | ||
403 | + do_setusercontext(pw, s->authctxt->role); | ||
404 | child_close_fds(); | ||
405 | do_pwchange(s); | ||
406 | exit(1); | ||
407 | @@ -1645,7 +1645,7 @@ | ||
408 | /* When PAM is enabled we rely on it to do the nologin check */ | ||
409 | if (!options.use_pam) | ||
410 | do_nologin(pw); | ||
411 | - do_setusercontext(pw); | ||
412 | + do_setusercontext(pw, s->authctxt->role); | ||
413 | /* | ||
414 | * PAM session modules in do_setusercontext may have | ||
415 | * generated messages, so if this in an interactive | ||
416 | @@ -2057,7 +2057,7 @@ | ||
417 | tty_parse_modes(s->ttyfd, &n_bytes); | ||
418 | |||
419 | if (!use_privsep) | ||
420 | - pty_setowner(s->pw, s->tty); | ||
421 | + pty_setowner(s->pw, s->tty, s->authctxt->role); | ||
422 | |||
423 | /* Set window size from the packet. */ | ||
424 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | ||
425 | Index: b/session.h | ||
426 | =================================================================== | ||
427 | --- a/session.h | ||
428 | +++ b/session.h | ||
429 | @@ -76,7 +76,7 @@ | ||
430 | Session *session_new(void); | ||
431 | Session *session_by_tty(char *); | ||
432 | void session_close(Session *); | ||
433 | -void do_setusercontext(struct passwd *); | ||
434 | +void do_setusercontext(struct passwd *, const char *); | ||
435 | void child_set_env(char ***envp, u_int *envsizep, const char *name, | ||
436 | const char *value); | ||
437 | |||
438 | Index: b/sshd.c | ||
439 | =================================================================== | ||
440 | --- a/sshd.c | ||
441 | +++ b/sshd.c | ||
442 | @@ -707,7 +707,7 @@ | ||
443 | RAND_seed(rnd, sizeof(rnd)); | ||
444 | |||
445 | /* Drop privileges */ | ||
446 | - do_setusercontext(authctxt->pw); | ||
447 | + do_setusercontext(authctxt->pw, authctxt->role); | ||
448 | |||
449 | skip: | ||
450 | /* It is safe now to apply the key state */ | ||
451 | Index: b/sshpty.c | ||
452 | =================================================================== | ||
453 | --- a/sshpty.c | ||
454 | +++ b/sshpty.c | ||
455 | @@ -200,7 +200,7 @@ | ||
456 | } | ||
457 | |||
458 | void | ||
459 | -pty_setowner(struct passwd *pw, const char *tty) | ||
460 | +pty_setowner(struct passwd *pw, const char *tty, const char *role) | ||
461 | { | ||
462 | struct group *grp; | ||
463 | gid_t gid; | ||
464 | @@ -227,7 +227,7 @@ | ||
465 | strerror(errno)); | ||
466 | |||
467 | #ifdef WITH_SELINUX | ||
468 | - ssh_selinux_setup_pty(pw->pw_name, tty); | ||
469 | + ssh_selinux_setup_pty(pw->pw_name, tty, role); | ||
470 | #endif | ||
471 | |||
472 | if (st.st_uid != pw->pw_uid || st.st_gid != gid) { | ||
473 | Index: b/sshpty.h | ||
474 | =================================================================== | ||
475 | --- a/sshpty.h | ||
476 | +++ b/sshpty.h | ||
477 | @@ -24,4 +24,4 @@ | ||
478 | void pty_release(const char *); | ||
479 | void pty_make_controlling_tty(int *, const char *); | ||
480 | void pty_change_window_size(int, u_int, u_int, u_int, u_int); | ||
481 | -void pty_setowner(struct passwd *, const char *); | ||
482 | +void pty_setowner(struct passwd *, const char *, const char *); | ||
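Review bot: The new prototypes in port-linux.h, platform.h, session.h and sshpty.h declare the added role argument as a bare `const char *` beside other unnamed pointers (`void ssh_selinux_setup_pty(char *, const char *, const char *);`), so the declaration says neither which argument is the tty and which is the SELinux role, nor whether NULL is accepted. Every caller in this hunk passes `authctxt->role` or `s->authctxt->role`, and the code being removed guarded the global with `if (the_authctxt)`, so role presumably can be NULL when no role was requested; that contract should be stated where the parameter is introduced, e.g. `/* role: SELinux role requested at login, or NULL for the seuser's default context */` above `ssh_selinux_getctxbyname` in port-linux.c, and the headers should carry parameter names, e.g. `void ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role);`. Outside WITH_SELINUX the role parameter of `pty_setowner` and `platform_setusercontext_post_groups` is never read, which -Wextra will report as unused. The port-linux.c hunk that actually consumes role (`@@ -69,9 +75,16 @@`) is not visible in this view, so I cannot confirm that a NULL role falls back to the default-context path or that a client-supplied role is still validated against the seuser's permitted roles before it reaches setexeccon.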