Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r--debian/patches/selinux-role.patch66
1 files changed, 33 insertions, 33 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index e0ca12fb0..1fa0bf928 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001 1From c9638aa44d787849cea1ae273f0908c6313fd19b Mon Sep 17 00:00:00 2001
2From: Manoj Srivastava <srivasta@debian.org> 2From: Manoj Srivastava <srivasta@debian.org>
3Date: Sun, 9 Feb 2014 16:09:49 +0000 3Date: Sun, 9 Feb 2014 16:09:49 +0000
4Subject: Handle SELinux authorisation roles 4Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
32 16 files changed, 104 insertions(+), 31 deletions(-) 32 16 files changed, 104 insertions(+), 31 deletions(-)
33 33
34diff --git a/auth.h b/auth.h 34diff --git a/auth.h b/auth.h
35index 124e597..79e4ea5 100644 35index d081c94..f099e98 100644
36--- a/auth.h 36--- a/auth.h
37+++ b/auth.h 37+++ b/auth.h
38@@ -59,6 +59,7 @@ struct Authctxt { 38@@ -59,6 +59,7 @@ struct Authctxt {
@@ -44,10 +44,10 @@ index 124e597..79e4ea5 100644
44 char *info; /* Extra info for next auth_log */ 44 char *info; /* Extra info for next auth_log */
45 #ifdef BSD_AUTH 45 #ifdef BSD_AUTH
46diff --git a/auth1.c b/auth1.c 46diff --git a/auth1.c b/auth1.c
47index 0f870b3..c707390 100644 47index 5038828..52b17db 100644
48--- a/auth1.c 48--- a/auth1.c
49+++ b/auth1.c 49+++ b/auth1.c
50@@ -380,7 +380,7 @@ void 50@@ -381,7 +381,7 @@ void
51 do_authentication(Authctxt *authctxt) 51 do_authentication(Authctxt *authctxt)
52 { 52 {
53 u_int ulen; 53 u_int ulen;
@@ -56,7 +56,7 @@ index 0f870b3..c707390 100644
56 56
57 /* Get the name of the user that we wish to log in as. */ 57 /* Get the name of the user that we wish to log in as. */
58 packet_read_expect(SSH_CMSG_USER); 58 packet_read_expect(SSH_CMSG_USER);
59@@ -389,11 +389,17 @@ do_authentication(Authctxt *authctxt) 59@@ -390,11 +390,17 @@ do_authentication(Authctxt *authctxt)
60 user = packet_get_cstring(&ulen); 60 user = packet_get_cstring(&ulen);
61 packet_check_eom(); 61 packet_check_eom();
62 62
@@ -75,10 +75,10 @@ index 0f870b3..c707390 100644
75 /* Verify that the user is a valid user. */ 75 /* Verify that the user is a valid user. */
76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 76 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77diff --git a/auth2.c b/auth2.c 77diff --git a/auth2.c b/auth2.c
78index fbe3e1b..70f2925 100644 78index 2f0d565..fa1a588 100644
79--- a/auth2.c 79--- a/auth2.c
80+++ b/auth2.c 80+++ b/auth2.c
81@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 81@@ -217,7 +217,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
82 { 82 {
83 Authctxt *authctxt = ctxt; 83 Authctxt *authctxt = ctxt;
84 Authmethod *m = NULL; 84 Authmethod *m = NULL;
@@ -87,7 +87,7 @@ index fbe3e1b..70f2925 100644
87 int authenticated = 0; 87 int authenticated = 0;
88 88
89 if (authctxt == NULL) 89 if (authctxt == NULL)
90@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 90@@ -229,8 +229,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
91 debug("userauth-request for user %s service %s method %s", user, service, method); 91 debug("userauth-request for user %s service %s method %s", user, service, method);
92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 92 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
93 93
@@ -101,7 +101,7 @@ index fbe3e1b..70f2925 100644
101 101
102 if (authctxt->attempt++ == 0) { 102 if (authctxt->attempt++ == 0) {
103 /* setup auth context */ 103 /* setup auth context */
104@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) 104@@ -254,8 +259,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
105 use_privsep ? " [net]" : ""); 105 use_privsep ? " [net]" : "");
106 authctxt->service = xstrdup(service); 106 authctxt->service = xstrdup(service);
107 authctxt->style = style ? xstrdup(style) : NULL; 107 authctxt->style = style ? xstrdup(style) : NULL;
@@ -113,10 +113,10 @@ index fbe3e1b..70f2925 100644
113 if (auth2_setup_methods_lists(authctxt) != 0) 113 if (auth2_setup_methods_lists(authctxt) != 0)
114 packet_disconnect("no authentication methods enabled"); 114 packet_disconnect("no authentication methods enabled");
115diff --git a/monitor.c b/monitor.c 115diff --git a/monitor.c b/monitor.c
116index 2918814..11eac63 100644 116index b0896ef..94b194d 100644
117--- a/monitor.c 117--- a/monitor.c
118+++ b/monitor.c 118+++ b/monitor.c
119@@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *); 119@@ -148,6 +148,7 @@ int mm_answer_sign(int, Buffer *);
120 int mm_answer_pwnamallow(int, Buffer *); 120 int mm_answer_pwnamallow(int, Buffer *);
121 int mm_answer_auth2_read_banner(int, Buffer *); 121 int mm_answer_auth2_read_banner(int, Buffer *);
122 int mm_answer_authserv(int, Buffer *); 122 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index 2918814..11eac63 100644
124 int mm_answer_authpassword(int, Buffer *); 124 int mm_answer_authpassword(int, Buffer *);
125 int mm_answer_bsdauthquery(int, Buffer *); 125 int mm_answer_bsdauthquery(int, Buffer *);
126 int mm_answer_bsdauthrespond(int, Buffer *); 126 int mm_answer_bsdauthrespond(int, Buffer *);
127@@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = { 127@@ -229,6 +230,7 @@ struct mon_table mon_dispatch_proto20[] = {
128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, 128 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, 129 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 130 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index 2918814..11eac63 100644
132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, 132 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, 133 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134 #ifdef USE_PAM 134 #ifdef USE_PAM
135@@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m) 135@@ -841,6 +843,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136 else { 136 else {
137 /* Allow service/style information on the auth context */ 137 /* Allow service/style information on the auth context */
138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); 138 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index 2918814..11eac63 100644
140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); 140 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141 } 141 }
142 #ifdef USE_PAM 142 #ifdef USE_PAM
143@@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m) 143@@ -871,14 +874,37 @@ mm_answer_authserv(int sock, Buffer *m)
144 144
145 authctxt->service = buffer_get_string(m, NULL); 145 authctxt->service = buffer_get_string(m, NULL);
146 authctxt->style = buffer_get_string(m, NULL); 146 authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index 2918814..11eac63 100644
180 return (0); 180 return (0);
181 } 181 }
182 182
183@@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m) 183@@ -1485,7 +1511,7 @@ mm_answer_pty(int sock, Buffer *m)
184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); 184 res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185 if (res == 0) 185 if (res == 0)
186 goto error; 186 goto error;
@@ -203,10 +203,10 @@ index 7f32b0c..4d5e8fa 100644
203 203
204 struct mm_master; 204 struct mm_master;
205diff --git a/monitor_wrap.c b/monitor_wrap.c 205diff --git a/monitor_wrap.c b/monitor_wrap.c
206index 60b987d..f75dc9d 100644 206index e476f0d..6dc890a 100644
207--- a/monitor_wrap.c 207--- a/monitor_wrap.c
208+++ b/monitor_wrap.c 208+++ b/monitor_wrap.c
209@@ -318,10 +318,10 @@ mm_auth2_read_banner(void) 209@@ -324,10 +324,10 @@ mm_auth2_read_banner(void)
210 return (banner); 210 return (banner);
211 } 211 }
212 212
@@ -219,7 +219,7 @@ index 60b987d..f75dc9d 100644
219 { 219 {
220 Buffer m; 220 Buffer m;
221 221
222@@ -330,12 +330,30 @@ mm_inform_authserv(char *service, char *style) 222@@ -336,12 +336,30 @@ mm_inform_authserv(char *service, char *style)
223 buffer_init(&m); 223 buffer_init(&m);
224 buffer_put_cstring(&m, service); 224 buffer_put_cstring(&m, service);
225 buffer_put_cstring(&m, style ? style : ""); 225 buffer_put_cstring(&m, style ? style : "");
@@ -361,10 +361,10 @@ index e3d1004..80ce13a 100644
361 void ssh_selinux_setfscreatecon(const char *); 361 void ssh_selinux_setfscreatecon(const char *);
362 #endif 362 #endif
363diff --git a/platform.c b/platform.c 363diff --git a/platform.c b/platform.c
364index 30fc609..4aab9a9 100644 364index ee313da..f35ec39 100644
365--- a/platform.c 365--- a/platform.c
366+++ b/platform.c 366+++ b/platform.c
367@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw) 367@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
368 * called if sshd is running as root. 368 * called if sshd is running as root.
369 */ 369 */
370 void 370 void
@@ -373,7 +373,7 @@ index 30fc609..4aab9a9 100644
373 { 373 {
374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) 374 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375 /* 375 /*
376@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw) 376@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377 } 377 }
378 #endif /* HAVE_SETPCRED */ 378 #endif /* HAVE_SETPCRED */
379 #ifdef WITH_SELINUX 379 #ifdef WITH_SELINUX
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644
396 char *platform_krb5_get_principal_name(const char *); 396 char *platform_krb5_get_principal_name(const char *);
397 int platform_sys_dir_uid(uid_t); 397 int platform_sys_dir_uid(uid_t);
398diff --git a/session.c b/session.c 398diff --git a/session.c b/session.c
399index 2bcf818..6848df4 100644 399index 3e96557..6f389ac 100644
400--- a/session.c 400--- a/session.c
401+++ b/session.c 401+++ b/session.c
402@@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid) 402@@ -1486,7 +1486,7 @@ safely_chroot(const char *path, uid_t uid)
403 403
404 /* Set login name, uid, gid, and groups. */ 404 /* Set login name, uid, gid, and groups. */
405 void 405 void
@@ -407,8 +407,8 @@ index 2bcf818..6848df4 100644
407+do_setusercontext(struct passwd *pw, const char *role) 407+do_setusercontext(struct passwd *pw, const char *role)
408 { 408 {
409 char *chroot_path, *tmp; 409 char *chroot_path, *tmp;
410 410 #ifdef USE_LIBIAF
411@@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw) 411@@ -1517,7 +1517,7 @@ do_setusercontext(struct passwd *pw)
412 endgrent(); 412 endgrent();
413 #endif 413 #endif
414 414
@@ -417,7 +417,7 @@ index 2bcf818..6848df4 100644
417 417
418 if (options.chroot_directory != NULL && 418 if (options.chroot_directory != NULL &&
419 strcasecmp(options.chroot_directory, "none") != 0) { 419 strcasecmp(options.chroot_directory, "none") != 0) {
420@@ -1679,7 +1679,7 @@ do_child(Session *s, const char *command) 420@@ -1676,7 +1676,7 @@ do_child(Session *s, const char *command)
421 421
422 /* Force a password change */ 422 /* Force a password change */
423 if (s->authctxt->force_pwchange) { 423 if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 2bcf818..6848df4 100644
426 child_close_fds(); 426 child_close_fds();
427 do_pwchange(s); 427 do_pwchange(s);
428 exit(1); 428 exit(1);
429@@ -1706,7 +1706,7 @@ do_child(Session *s, const char *command) 429@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command)
430 /* When PAM is enabled we rely on it to do the nologin check */ 430 /* When PAM is enabled we rely on it to do the nologin check */
431 if (!options.use_pam) 431 if (!options.use_pam)
432 do_nologin(pw); 432 do_nologin(pw);
@@ -435,7 +435,7 @@ index 2bcf818..6848df4 100644
435 /* 435 /*
436 * PAM session modules in do_setusercontext may have 436 * PAM session modules in do_setusercontext may have
437 * generated messages, so if this in an interactive 437 * generated messages, so if this in an interactive
438@@ -2117,7 +2117,7 @@ session_pty_req(Session *s) 438@@ -2114,7 +2114,7 @@ session_pty_req(Session *s)
439 tty_parse_modes(s->ttyfd, &n_bytes); 439 tty_parse_modes(s->ttyfd, &n_bytes);
440 440
441 if (!use_privsep) 441 if (!use_privsep)
@@ -458,10 +458,10 @@ index 6a2f35e..ef6593c 100644
458 const char *value); 458 const char *value);
459 459
460diff --git a/sshd.c b/sshd.c 460diff --git a/sshd.c b/sshd.c
461index d787fea..e343d90 100644 461index 3a6be65..48a14dd 100644
462--- a/sshd.c 462--- a/sshd.c
463+++ b/sshd.c 463+++ b/sshd.c
464@@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt) 464@@ -772,7 +772,7 @@ privsep_postauth(Authctxt *authctxt)
465 explicit_bzero(rnd, sizeof(rnd)); 465 explicit_bzero(rnd, sizeof(rnd));
466 466
467 /* Drop privileges */ 467 /* Drop privileges */
@@ -471,10 +471,10 @@ index d787fea..e343d90 100644
471 skip: 471 skip:
472 /* It is safe now to apply the key state */ 472 /* It is safe now to apply the key state */
473diff --git a/sshpty.c b/sshpty.c 473diff --git a/sshpty.c b/sshpty.c
474index bbbc0fe..8cc26a2 100644 474index a2059b7..3512ec8 100644
475--- a/sshpty.c 475--- a/sshpty.c
476+++ b/sshpty.c 476+++ b/sshpty.c
477@@ -200,7 +200,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col, 477@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
478 } 478 }
479 479
480 void 480 void
@@ -483,7 +483,7 @@ index bbbc0fe..8cc26a2 100644
483 { 483 {
484 struct group *grp; 484 struct group *grp;
485 gid_t gid; 485 gid_t gid;
486@@ -227,7 +227,7 @@ pty_setowner(struct passwd *pw, const char *tty) 486@@ -214,7 +214,7 @@ pty_setowner(struct passwd *pw, const char *tty)
487 strerror(errno)); 487 strerror(errno));
488 488
489 #ifdef WITH_SELINUX 489 #ifdef WITH_SELINUX