Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 50 |
1 files changed, 25 insertions, 25 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 95d582067..269a87c76 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch | |||
@@ -1,4 +1,4 @@ | |||
1 | From 03979f2e0768e146d179c66f2d2e33afe61c1be3 Mon Sep 17 00:00:00 2001 | 1 | From cf3f6ac19812e4d32874304b3854b055831c2124 Mon Sep 17 00:00:00 2001 |
2 | From: Manoj Srivastava <srivasta@debian.org> | 2 | From: Manoj Srivastava <srivasta@debian.org> |
3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 | 3 | Date: Sun, 9 Feb 2014 16:09:49 +0000 |
4 | Subject: Handle SELinux authorisation roles | 4 | Subject: Handle SELinux authorisation roles |
@@ -43,7 +43,7 @@ index 977562f0a..90802a5eb 100644 | |||
43 | /* Method lists for multiple authentication */ | 43 | /* Method lists for multiple authentication */ |
44 | char **auth_methods; /* modified from server config */ | 44 | char **auth_methods; /* modified from server config */ |
45 | diff --git a/auth2.c b/auth2.c | 45 | diff --git a/auth2.c b/auth2.c |
46 | index 96efe164c..90a247c1c 100644 | 46 | index a77742819..3035926ba 100644 |
47 | --- a/auth2.c | 47 | --- a/auth2.c |
48 | +++ b/auth2.c | 48 | +++ b/auth2.c |
49 | @@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) | 49 | @@ -257,7 +257,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) |
@@ -81,10 +81,10 @@ index 96efe164c..90a247c1c 100644 | |||
81 | if (auth2_setup_methods_lists(authctxt) != 0) | 81 | if (auth2_setup_methods_lists(authctxt) != 0) |
82 | packet_disconnect("no authentication methods enabled"); | 82 | packet_disconnect("no authentication methods enabled"); |
83 | diff --git a/monitor.c b/monitor.c | 83 | diff --git a/monitor.c b/monitor.c |
84 | index 4e574a2ae..c1e7e9b80 100644 | 84 | index eabc1e89b..08fddabd7 100644 |
85 | --- a/monitor.c | 85 | --- a/monitor.c |
86 | +++ b/monitor.c | 86 | +++ b/monitor.c |
87 | @@ -115,6 +115,7 @@ int mm_answer_sign(int, struct sshbuf *); | 87 | @@ -117,6 +117,7 @@ int mm_answer_sign(int, struct sshbuf *); |
88 | int mm_answer_pwnamallow(int, struct sshbuf *); | 88 | int mm_answer_pwnamallow(int, struct sshbuf *); |
89 | int mm_answer_auth2_read_banner(int, struct sshbuf *); | 89 | int mm_answer_auth2_read_banner(int, struct sshbuf *); |
90 | int mm_answer_authserv(int, struct sshbuf *); | 90 | int mm_answer_authserv(int, struct sshbuf *); |
@@ -92,7 +92,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
92 | int mm_answer_authpassword(int, struct sshbuf *); | 92 | int mm_answer_authpassword(int, struct sshbuf *); |
93 | int mm_answer_bsdauthquery(int, struct sshbuf *); | 93 | int mm_answer_bsdauthquery(int, struct sshbuf *); |
94 | int mm_answer_bsdauthrespond(int, struct sshbuf *); | 94 | int mm_answer_bsdauthrespond(int, struct sshbuf *); |
95 | @@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = { | 95 | @@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { |
96 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, | 96 | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
97 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, | 97 | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
98 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, | 98 | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
@@ -100,7 +100,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, | 100 | {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, |
101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, | 101 | {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, |
102 | #ifdef USE_PAM | 102 | #ifdef USE_PAM |
103 | @@ -813,6 +815,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) | 103 | @@ -817,6 +819,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) |
104 | 104 | ||
105 | /* Allow service/style information on the auth context */ | 105 | /* Allow service/style information on the auth context */ |
106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); | 106 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
@@ -108,7 +108,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); | 108 | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
109 | 109 | ||
110 | #ifdef USE_PAM | 110 | #ifdef USE_PAM |
111 | @@ -846,16 +849,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) | 111 | @@ -850,16 +853,42 @@ mm_answer_authserv(int sock, struct sshbuf *m) |
112 | monitor_permit_authentications(1); | 112 | monitor_permit_authentications(1); |
113 | 113 | ||
114 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || | 114 | if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || |
@@ -154,7 +154,7 @@ index 4e574a2ae..c1e7e9b80 100644 | |||
154 | return (0); | 154 | return (0); |
155 | } | 155 | } |
156 | 156 | ||
157 | @@ -1497,7 +1526,7 @@ mm_answer_pty(int sock, struct sshbuf *m) | 157 | @@ -1501,7 +1530,7 @@ mm_answer_pty(int sock, struct sshbuf *m) |
158 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 158 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
159 | if (res == 0) | 159 | if (res == 0) |
160 | goto error; | 160 | goto error; |
@@ -245,10 +245,10 @@ index 7f93144ff..79e78cc90 100644 | |||
245 | char *mm_auth2_read_banner(void); | 245 | char *mm_auth2_read_banner(void); |
246 | int mm_auth_password(struct ssh *, char *); | 246 | int mm_auth_password(struct ssh *, char *); |
247 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c | 247 | diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c |
248 | index 8c5325cc3..9fdda664f 100644 | 248 | index 622988822..3e6e07670 100644 |
249 | --- a/openbsd-compat/port-linux.c | 249 | --- a/openbsd-compat/port-linux.c |
250 | +++ b/openbsd-compat/port-linux.c | 250 | +++ b/openbsd-compat/port-linux.c |
251 | @@ -55,7 +55,7 @@ ssh_selinux_enabled(void) | 251 | @@ -56,7 +56,7 @@ ssh_selinux_enabled(void) |
252 | 252 | ||
253 | /* Return the default security context for the given username */ | 253 | /* Return the default security context for the given username */ |
254 | static security_context_t | 254 | static security_context_t |
@@ -257,7 +257,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
257 | { | 257 | { |
258 | security_context_t sc = NULL; | 258 | security_context_t sc = NULL; |
259 | char *sename = NULL, *lvl = NULL; | 259 | char *sename = NULL, *lvl = NULL; |
260 | @@ -70,9 +70,16 @@ ssh_selinux_getctxbyname(char *pwname) | 260 | @@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname) |
261 | #endif | 261 | #endif |
262 | 262 | ||
263 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 263 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
@@ -276,7 +276,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
276 | #endif | 276 | #endif |
277 | 277 | ||
278 | if (r != 0) { | 278 | if (r != 0) { |
279 | @@ -102,7 +109,7 @@ ssh_selinux_getctxbyname(char *pwname) | 279 | @@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname) |
280 | 280 | ||
281 | /* Set the execution context to the default for the specified user */ | 281 | /* Set the execution context to the default for the specified user */ |
282 | void | 282 | void |
@@ -285,7 +285,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
285 | { | 285 | { |
286 | security_context_t user_ctx = NULL; | 286 | security_context_t user_ctx = NULL; |
287 | 287 | ||
288 | @@ -111,7 +118,7 @@ ssh_selinux_setup_exec_context(char *pwname) | 288 | @@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
289 | 289 | ||
290 | debug3("%s: setting execution context", __func__); | 290 | debug3("%s: setting execution context", __func__); |
291 | 291 | ||
@@ -294,7 +294,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
294 | if (setexeccon(user_ctx) != 0) { | 294 | if (setexeccon(user_ctx) != 0) { |
295 | switch (security_getenforce()) { | 295 | switch (security_getenforce()) { |
296 | case -1: | 296 | case -1: |
297 | @@ -133,7 +140,7 @@ ssh_selinux_setup_exec_context(char *pwname) | 297 | @@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname) |
298 | 298 | ||
299 | /* Set the TTY context for the specified user */ | 299 | /* Set the TTY context for the specified user */ |
300 | void | 300 | void |
@@ -303,7 +303,7 @@ index 8c5325cc3..9fdda664f 100644 | |||
303 | { | 303 | { |
304 | security_context_t new_tty_ctx = NULL; | 304 | security_context_t new_tty_ctx = NULL; |
305 | security_context_t user_ctx = NULL; | 305 | security_context_t user_ctx = NULL; |
306 | @@ -145,7 +152,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | 306 | @@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) |
307 | 307 | ||
308 | debug3("%s: setting TTY context on %s", __func__, tty); | 308 | debug3("%s: setting TTY context on %s", __func__, tty); |
309 | 309 | ||
@@ -363,10 +363,10 @@ index ea4f9c584..60d72ffe7 100644 | |||
363 | char *platform_krb5_get_principal_name(const char *); | 363 | char *platform_krb5_get_principal_name(const char *); |
364 | int platform_sys_dir_uid(uid_t); | 364 | int platform_sys_dir_uid(uid_t); |
365 | diff --git a/session.c b/session.c | 365 | diff --git a/session.c b/session.c |
366 | index f2cf52006..d5d2e94b0 100644 | 366 | index 2d0958d11..19f38637e 100644 |
367 | --- a/session.c | 367 | --- a/session.c |
368 | +++ b/session.c | 368 | +++ b/session.c |
369 | @@ -1378,7 +1378,7 @@ safely_chroot(const char *path, uid_t uid) | 369 | @@ -1380,7 +1380,7 @@ safely_chroot(const char *path, uid_t uid) |
370 | 370 | ||
371 | /* Set login name, uid, gid, and groups. */ | 371 | /* Set login name, uid, gid, and groups. */ |
372 | void | 372 | void |
@@ -375,7 +375,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
375 | { | 375 | { |
376 | char uidstr[32], *chroot_path, *tmp; | 376 | char uidstr[32], *chroot_path, *tmp; |
377 | 377 | ||
378 | @@ -1406,7 +1406,7 @@ do_setusercontext(struct passwd *pw) | 378 | @@ -1408,7 +1408,7 @@ do_setusercontext(struct passwd *pw) |
379 | endgrent(); | 379 | endgrent(); |
380 | #endif | 380 | #endif |
381 | 381 | ||
@@ -384,7 +384,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
384 | 384 | ||
385 | if (!in_chroot && options.chroot_directory != NULL && | 385 | if (!in_chroot && options.chroot_directory != NULL && |
386 | strcasecmp(options.chroot_directory, "none") != 0) { | 386 | strcasecmp(options.chroot_directory, "none") != 0) { |
387 | @@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | 387 | @@ -1547,7 +1547,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
388 | 388 | ||
389 | /* Force a password change */ | 389 | /* Force a password change */ |
390 | if (s->authctxt->force_pwchange) { | 390 | if (s->authctxt->force_pwchange) { |
@@ -393,7 +393,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
393 | child_close_fds(ssh); | 393 | child_close_fds(ssh); |
394 | do_pwchange(s); | 394 | do_pwchange(s); |
395 | exit(1); | 395 | exit(1); |
396 | @@ -1563,7 +1563,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) | 396 | @@ -1565,7 +1565,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) |
397 | /* When PAM is enabled we rely on it to do the nologin check */ | 397 | /* When PAM is enabled we rely on it to do the nologin check */ |
398 | if (!options.use_pam) | 398 | if (!options.use_pam) |
399 | do_nologin(pw); | 399 | do_nologin(pw); |
@@ -402,7 +402,7 @@ index f2cf52006..d5d2e94b0 100644 | |||
402 | /* | 402 | /* |
403 | * PAM session modules in do_setusercontext may have | 403 | * PAM session modules in do_setusercontext may have |
404 | * generated messages, so if this in an interactive | 404 | * generated messages, so if this in an interactive |
405 | @@ -1953,7 +1953,7 @@ session_pty_req(struct ssh *ssh, Session *s) | 405 | @@ -1955,7 +1955,7 @@ session_pty_req(struct ssh *ssh, Session *s) |
406 | ssh_tty_parse_modes(ssh, s->ttyfd); | 406 | ssh_tty_parse_modes(ssh, s->ttyfd); |
407 | 407 | ||
408 | if (!use_privsep) | 408 | if (!use_privsep) |
@@ -412,10 +412,10 @@ index f2cf52006..d5d2e94b0 100644 | |||
412 | /* Set window size from the packet. */ | 412 | /* Set window size from the packet. */ |
413 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); | 413 | pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); |
414 | diff --git a/session.h b/session.h | 414 | diff --git a/session.h b/session.h |
415 | index 54dd1f0ca..8535ebcef 100644 | 415 | index ce59dabd9..675c91146 100644 |
416 | --- a/session.h | 416 | --- a/session.h |
417 | +++ b/session.h | 417 | +++ b/session.h |
418 | @@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *); | 418 | @@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *); |
419 | Session *session_new(void); | 419 | Session *session_new(void); |
420 | Session *session_by_tty(char *); | 420 | Session *session_by_tty(char *); |
421 | void session_close(struct ssh *, Session *); | 421 | void session_close(struct ssh *, Session *); |
@@ -425,10 +425,10 @@ index 54dd1f0ca..8535ebcef 100644 | |||
425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); | 425 | const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); |
426 | 426 | ||
427 | diff --git a/sshd.c b/sshd.c | 427 | diff --git a/sshd.c b/sshd.c |
428 | index 71c360da0..92d15c82d 100644 | 428 | index 673db87f6..2bc6679e5 100644 |
429 | --- a/sshd.c | 429 | --- a/sshd.c |
430 | +++ b/sshd.c | 430 | +++ b/sshd.c |
431 | @@ -684,7 +684,7 @@ privsep_postauth(Authctxt *authctxt) | 431 | @@ -683,7 +683,7 @@ privsep_postauth(Authctxt *authctxt) |
432 | reseed_prngs(); | 432 | reseed_prngs(); |
433 | 433 | ||
434 | /* Drop privileges */ | 434 | /* Drop privileges */ |