1 files changed, 472 insertions, 0 deletions

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
new file mode 100644
index 000000000..5ab339ac9
--- /dev/null
+++ b/debian/patches/selinux-role.patch
@@ -0,0 +1,472 @@
+From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001
+From: Manoj Srivastava <srivasta@debian.org>
+Date: Sun, 9 Feb 2014 16:09:49 +0000
+Subject: Handle SELinux authorisation roles
+
+Rejected upstream due to discomfort with magic usernames; a better approach
+will need an SSH protocol change.  In the meantime, this came from Debian's
+SELinux maintainer, so we'll keep it until we have something better.
+
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
+Bug-Debian: http://bugs.debian.org/394795
+Last-Update: 2019-06-05
+
+Patch-Name: selinux-role.patch
+---
+ auth.h                      |  1 +
+ auth2.c                     | 10 ++++++++--
+ monitor.c                   | 37 +++++++++++++++++++++++++++++++++----
+ monitor.h                   |  2 ++
+ monitor_wrap.c              | 27 ++++++++++++++++++++++++---
+ monitor_wrap.h              |  3 ++-
+ openbsd-compat/port-linux.c | 21 ++++++++++++++-------
+ openbsd-compat/port-linux.h |  4 ++--
+ platform.c                  |  4 ++--
+ platform.h                  |  2 +-
+ session.c                   | 10 +++++-----
+ session.h                   |  2 +-
+ sshd.c                      |  2 +-
+ sshpty.c                    |  4 ++--
+ sshpty.h                    |  2 +-
+ 15 files changed, 99 insertions(+), 32 deletions(-)
+
+diff --git a/auth.h b/auth.h
+index bf393e755..8f13bdf48 100644
+--- a/auth.h
++++ b/auth.h
+@@ -65,6 +65,7 @@ struct Authctxt {
+        char            *service;
+        struct passwd   *pw;            /* set if 'valid' */
+        char            *style;
++       char            *role;
+ 
+        /* Method lists for multiple authentication */
+        char            **auth_methods; /* modified from server config */
+diff --git a/auth2.c b/auth2.c
+index 7417eafa4..d60e7f1f2 100644
+--- a/auth2.c
++++ b/auth2.c
+@@ -267,7 +267,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+ {
+        Authctxt *authctxt = ssh->authctxt;
+        Authmethod *m = NULL;
+-       char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
++       char *user = NULL, *service = NULL, *method = NULL, *style = NULL, *role = NULL;
+        int r, authenticated = 0;
+        double tstart = monotime_double();
+ 
+@@ -281,8 +281,13 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+        debug("userauth-request for user %s service %s method %s", user, service, method);
+        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ 
++       if ((role = strchr(user, '/')) != NULL)
++               *role++ = 0;
++
+        if ((style = strchr(user, ':')) != NULL)
+                *style++ = 0;
++       else if (role && (style = strchr(role, ':')) != NULL)
++               *style++ = '\0';
+ 
+        if (authctxt->attempt++ == 0) {
+                /* setup auth context */
+@@ -309,8 +314,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
+                    use_privsep ? " [net]" : "");
+                authctxt->service = xstrdup(service);
+                authctxt->style = style ? xstrdup(style) : NULL;
++               authctxt->role = role ? xstrdup(role) : NULL;
+                if (use_privsep)
+-                       mm_inform_authserv(service, style);
++                       mm_inform_authserv(service, style, role);
+                userauth_banner(ssh);
+                if (auth2_setup_methods_lists(authctxt) != 0)
+                        ssh_packet_disconnect(ssh,
+diff --git a/monitor.c b/monitor.c
+index 0766d6ef5..5f84e880d 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *);
+ int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
+ int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
++int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
+ int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
+ int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
+@@ -197,6 +198,7 @@ struct mon_table mon_dispatch_proto20[] = {
+     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
++    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
+@@ -819,6 +821,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m)
+ 
+        /* Allow service/style information on the auth context */
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
++       monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+ 
+ #ifdef USE_PAM
+@@ -852,16 +855,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m)
+        monitor_permit_authentications(1);
+ 
+        if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 ||
+-           (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0)
++           (r = sshbuf_get_cstring(m, &authctxt->style, NULL)) != 0 ||
++           (r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-       debug3("%s: service=%s, style=%s",
+-           __func__, authctxt->service, authctxt->style);
++       debug3("%s: service=%s, style=%s, role=%s",
++           __func__, authctxt->service, authctxt->style, authctxt->role);
+ 
+        if (strlen(authctxt->style) == 0) {
+                free(authctxt->style);
+                authctxt->style = NULL;
+        }
+ 
++       if (strlen(authctxt->role) == 0) {
++               free(authctxt->role);
++               authctxt->role = NULL;
++       }
++
++       return (0);
++}
++
++int
++mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
++{
++       int r;
++
++       monitor_permit_authentications(1);
++
++       if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++       debug3("%s: role=%s",
++           __func__, authctxt->role);
++
++       if (strlen(authctxt->role) == 0) {
++               free(authctxt->role);
++               authctxt->role = NULL;
++       }
++
+        return (0);
+ }
+ 
+@@ -1528,7 +1557,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m)
+        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
+        if (res == 0)
+                goto error;
+-       pty_setowner(authctxt->pw, s->tty);
++       pty_setowner(authctxt->pw, s->tty, authctxt->role);
+ 
+        if ((r = sshbuf_put_u32(m, 1)) != 0 ||
+            (r = sshbuf_put_cstring(m, s->tty)) != 0)
+diff --git a/monitor.h b/monitor.h
+index 2b1a2d590..4d87284aa 100644
+--- a/monitor.h
++++ b/monitor.h
+@@ -65,6 +65,8 @@ enum monitor_reqtype {
+ 
+        MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
+        MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
++
++       MONITOR_REQ_AUTHROLE = 154,
+ };
+ 
+ struct ssh;
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 8e4c1c1f8..6b3a6251c 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -364,10 +364,10 @@ mm_auth2_read_banner(void)
+        return (banner);
+ }
+ 
+-/* Inform the privileged process about service and style */
++/* Inform the privileged process about service, style, and role */
+ 
+ void
+-mm_inform_authserv(char *service, char *style)
++mm_inform_authserv(char *service, char *style, char *role)
+ {
+        struct sshbuf *m;
+        int r;
+@@ -377,7 +377,8 @@ mm_inform_authserv(char *service, char *style)
+        if ((m = sshbuf_new()) == NULL)
+                fatal("%s: sshbuf_new failed", __func__);
+        if ((r = sshbuf_put_cstring(m, service)) != 0 ||
+-           (r = sshbuf_put_cstring(m, style ? style : "")) != 0)
++           (r = sshbuf_put_cstring(m, style ? style : "")) != 0 ||
++           (r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+                fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+        mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m);
+@@ -385,6 +386,26 @@ mm_inform_authserv(char *service, char *style)
+        sshbuf_free(m);
+ }
+ 
++/* Inform the privileged process about role */
++
++void
++mm_inform_authrole(char *role)
++{
++       struct sshbuf *m;
++       int r;
++
++       debug3("%s entering", __func__);
++
++       if ((m = sshbuf_new()) == NULL)
++               fatal("%s: sshbuf_new failed", __func__);
++       if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
++               fatal("%s: buffer error: %s", __func__, ssh_err(r));
++
++       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
++
++       sshbuf_free(m);
++}
++
+ /* Do the password authentication */
+ int
+ mm_auth_password(struct ssh *ssh, char *password)
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 69164a8c0..3d0e32d48 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -44,7 +44,8 @@ int mm_is_monitor(void);
+ DH *mm_choose_dh(int, int, int);
+ int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
+     const u_char *, size_t, const char *, u_int compat);
+-void mm_inform_authserv(char *, char *);
++void mm_inform_authserv(char *, char *, char *);
++void mm_inform_authrole(char *);
+ struct passwd *mm_getpwnamallow(struct ssh *, const char *);
+ char *mm_auth2_read_banner(void);
+ int mm_auth_password(struct ssh *, char *);
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 622988822..3e6e07670 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -56,7 +56,7 @@ ssh_selinux_enabled(void)
+ 
+ /* Return the default security context for the given username */
+ static security_context_t
+-ssh_selinux_getctxbyname(char *pwname)
++ssh_selinux_getctxbyname(char *pwname, const char *role)
+ {
+        security_context_t sc = NULL;
+        char *sename = NULL, *lvl = NULL;
+@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname)
+ #endif
+ 
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-       r = get_default_context_with_level(sename, lvl, NULL, &sc);
++       if (role != NULL && role[0])
++               r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
++                                                      &sc);
++       else
++               r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ #else
+-       r = get_default_context(sename, NULL, &sc);
++       if (role != NULL && role[0])
++               r = get_default_context_with_role(sename, role, NULL, &sc);
++       else
++               r = get_default_context(sename, NULL, &sc);
+ #endif
+ 
+        if (r != 0) {
+@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname)
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+-ssh_selinux_setup_exec_context(char *pwname)
++ssh_selinux_setup_exec_context(char *pwname, const char *role)
+ {
+        security_context_t user_ctx = NULL;
+ 
+@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+ 
+        debug3("%s: setting execution context", __func__);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
++       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+        if (setexeccon(user_ctx) != 0) {
+                switch (security_getenforce()) {
+                case -1:
+@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+ 
+ /* Set the TTY context for the specified user */
+ void
+-ssh_selinux_setup_pty(char *pwname, const char *tty)
++ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
+ {
+        security_context_t new_tty_ctx = NULL;
+        security_context_t user_ctx = NULL;
+@@ -146,7 +153,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+ 
+        debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-       user_ctx = ssh_selinux_getctxbyname(pwname);
++       user_ctx = ssh_selinux_getctxbyname(pwname, role);
+ 
+        /* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 3c22a854d..c88129428 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -19,8 +19,8 @@
+ 
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+-void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
++void ssh_selinux_setup_pty(char *, const char *, const char *);
++void ssh_selinux_setup_exec_context(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+ #endif
+diff --git a/platform.c b/platform.c
+index 41acc9370..35654ea51 100644
+--- a/platform.c
++++ b/platform.c
+@@ -142,7 +142,7 @@ platform_setusercontext(struct passwd *pw)
+  * called if sshd is running as root.
+  */
+ void
+-platform_setusercontext_post_groups(struct passwd *pw)
++platform_setusercontext_post_groups(struct passwd *pw, const char *role)
+ {
+ #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
+        /*
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+        }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_exec_context(pw->pw_name);
++       ssh_selinux_setup_exec_context(pw->pw_name, role);
+ #endif
+ }
+ 
+diff --git a/platform.h b/platform.h
+index ea4f9c584..60d72ffe7 100644
+--- a/platform.h
++++ b/platform.h
+@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+ void platform_setusercontext(struct passwd *);
+-void platform_setusercontext_post_groups(struct passwd *);
++void platform_setusercontext_post_groups(struct passwd *, const char *);
+ char *platform_get_krb5_client(const char *);
+ char *platform_krb5_get_principal_name(const char *);
+ int platform_sys_dir_uid(uid_t);
+diff --git a/session.c b/session.c
+index ac3d9d19d..d87ea4d44 100644
+--- a/session.c
++++ b/session.c
+@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
+ 
+ /* Set login name, uid, gid, and groups. */
+ void
+-do_setusercontext(struct passwd *pw)
++do_setusercontext(struct passwd *pw, const char *role)
+ {
+        char uidstr[32], *chroot_path, *tmp;
+ 
+@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw)
+                endgrent();
+ #endif
+ 
+-               platform_setusercontext_post_groups(pw);
++               platform_setusercontext_post_groups(pw, role);
+ 
+                if (!in_chroot && options.chroot_directory != NULL &&
+                    strcasecmp(options.chroot_directory, "none") != 0) {
+@@ -1525,7 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+ 
+        /* Force a password change */
+        if (s->authctxt->force_pwchange) {
+-               do_setusercontext(pw);
++               do_setusercontext(pw, s->authctxt->role);
+                child_close_fds(ssh);
+                do_pwchange(s);
+                exit(1);
+@@ -1543,7 +1543,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
+        /* When PAM is enabled we rely on it to do the nologin check */
+        if (!options.use_pam)
+                do_nologin(pw);
+-       do_setusercontext(pw);
++       do_setusercontext(pw, s->authctxt->role);
+        /*
+         * PAM session modules in do_setusercontext may have
+         * generated messages, so if this in an interactive
+@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh *ssh, Session *s)
+                sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
+ 
+        if (!use_privsep)
+-               pty_setowner(s->pw, s->tty);
++               pty_setowner(s->pw, s->tty, s->authctxt->role);
+ 
+        /* Set window size from the packet. */
+        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
+diff --git a/session.h b/session.h
+index ce59dabd9..675c91146 100644
+--- a/session.h
++++ b/session.h
+@@ -77,7 +77,7 @@ void   session_pty_cleanup2(Session *);
+ Session        *session_new(void);
+ Session        *session_by_tty(char *);
+ void    session_close(struct ssh *, Session *);
+-void    do_setusercontext(struct passwd *);
++void    do_setusercontext(struct passwd *, const char *);
+ 
+ const char     *session_get_remote_name_or_ip(struct ssh *, u_int, int);
+ 
+diff --git a/sshd.c b/sshd.c
+index 46870d3b5..e3e96426e 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -594,7 +594,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
+        reseed_prngs();
+ 
+        /* Drop privileges */
+-       do_setusercontext(authctxt->pw);
++       do_setusercontext(authctxt->pw, authctxt->role);
+ 
+  skip:
+        /* It is safe now to apply the key state */
+diff --git a/sshpty.c b/sshpty.c
+index 4da84d05f..676ade50e 100644
+--- a/sshpty.c
++++ b/sshpty.c
+@@ -162,7 +162,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
+ }
+ 
+ void
+-pty_setowner(struct passwd *pw, const char *tty)
++pty_setowner(struct passwd *pw, const char *tty, const char *role)
+ {
+        struct group *grp;
+        gid_t gid;
+@@ -184,7 +184,7 @@ pty_setowner(struct passwd *pw, const char *tty)
+                    strerror(errno));
+ 
+ #ifdef WITH_SELINUX
+-       ssh_selinux_setup_pty(pw->pw_name, tty);
++       ssh_selinux_setup_pty(pw->pw_name, tty, role);
+ #endif
+ 
+        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
+diff --git a/sshpty.h b/sshpty.h
+index 9ec7e9a15..de7e000ae 100644
+--- a/sshpty.h
++++ b/sshpty.h
+@@ -24,5 +24,5 @@ int    pty_allocate(int *, int *, char *, size_t);
+ void    pty_release(const char *);
+ void    pty_make_controlling_tty(int *, const char *);
+ void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
+-void    pty_setowner(struct passwd *, const char *);
++void    pty_setowner(struct passwd *, const char *, const char *);
+ void    disconnect_controlling_tty(void);