1 files changed, 60 insertions, 91 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index bcb61480d..9ab9394b3 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 7a7851c903e5dbb58a85014deb2c88cb718068c9 Mon Sep 17 00:00:00 2001
+From 5e4ebd6472d995738a2c67d618c4bd1ee2c00968 Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -14,7 +14,6 @@ Last-Update: 2015-08-19
 Patch-Name: selinux-role.patch
 ---
 auth.h                      |  1 +
- auth1.c                     |  8 +++++++-
 auth2.c                     | 10 ++++++++--
 monitor.c                   | 32 +++++++++++++++++++++++++++++---
 monitor.h                   |  2 ++
@@ -29,10 +28,10 @@ Patch-Name: selinux-role.patch
 sshd.c                      |  2 +-
 sshpty.c                    |  4 ++--
 sshpty.h                    |  2 +-
- 16 files changed, 104 insertions(+), 31 deletions(-)
+ 15 files changed, 97 insertions(+), 30 deletions(-)
 diff --git a/auth.h b/auth.h
-index 55170af..50baeaa 100644
+index 338a62da..8c658d16 100644
 --- a/auth.h
 +++ b/auth.h
 @@ -62,6 +62,7 @@ struct Authctxt {
@@ -43,39 +42,8 @@ index 55170af..50baeaa 100644
        void            *kbdintctxt;
        char            *info;          /* Extra info for next auth_log */
 #ifdef BSD_AUTH
-diff --git a/auth1.c b/auth1.c
-index 5073c49..dd00648 100644
--- a/auth1.c
-+++ b/auth1.c
-@@ -383,7 +383,7 @@ void
- do_authentication(Authctxt *authctxt)
- {
-        u_int ulen;
-       char *user, *style = NULL;
-+       char *user, *style = NULL, *role = NULL;
- 
-        /* Get the name of the user that we wish to log in as. */
-        packet_read_expect(SSH_CMSG_USER);
-@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
-        user = packet_get_cstring(&ulen);
-        packet_check_eom();
- 
-+       if ((role = strchr(user, '/')) != NULL)
-+               *role++ = '\0';
-+
-        if ((style = strchr(user, ':')) != NULL)
-                *style++ = '\0';
-+       else if (role && (style = strchr(role, ':')) != NULL)
-+               *style++ = '\0';
- 
-        authctxt->user = user;
-        authctxt->style = style;
-+       authctxt->role = role;
- 
-        /* Verify that the user is a valid user. */
-        if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
 diff --git a/auth2.c b/auth2.c
-index ce0d376..461311b 100644
+index ce0d3760..461311bd 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -113,10 +81,10 @@ index ce0d376..461311b 100644
                if (auth2_setup_methods_lists(authctxt) != 0)
                        packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index 05bb48a..e91054e 100644
+index 76d9e346..64286a12 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *);
+@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@@ -124,7 +92,7 @@ index 05bb48a..e91054e 100644
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -209,6 +210,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,15 +100,15 @@ index 05bb48a..e91054e 100644
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -880,6 +882,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
-        else {
+ 
-                /* Allow service/style information on the auth context */
+        /* Allow service/style information on the auth context */
-                monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
-+               monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+       monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
-                monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
+        monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
-        }
+ 
 #ifdef USE_PAM
-@@ -910,14 +913,37 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m)
 
        authctxt->service = buffer_get_string(m, NULL);
        authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +148,7 @@ index 05bb48a..e91054e 100644
        return (0);
 }
 
-@@ -1553,7 +1579,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m)
        res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
        if (res == 0)
                goto error;
@@ -190,7 +158,7 @@ index 05bb48a..e91054e 100644
        buffer_put_int(m, 1);
        buffer_put_cstring(m, s->tty);
 diff --git a/monitor.h b/monitor.h
-index bc50ade..2d82b8b 100644
+index ec41404c..4c7955d7 100644
 --- a/monitor.h
 +++ b/monitor.h
 @@ -68,6 +68,8 @@ enum monitor_reqtype {
@@ -201,12 +169,12 @@ index bc50ade..2d82b8b 100644
 +
 };
 
- struct mm_master;
+ struct monitor {
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 5a9f1b5..11e3a69 100644
+index d5cb640a..2ff8064a 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -328,10 +328,10 @@ mm_auth2_read_banner(void)
+@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
        return (banner);
 }
 
@@ -219,7 +187,7 @@ index 5a9f1b5..11e3a69 100644
 {
        Buffer m;
 
-@@ -340,12 +340,30 @@ mm_inform_authserv(char *service, char *style)
+@@ -339,12 +339,30 @@ mm_inform_authserv(char *service, char *style)
        buffer_init(&m);
        buffer_put_cstring(&m, service);
        buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +219,7 @@ index 5a9f1b5..11e3a69 100644
 int
 mm_auth_password(Authctxt *authctxt, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index b5414c2..d5b3334 100644
+index 8f9dd896..3e75867c 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
@@ -265,10 +233,10 @@ index b5414c2..d5b3334 100644
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
 diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index f36999d..f9cdc15 100644
+index e4c5d1b7..e26faf08 100644
 --- a/openbsd-compat/port-linux.c
 +++ b/openbsd-compat/port-linux.c
-@@ -29,6 +29,12 @@
+@@ -27,6 +27,12 @@
 #include <string.h>
 #include <stdio.h>
 
@@ -281,7 +249,7 @@ index f36999d..f9cdc15 100644
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
-@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
+@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
 
 /* Return the default security context for the given username */
 static security_context_t
@@ -290,7 +258,7 @@ index f36999d..f9cdc15 100644
 {
        security_context_t sc = NULL;
        char *sename = NULL, *lvl = NULL;
-@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
 #endif
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -309,7 +277,7 @@ index f36999d..f9cdc15 100644
 #endif
 
        if (r != 0) {
-@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
 
 /* Set the execution context to the default for the specified user */
 void
@@ -318,7 +286,7 @@ index f36999d..f9cdc15 100644
 {
        security_context_t user_ctx = NULL;
 
-@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
        debug3("%s: setting execution context", __func__);
 
@@ -327,7 +295,7 @@ index f36999d..f9cdc15 100644
        if (setexeccon(user_ctx) != 0) {
                switch (security_getenforce()) {
                case -1:
-@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)
+@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 /* Set the TTY context for the specified user */
 void
@@ -336,7 +304,7 @@ index f36999d..f9cdc15 100644
 {
        security_context_t new_tty_ctx = NULL;
        security_context_t user_ctx = NULL;
-@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 
        debug3("%s: setting TTY context on %s", __func__, tty);
 
@@ -346,10 +314,10 @@ index f36999d..f9cdc15 100644
        /* XXX: should these calls fatal() upon failure in enforcing mode? */
 
 diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index e3d1004..80ce13a 100644
+index 3c22a854..c8812942 100644
 --- a/openbsd-compat/port-linux.h
 +++ b/openbsd-compat/port-linux.h
-@@ -21,8 +21,8 @@
+@@ -19,8 +19,8 @@
 
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
@@ -361,10 +329,10 @@ index e3d1004..80ce13a 100644
 void ssh_selinux_setfscreatecon(const char *);
 #endif
 diff --git a/platform.c b/platform.c
-index acf8554..4831706 100644
+index 973a63e4..cd7bf566 100644
 --- a/platform.c
 +++ b/platform.c
-@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *pw)
+@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
  * called if sshd is running as root.
  */
 void
@@ -373,7 +341,7 @@ index acf8554..4831706 100644
 {
 #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
        /*
-@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
        }
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
@@ -383,10 +351,10 @@ index acf8554..4831706 100644
 }
 
 diff --git a/platform.h b/platform.h
-index e97ecd9..5b72304 100644
+index ea4f9c58..60d72ffe 100644
 --- a/platform.h
 +++ b/platform.h
-@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);
+@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
 void platform_post_fork_child(void);
 int  platform_privileged_uidswap(void);
 void platform_setusercontext(struct passwd *);
@@ -396,10 +364,10 @@ index e97ecd9..5b72304 100644
 char *platform_krb5_get_principal_name(const char *);
 int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 2235f26..6dfcf84 100644
+index a08aa69d..ea3871eb 100644
 --- a/session.c
 +++ b/session.c
-@@ -1517,7 +1517,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
@@ -408,7 +376,7 @@ index 2235f26..6dfcf84 100644
 {
        char *chroot_path, *tmp;
 
-@@ -1545,7 +1545,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
                endgrent();
 #endif
 
@@ -417,7 +385,7 @@ index 2235f26..6dfcf84 100644
 
                if (!in_chroot && options.chroot_directory != NULL &&
                    strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1703,7 +1703,7 @@ do_child(Session *s, const char *command)
+@@ -1489,7 +1489,7 @@ do_child(Session *s, const char *command)
 
        /* Force a password change */
        if (s->authctxt->force_pwchange) {
@@ -426,16 +394,16 @@ index 2235f26..6dfcf84 100644
                child_close_fds();
                do_pwchange(s);
                exit(1);
-@@ -1730,7 +1730,7 @@ do_child(Session *s, const char *command)
+@@ -1511,7 +1511,7 @@ do_child(Session *s, const char *command)
-                /* When PAM is enabled we rely on it to do the nologin check */
+        /* When PAM is enabled we rely on it to do the nologin check */
-                if (!options.use_pam)
+        if (!options.use_pam)
-                        do_nologin(pw);
+                do_nologin(pw);
-               do_setusercontext(pw);
+-       do_setusercontext(pw);
-+               do_setusercontext(pw, s->authctxt->role);
+       do_setusercontext(pw, s->authctxt->role);
-                /*
+        /*
-                 * PAM session modules in do_setusercontext may have
+         * PAM session modules in do_setusercontext may have
-                 * generated messages, so if this in an interactive
+         * generated messages, so if this in an interactive
-@@ -2141,7 +2141,7 @@ session_pty_req(Session *s)
+@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
        tty_parse_modes(s->ttyfd, &n_bytes);
 
        if (!use_privsep)
@@ -445,10 +413,10 @@ index 2235f26..6dfcf84 100644
        /* Set window size from the packet. */
        pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
 diff --git a/session.h b/session.h
-index f18eaf3..2b7d939 100644
+index 98e1dafe..0a31dce4 100644
 --- a/session.h
 +++ b/session.h
-@@ -77,7 +77,7 @@ void   session_pty_cleanup2(Session *);
+@@ -76,7 +76,7 @@ void   session_pty_cleanup2(Session *);
 Session        *session_new(void);
 Session        *session_by_tty(char *);
 void    session_close(Session *);
@@ -458,11 +426,11 @@ index f18eaf3..2b7d939 100644
                       const char *value);
 
 diff --git a/sshd.c b/sshd.c
-index 982e545..76306da 100644
+index 4f791b92..5a3f796d 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -787,7 +787,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
-        explicit_bzero(rnd, sizeof(rnd));
+        reseed_prngs();
 
        /* Drop privileges */
 -       do_setusercontext(authctxt->pw);
@@ -471,7 +439,7 @@ index 982e545..76306da 100644
  skip:
        /* It is safe now to apply the key state */
 diff --git a/sshpty.c b/sshpty.c
-index 15da8c6..e89efb7 100644
+index fe2fb5aa..feb22b06 100644
 --- a/sshpty.c
 +++ b/sshpty.c
 @@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -493,12 +461,13 @@ index 15da8c6..e89efb7 100644
 
        if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
 diff --git a/sshpty.h b/sshpty.h
-index cfa3224..edf2436 100644
+index 9ec7e9a1..de7e000a 100644
 --- a/sshpty.h
 +++ b/sshpty.h
-@@ -24,4 +24,4 @@ int    pty_allocate(int *, int *, char *, size_t);
+@@ -24,5 +24,5 @@ int    pty_allocate(int *, int *, char *, size_t);
 void    pty_release(const char *);
 void    pty_make_controlling_tty(int *, const char *);
 void    pty_change_window_size(int, u_int, u_int, u_int, u_int);
 -void    pty_setowner(struct passwd *, const char *);
 +void    pty_setowner(struct passwd *, const char *, const char *);
+ void    disconnect_controlling_tty(void);

diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index bcb61480d..9ab9394b3 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
1	From 7a7851c903e5dbb58a85014deb2c88cb718068c9 Mon Sep 17 00:00:00 2001	1	From 5e4ebd6472d995738a2c67d618c4bd1ee2c00968 Mon Sep 17 00:00:00 2001
2	From: Manoj Srivastava <srivasta@debian.org>	2	From: Manoj Srivastava <srivasta@debian.org>
3	Date: Sun, 9 Feb 2014 16:09:49 +0000	3	Date: Sun, 9 Feb 2014 16:09:49 +0000
4	Subject: Handle SELinux authorisation roles	4	Subject: Handle SELinux authorisation roles
@@ -14,7 +14,6 @@ Last-Update: 2015-08-19
14	Patch-Name: selinux-role.patch	14	Patch-Name: selinux-role.patch
15	---	15	---
16	auth.h \| 1 +	16	auth.h \| 1 +
17	auth1.c \| 8 +++++++-
18	auth2.c \| 10 ++++++++--	17	auth2.c \| 10 ++++++++--
19	monitor.c \| 32 +++++++++++++++++++++++++++++---	18	monitor.c \| 32 +++++++++++++++++++++++++++++---
20	monitor.h \| 2 ++	19	monitor.h \| 2 ++
@@ -29,10 +28,10 @@ Patch-Name: selinux-role.patch
29	sshd.c \| 2 +-	28	sshd.c \| 2 +-
30	sshpty.c \| 4 ++--	29	sshpty.c \| 4 ++--
31	sshpty.h \| 2 +-	30	sshpty.h \| 2 +-
32	16 files changed, 104 insertions(+), 31 deletions(-)	31	15 files changed, 97 insertions(+), 30 deletions(-)
33		32
34	diff --git a/auth.h b/auth.h	33	diff --git a/auth.h b/auth.h
35	index 55170af..50baeaa 100644	34	index 338a62da..8c658d16 100644
36	--- a/auth.h	35	--- a/auth.h
37	+++ b/auth.h	36	+++ b/auth.h
38	@@ -62,6 +62,7 @@ struct Authctxt {	37	@@ -62,6 +62,7 @@ struct Authctxt {
@@ -43,39 +42,8 @@ index 55170af..50baeaa 100644
43	void *kbdintctxt;	42	void *kbdintctxt;
44	char info; / Extra info for next auth_log */	43	char info; / Extra info for next auth_log */
45	#ifdef BSD_AUTH	44	#ifdef BSD_AUTH
46	diff --git a/auth1.c b/auth1.c
47	index 5073c49..dd00648 100644
48	--- a/auth1.c
49	+++ b/auth1.c
50	@@ -383,7 +383,7 @@ void
51	do_authentication(Authctxt *authctxt)
52	{
53	u_int ulen;
54	- char user, style = NULL;
55	+ char user, style = NULL, *role = NULL;
56
57	/* Get the name of the user that we wish to log in as. */
58	packet_read_expect(SSH_CMSG_USER);
59	@@ -392,11 +392,17 @@ do_authentication(Authctxt *authctxt)
60	user = packet_get_cstring(&ulen);
61	packet_check_eom();
62
63	+ if ((role = strchr(user, '/')) != NULL)
64	+ *role++ = '\0';
65	+
66	if ((style = strchr(user, ':')) != NULL)
67	*style++ = '\0';
68	+ else if (role && (style = strchr(role, ':')) != NULL)
69	+ *style++ = '\0';
70
71	authctxt->user = user;
72	authctxt->style = style;
73	+ authctxt->role = role;
74
75	/* Verify that the user is a valid user. */
76	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
77	diff --git a/auth2.c b/auth2.c	45	diff --git a/auth2.c b/auth2.c
78	index ce0d376..461311b 100644	46	index ce0d3760..461311bd 100644
79	--- a/auth2.c	47	--- a/auth2.c
80	+++ b/auth2.c	48	+++ b/auth2.c
81	@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)	49	@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
@@ -113,10 +81,10 @@ index ce0d376..461311b 100644
113	if (auth2_setup_methods_lists(authctxt) != 0)	81	if (auth2_setup_methods_lists(authctxt) != 0)
114	packet_disconnect("no authentication methods enabled");	82	packet_disconnect("no authentication methods enabled");
115	diff --git a/monitor.c b/monitor.c	83	diff --git a/monitor.c b/monitor.c
116	index 05bb48a..e91054e 100644	84	index 76d9e346..64286a12 100644
117	--- a/monitor.c	85	--- a/monitor.c
118	+++ b/monitor.c	86	+++ b/monitor.c
119	@@ -128,6 +128,7 @@ int mm_answer_sign(int, Buffer *);	87	@@ -127,6 +127,7 @@ int mm_answer_sign(int, Buffer *);
120	int mm_answer_pwnamallow(int, Buffer *);	88	int mm_answer_pwnamallow(int, Buffer *);
121	int mm_answer_auth2_read_banner(int, Buffer *);	89	int mm_answer_auth2_read_banner(int, Buffer *);
122	int mm_answer_authserv(int, Buffer *);	90	int mm_answer_authserv(int, Buffer *);
@@ -124,7 +92,7 @@ index 05bb48a..e91054e 100644
124	int mm_answer_authpassword(int, Buffer *);	92	int mm_answer_authpassword(int, Buffer *);
125	int mm_answer_bsdauthquery(int, Buffer *);	93	int mm_answer_bsdauthquery(int, Buffer *);
126	int mm_answer_bsdauthrespond(int, Buffer *);	94	int mm_answer_bsdauthrespond(int, Buffer *);
127	@@ -209,6 +210,7 @@ struct mon_table mon_dispatch_proto20[] = {	95	@@ -204,6 +205,7 @@ struct mon_table mon_dispatch_proto20[] = {
128	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},	96	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
129	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},	97	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
130	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},	98	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,15 +100,15 @@ index 05bb48a..e91054e 100644
132	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},	100	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
133	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},	101	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
134	#ifdef USE_PAM	102	#ifdef USE_PAM
135	@@ -880,6 +882,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)	103	@@ -786,6 +788,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
136	else {	104
137	/* Allow service/style information on the auth context */	105	/* Allow service/style information on the auth context */
138	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);	106	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
139	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);	107	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
140	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);	108	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
141	}	109
142	#ifdef USE_PAM	110	#ifdef USE_PAM
143	@@ -910,14 +913,37 @@ mm_answer_authserv(int sock, Buffer *m)	111	@@ -816,14 +819,37 @@ mm_answer_authserv(int sock, Buffer *m)
144		112
145	authctxt->service = buffer_get_string(m, NULL);	113	authctxt->service = buffer_get_string(m, NULL);
146	authctxt->style = buffer_get_string(m, NULL);	114	authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +148,7 @@ index 05bb48a..e91054e 100644
180	return (0);	148	return (0);
181	}	149	}
182		150
183	@@ -1553,7 +1579,7 @@ mm_answer_pty(int sock, Buffer *m)	151	@@ -1458,7 +1484,7 @@ mm_answer_pty(int sock, Buffer *m)
184	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));	152	res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
185	if (res == 0)	153	if (res == 0)
186	goto error;	154	goto error;
@@ -190,7 +158,7 @@ index 05bb48a..e91054e 100644
190	buffer_put_int(m, 1);	158	buffer_put_int(m, 1);
191	buffer_put_cstring(m, s->tty);	159	buffer_put_cstring(m, s->tty);
192	diff --git a/monitor.h b/monitor.h	160	diff --git a/monitor.h b/monitor.h
193	index bc50ade..2d82b8b 100644	161	index ec41404c..4c7955d7 100644
194	--- a/monitor.h	162	--- a/monitor.h
195	+++ b/monitor.h	163	+++ b/monitor.h
196	@@ -68,6 +68,8 @@ enum monitor_reqtype {	164	@@ -68,6 +68,8 @@ enum monitor_reqtype {
@@ -201,12 +169,12 @@ index bc50ade..2d82b8b 100644
201	+	169	+
202	};	170	};
203		171
204	struct mm_master;	172	struct monitor {
205	diff --git a/monitor_wrap.c b/monitor_wrap.c	173	diff --git a/monitor_wrap.c b/monitor_wrap.c
206	index 5a9f1b5..11e3a69 100644	174	index d5cb640a..2ff8064a 100644
207	--- a/monitor_wrap.c	175	--- a/monitor_wrap.c
208	+++ b/monitor_wrap.c	176	+++ b/monitor_wrap.c
209	@@ -328,10 +328,10 @@ mm_auth2_read_banner(void)	177	@@ -327,10 +327,10 @@ mm_auth2_read_banner(void)
210	return (banner);	178	return (banner);
211	}	179	}
212		180
@@ -219,7 +187,7 @@ index 5a9f1b5..11e3a69 100644
219	{	187	{
220	Buffer m;	188	Buffer m;
221		189
222	@@ -340,12 +340,30 @@ mm_inform_authserv(char service, char style)	190	@@ -339,12 +339,30 @@ mm_inform_authserv(char service, char style)
223	buffer_init(&m);	191	buffer_init(&m);
224	buffer_put_cstring(&m, service);	192	buffer_put_cstring(&m, service);
225	buffer_put_cstring(&m, style ? style : "");	193	buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +219,7 @@ index 5a9f1b5..11e3a69 100644
251	int	219	int
252	mm_auth_password(Authctxt authctxt, char password)	220	mm_auth_password(Authctxt authctxt, char password)
253	diff --git a/monitor_wrap.h b/monitor_wrap.h	221	diff --git a/monitor_wrap.h b/monitor_wrap.h
254	index b5414c2..d5b3334 100644	222	index 8f9dd896..3e75867c 100644
255	--- a/monitor_wrap.h	223	--- a/monitor_wrap.h
256	+++ b/monitor_wrap.h	224	+++ b/monitor_wrap.h
257	@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char , void );	225	@@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char , void );
@@ -265,10 +233,10 @@ index b5414c2..d5b3334 100644
265	char *mm_auth2_read_banner(void);	233	char *mm_auth2_read_banner(void);
266	int mm_auth_password(struct Authctxt , char );	234	int mm_auth_password(struct Authctxt , char );
267	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c	235	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
268	index f36999d..f9cdc15 100644	236	index e4c5d1b7..e26faf08 100644
269	--- a/openbsd-compat/port-linux.c	237	--- a/openbsd-compat/port-linux.c
270	+++ b/openbsd-compat/port-linux.c	238	+++ b/openbsd-compat/port-linux.c
271	@@ -29,6 +29,12 @@	239	@@ -27,6 +27,12 @@
272	#include <string.h>	240	#include <string.h>
273	#include <stdio.h>	241	#include <stdio.h>
274		242
@@ -281,7 +249,7 @@ index f36999d..f9cdc15 100644
281	#include "log.h"	249	#include "log.h"
282	#include "xmalloc.h"	250	#include "xmalloc.h"
283	#include "port-linux.h"	251	#include "port-linux.h"
284	@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)	252	@@ -56,7 +62,7 @@ ssh_selinux_enabled(void)
285		253
286	/* Return the default security context for the given username */	254	/* Return the default security context for the given username */
287	static security_context_t	255	static security_context_t
@@ -290,7 +258,7 @@ index f36999d..f9cdc15 100644
290	{	258	{
291	security_context_t sc = NULL;	259	security_context_t sc = NULL;
292	char sename = NULL, lvl = NULL;	260	char sename = NULL, lvl = NULL;
293	@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)	261	@@ -71,9 +77,16 @@ ssh_selinux_getctxbyname(char *pwname)
294	#endif	262	#endif
295		263
296	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL	264	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -309,7 +277,7 @@ index f36999d..f9cdc15 100644
309	#endif	277	#endif
310		278
311	if (r != 0) {	279	if (r != 0) {
312	@@ -105,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname)	280	@@ -103,7 +116,7 @@ ssh_selinux_getctxbyname(char *pwname)
313		281
314	/* Set the execution context to the default for the specified user */	282	/* Set the execution context to the default for the specified user */
315	void	283	void
@@ -318,7 +286,7 @@ index f36999d..f9cdc15 100644
318	{	286	{
319	security_context_t user_ctx = NULL;	287	security_context_t user_ctx = NULL;
320		288
321	@@ -114,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname)	289	@@ -112,7 +125,7 @@ ssh_selinux_setup_exec_context(char *pwname)
322		290
323	debug3("%s: setting execution context", __func__);	291	debug3("%s: setting execution context", __func__);
324		292
@@ -327,7 +295,7 @@ index f36999d..f9cdc15 100644
327	if (setexeccon(user_ctx) != 0) {	295	if (setexeccon(user_ctx) != 0) {
328	switch (security_getenforce()) {	296	switch (security_getenforce()) {
329	case -1:	297	case -1:
330	@@ -136,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname)	298	@@ -134,7 +147,7 @@ ssh_selinux_setup_exec_context(char *pwname)
331		299
332	/* Set the TTY context for the specified user */	300	/* Set the TTY context for the specified user */
333	void	301	void
@@ -336,7 +304,7 @@ index f36999d..f9cdc15 100644
336	{	304	{
337	security_context_t new_tty_ctx = NULL;	305	security_context_t new_tty_ctx = NULL;
338	security_context_t user_ctx = NULL;	306	security_context_t user_ctx = NULL;
339	@@ -147,7 +160,7 @@ ssh_selinux_setup_pty(char pwname, const char tty)	307	@@ -145,7 +158,7 @@ ssh_selinux_setup_pty(char pwname, const char tty)
340		308
341	debug3("%s: setting TTY context on %s", __func__, tty);	309	debug3("%s: setting TTY context on %s", __func__, tty);
342		310
@@ -346,10 +314,10 @@ index f36999d..f9cdc15 100644
346	/* XXX: should these calls fatal() upon failure in enforcing mode? */	314	/* XXX: should these calls fatal() upon failure in enforcing mode? */
347		315
348	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h	316	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
349	index e3d1004..80ce13a 100644	317	index 3c22a854..c8812942 100644
350	--- a/openbsd-compat/port-linux.h	318	--- a/openbsd-compat/port-linux.h
351	+++ b/openbsd-compat/port-linux.h	319	+++ b/openbsd-compat/port-linux.h
352	@@ -21,8 +21,8 @@	320	@@ -19,8 +19,8 @@
353		321
354	#ifdef WITH_SELINUX	322	#ifdef WITH_SELINUX
355	int ssh_selinux_enabled(void);	323	int ssh_selinux_enabled(void);
@@ -361,10 +329,10 @@ index e3d1004..80ce13a 100644
361	void ssh_selinux_setfscreatecon(const char *);	329	void ssh_selinux_setfscreatecon(const char *);
362	#endif	330	#endif
363	diff --git a/platform.c b/platform.c	331	diff --git a/platform.c b/platform.c
364	index acf8554..4831706 100644	332	index 973a63e4..cd7bf566 100644
365	--- a/platform.c	333	--- a/platform.c
366	+++ b/platform.c	334	+++ b/platform.c
367	@@ -145,7 +145,7 @@ platform_setusercontext(struct passwd *pw)	335	@@ -143,7 +143,7 @@ platform_setusercontext(struct passwd *pw)
368	* called if sshd is running as root.	336	* called if sshd is running as root.
369	*/	337	*/
370	void	338	void
@@ -373,7 +341,7 @@ index acf8554..4831706 100644
373	{	341	{
374	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)	342	#if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM)
375	/*	343	/*
376	@@ -186,7 +186,7 @@ platform_setusercontext_post_groups(struct passwd *pw)	344	@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
377	}	345	}
378	#endif /* HAVE_SETPCRED */	346	#endif /* HAVE_SETPCRED */
379	#ifdef WITH_SELINUX	347	#ifdef WITH_SELINUX
@@ -383,10 +351,10 @@ index acf8554..4831706 100644
383	}	351	}
384		352
385	diff --git a/platform.h b/platform.h	353	diff --git a/platform.h b/platform.h
386	index e97ecd9..5b72304 100644	354	index ea4f9c58..60d72ffe 100644
387	--- a/platform.h	355	--- a/platform.h
388	+++ b/platform.h	356	+++ b/platform.h
389	@@ -27,7 +27,7 @@ void platform_post_fork_parent(pid_t child_pid);	357	@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid);
390	void platform_post_fork_child(void);	358	void platform_post_fork_child(void);
391	int platform_privileged_uidswap(void);	359	int platform_privileged_uidswap(void);
392	void platform_setusercontext(struct passwd *);	360	void platform_setusercontext(struct passwd *);
@@ -396,10 +364,10 @@ index e97ecd9..5b72304 100644
396	char platform_krb5_get_principal_name(const char );	364	char platform_krb5_get_principal_name(const char );
397	int platform_sys_dir_uid(uid_t);	365	int platform_sys_dir_uid(uid_t);
398	diff --git a/session.c b/session.c	366	diff --git a/session.c b/session.c
399	index 2235f26..6dfcf84 100644	367	index a08aa69d..ea3871eb 100644
400	--- a/session.c	368	--- a/session.c
401	+++ b/session.c	369	+++ b/session.c
402	@@ -1517,7 +1517,7 @@ safely_chroot(const char *path, uid_t uid)	370	@@ -1325,7 +1325,7 @@ safely_chroot(const char *path, uid_t uid)
403		371
404	/* Set login name, uid, gid, and groups. */	372	/* Set login name, uid, gid, and groups. */
405	void	373	void
@@ -408,7 +376,7 @@ index 2235f26..6dfcf84 100644
408	{	376	{
409	char chroot_path, tmp;	377	char chroot_path, tmp;
410		378
411	@@ -1545,7 +1545,7 @@ do_setusercontext(struct passwd *pw)	379	@@ -1353,7 +1353,7 @@ do_setusercontext(struct passwd *pw)
412	endgrent();	380	endgrent();
413	#endif	381	#endif
414		382
@@ -417,7 +385,7 @@ index 2235f26..6dfcf84 100644
417		385
418	if (!in_chroot && options.chroot_directory != NULL &&	386	if (!in_chroot && options.chroot_directory != NULL &&
419	strcasecmp(options.chroot_directory, "none") != 0) {	387	strcasecmp(options.chroot_directory, "none") != 0) {
420	@@ -1703,7 +1703,7 @@ do_child(Session s, const char command)	388	@@ -1489,7 +1489,7 @@ do_child(Session s, const char command)
421		389
422	/* Force a password change */	390	/* Force a password change */
423	if (s->authctxt->force_pwchange) {	391	if (s->authctxt->force_pwchange) {
@@ -426,16 +394,16 @@ index 2235f26..6dfcf84 100644
426	child_close_fds();	394	child_close_fds();
427	do_pwchange(s);	395	do_pwchange(s);
428	exit(1);	396	exit(1);
429	@@ -1730,7 +1730,7 @@ do_child(Session s, const char command)	397	@@ -1511,7 +1511,7 @@ do_child(Session s, const char command)
430	/* When PAM is enabled we rely on it to do the nologin check */	398	/* When PAM is enabled we rely on it to do the nologin check */
431	if (!options.use_pam)	399	if (!options.use_pam)
432	do_nologin(pw);	400	do_nologin(pw);
433	- do_setusercontext(pw);	401	- do_setusercontext(pw);
434	+ do_setusercontext(pw, s->authctxt->role);	402	+ do_setusercontext(pw, s->authctxt->role);
435	/*	403	/*
436	* PAM session modules in do_setusercontext may have	404	* PAM session modules in do_setusercontext may have
437	* generated messages, so if this in an interactive	405	* generated messages, so if this in an interactive
438	@@ -2141,7 +2141,7 @@ session_pty_req(Session *s)	406	@@ -1903,7 +1903,7 @@ session_pty_req(Session *s)
439	tty_parse_modes(s->ttyfd, &n_bytes);	407	tty_parse_modes(s->ttyfd, &n_bytes);
440		408
441	if (!use_privsep)	409	if (!use_privsep)
@@ -445,10 +413,10 @@ index 2235f26..6dfcf84 100644
445	/* Set window size from the packet. */	413	/* Set window size from the packet. */
446	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);	414	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
447	diff --git a/session.h b/session.h	415	diff --git a/session.h b/session.h
448	index f18eaf3..2b7d939 100644	416	index 98e1dafe..0a31dce4 100644
449	--- a/session.h	417	--- a/session.h
450	+++ b/session.h	418	+++ b/session.h
451	@@ -77,7 +77,7 @@ void session_pty_cleanup2(Session *);	419	@@ -76,7 +76,7 @@ void session_pty_cleanup2(Session *);
452	Session *session_new(void);	420	Session *session_new(void);
453	Session session_by_tty(char );	421	Session session_by_tty(char );
454	void session_close(Session *);	422	void session_close(Session *);
@@ -458,11 +426,11 @@ index f18eaf3..2b7d939 100644
458	const char *value);	426	const char *value);
459		427
460	diff --git a/sshd.c b/sshd.c	428	diff --git a/sshd.c b/sshd.c
461	index 982e545..76306da 100644	429	index 4f791b92..5a3f796d 100644
462	--- a/sshd.c	430	--- a/sshd.c
463	+++ b/sshd.c	431	+++ b/sshd.c
464	@@ -787,7 +787,7 @@ privsep_postauth(Authctxt *authctxt)	432	@@ -678,7 +678,7 @@ privsep_postauth(Authctxt *authctxt)
465	explicit_bzero(rnd, sizeof(rnd));	433	reseed_prngs();
466		434
467	/* Drop privileges */	435	/* Drop privileges */
468	- do_setusercontext(authctxt->pw);	436	- do_setusercontext(authctxt->pw);
@@ -471,7 +439,7 @@ index 982e545..76306da 100644
471	skip:	439	skip:
472	/* It is safe now to apply the key state */	440	/* It is safe now to apply the key state */
473	diff --git a/sshpty.c b/sshpty.c	441	diff --git a/sshpty.c b/sshpty.c
474	index 15da8c6..e89efb7 100644	442	index fe2fb5aa..feb22b06 100644
475	--- a/sshpty.c	443	--- a/sshpty.c
476	+++ b/sshpty.c	444	+++ b/sshpty.c
477	@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,	445	@@ -187,7 +187,7 @@ pty_change_window_size(int ptyfd, u_int row, u_int col,
@@ -493,12 +461,13 @@ index 15da8c6..e89efb7 100644
493		461
494	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {	462	if (st.st_uid != pw->pw_uid \|\| st.st_gid != gid) {
495	diff --git a/sshpty.h b/sshpty.h	463	diff --git a/sshpty.h b/sshpty.h
496	index cfa3224..edf2436 100644	464	index 9ec7e9a1..de7e000a 100644
497	--- a/sshpty.h	465	--- a/sshpty.h
498	+++ b/sshpty.h	466	+++ b/sshpty.h
499	@@ -24,4 +24,4 @@ int pty_allocate(int , int , char *, size_t);	467	@@ -24,5 +24,5 @@ int pty_allocate(int , int , char *, size_t);
500	void pty_release(const char *);	468	void pty_release(const char *);
501	void pty_make_controlling_tty(int , const char );	469	void pty_make_controlling_tty(int , const char );
502	void pty_change_window_size(int, u_int, u_int, u_int, u_int);	470	void pty_change_window_size(int, u_int, u_int, u_int, u_int);
503	-void pty_setowner(struct passwd , const char );	471	-void pty_setowner(struct passwd , const char );
504	+void pty_setowner(struct passwd , const char , const char *);	472	+void pty_setowner(struct passwd , const char , const char *);
		473	void disconnect_controlling_tty(void);