Diffstat (limited to 'openbsd-compat/port-linux.c')
-rw-r--r--openbsd-compat/port-linux.c27
1 files changed, 20 insertions, 7 deletions
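diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index aba75387c..2b8a14a59 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -29,6 +29,12 @@
 #include <string.h>
 #include <stdio.h>
 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
 
 /* Return the default security context for the given username */
 static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
 	security_context_t sc = NULL;
 	char *sename = NULL, *lvl = NULL;
@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
 #endif
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+	if (role != NULL && role[0])
+		r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+		    &sc);
+	else
+		r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+	if (role != NULL && role[0])
+		r = get_default_context_with_role(sename, role, NULL, &sc);
+	else
+		r = get_default_context(sename, NULL, &sc);
 #endif
 
 	if (r != 0) {
@@ -107,7 +120,7 @@ ssh_selinux_getctxbyname(char *pwname)
 
 /* Set the execution context to the default for the specified user */
 void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
 {
 	security_context_t user_ctx = NULL;
 
@@ -116,7 +129,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 	debug3("%s: setting execution context", __func__);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 	if (setexeccon(user_ctx) != 0) {
 		switch (security_getenforce()) {
 		case -1:
@@ -138,7 +151,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 /* Set the TTY context for the specified user */
 void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
 {
 	security_context_t new_tty_ctx = NULL;
 	security_context_t user_ctx = NULL;
@@ -149,7 +162,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 
 	debug3("%s: setting TTY context on %s", __func__, tty);
 
-	user_ctx = ssh_selinux_getctxbyname(pwname, role);
+	user_ctx = ssh_selinux_getctxbyname(pwname, role);
 
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
 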
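Review bot: The new `role` parameter is not validated or documented at the point where it selects the context (the `if (role != NULL && role[0])` branches at new lines 82 and 88), so a reader cannot tell whether an arbitrary role string can reach `get_default_context_with_role`/`get_default_context_with_rolelevel` or whether restricting it to the roles permitted for `sename` is left to libselinux; where `role` originates is outside this diff, so I would add above the first branch `/* role is passed through unchecked; libselinux is expected to reject a role not permitted for sename (verify against the libselinux in use) */`. The header comments on the three changed functions (new lines 65, 121 and 152) still describe only the username; the one for ssh_selinux_getctxbyname should read `/* Return the default security context for the given username, restricted to role when it is non-empty */`, with matching wording on ssh_selinux_setup_exec_context and ssh_selinux_setup_pty. The empty-role test is duplicated in both `#ifdef` arms; hoisting it into one `int have_role = role != NULL && role[0] != '\0';` before the `#ifdef` would keep the two arms from drifting. All three function bodies continue outside their hunks.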