Diffstat (limited to 'openbsd-compat/port-linux.c')
-rw-r--r-- | openbsd-compat/port-linux.c | 25 |
1 files changed, 19 insertions, 6 deletions
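--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.15 2011/08/12 00:12:55 dtucker Exp $ */
+/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -38,6 +38,10 @@
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
+#ifndef SSH_SELINUX_UNCONFINED_TYPE
+# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
+#endif
+
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 ssh_selinux_enabled(void)
@@ -177,12 +181,13 @@ ssh_selinux_change_context(const char *newname)
 {
 	int len, newlen;
 	char *oldctx, *newctx, *cx;
+	void (*switchlog) (const char *fmt,...) = logit;
 
 	if (!ssh_selinux_enabled())
 		return;
 
 	if (getcon((security_context_t *)&oldctx) < 0) {
-		logit("%s: getcon failed with %s", __func__, strerror (errno));
+		logit("%s: getcon failed with %s", __func__, strerror(errno));
 		return;
 	}
 	if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
@@ -191,6 +196,14 @@ ssh_selinux_change_context(const char *newname)
 		return;
 	}
 
+	/*
+	 * Check whether we are attempting to switch away from an unconfined
+	 * security context.
+	 */
+	if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
+	    sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
+		switchlog = debug3;
+
 	newlen = strlen(oldctx) + strlen(newname) + 1;
 	newctx = xmalloc(newlen);
 	len = cx - oldctx + 1;
@@ -198,11 +211,11 @@ ssh_selinux_change_context(const char *newname)
 	strlcpy(newctx + len, newname, newlen - len);
 	if ((cx = index(cx + 1, ':')))
 		strlcat(newctx, cx, newlen);
-	debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
-	    newctx);
+	debug3("%s: setting context from '%s' to '%s'", __func__,
+	    oldctx, newctx);
 	if (setcon(newctx) < 0)
-		logit("%s: setcon %s from %s failed with %s", __func__, newctx,
-		    oldctx, strerror (errno));
+		switchlog("%s: setcon %s from %s failed with %s", __func__,
+		    newctx, oldctx, strerror(errno));
 	xfree(oldctx);
 	xfree(newctx);
 }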
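Review bot: The `switchlog` pointer declared in the -177 hunk and called in the -198 hunk is a plain `void (*)(const char *fmt, ...)`, so the printf-format checking that `logit` and `debug3` carry no longer applies to the setcon failure message; declaring it as `void (*switchlog)(const char *fmt, ...) __attribute__((format(printf, 1, 2))) = logit;` keeps -Wformat coverage, and as far as I recall the project already defines `__attribute__` away for non-GCC compilers. The unconfined check in the -191 hunk compares `cx` against `":unconfined_t:"` including the trailing colon, so on a policy whose contexts carry no level field after the type, `cx` would presumably end right after `unconfined_t` and the comparison would not match, leaving a failed switch away from an unconfined context logged at `logit` level rather than `debug3` — worth confirming that is the intended outcome, or matching the type without the trailing colon. The body of ssh_selinux_change_context begins before the first of these hunks.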