diff options
Diffstat (limited to 'openbsd-compat/port-linux.c')
| -rw-r--r-- | openbsd-compat/port-linux.c | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index dc8b1fa55..ef91e4446 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ | 1 | /* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> | 4 | * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> |
| @@ -44,6 +44,10 @@ | |||
| 44 | #include <selinux/flask.h> | 44 | #include <selinux/flask.h> |
| 45 | #include <selinux/get_context_list.h> | 45 | #include <selinux/get_context_list.h> |
| 46 | 46 | ||
| 47 | #ifndef SSH_SELINUX_UNCONFINED_TYPE | ||
| 48 | # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:" | ||
| 49 | #endif | ||
| 50 | |||
| 47 | /* Wrapper around is_selinux_enabled() to log its return value once only */ | 51 | /* Wrapper around is_selinux_enabled() to log its return value once only */ |
| 48 | int | 52 | int |
| 49 | ssh_selinux_enabled(void) | 53 | ssh_selinux_enabled(void) |
| @@ -190,12 +194,13 @@ ssh_selinux_change_context(const char *newname) | |||
| 190 | { | 194 | { |
| 191 | int len, newlen; | 195 | int len, newlen; |
| 192 | char *oldctx, *newctx, *cx; | 196 | char *oldctx, *newctx, *cx; |
| 197 | void (*switchlog) (const char *fmt,...) = logit; | ||
| 193 | 198 | ||
| 194 | if (!ssh_selinux_enabled()) | 199 | if (!ssh_selinux_enabled()) |
| 195 | return; | 200 | return; |
| 196 | 201 | ||
| 197 | if (getcon((security_context_t *)&oldctx) < 0) { | 202 | if (getcon((security_context_t *)&oldctx) < 0) { |
| 198 | logit("%s: getcon failed with %s", __func__, strerror (errno)); | 203 | logit("%s: getcon failed with %s", __func__, strerror(errno)); |
| 199 | return; | 204 | return; |
| 200 | } | 205 | } |
| 201 | if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == | 206 | if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) == |
| @@ -204,6 +209,14 @@ ssh_selinux_change_context(const char *newname) | |||
| 204 | return; | 209 | return; |
| 205 | } | 210 | } |
| 206 | 211 | ||
| 212 | /* | ||
| 213 | * Check whether we are attempting to switch away from an unconfined | ||
| 214 | * security context. | ||
| 215 | */ | ||
| 216 | if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE, | ||
| 217 | sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0) | ||
| 218 | switchlog = debug3; | ||
| 219 | |||
| 207 | newlen = strlen(oldctx) + strlen(newname) + 1; | 220 | newlen = strlen(oldctx) + strlen(newname) + 1; |
| 208 | newctx = xmalloc(newlen); | 221 | newctx = xmalloc(newlen); |
| 209 | len = cx - oldctx + 1; | 222 | len = cx - oldctx + 1; |
| @@ -211,10 +224,11 @@ ssh_selinux_change_context(const char *newname) | |||
| 211 | strlcpy(newctx + len, newname, newlen - len); | 224 | strlcpy(newctx + len, newname, newlen - len); |
| 212 | if ((cx = index(cx + 1, ':'))) | 225 | if ((cx = index(cx + 1, ':'))) |
| 213 | strlcat(newctx, cx, newlen); | 226 | strlcat(newctx, cx, newlen); |
| 214 | debug3("%s: setting context from '%s' to '%s'", __func__, oldctx, | 227 | debug3("%s: setting context from '%s' to '%s'", __func__, |
| 215 | newctx); | 228 | oldctx, newctx); |
| 216 | if (setcon(newctx) < 0) | 229 | if (setcon(newctx) < 0) |
| 217 | logit("%s: setcon failed with %s", __func__, strerror (errno)); | 230 | switchlog("%s: setcon %s from %s failed with %s", __func__, |
| 231 | newctx, oldctx, strerror(errno)); | ||
| 218 | xfree(oldctx); | 232 | xfree(oldctx); |
| 219 | xfree(newctx); | 233 | xfree(newctx); |
| 220 | } | 234 | } |