Diffstat (limited to 'openbsd-compat/port-linux.c')
-rw-r--r--openbsd-compat/port-linux.c29
1 files changed, 21 insertions, 8 deletions
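--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -29,6 +29,12 @@
 #include <string.h>
 #include <stdio.h>
 
+#ifdef WITH_SELINUX
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#endif
+
 #include "log.h"
 #include "xmalloc.h"
 #include "port-linux.h"
@@ -58,9 +64,9 @@ ssh_selinux_enabled(void)
 
 /* Return the default security context for the given username */
 static security_context_t
-ssh_selinux_getctxbyname(char *pwname)
+ssh_selinux_getctxbyname(char *pwname, const char *role)
 {
- security_context_t sc;
+ security_context_t sc = NULL;
  char *sename = NULL, *lvl = NULL;
  int r;
 
@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
 #endif
 
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
+ &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
 #endif
 
  if (r != 0) {
@@ -106,7 +119,7 @@ ssh_selinux_getctxbyname(char *pwname)
 
 /* Set the execution context to the default for the specified user */
 void
-ssh_selinux_setup_exec_context(char *pwname)
+ssh_selinux_setup_exec_context(char *pwname, const char *role)
 {
  security_context_t user_ctx = NULL;
 
@@ -115,7 +128,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
  debug3("%s: setting execution context", __func__);
 
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
  if (setexeccon(user_ctx) != 0) {
  switch (security_getenforce()) {
  case -1:
@@ -137,7 +150,7 @@ ssh_selinux_setup_exec_context(char *pwname)
 
 /* Set the TTY context for the specified user */
 void
-ssh_selinux_setup_pty(char *pwname, const char *tty)
+ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
 {
  security_context_t new_tty_ctx = NULL;
  security_context_t user_ctx = NULL;
@@ -148,7 +161,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 
  debug3("%s: setting TTY context on %s", __func__, tty);
 
- user_ctx = ssh_selinux_getctxbyname(pwname);
+ user_ctx = ssh_selinux_getctxbyname(pwname, role);
 
  /* XXX: should these calls fatal() upon failure in enforcing mode? */
 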
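Review bot: The header comment above ssh_selinux_getctxbyname still reads "Return the default security context for the given username" although the function now takes a role argument that selects a different libselinux lookup; I would update it to `/* Return the default security context for the given username, constrained to role when role is non-empty */`. Because role is handed through from both callers unchanged, the new code depends on get_default_context_with_role() and get_default_context_with_rolelevel() refusing a role the SELinux user is not authorised for; the `if (r != 0)` path that handles that refusal lies outside the hunk, and the debug3 in the setup_exec_context hunk could record what was requested, e.g. `debug3("%s: setting execution context (role %s)", __func__, role != NULL && role[0] ? role : "default")`, so a rejected role request is visible in sshd's logs. The `role != NULL && role[0]` test is written twice, once per #ifdef branch; hoisting it into a single local would keep the two branches from drifting. Where role originates, and whether it is validated before reaching these functions, is not visible in this diff.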