diff options
Diffstat (limited to 'openbsd-compat')
| -rw-r--r-- | openbsd-compat/getrrsetbyname.c | 10 | ||||
| -rw-r--r-- | openbsd-compat/getrrsetbyname.h | 3 | ||||
| -rw-r--r-- | openbsd-compat/port-linux.c | 31 | ||||
| -rw-r--r-- | openbsd-compat/port-linux.h | 4 |
4 files changed, 32 insertions, 16 deletions
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 98876673d..011821198 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c | |||
| @@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
| 209 | goto fail; | 209 | goto fail; |
| 210 | } | 210 | } |
| 211 | 211 | ||
| 212 | /* don't allow flags yet, unimplemented */ | 212 | /* Allow RRSET_FORCE_EDNS0 flag only. */ |
| 213 | if (flags) { | 213 | if ((flags & !RRSET_FORCE_EDNS0) != 0) { |
| 214 | result = ERRSET_INVAL; | 214 | result = ERRSET_INVAL; |
| 215 | goto fail; | 215 | goto fail; |
| 216 | } | 216 | } |
| @@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
| 226 | #endif /* DEBUG */ | 226 | #endif /* DEBUG */ |
| 227 | 227 | ||
| 228 | #ifdef RES_USE_DNSSEC | 228 | #ifdef RES_USE_DNSSEC |
| 229 | /* turn on DNSSEC if EDNS0 is configured */ | 229 | /* turn on DNSSEC if required */ |
| 230 | if (_resp->options & RES_USE_EDNS0) | 230 | if (flags & RRSET_FORCE_EDNS0) |
| 231 | _resp->options |= RES_USE_DNSSEC; | 231 | _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); |
| 232 | #endif /* RES_USE_DNSEC */ | 232 | #endif /* RES_USE_DNSEC */ |
| 233 | 233 | ||
| 234 | /* make query */ | 234 | /* make query */ |
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h | |||
| @@ -72,6 +72,9 @@ | |||
| 72 | #ifndef RRSET_VALIDATED | 72 | #ifndef RRSET_VALIDATED |
| 73 | # define RRSET_VALIDATED 1 | 73 | # define RRSET_VALIDATED 1 |
| 74 | #endif | 74 | #endif |
| 75 | #ifndef RRSET_FORCE_EDNS0 | ||
| 76 | # define RRSET_FORCE_EDNS0 0x0001 | ||
| 77 | #endif | ||
| 75 | 78 | ||
| 76 | /* | 79 | /* |
| 77 | * Return codes for getrrsetbyname() | 80 | * Return codes for getrrsetbyname() |
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index ede533fdd..dc8b1fa55 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
| @@ -29,6 +29,12 @@ | |||
| 29 | #include <string.h> | 29 | #include <string.h> |
| 30 | #include <stdio.h> | 30 | #include <stdio.h> |
| 31 | 31 | ||
| 32 | #ifdef WITH_SELINUX | ||
| 33 | #include "key.h" | ||
| 34 | #include "hostfile.h" | ||
| 35 | #include "auth.h" | ||
| 36 | #endif | ||
| 37 | |||
| 32 | #include "log.h" | 38 | #include "log.h" |
| 33 | #include "xmalloc.h" | 39 | #include "xmalloc.h" |
| 34 | #include "port-linux.h" | 40 | #include "port-linux.h" |
| @@ -54,9 +60,9 @@ ssh_selinux_enabled(void) | |||
| 54 | 60 | ||
| 55 | /* Return the default security context for the given username */ | 61 | /* Return the default security context for the given username */ |
| 56 | static security_context_t | 62 | static security_context_t |
| 57 | ssh_selinux_getctxbyname(char *pwname) | 63 | ssh_selinux_getctxbyname(char *pwname, const char *role) |
| 58 | { | 64 | { |
| 59 | security_context_t sc; | 65 | security_context_t sc = NULL; |
| 60 | char *sename = NULL, *lvl = NULL; | 66 | char *sename = NULL, *lvl = NULL; |
| 61 | int r; | 67 | int r; |
| 62 | 68 | ||
| @@ -69,9 +75,16 @@ ssh_selinux_getctxbyname(char *pwname) | |||
| 69 | #endif | 75 | #endif |
| 70 | 76 | ||
| 71 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 77 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
| 72 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | 78 | if (role != NULL && role[0]) |
| 79 | r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
| 80 | &sc); | ||
| 81 | else | ||
| 82 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
| 73 | #else | 83 | #else |
| 74 | r = get_default_context(sename, NULL, &sc); | 84 | if (role != NULL && role[0]) |
| 85 | r = get_default_context_with_role(sename, role, NULL, &sc); | ||
| 86 | else | ||
| 87 | r = get_default_context(sename, NULL, &sc); | ||
| 75 | #endif | 88 | #endif |
| 76 | 89 | ||
| 77 | if (r != 0) { | 90 | if (r != 0) { |
| @@ -102,7 +115,7 @@ ssh_selinux_getctxbyname(char *pwname) | |||
| 102 | 115 | ||
| 103 | /* Set the execution context to the default for the specified user */ | 116 | /* Set the execution context to the default for the specified user */ |
| 104 | void | 117 | void |
| 105 | ssh_selinux_setup_exec_context(char *pwname) | 118 | ssh_selinux_setup_exec_context(char *pwname, const char *role) |
| 106 | { | 119 | { |
| 107 | security_context_t user_ctx = NULL; | 120 | security_context_t user_ctx = NULL; |
| 108 | 121 | ||
| @@ -111,7 +124,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
| 111 | 124 | ||
| 112 | debug3("%s: setting execution context", __func__); | 125 | debug3("%s: setting execution context", __func__); |
| 113 | 126 | ||
| 114 | user_ctx = ssh_selinux_getctxbyname(pwname); | 127 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
| 115 | if (setexeccon(user_ctx) != 0) { | 128 | if (setexeccon(user_ctx) != 0) { |
| 116 | switch (security_getenforce()) { | 129 | switch (security_getenforce()) { |
| 117 | case -1: | 130 | case -1: |
| @@ -133,7 +146,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
| 133 | 146 | ||
| 134 | /* Set the TTY context for the specified user */ | 147 | /* Set the TTY context for the specified user */ |
| 135 | void | 148 | void |
| 136 | ssh_selinux_setup_pty(char *pwname, const char *tty) | 149 | ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) |
| 137 | { | 150 | { |
| 138 | security_context_t new_tty_ctx = NULL; | 151 | security_context_t new_tty_ctx = NULL; |
| 139 | security_context_t user_ctx = NULL; | 152 | security_context_t user_ctx = NULL; |
| @@ -144,7 +157,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | |||
| 144 | 157 | ||
| 145 | debug3("%s: setting TTY context on %s", __func__, tty); | 158 | debug3("%s: setting TTY context on %s", __func__, tty); |
| 146 | 159 | ||
| 147 | user_ctx = ssh_selinux_getctxbyname(pwname); | 160 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
| 148 | 161 | ||
| 149 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 162 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
| 150 | 163 | ||
| @@ -213,7 +226,7 @@ ssh_selinux_setfscreatecon(const char *path) | |||
| 213 | 226 | ||
| 214 | if (!ssh_selinux_enabled()) | 227 | if (!ssh_selinux_enabled()) |
| 215 | return; | 228 | return; |
| 216 | if (path == NULL) | 229 | if (path == NULL) { |
| 217 | setfscreatecon(NULL); | 230 | setfscreatecon(NULL); |
| 218 | return; | 231 | return; |
| 219 | } | 232 | } |
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index c2f618400..3804fa2d1 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h | |||
| @@ -21,8 +21,8 @@ | |||
| 21 | 21 | ||
| 22 | #ifdef WITH_SELINUX | 22 | #ifdef WITH_SELINUX |
| 23 | int ssh_selinux_enabled(void); | 23 | int ssh_selinux_enabled(void); |
| 24 | void ssh_selinux_setup_pty(char *, const char *); | 24 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
| 25 | void ssh_selinux_setup_exec_context(char *); | 25 | void ssh_selinux_setup_exec_context(char *, const char *); |
| 26 | void ssh_selinux_change_context(const char *); | 26 | void ssh_selinux_change_context(const char *); |
| 27 | void ssh_selinux_setfscreatecon(const char *); | 27 | void ssh_selinux_setfscreatecon(const char *); |
| 28 | #endif | 28 | #endif |