diff options
Diffstat (limited to 'openbsd-compat')
-rw-r--r-- | openbsd-compat/getrrsetbyname.c | 10 | ||||
-rw-r--r-- | openbsd-compat/getrrsetbyname.h | 3 | ||||
-rw-r--r-- | openbsd-compat/port-linux.c | 27 | ||||
-rw-r--r-- | openbsd-compat/port-linux.h | 4 |
4 files changed, 30 insertions, 14 deletions
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index dc6fe0533..e061a290a 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c | |||
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
209 | goto fail; | 209 | goto fail; |
210 | } | 210 | } |
211 | 211 | ||
212 | /* don't allow flags yet, unimplemented */ | 212 | /* Allow RRSET_FORCE_EDNS0 flag only. */ |
213 | if (flags) { | 213 | if ((flags & !RRSET_FORCE_EDNS0) != 0) { |
214 | result = ERRSET_INVAL; | 214 | result = ERRSET_INVAL; |
215 | goto fail; | 215 | goto fail; |
216 | } | 216 | } |
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, | |||
226 | #endif /* DEBUG */ | 226 | #endif /* DEBUG */ |
227 | 227 | ||
228 | #ifdef RES_USE_DNSSEC | 228 | #ifdef RES_USE_DNSSEC |
229 | /* turn on DNSSEC if EDNS0 is configured */ | 229 | /* turn on DNSSEC if required */ |
230 | if (_resp->options & RES_USE_EDNS0) | 230 | if (flags & RRSET_FORCE_EDNS0) |
231 | _resp->options |= RES_USE_DNSSEC; | 231 | _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC); |
232 | #endif /* RES_USE_DNSEC */ | 232 | #endif /* RES_USE_DNSEC */ |
233 | 233 | ||
234 | /* make query */ | 234 | /* make query */ |
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 1283f5506..dbbc85a2a 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h | |||
@@ -72,6 +72,9 @@ | |||
72 | #ifndef RRSET_VALIDATED | 72 | #ifndef RRSET_VALIDATED |
73 | # define RRSET_VALIDATED 1 | 73 | # define RRSET_VALIDATED 1 |
74 | #endif | 74 | #endif |
75 | #ifndef RRSET_FORCE_EDNS0 | ||
76 | # define RRSET_FORCE_EDNS0 0x0001 | ||
77 | #endif | ||
75 | 78 | ||
76 | /* | 79 | /* |
77 | * Return codes for getrrsetbyname() | 80 | * Return codes for getrrsetbyname() |
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c index aba75387c..2b8a14a59 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c | |||
@@ -29,6 +29,12 @@ | |||
29 | #include <string.h> | 29 | #include <string.h> |
30 | #include <stdio.h> | 30 | #include <stdio.h> |
31 | 31 | ||
32 | #ifdef WITH_SELINUX | ||
33 | #include "key.h" | ||
34 | #include "hostfile.h" | ||
35 | #include "auth.h" | ||
36 | #endif | ||
37 | |||
32 | #include "log.h" | 38 | #include "log.h" |
33 | #include "xmalloc.h" | 39 | #include "xmalloc.h" |
34 | #include "port-linux.h" | 40 | #include "port-linux.h" |
@@ -58,7 +64,7 @@ ssh_selinux_enabled(void) | |||
58 | 64 | ||
59 | /* Return the default security context for the given username */ | 65 | /* Return the default security context for the given username */ |
60 | static security_context_t | 66 | static security_context_t |
61 | ssh_selinux_getctxbyname(char *pwname) | 67 | ssh_selinux_getctxbyname(char *pwname, const char *role) |
62 | { | 68 | { |
63 | security_context_t sc = NULL; | 69 | security_context_t sc = NULL; |
64 | char *sename = NULL, *lvl = NULL; | 70 | char *sename = NULL, *lvl = NULL; |
@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname) | |||
73 | #endif | 79 | #endif |
74 | 80 | ||
75 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL | 81 | #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL |
76 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | 82 | if (role != NULL && role[0]) |
83 | r = get_default_context_with_rolelevel(sename, role, lvl, NULL, | ||
84 | &sc); | ||
85 | else | ||
86 | r = get_default_context_with_level(sename, lvl, NULL, &sc); | ||
77 | #else | 87 | #else |
78 | r = get_default_context(sename, NULL, &sc); | 88 | if (role != NULL && role[0]) |
89 | r = get_default_context_with_role(sename, role, NULL, &sc); | ||
90 | else | ||
91 | r = get_default_context(sename, NULL, &sc); | ||
79 | #endif | 92 | #endif |
80 | 93 | ||
81 | if (r != 0) { | 94 | if (r != 0) { |
@@ -107,7 +120,7 @@ ssh_selinux_getctxbyname(char *pwname) | |||
107 | 120 | ||
108 | /* Set the execution context to the default for the specified user */ | 121 | /* Set the execution context to the default for the specified user */ |
109 | void | 122 | void |
110 | ssh_selinux_setup_exec_context(char *pwname) | 123 | ssh_selinux_setup_exec_context(char *pwname, const char *role) |
111 | { | 124 | { |
112 | security_context_t user_ctx = NULL; | 125 | security_context_t user_ctx = NULL; |
113 | 126 | ||
@@ -116,7 +129,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
116 | 129 | ||
117 | debug3("%s: setting execution context", __func__); | 130 | debug3("%s: setting execution context", __func__); |
118 | 131 | ||
119 | user_ctx = ssh_selinux_getctxbyname(pwname); | 132 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
120 | if (setexeccon(user_ctx) != 0) { | 133 | if (setexeccon(user_ctx) != 0) { |
121 | switch (security_getenforce()) { | 134 | switch (security_getenforce()) { |
122 | case -1: | 135 | case -1: |
@@ -138,7 +151,7 @@ ssh_selinux_setup_exec_context(char *pwname) | |||
138 | 151 | ||
139 | /* Set the TTY context for the specified user */ | 152 | /* Set the TTY context for the specified user */ |
140 | void | 153 | void |
141 | ssh_selinux_setup_pty(char *pwname, const char *tty) | 154 | ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role) |
142 | { | 155 | { |
143 | security_context_t new_tty_ctx = NULL; | 156 | security_context_t new_tty_ctx = NULL; |
144 | security_context_t user_ctx = NULL; | 157 | security_context_t user_ctx = NULL; |
@@ -149,7 +162,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) | |||
149 | 162 | ||
150 | debug3("%s: setting TTY context on %s", __func__, tty); | 163 | debug3("%s: setting TTY context on %s", __func__, tty); |
151 | 164 | ||
152 | user_ctx = ssh_selinux_getctxbyname(pwname); | 165 | user_ctx = ssh_selinux_getctxbyname(pwname, role); |
153 | 166 | ||
154 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ | 167 | /* XXX: should these calls fatal() upon failure in enforcing mode? */ |
155 | 168 | ||
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h index e3d1004aa..80ce13ad9 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h | |||
@@ -21,8 +21,8 @@ | |||
21 | 21 | ||
22 | #ifdef WITH_SELINUX | 22 | #ifdef WITH_SELINUX |
23 | int ssh_selinux_enabled(void); | 23 | int ssh_selinux_enabled(void); |
24 | void ssh_selinux_setup_pty(char *, const char *); | 24 | void ssh_selinux_setup_pty(char *, const char *, const char *); |
25 | void ssh_selinux_setup_exec_context(char *); | 25 | void ssh_selinux_setup_exec_context(char *, const char *); |
26 | void ssh_selinux_change_context(const char *); | 26 | void ssh_selinux_change_context(const char *); |
27 | void ssh_selinux_setfscreatecon(const char *); | 27 | void ssh_selinux_setfscreatecon(const char *); |
28 | #endif | 28 | #endif |