Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/getrrsetbyname.c10
-rw-r--r--openbsd-compat/getrrsetbyname.h3
-rw-r--r--openbsd-compat/port-linux.c27
-rw-r--r--openbsd-compat/port-linux.h4
4 files changed, 30 insertions, 14 deletions
diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c
index dc6fe0533..e061a290a 100644
--- a/openbsd-compat/getrrsetbyname.c
+++ b/openbsd-compat/getrrsetbyname.c
@@ -209,8 +209,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
209 goto fail; 209 goto fail;
210 } 210 }
211 211
212 /* don't allow flags yet, unimplemented */ 212 /* Allow RRSET_FORCE_EDNS0 flag only. */
213 if (flags) { 213 if ((flags & !RRSET_FORCE_EDNS0) != 0) {
214 result = ERRSET_INVAL; 214 result = ERRSET_INVAL;
215 goto fail; 215 goto fail;
216 } 216 }
@@ -226,9 +226,9 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
226#endif /* DEBUG */ 226#endif /* DEBUG */
227 227
228#ifdef RES_USE_DNSSEC 228#ifdef RES_USE_DNSSEC
229 /* turn on DNSSEC if EDNS0 is configured */ 229 /* turn on DNSSEC if required */
230 if (_resp->options & RES_USE_EDNS0) 230 if (flags & RRSET_FORCE_EDNS0)
231 _resp->options |= RES_USE_DNSSEC; 231 _resp->options |= (RES_USE_EDNS0|RES_USE_DNSSEC);
232#endif /* RES_USE_DNSEC */ 232#endif /* RES_USE_DNSEC */
233 233
234 /* make query */ 234 /* make query */
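Review bot: The flag check in the first hunk (new line 213) never rejects anything: `!RRSET_FORCE_EDNS0` is the logical NOT of 0x0001, i.e. 0, so `flags & 0` is always 0 and every caller-supplied flags value passes, which silently drops the ERRSET_INVAL validation the old `if (flags)` provided. The intended mask is the bitwise complement: `if ((flags & ~RRSET_FORCE_EDNS0) != 0) {`. With that fix, unknown bits are again refused while RRSET_FORCE_EDNS0 alone is accepted, which is what the second hunk (new line 230) relies on. getrrsetbyname()'s body starts and ends outside these hunks.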
diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h
index 1283f5506..dbbc85a2a 100644
--- a/openbsd-compat/getrrsetbyname.h
+++ b/openbsd-compat/getrrsetbyname.h
@@ -72,6 +72,9 @@
72#ifndef RRSET_VALIDATED 72#ifndef RRSET_VALIDATED
73# define RRSET_VALIDATED 1 73# define RRSET_VALIDATED 1
74#endif 74#endif
75#ifndef RRSET_FORCE_EDNS0
76# define RRSET_FORCE_EDNS0 0x0001
77#endif
75 78
76/* 79/*
77 * Return codes for getrrsetbyname() 80 * Return codes for getrrsetbyname()
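Review bot: The new RRSET_FORCE_EDNS0 definition sits directly under RRSET_VALIDATED with no comment, and the two are easy to confuse: RRSET_VALIDATED is a result bit while RRSET_FORCE_EDNS0 is a value for the `flags` argument of getrrsetbyname(). A one-line comment above the new block, `/* Flags accepted in the flags argument of getrrsetbyname() */`, would mirror the existing "Return codes for getrrsetbyname()" block that follows. Whether RRSET_VALIDATED carries such a comment elsewhere in this header is not visible in the hunk.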
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index aba75387c..2b8a14a59 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -29,6 +29,12 @@
29#include <string.h> 29#include <string.h>
30#include <stdio.h> 30#include <stdio.h>
31 31
32#ifdef WITH_SELINUX
33#include "key.h"
34#include "hostfile.h"
35#include "auth.h"
36#endif
37
32#include "log.h" 38#include "log.h"
33#include "xmalloc.h" 39#include "xmalloc.h"
34#include "port-linux.h" 40#include "port-linux.h"
@@ -58,7 +64,7 @@ ssh_selinux_enabled(void)
58 64
59/* Return the default security context for the given username */ 65/* Return the default security context for the given username */
60static security_context_t 66static security_context_t
61ssh_selinux_getctxbyname(char *pwname) 67ssh_selinux_getctxbyname(char *pwname, const char *role)
62{ 68{
63 security_context_t sc = NULL; 69 security_context_t sc = NULL;
64 char *sename = NULL, *lvl = NULL; 70 char *sename = NULL, *lvl = NULL;
@@ -73,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname)
73#endif 79#endif
74 80
75#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 81#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
76 r = get_default_context_with_level(sename, lvl, NULL, &sc); 82 if (role != NULL && role[0])
83 r = get_default_context_with_rolelevel(sename, role, lvl, NULL,
84 &sc);
85 else
86 r = get_default_context_with_level(sename, lvl, NULL, &sc);
77#else 87#else
78 r = get_default_context(sename, NULL, &sc); 88 if (role != NULL && role[0])
89 r = get_default_context_with_role(sename, role, NULL, &sc);
90 else
91 r = get_default_context(sename, NULL, &sc);
79#endif 92#endif
80 93
81 if (r != 0) { 94 if (r != 0) {
@@ -107,7 +120,7 @@ ssh_selinux_getctxbyname(char *pwname)
107 120
108/* Set the execution context to the default for the specified user */ 121/* Set the execution context to the default for the specified user */
109void 122void
110ssh_selinux_setup_exec_context(char *pwname) 123ssh_selinux_setup_exec_context(char *pwname, const char *role)
111{ 124{
112 security_context_t user_ctx = NULL; 125 security_context_t user_ctx = NULL;
113 126
@@ -116,7 +129,7 @@ ssh_selinux_setup_exec_context(char *pwname)
116 129
117 debug3("%s: setting execution context", __func__); 130 debug3("%s: setting execution context", __func__);
118 131
119 user_ctx = ssh_selinux_getctxbyname(pwname); 132 user_ctx = ssh_selinux_getctxbyname(pwname, role);
120 if (setexeccon(user_ctx) != 0) { 133 if (setexeccon(user_ctx) != 0) {
121 switch (security_getenforce()) { 134 switch (security_getenforce()) {
122 case -1: 135 case -1:
@@ -138,7 +151,7 @@ ssh_selinux_setup_exec_context(char *pwname)
138 151
139/* Set the TTY context for the specified user */ 152/* Set the TTY context for the specified user */
140void 153void
141ssh_selinux_setup_pty(char *pwname, const char *tty) 154ssh_selinux_setup_pty(char *pwname, const char *tty, const char *role)
142{ 155{
143 security_context_t new_tty_ctx = NULL; 156 security_context_t new_tty_ctx = NULL;
144 security_context_t user_ctx = NULL; 157 security_context_t user_ctx = NULL;
@@ -149,7 +162,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
149 162
150 debug3("%s: setting TTY context on %s", __func__, tty); 163 debug3("%s: setting TTY context on %s", __func__, tty);
151 164
152 user_ctx = ssh_selinux_getctxbyname(pwname); 165 user_ctx = ssh_selinux_getctxbyname(pwname, role);
153 166
154 /* XXX: should these calls fatal() upon failure in enforcing mode? */ 167 /* XXX: should these calls fatal() upon failure in enforcing mode? */
155 168
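Review bot: The header comments for ssh_selinux_getctxbyname (new line 65), ssh_selinux_setup_exec_context (new line 121) and ssh_selinux_setup_pty (new line 152) still describe a username-only contract although each now takes a `role` argument whose NULL or empty value selects the default context. Update them to state that, e.g. `/* Return the default security context for the given username, or the context for the given SELinux role if role is non-empty */`, and similarly for the two callers. Separately, the `role != NULL && role[0]` test is written twice in the #ifdef/#else arms of ssh_selinux_getctxbyname (new lines 82 and 88); a single `int have_role = role != NULL && role[0] != '\0';` before the #ifdef would keep the two arms from drifting. The error handling after `if (r != 0)` lies outside the hunk, so whether an unresolvable role is treated as fatal cannot be confirmed here.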
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index e3d1004aa..80ce13ad9 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -21,8 +21,8 @@
21 21
22#ifdef WITH_SELINUX 22#ifdef WITH_SELINUX
23int ssh_selinux_enabled(void); 23int ssh_selinux_enabled(void);
24void ssh_selinux_setup_pty(char *, const char *); 24void ssh_selinux_setup_pty(char *, const char *, const char *);
25void ssh_selinux_setup_exec_context(char *); 25void ssh_selinux_setup_exec_context(char *, const char *);
26void ssh_selinux_change_context(const char *); 26void ssh_selinux_change_context(const char *);
27void ssh_selinux_setfscreatecon(const char *); 27void ssh_selinux_setfscreatecon(const char *);
28#endif 28#endif