From 21e3ff3ab4791d3c94bd775da66cde29797fcb36 Mon Sep 17 00:00:00 2001
From: Manoj Srivastava <srivasta@debian.org>
Date: Sun, 9 Feb 2014 16:09:49 +0000
Subject: Handle SELinux authorisation roles

Rejected upstream due to discomfort with magic usernames; a better approach
will need an SSH protocol change.  In the meantime, this came from Debian's
SELinux maintainer, so we'll keep it until we have something better.

Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641
Bug-Debian: http://bugs.debian.org/394795
Last-Update: 2019-06-05

Patch-Name: selinux-role.patch
---
 session.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'session.c')

diff --git a/session.c b/session.c
index ac3d9d19d..d87ea4d44 100644
--- a/session.c
+++ b/session.c
@@ -1356,7 +1356,7 @@ safely_chroot(const char *path, uid_t uid)
 
 /* Set login name, uid, gid, and groups. */
 void
-do_setusercontext(struct passwd *pw)
+do_setusercontext(struct passwd *pw, const char *role)
 {
 	char uidstr[32], *chroot_path, *tmp;
 
@@ -1384,7 +1384,7 @@ do_setusercontext(struct passwd *pw)
 		endgrent();
 #endif
 
-		platform_setusercontext_post_groups(pw);
+		platform_setusercontext_post_groups(pw, role);
 
 		if (!in_chroot && options.chroot_directory != NULL &&
 		    strcasecmp(options.chroot_directory, "none") != 0) {
@@ -1525,7 +1525,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
-		do_setusercontext(pw);
+		do_setusercontext(pw, s->authctxt->role);
 		child_close_fds(ssh);
 		do_pwchange(s);
 		exit(1);
@@ -1543,7 +1543,7 @@ do_child(struct ssh *ssh, Session *s, const char *command)
 	/* When PAM is enabled we rely on it to do the nologin check */
 	if (!options.use_pam)
 		do_nologin(pw);
-	do_setusercontext(pw);
+	do_setusercontext(pw, s->authctxt->role);
 	/*
 	 * PAM session modules in do_setusercontext may have
 	 * generated messages, so if this in an interactive
@@ -1942,7 +1942,7 @@ session_pty_req(struct ssh *ssh, Session *s)
 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
 
 	if (!use_privsep)
-		pty_setowner(s->pw, s->tty);
+		pty_setowner(s->pw, s->tty, s->authctxt->role);
 
 	/* Set window size from the packet. */
 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
-- 
cgit v1.2.3