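diff -up openssh-5.9p0/auth-pam.c.role openssh-5.9p0/auth-pam.c
--- openssh-5.9p0/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.9p0/auth-pam.c 2011-08-31 11:42:54.870087433 +0200
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
 * during the ssh authentication process.
 */
 int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
 {
 int ret = 1;
 #ifdef HAVE_PAM_PUTENV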
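diff -up openssh-5.9p0/auth-pam.h.role openssh-5.9p0/auth-pam.h
--- openssh-5.9p0/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.9p0/auth-pam.h 2011-08-31 11:42:54.979086333 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);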
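diff -up openssh-5.9p0/auth.h.role openssh-5.9p0/auth.h
--- openssh-5.9p0/auth.h.role 2011-08-31 11:42:47.760024631 +0200
+++ openssh-5.9p0/auth.h 2011-08-31 11:42:55.090151027 +0200
@@ -59,6 +59,9 @@ struct Authctxt {
 char *service;
 struct passwd *pw; /* set if 'valid' */
 char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
 void *kbdintctxt;
 void *jpake_ctx;
 #ifdef BSD_AUTH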
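Review bot: The new `role` member is undocumented, and its ownership differs between the two code paths that set it: auth2.c stores an `xstrdup` copy while auth1.c stores a pointer into the client-supplied `user` string, and no matching free is visible anywhere in this patch. Suggested comment on the field: `char *role; /* SELinux role parsed from "user/role[/level]"; xstrdup'd in auth2.c, aliases user in auth1.c; NULL if none */`. The struct definition continues outside the hunk.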
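diff -up openssh-5.9p0/auth1.c.role openssh-5.9p0/auth1.c
--- openssh-5.9p0/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.9p0/auth1.c 2011-08-31 11:42:55.215033075 +0200
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
 {
 u_int ulen;
 char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
 
 /* Get the name of the user that we wish to log in as. */
 packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
 user = packet_get_cstring(&ulen);
 packet_check_eom();
 
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
 if ((style = strchr(user, ':')) != NULL)
 *style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
 
 authctxt->user = user;
 authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
 
 /* Verify that the user is a valid user. */
 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)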
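Review bot: The protocol 1 path stores `role` as a pointer into the client-supplied `user` buffer rather than the `xstrdup` copy auth2.c makes, and unlike auth2.c it never calls `mm_inform_authrole()`, so under privilege separation the monitor's `authctxt->role` appears never to be set for protocol 1 (the monitor.c hunk only permits MONITOR_REQ_AUTHROLE in the protocol 2 branch of mm_answer_pwnamallow). If that is intended, say so next to `authctxt->role = role;`, e.g. `/* not sent to the monitor: role selection is unsupported for protocol 1 under privsep */`; otherwise hand the role to the monitor the way auth2.c does. The split also leaves a `:` inside `role` untouched when `user` itself contained one (`u:s/role:t`), which is worth either stating or rejecting explicitly. do_authentication continues outside the hunks.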
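diff -up openssh-5.9p0/auth2-gss.c.role openssh-5.9p0/auth2-gss.c
--- openssh-5.9p0/auth2-gss.c.role 2011-05-05 06:04:11.000000000 +0200
+++ openssh-5.9p0/auth2-gss.c 2011-08-31 11:42:55.313025576 +0200
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
 Authctxt *authctxt = ctxt;
 Gssctxt *gssctxt;
 int authenticated = 0;
+ char *micuser;
 Buffer b;
 gss_buffer_desc mic, gssbuf;
 u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
 mic.value = packet_get_string(&len);
 mic.length = len;
 
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 "gssapi-with-mic");
 
 gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
 logit("GSSAPI MIC check failed");
 
 buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
 xfree(mic.value);
 
 authctxt->postponed = 0;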
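Review bot: The empty-role condition here (`authctxt->role && (strlen(authctxt->role) > 0)`) differs from auth2-hostbased.c and auth2-pubkey.c, which test only `authctxt->role != NULL`; the unprivileged child stores an `xstrdup` of whatever followed the `/`, so a request naming `user/` is reconstructed as `user/` for the signature checks but as `user` for the MIC. Use the same condition in all three places, `if (authctxt->role != NULL)`, so the reconstructed name is always exactly what the client sent. The `else` that spans the `#endif` is legal but easy to misread; a small helper returning the user string, or an `#else`/`#endif` pair, would be clearer. input_gssapi_mic continues outside the hunks.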
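diff -up openssh-5.9p0/auth2-hostbased.c.role openssh-5.9p0/auth2-hostbased.c
--- openssh-5.9p0/auth2-hostbased.c.role 2011-08-31 11:42:47.863023264 +0200
+++ openssh-5.9p0/auth2-hostbased.c 2011-08-31 11:42:55.421024814 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 buffer_put_string(&b, session_id2, session_id2_len);
 /* reconstruct packet */
 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
 buffer_put_cstring(&b, service);
 buffer_put_cstring(&b, "hostbased");
 buffer_put_string(&b, pkalg, alen);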
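Review bot: The user/role reconstruction added here is duplicated byte-for-byte in auth2-pubkey.c, and it hand-encodes the SSH string length with three separate `strlen()` calls; since this is the data whose signature is verified, one shared helper keeps the two call sites from drifting apart (the GSS MIC path in auth2-gss.c has already drifted, using a different empty-role condition). A helper along the following lines, declared in auth.h and called from both files, replaces each eight-line `#ifdef` block with a single call. userauth_hostbased continues outside the hunk.
```c
/* Append user[/role] as one SSH string: exactly the name the client signed over. */
void
auth2_put_user_role(Buffer *b, Authctxt *authctxt)
{
#ifdef WITH_SELINUX
	if (authctxt->role != NULL) {
		size_t ulen = strlen(authctxt->user), rlen = strlen(authctxt->role);

		buffer_put_int(b, ulen + rlen + 1);
		buffer_append(b, authctxt->user, ulen);
		buffer_put_char(b, '/');
		buffer_append(b, authctxt->role, rlen);
		return;
	}
#endif
	buffer_put_cstring(b, authctxt->user);
}
```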
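diff -up openssh-5.9p0/auth2-pubkey.c.role openssh-5.9p0/auth2-pubkey.c
--- openssh-5.9p0/auth2-pubkey.c.role 2011-08-31 11:42:47.978087418 +0200
+++ openssh-5.9p0/auth2-pubkey.c 2011-08-31 11:42:55.551025263 +0200
@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt)
 }
 /* reconstruct packet */
 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
 buffer_put_cstring(&b,
 datafellows & SSH_BUG_PKSERVICE ?
 "ssh-userauth" :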
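diff -up openssh-5.9p0/auth2.c.role openssh-5.9p0/auth2.c
--- openssh-5.9p0/auth2.c.role 2011-08-31 11:42:45.409026065 +0200
+++ openssh-5.9p0/auth2.c 2011-08-31 11:42:55.676024869 +0200
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
 Authctxt *authctxt = ctxt;
 Authmethod *m = NULL;
 char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
 int authenticated = 0;
 
 if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
 debug("userauth-request for user %s service %s method %s", user, service, method);
 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
 if ((style = strchr(user, ':')) != NULL)
 *style++ = 0;
 
@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32
 use_privsep ? " [net]" : "");
 authctxt->service = xstrdup(service);
 authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
 mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
 userauth_banner();
 } else if (strcmp(user, authctxt->user) != 0 ||
 strcmp(service, authctxt->service) != 0) {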
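Review bot: The role is cut off `user` before the `strcmp(user, authctxt->user)` consistency check on follow-up requests, so a later USERAUTH_REQUEST that changes only the `/role` suffix passes that check while `authctxt->role` (and the copy already sent to the monitor) keeps the first request's value. The signature and MIC reconstructions are then built with the stale role, which fails closed, but it would be cleaner and easier to audit to compare the new `role` against `authctxt->role` in that `else if` (NULL on both sides, or equal strings) and treat a mismatch exactly like a changed user or service. The `xstrdup`'d role is, as far as this patch shows, never freed. input_userauth_request continues outside the hunks.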
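diff -up openssh-5.9p0/monitor.c.role openssh-5.9p0/monitor.c
--- openssh-5.9p0/monitor.c.role 2011-08-31 11:42:53.301024819 +0200
+++ openssh-5.9p0/monitor.c 2011-08-31 11:42:55.796025812 +0200
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -231,6 +234,9 @@ struct mon_table mon_dispatch_proto20[]
 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -819,6 +825,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 else {
 /* Allow service/style information on the auth context */
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 }
 #ifdef USE_PAM
@@ -862,6 +871,25 @@ mm_answer_authserv(int sock, Buffer *m)
 return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
@@ -1227,7 +1255,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 Buffer b;
- char *p;
+ char *p, *r;
 u_int len;
 int fail = 0;
 
@@ -1253,6 +1281,8 @@ monitor_valid_userblob(u_char *data, u_i
 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 fail++;
 p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
 if (strcmp(authctxt->user, p) != 0) {
 logit("wrong user name passed to monitor: expected %s != %.100s",
 authctxt->user, p);
@@ -1284,7 +1314,7 @@ monitor_valid_hostbasedblob(u_char *data
 char *chost)
 {
 Buffer b;
- char *p;
+ char *p, *r;
 u_int len;
 int fail = 0;
 
@@ -1301,6 +1331,8 @@ monitor_valid_hostbasedblob(u_char *data
 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 fail++;
 p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
 if (strcmp(authctxt->user, p) != 0) {
 logit("wrong user name passed to monitor: expected %s != %.100s",
 authctxt->user, p);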
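Review bot: In monitor_valid_userblob (and identically in monitor_valid_hostbasedblob) the new code truncates the `/role` suffix of the blob's user string and then compares only the user part, so the role the child put into the signed data is never checked against the `authctxt->role` the monitor received through MONITOR_REQ_AUTHROLE. Both values originate in the same unprivileged child, so this is a consistency check rather than a new trust boundary, but it is cheap and keeps the monitor's notion of the role tied to what was actually signed: `*r++ = '\0';` followed by `if (r != NULL && (authctxt->role == NULL || strcmp(r, authctxt->role) != 0)) fail++;`, bearing in mind that mm_answer_authrole maps an empty role to NULL, so an empty suffix needs the same mapping. A one-line comment on the truncation (`/* blob carries user[/role]; the monitor's authctxt->user holds only user */`) would also help the next reader. Both functions continue outside their hunks.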
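diff -up openssh-5.9p0/monitor.h.role openssh-5.9p0/monitor.h
--- openssh-5.9p0/monitor.h.role 2011-08-31 11:42:53.409025333 +0200
+++ openssh-5.9p0/monitor.h 2011-08-31 11:42:55.889024801 +0200
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE,
+#endif
 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,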
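diff -up openssh-5.9p0/monitor_wrap.c.role openssh-5.9p0/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.role 2011-08-31 11:42:53.548024503 +0200
+++ openssh-5.9p0/monitor_wrap.c 2011-08-31 11:42:56.029024553 +0200
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
 buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)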
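Review bot: The comment `/* Inform the privileged process about role */` sits above the `#ifdef` and a blank line rather than directly on the function, and it does not record that a NULL role is sent as the empty string, which mm_answer_authrole in monitor.c maps back to NULL. Suggested replacement placed immediately above `mm_inform_authrole`: `/* Tell the monitor the SELinux role requested as user/role; NULL is sent as "" and stored as NULL on the monitor side */`. The parameter could also be `const char *`, since the function only reads `role`.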
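diff -up openssh-5.9p0/monitor_wrap.h.role openssh-5.9p0/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.role 2011-08-31 11:42:53.660025271 +0200
+++ openssh-5.9p0/monitor_wrap.h 2011-08-31 11:42:56.131025748 +0200
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);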
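diff -up openssh-5.9p0/openbsd-compat/Makefile.in.role openssh-5.9p0/openbsd-compat/Makefile.in
--- openssh-5.9p0/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/Makefile.in 2011-08-31 11:48:02.404091479 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
 $(CC) $(CFLAGS) $(CPPFLAGS) -c $<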
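diff -up openssh-5.9p0/openbsd-compat/port-linux.c.role openssh-5.9p0/openbsd-compat/port-linux.c
--- openssh-5.9p0/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-31 11:42:56.492087969 +0200
@@ -31,7 +31,11 @@
 
 #include "log.h"
 #include "xmalloc.h"
+#include "servconf.h"
 #include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
@@ -42,41 +46,63 @@
 # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
 #endif
 
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
-ssh_selinux_enabled(void)
-{
- static int enabled = -1;
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
 
- if (enabled == -1) {
- enabled = (is_selinux_enabled() == 1);
- debug("SELinux support %s", enabled ? "enabled" : "disabled");
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+ *role = NULL;
+ *level = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ *role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(*role, '/')) != NULL) {
+ *slash = '\0';
+ *level = slash + 1;
+ }
+ }
 }
-
- return (enabled);
 }
 
 /* Return the default security context for the given username */
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
- security_context_t sc;
- char *sename = NULL, *lvl = NULL;
- int r;
+ security_context_t sc = NULL;
+ char *sename, *lvl;
+ char *role;
+ const char *reqlvl;
+ int r = 0;
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
 
 #ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
 #else
 sename = pwname;
 lvl = NULL;
 #endif
 
+ if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
 #endif
+ }
 
 if (r != 0) {
 switch (security_getenforce()) {
@@ -104,6 +130,36 @@ ssh_selinux_getctxbyname(char *pwname)
 return (sc);
 }
 
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
+ char *use_current;
+ int rv;
+
+ debug3("%s: setting execution context", __func__);
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
+ if (inetd_flag && !rexeced_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ }
+
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
+ xfree(role);
+
+ return rv;
+}
+
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
@@ -113,6 +169,24 @@ ssh_selinux_setup_exec_context(char *pwn
 if (!ssh_selinux_enabled())
 return;
 
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
+ if (ssh_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
+ case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+ __func__);
+ break;
+ default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+ __func__);
+ }
+ }
+ return;
+ }
+
 debug3("%s: setting execution context", __func__);
 
 user_ctx = ssh_selinux_getctxbyname(pwname);
@@ -220,21 +294,6 @@ ssh_selinux_change_context(const char *n
 xfree(newctx);
 }
 
-void
-ssh_selinux_setfscreatecon(const char *path)
-{
- security_context_t context;
-
- if (!ssh_selinux_enabled())
- return;
- if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }
- if (matchpathcon(path, 0700, &context) == 0)
- setfscreatecon(context);
-}
-
 #endif /* WITH_SELINUX */
 
 #ifdef LINUX_OOM_ADJUST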
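Review bot: ssh_selinux_setup_exec_context now returns early whenever `options.use_pam` is set without computing or applying a context itself, so the session's SELinux context depends entirely on pam_selinux being present in sshd's PAM stack; if it is not, the user session keeps sshd's own context with nothing logged, a silent fail-open compared with the previous unconditional ssh_selinux_getctxbyname path. At minimum the early return needs a comment stating that dependency (e.g. `/* UsePAM: the transition is done by pam_selinux from the SELINUX_* variables; without pam_selinux in the stack no transition happens */`), and ideally a fallback to the old path when the PAM variables cannot be set, since the `case 0` branch already chooses to continue. Separately, ssh_selinux_getctxbyname obtains `role` from ssh_selinux_get_role_level (an xstrdup) but no `xfree(role)` is visible in its hunks and `reqlvl` is not used there; the function continues outside the hunk, so this may be handled later, but it is worth confirming. ssh_selinux_get_role_level should also document that `*level` points inside the `*role` allocation and becomes dangling once `*role` is freed.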
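diff -up openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role openssh-5.9p0/openbsd-compat/port-linux_part_2.c
--- openssh-5.9p0/openbsd-compat/port-linux_part_2.c.role 2011-08-31 11:42:56.583047619 +0200
+++ openssh-5.9p0/openbsd-compat/port-linux_part_2.c 2011-08-31 11:42:56.586178005 +0200
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+ssh_selinux_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ enabled = (is_selinux_enabled() == 1);
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+ security_context_t context;
+
+ if (!ssh_selinux_enabled())
+ return;
+ if (path == NULL) {
+ setfscreatecon(NULL);
+ return;
+ }
+ if (matchpathcon(path, 0700, &context) == 0)
+ setfscreatecon(context);
+}
+
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */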
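Review bot: ssh_selinux_setfscreatecon, moved here unchanged, never releases the `context` that matchpathcon() allocates (libselinux expects freecon()), and neither setfscreatecon() call has its return value checked, so a failed label setup is silent; since the file is new this is the moment to fix both. The file header also still carries port-linux.c's `$Id` line and the comment "just SELinux support at present", and says nothing about why the split exists — presumably because port-linux.c now references sshd-only objects (`options`, `the_authctxt`, `inetd_flag`, `rexeced_flag`), which other programs linking openbsd-compat cannot provide; a sentence to that effect in the header comment would save the next maintainer the archaeology. The `key.h`/`hostfile.h`/`auth.h` includes do not appear to be needed by the two functions kept here.
```c
	if (matchpathcon(path, 0700, &context) == 0) {
		if (setfscreatecon(context) != 0)
			error("%s: setfscreatecon failed: %s", __func__, strerror(errno));
		freecon(context);
	}
```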