[people/stevee/ipfire-3.x.git] / openssh / patches / openssh-5.8p1-selinux-role.patch

diff -up openssh-5.8p1/auth1.c.role openssh-5.8p1/auth1.c
--- openssh-5.8p1/auth1.c.role	2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.8p1/auth1.c	2011-02-12 14:34:11.000000000 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role=NULL;
+#endif
 
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = '\0';
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = '\0';
+#ifdef WITH_SELINUX
+	else
+		if (role && (style = strchr(role, ':')) != NULL)
+			*style++ = '\0';
+#endif
 
 	authctxt->user = user;
 	authctxt->style = style;
+#ifdef WITH_SELINUX
+	authctxt->role = role;
+#endif
 
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-5.8p1/auth2.c.role openssh-5.8p1/auth2.c
--- openssh-5.8p1/auth2.c.role	2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.8p1/auth2.c	2011-02-12 14:34:11.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+	char *role = NULL;
+#endif
 	int authenticated = 0;
 
 	if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+#ifdef WITH_SELINUX
+	if ((role = strchr(user, '/')) != NULL)
+		*role++ = 0;
+#endif
+
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
 
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
+#ifdef WITH_SELINUX
+		authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+		if (use_privsep) {
 			mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+			mm_inform_authrole(role);
+#endif
+		}
 		userauth_banner();
 	} else if (strcmp(user, authctxt->user) != 0 ||
 	    strcmp(service, authctxt->service) != 0) {
diff -up openssh-5.8p1/auth2-gss.c.role openssh-5.8p1/auth2-gss.c
--- openssh-5.8p1/auth2-gss.c.role	2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.8p1/auth2-gss.c	2011-02-12 14:34:11.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
+	char *micuser;
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
 
-	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+	if (authctxt->role && (strlen(authctxt->role) > 0))
+		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+	else
+#endif
+		micuser = authctxt->user;
+	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 	    "gssapi-with-mic");
 
 	gssbuf.value = buffer_ptr(&b);
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 
 	buffer_free(&b);
+	if (micuser != authctxt->user)
+		xfree(micuser);
 	xfree(mic.value);
 
 	authctxt->postponed = 0;
diff -up openssh-5.8p1/auth2-hostbased.c.role openssh-5.8p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.role	2011-02-12 14:34:10.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c	2011-02-12 14:34:11.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+	if (authctxt->role) {
+		buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+		buffer_append(&b, authctxt->user, strlen(authctxt->user));
+		buffer_put_char(&b, '/');
+		buffer_append(&b, authctxt->role, strlen(authctxt->role));
+	} else 
+#endif
+		buffer_put_cstring(&b, authctxt->user);
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
diff -up openssh-5.8p1/auth2-pubkey.c.role openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c	2011-02-12 14:34:11.000000000 +0100
@@ -122,7 +122,15 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-		buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+		if (authctxt->role) {
+			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+			buffer_append(&b, authctxt->user, strlen(authctxt->user));
+			buffer_put_char(&b, '/');
+			buffer_append(&b, authctxt->role, strlen(authctxt->role));
+		} else 
+#endif
+			buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
 		    datafellows & SSH_BUG_PKSERVICE ?
 		    "ssh-userauth" :
diff -up openssh-5.8p1/auth.h.role openssh-5.8p1/auth.h
--- openssh-5.8p1/auth.h.role	2011-02-12 14:34:10.000000000 +0100
+++ openssh-5.8p1/auth.h	2011-02-12 14:34:11.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
+#ifdef WITH_SELINUX
+	char		*role;
+#endif
 	void		*kbdintctxt;
 	void		*jpake_ctx;
 #ifdef BSD_AUTH
diff -up openssh-5.8p1/auth-pam.c.role openssh-5.8p1/auth-pam.c
--- openssh-5.8p1/auth-pam.c.role	2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.8p1/auth-pam.c	2011-02-12 14:34:11.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
diff -up openssh-5.8p1/auth-pam.h.role openssh-5.8p1/auth-pam.h
--- openssh-5.8p1/auth-pam.h.role	2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.8p1/auth-pam.h	2011-02-12 14:34:11.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
diff -up openssh-5.8p1/monitor.c.role openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor.c	2011-02-12 14:34:11.000000000 +0100
@@ -138,6 +138,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -218,6 +221,9 @@ struct mon_table mon_dispatch_proto20[] 
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -703,6 +709,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -747,6 +756,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
@@ -1112,7 +1140,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
-	char *p;
+	char *p, *r;
 	u_int len;
 	int fail = 0;
 
@@ -1138,6 +1166,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
@@ -1169,7 +1199,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
-	char *p;
+	char *p, *r;
 	u_int len;
 	int fail = 0;
 
@@ -1186,6 +1216,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
 	p = buffer_get_string(&b, NULL);
+	if ((r = strchr(p, '/')) != NULL)
+		*r = '\0';
 	if (strcmp(authctxt->user, p) != 0) {
 		logit("wrong user name passed to monitor: expected %s != %.100s",
 		    authctxt->user, p);
diff -up openssh-5.8p1/monitor.h.role openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor.h	2011-02-12 14:34:11.000000000 +0100
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+	MONITOR_REQ_AUTHROLE,
+#endif
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -up openssh-5.8p1/monitor_wrap.c.role openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c	2011-02-12 14:34:11.000000000 +0100
@@ -298,6 +298,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-5.8p1/monitor_wrap.h.role openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h	2011-02-12 14:34:11.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-5.8p1/openbsd-compat/Makefile.in.role openssh-5.8p1/openbsd-compat/Makefile.in
--- openssh-5.8p1/openbsd-compat/Makefile.in.role	2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-02-12 14:34:11.000000000 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-5.8p1/openbsd-compat/port-linux.c.role openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.8p1/openbsd-compat/port-linux.c.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux.c	2011-02-12 14:37:31.000000000 +0100
@@ -31,48 +31,73 @@
 
 #include "log.h"
 #include "xmalloc.h"
+#include "servconf.h"
 #include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
-ssh_selinux_enabled(void)
-{
-	static int enabled = -1;
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
 
-	if (enabled == -1) {
-		enabled = (is_selinux_enabled() == 1);
-		debug("SELinux support %s", enabled ? "enabled" : "disabled");
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+	*role = NULL;
+	*level = NULL;
+	if (the_authctxt) {
+		if (the_authctxt->role != NULL) {
+			char *slash;
+			*role = xstrdup(the_authctxt->role);
+			if ((slash = strchr(*role, '/')) != NULL) {
+				*slash = '\0';
+				*level = slash + 1;
+			}
+		}
 	}
-
-	return (enabled);
 }
 
 /* Return the default security context for the given username */
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
-	security_context_t sc;
-	char *sename = NULL, *lvl = NULL;
-	int r;
+	security_context_t sc = NULL;
+	char *sename, *lvl;
+	char *role;
+	const char *reqlvl;
+	int r = 0;
 
+	ssh_selinux_get_role_level(&role, &reqlvl);
 #ifdef HAVE_GETSEUSERBYNAME
-	if (getseuserbyname(pwname, &sename, &lvl) != 0)
-		return NULL;
+	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+		sename = NULL;
+		lvl = NULL;
+	}
 #else
 	sename = pwname;
 	lvl = NULL;
 #endif
 
+	if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-	r = get_default_context_with_level(sename, lvl, NULL, &sc);
+		if (role != NULL && role[0])
+			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+		else
+			r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
-	r = get_default_context(sename, NULL, &sc);
+		if (role != NULL && role[0])
+			r = get_default_context_with_role(sename, role, NULL, &sc);
+		else
+			r = get_default_context(sename, NULL, &sc);
 #endif
+	}
 
 	if (r != 0) {
 		switch (security_getenforce()) {
@@ -100,6 +125,36 @@ ssh_selinux_getctxbyname(char *pwname)
 	return (sc);
 }
 
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+	const char *reqlvl;
+	char *role;
+	char *use_current;
+	int rv;
+
+	debug3("%s: setting execution context", __func__);
+
+	ssh_selinux_get_role_level(&role, &reqlvl);
+
+	rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+	
+	if (inetd_flag && !rexeced_flag) {
+		use_current = "1";
+	} else {
+		use_current = "";
+		rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+	}
+
+	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+	if (role != NULL)
+		xfree(role);
+	
+	return rv;
+}
+
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
@@ -109,6 +164,24 @@ ssh_selinux_setup_exec_context(char *pwn
 	if (!ssh_selinux_enabled())
 		return;
 
+	if (options.use_pam) {
+		/* do not compute context, just setup environment for pam_selinux */
+		if (ssh_selinux_setup_pam_variables()) {
+			switch (security_getenforce()) {
+			case -1:
+				fatal("%s: security_getenforce() failed", __func__);
+			case 0:
+				error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+				    __func__);
+			break;
+			default:
+				fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+				    __func__);
+			}
+		}
+		return;
+	}
+
 	debug3("%s: setting execution context", __func__);
 
 	user_ctx = ssh_selinux_getctxbyname(pwname);
@@ -206,21 +279,6 @@ ssh_selinux_change_context(const char *n
 	xfree(newctx);
 }
 
-void
-ssh_selinux_setfscreatecon(const char *path)
-{
-	security_context_t context;
-
-	if (!ssh_selinux_enabled())
-		return;
-	if (path == NULL) {
-		setfscreatecon(NULL);
-		return;
-	}
-	if (matchpathcon(path, 0700, &context) == 0)
-		setfscreatecon(context);
-}
-
 #endif /* WITH_SELINUX */
 
 #ifdef LINUX_OOM_ADJUST
diff -up openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role openssh-5.8p1/openbsd-compat/port-linux_part_2.c
--- openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role	2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux_part_2.c	2011-02-12 14:34:11.000000000 +0100
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+ssh_selinux_enabled(void)
+{
+	static int enabled = -1;
+
+	if (enabled == -1) {
+		enabled = (is_selinux_enabled() == 1);
+		debug("SELinux support %s", enabled ? "enabled" : "disabled");
+	}
+
+	return (enabled);
+}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+	security_context_t context;
+
+	if (!ssh_selinux_enabled())
+		return;
+	if (path == NULL) {
+		setfscreatecon(NULL);
+		return;
+	}
+	if (matchpathcon(path, 0700, &context) == 0)
+		setfscreatecon(context);
+}
+
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
Commit	Line	Data
852f4e06 SS	1	diff -up openssh-5.8p1/auth1.c.role openssh-5.8p1/auth1.c
	2	--- openssh-5.8p1/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
	3	+++ openssh-5.8p1/auth1.c 2011-02-12 14:34:11.000000000 +0100
	4	@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
	5	{
	6	u_int ulen;
	7	char user, style = NULL;
	8	+#ifdef WITH_SELINUX
	9	+ char *role=NULL;
	10	+#endif
	11
	12	/* Get the name of the user that we wish to log in as. */
	13	packet_read_expect(SSH_CMSG_USER);
	14	@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
	15	user = packet_get_cstring(&ulen);
	16	packet_check_eom();
	17
	18	+#ifdef WITH_SELINUX
	19	+ if ((role = strchr(user, '/')) != NULL)
	20	+ *role++ = '\0';
	21	+#endif
	22	+
	23	if ((style = strchr(user, ':')) != NULL)
	24	*style++ = '\0';
	25	+#ifdef WITH_SELINUX
	26	+ else
	27	+ if (role && (style = strchr(role, ':')) != NULL)
	28	+ *style++ = '\0';
	29	+#endif
	30
	31	authctxt->user = user;
	32	authctxt->style = style;
	33	+#ifdef WITH_SELINUX
	34	+ authctxt->role = role;
	35	+#endif
	36
	37	/* Verify that the user is a valid user. */
	38	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
	39	diff -up openssh-5.8p1/auth2.c.role openssh-5.8p1/auth2.c
	40	--- openssh-5.8p1/auth2.c.role 2010-08-31 14:36:39.000000000 +0200
	41	+++ openssh-5.8p1/auth2.c 2011-02-12 14:34:11.000000000 +0100
	42	@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
	43	Authctxt *authctxt = ctxt;
	44	Authmethod *m = NULL;
	45	char user, service, method, style = NULL;
	46	+#ifdef WITH_SELINUX
	47	+ char *role = NULL;
	48	+#endif
	49	int authenticated = 0;
	50
	51	if (authctxt == NULL)
	52	@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
	53	debug("userauth-request for user %s service %s method %s", user, service, method);
	54	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
	55
	56	+#ifdef WITH_SELINUX
	57	+ if ((role = strchr(user, '/')) != NULL)
	58	+ *role++ = 0;
	59	+#endif
	60	+
	61	if ((style = strchr(user, ':')) != NULL)
	62	*style++ = 0;
	63
	64	@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
65	use_privsep ? " [net]" : "");
66	authctxt->service = xstrdup(service);
67	authctxt->style = style ? xstrdup(style) : NULL;
68	- if (use_privsep)
69	+#ifdef WITH_SELINUX
70	+ authctxt->role = role ? xstrdup(role) : NULL;
71	+#endif
72	+ if (use_privsep) {
73	mm_inform_authserv(service, style);
74	+#ifdef WITH_SELINUX
75	+ mm_inform_authrole(role);
76	+#endif
77	+ }
78	userauth_banner();
79	} else if (strcmp(user, authctxt->user) != 0 \|\|
80	strcmp(service, authctxt->service) != 0) {
81	diff -up openssh-5.8p1/auth2-gss.c.role openssh-5.8p1/auth2-gss.c
82	--- openssh-5.8p1/auth2-gss.c.role 2007-12-02 12:59:45.000000000 +0100
83	+++ openssh-5.8p1/auth2-gss.c 2011-02-12 14:34:11.000000000 +0100
84	@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
85	Authctxt *authctxt = ctxt;
86	Gssctxt *gssctxt;
87	int authenticated = 0;
88	+ char *micuser;
89	Buffer b;
90	gss_buffer_desc mic, gssbuf;
91	u_int len;
92	@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
93	mic.value = packet_get_string(&len);
94	mic.length = len;
95
96	- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
97	+#ifdef WITH_SELINUX
98	+ if (authctxt->role && (strlen(authctxt->role) > 0))
99	+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
100	+ else
101	+#endif
102	+ micuser = authctxt->user;
103	+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
104	"gssapi-with-mic");
105
106	gssbuf.value = buffer_ptr(&b);
107	@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
108	logit("GSSAPI MIC check failed");
109
110	buffer_free(&b);
111	+ if (micuser != authctxt->user)
112	+ xfree(micuser);
113	xfree(mic.value);
114
115	authctxt->postponed = 0;
116	diff -up openssh-5.8p1/auth2-hostbased.c.role openssh-5.8p1/auth2-hostbased.c
117	--- openssh-5.8p1/auth2-hostbased.c.role 2011-02-12 14:34:10.000000000 +0100
118	+++ openssh-5.8p1/auth2-hostbased.c 2011-02-12 14:34:11.000000000 +0100
119	@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
120	buffer_put_string(&b, session_id2, session_id2_len);
121	/* reconstruct packet */
122	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
123	- buffer_put_cstring(&b, authctxt->user);
124	+#ifdef WITH_SELINUX
125	+ if (authctxt->role) {
126	+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
127	+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
128	+ buffer_put_char(&b, '/');
129	+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
130	+ } else
131	+#endif
132	+ buffer_put_cstring(&b, authctxt->user);
133	buffer_put_cstring(&b, service);
134	buffer_put_cstring(&b, "hostbased");
135	buffer_put_string(&b, pkalg, alen);
136	diff -up openssh-5.8p1/auth2-pubkey.c.role openssh-5.8p1/auth2-pubkey.c
137	--- openssh-5.8p1/auth2-pubkey.c.role 2011-02-12 14:34:11.000000000 +0100
138	+++ openssh-5.8p1/auth2-pubkey.c 2011-02-12 14:34:11.000000000 +0100
139	@@ -122,7 +122,15 @@ userauth_pubkey(Authctxt *authctxt)
140	}
141	/* reconstruct packet */
142	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
143	- buffer_put_cstring(&b, authctxt->user);
144	+#ifdef WITH_SELINUX
145	+ if (authctxt->role) {
146	+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
147	+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
148	+ buffer_put_char(&b, '/');
149	+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
150	+ } else
151	+#endif
152	+ buffer_put_cstring(&b, authctxt->user);
153	buffer_put_cstring(&b,
154	datafellows & SSH_BUG_PKSERVICE ?
155	"ssh-userauth" :
156	diff -up openssh-5.8p1/auth.h.role openssh-5.8p1/auth.h
157	--- openssh-5.8p1/auth.h.role 2011-02-12 14:34:10.000000000 +0100
158	+++ openssh-5.8p1/auth.h 2011-02-12 14:34:11.000000000 +0100
159	@@ -58,6 +58,9 @@ struct Authctxt {
160	char *service;
161	struct passwd pw; / set if 'valid' */
162	char *style;
163	+#ifdef WITH_SELINUX
164	+ char *role;
165	+#endif
166	void *kbdintctxt;
167	void *jpake_ctx;
168	#ifdef BSD_AUTH
169	diff -up openssh-5.8p1/auth-pam.c.role openssh-5.8p1/auth-pam.c
170	--- openssh-5.8p1/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
171	+++ openssh-5.8p1/auth-pam.c 2011-02-12 14:34:11.000000000 +0100
172	@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
173	* during the ssh authentication process.
174	*/
175	int
176	-do_pam_putenv(char name, char value)
177	+do_pam_putenv(char name, const char value)
178	{
179	int ret = 1;
180	#ifdef HAVE_PAM_PUTENV
181	diff -up openssh-5.8p1/auth-pam.h.role openssh-5.8p1/auth-pam.h
182	--- openssh-5.8p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
183	+++ openssh-5.8p1/auth-pam.h 2011-02-12 14:34:11.000000000 +0100
184	@@ -38,7 +38,7 @@ void do_pam_session(void);
185	void do_pam_set_tty(const char *);
186	void do_pam_setcred(int );
187	void do_pam_chauthtok(void);
188	-int do_pam_putenv(char , char );
189	+int do_pam_putenv(char , const char );
190	char ** fetch_pam_environment(void);
191	char ** fetch_pam_child_environment(void);
192	void free_pam_environment(char **);
193	diff -up openssh-5.8p1/monitor.c.role openssh-5.8p1/monitor.c
194	--- openssh-5.8p1/monitor.c.role 2011-02-12 14:34:11.000000000 +0100
195	+++ openssh-5.8p1/monitor.c 2011-02-12 14:34:11.000000000 +0100
196	@@ -138,6 +138,9 @@ int mm_answer_sign(int, Buffer *);
197	int mm_answer_pwnamallow(int, Buffer *);
198	int mm_answer_auth2_read_banner(int, Buffer *);
199	int mm_answer_authserv(int, Buffer *);
200	+#ifdef WITH_SELINUX
201	+int mm_answer_authrole(int, Buffer *);
202	+#endif
203	int mm_answer_authpassword(int, Buffer *);
204	int mm_answer_bsdauthquery(int, Buffer *);
205	int mm_answer_bsdauthrespond(int, Buffer *);
206	@@ -218,6 +221,9 @@ struct mon_table mon_dispatch_proto20[]
207	{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
208	{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
209	{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
210	+#ifdef WITH_SELINUX
211	+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
212	+#endif
213	{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
214	{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
215	#ifdef USE_PAM
216	@@ -703,6 +709,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
217	else {
218	/* Allow service/style information on the auth context */
219	monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
220	+#ifdef WITH_SELINUX
221	+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
222	+#endif
223	monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
224	}
225
226	@@ -747,6 +756,25 @@ mm_answer_authserv(int sock, Buffer *m)
227	return (0);
228	}
229
230	+#ifdef WITH_SELINUX
231	+int
232	+mm_answer_authrole(int sock, Buffer *m)
233	+{
234	+ monitor_permit_authentications(1);
235	+
236	+ authctxt->role = buffer_get_string(m, NULL);
237	+ debug3("%s: role=%s",
238	+ __func__, authctxt->role);
239	+
240	+ if (strlen(authctxt->role) == 0) {
241	+ xfree(authctxt->role);
242	+ authctxt->role = NULL;
243	+ }
244	+
245	+ return (0);
246	+}
247	+#endif
248	+
249	int
250	mm_answer_authpassword(int sock, Buffer *m)
251	{
252	@@ -1112,7 +1140,7 @@ static int
253	monitor_valid_userblob(u_char *data, u_int datalen)
254	{
255	Buffer b;
256	- char *p;
257	+ char p, r;
258	u_int len;
259	int fail = 0;
260
261	@@ -1138,6 +1166,8 @@ monitor_valid_userblob(u_char *data, u_i
262	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
263	fail++;
264	p = buffer_get_string(&b, NULL);
265	+ if ((r = strchr(p, '/')) != NULL)
266	+ *r = '\0';
267	if (strcmp(authctxt->user, p) != 0) {
268	logit("wrong user name passed to monitor: expected %s != %.100s",
269	authctxt->user, p);
270	@@ -1169,7 +1199,7 @@ monitor_valid_hostbasedblob(u_char *data
271	char *chost)
272	{
273	Buffer b;
274	- char *p;
275	+ char p, r;
276	u_int len;
277	int fail = 0;
278
279	@@ -1186,6 +1216,8 @@ monitor_valid_hostbasedblob(u_char *data
280	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
281	fail++;
282	p = buffer_get_string(&b, NULL);
283	+ if ((r = strchr(p, '/')) != NULL)
284	+ *r = '\0';
285	if (strcmp(authctxt->user, p) != 0) {
286	logit("wrong user name passed to monitor: expected %s != %.100s",
287	authctxt->user, p);
288	diff -up openssh-5.8p1/monitor.h.role openssh-5.8p1/monitor.h
289	--- openssh-5.8p1/monitor.h.role 2011-02-12 14:34:11.000000000 +0100
290	+++ openssh-5.8p1/monitor.h 2011-02-12 14:34:11.000000000 +0100
291	@@ -31,6 +31,9 @@
292	enum monitor_reqtype {
293	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
294	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
295	+#ifdef WITH_SELINUX
296	+ MONITOR_REQ_AUTHROLE,
297	+#endif
298	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
299	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
300	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
301	diff -up openssh-5.8p1/monitor_wrap.c.role openssh-5.8p1/monitor_wrap.c
302	--- openssh-5.8p1/monitor_wrap.c.role 2011-02-12 14:34:11.000000000 +0100
303	+++ openssh-5.8p1/monitor_wrap.c 2011-02-12 14:34:11.000000000 +0100
304	@@ -298,6 +298,25 @@ mm_inform_authserv(char service, char
305	buffer_free(&m);
306	}
307
308	+/* Inform the privileged process about role */
309	+
310	+#ifdef WITH_SELINUX
311	+void
312	+mm_inform_authrole(char *role)
313	+{
314	+ Buffer m;
315	+
316	+ debug3("%s entering", __func__);
317	+
318	+ buffer_init(&m);
319	+ buffer_put_cstring(&m, role ? role : "");
320	+
321	+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
322	+
323	+ buffer_free(&m);
324	+}
325	+#endif
326	+
327	/* Do the password authentication */
328	int
329	mm_auth_password(Authctxt authctxt, char password)
330	diff -up openssh-5.8p1/monitor_wrap.h.role openssh-5.8p1/monitor_wrap.h
331	--- openssh-5.8p1/monitor_wrap.h.role 2011-02-12 14:34:11.000000000 +0100
332	+++ openssh-5.8p1/monitor_wrap.h 2011-02-12 14:34:11.000000000 +0100
333	@@ -41,6 +41,9 @@ int mm_is_monitor(void);
334	DH *mm_choose_dh(int, int, int);
335	int mm_key_sign(Key , u_char , u_int , u_char *, u_int);
336	void mm_inform_authserv(char , char );
337	+#ifdef WITH_SELINUX
338	+void mm_inform_authrole(char *);
339	+#endif
340	struct passwd mm_getpwnamallow(const char );
341	char *mm_auth2_read_banner(void);
342	int mm_auth_password(struct Authctxt , char );
343	diff -up openssh-5.8p1/openbsd-compat/Makefile.in.role openssh-5.8p1/openbsd-compat/Makefile.in
344	--- openssh-5.8p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
345	+++ openssh-5.8p1/openbsd-compat/Makefile.in 2011-02-12 14:34:11.000000000 +0100
346	@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
347
348	COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
349
350	-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
351	+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
352
353	.c.o:
354	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
355	diff -up openssh-5.8p1/openbsd-compat/port-linux.c.role openssh-5.8p1/openbsd-compat/port-linux.c
356	--- openssh-5.8p1/openbsd-compat/port-linux.c.role 2011-02-12 14:34:11.000000000 +0100
357	+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 14:37:31.000000000 +0100
358	@@ -31,48 +31,73 @@
359
360	#include "log.h"
361	#include "xmalloc.h"
362	+#include "servconf.h"
363	#include "port-linux.h"
364	+#include "key.h"
365	+#include "hostfile.h"
366	+#include "auth.h"
367
368	#ifdef WITH_SELINUX
369	#include <selinux/selinux.h>
370	#include <selinux/flask.h>
371	#include <selinux/get_context_list.h>
372
373	-/* Wrapper around is_selinux_enabled() to log its return value once only */
374	-int
375	-ssh_selinux_enabled(void)
376	-{
377	- static int enabled = -1;
378	+extern ServerOptions options;
379	+extern Authctxt *the_authctxt;
380	+extern int inetd_flag;
381	+extern int rexeced_flag;
382
383	- if (enabled == -1) {
384	- enabled = (is_selinux_enabled() == 1);
385	- debug("SELinux support %s", enabled ? "enabled" : "disabled");
386	+static void
387	+ssh_selinux_get_role_level(char role, const char level)
388	+{
389	+ *role = NULL;
390	+ *level = NULL;
391	+ if (the_authctxt) {
392	+ if (the_authctxt->role != NULL) {
393	+ char *slash;
394	+ *role = xstrdup(the_authctxt->role);
395	+ if ((slash = strchr(*role, '/')) != NULL) {
396	+ *slash = '\0';
397	+ *level = slash + 1;
398	+ }
399	+ }
400	}
401	-
402	- return (enabled);
403	}
404
405	/* Return the default security context for the given username */
406	static security_context_t
407	ssh_selinux_getctxbyname(char *pwname)
408	{
409	- security_context_t sc;
410	- char sename = NULL, lvl = NULL;
411	- int r;
412	+ security_context_t sc = NULL;
413	+ char sename, lvl;
414	+ char *role;
415	+ const char *reqlvl;
416	+ int r = 0;
417
418	+ ssh_selinux_get_role_level(&role, &reqlvl);
419	#ifdef HAVE_GETSEUSERBYNAME
420	- if (getseuserbyname(pwname, &sename, &lvl) != 0)
421	- return NULL;
422	+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
423	+ sename = NULL;
424	+ lvl = NULL;
425	+ }
426	#else
427	sename = pwname;
428	lvl = NULL;
429	#endif
430
431	+ if (r == 0) {
432	#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
433	- r = get_default_context_with_level(sename, lvl, NULL, &sc);
434	+ if (role != NULL && role[0])
435	+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
436	+ else
437	+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
438	#else
439	- r = get_default_context(sename, NULL, &sc);
440	+ if (role != NULL && role[0])
441	+ r = get_default_context_with_role(sename, role, NULL, &sc);
442	+ else
443	+ r = get_default_context(sename, NULL, &sc);
444	#endif
445	+ }
446
447	if (r != 0) {
448	switch (security_getenforce()) {
449	@@ -100,6 +125,36 @@ ssh_selinux_getctxbyname(char *pwname)
450	return (sc);
451	}
452
453	+/* Setup environment variables for pam_selinux */
454	+static int
455	+ssh_selinux_setup_pam_variables(void)
456	+{
457	+ const char *reqlvl;
458	+ char *role;
459	+ char *use_current;
460	+ int rv;
461	+
462	+ debug3("%s: setting execution context", __func__);
463	+
464	+ ssh_selinux_get_role_level(&role, &reqlvl);
465	+
466	+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
467	+
468	+ if (inetd_flag && !rexeced_flag) {
469	+ use_current = "1";
470	+ } else {
471	+ use_current = "";
472	+ rv = rv \|\| do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
473	+ }
474	+
475	+ rv = rv \|\| do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
476	+
477	+ if (role != NULL)
478	+ xfree(role);
479	+
480	+ return rv;
481	+}
482	+
483	/* Set the execution context to the default for the specified user */
484	void
485	ssh_selinux_setup_exec_context(char *pwname)
486	@@ -109,6 +164,24 @@ ssh_selinux_setup_exec_context(char *pwn
487	if (!ssh_selinux_enabled())
488	return;
489
490	+ if (options.use_pam) {
491	+ /* do not compute context, just setup environment for pam_selinux */
492	+ if (ssh_selinux_setup_pam_variables()) {
493	+ switch (security_getenforce()) {
494	+ case -1:
495	+ fatal("%s: security_getenforce() failed", __func__);
496	+ case 0:
497	+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
498	+ __func__);
499	+ break;
500	+ default:
501	+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
502	+ __func__);
503	+ }
504	+ }
505	+ return;
506	+ }
507	+
508	debug3("%s: setting execution context", __func__);
509
510	user_ctx = ssh_selinux_getctxbyname(pwname);
511	@@ -206,21 +279,6 @@ ssh_selinux_change_context(const char *n
512	xfree(newctx);
513	}
514
515	-void
516	-ssh_selinux_setfscreatecon(const char *path)
517	-{
518	- security_context_t context;
519	-
520	- if (!ssh_selinux_enabled())
521	- return;
522	- if (path == NULL) {
523	- setfscreatecon(NULL);
524	- return;
525	- }
526	- if (matchpathcon(path, 0700, &context) == 0)
527	- setfscreatecon(context);
528	-}
529	-
530	#endif /* WITH_SELINUX */
531
532	#ifdef LINUX_OOM_ADJUST
533	diff -up openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role openssh-5.8p1/openbsd-compat/port-linux_part_2.c
534	--- openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role 2011-02-12 14:34:11.000000000 +0100
535	+++ openssh-5.8p1/openbsd-compat/port-linux_part_2.c 2011-02-12 14:34:11.000000000 +0100
536	@@ -0,0 +1,75 @@
537	+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
538	+
539	+/*
540	+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
541	+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
542	+ *
543	+ * Permission to use, copy, modify, and distribute this software for any
544	+ * purpose with or without fee is hereby granted, provided that the above
545	+ * copyright notice and this permission notice appear in all copies.
546	+ *
547	+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
548	+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
549	+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
550	+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
551	+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
552	+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
553	+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
554	+ */
555	+
556	+/*
557	+ * Linux-specific portability code - just SELinux support at present
558	+ */
559	+
560	+#include "includes.h"
561	+
562	+#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST)
563	+#include <errno.h>
564	+#include <stdarg.h>
565	+#include <string.h>
566	+#include <stdio.h>
567	+
568	+#include "log.h"
569	+#include "xmalloc.h"
570	+#include "port-linux.h"
571	+#include "key.h"
572	+#include "hostfile.h"
573	+#include "auth.h"
574	+
575	+#ifdef WITH_SELINUX
576	+#include <selinux/selinux.h>
577	+#include <selinux/flask.h>
578	+#include <selinux/get_context_list.h>
579	+
580	+/* Wrapper around is_selinux_enabled() to log its return value once only */
581	+int
582	+ssh_selinux_enabled(void)
583	+{
584	+ static int enabled = -1;
585	+
586	+ if (enabled == -1) {
587	+ enabled = (is_selinux_enabled() == 1);
588	+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
589	+ }
590	+
591	+ return (enabled);
592	+}
593	+
594	+void
595	+ssh_selinux_setfscreatecon(const char *path)
596	+{
597	+ security_context_t context;
598	+
599	+ if (!ssh_selinux_enabled())
600	+ return;
601	+ if (path == NULL) {
602	+ setfscreatecon(NULL);
603	+ return;
604	+ }
605	+ if (matchpathcon(path, 0700, &context) == 0)
606	+ setfscreatecon(context);
607	+}
608	+
609	+#endif /* WITH_SELINUX */
610	+
611	+#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST */