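diff -up openssh-5.8p1/auth1.c.role openssh-5.8p1/auth1.c
--- openssh-5.8p1/auth1.c.role 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.8p1/auth1.c 2011-02-12 14:34:11.000000000 +0100
@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
 {
 u_int ulen;
 char *user, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role=NULL;
+#endif
 
 /* Get the name of the user that we wish to log in as. */
 packet_read_expect(SSH_CMSG_USER);
@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
 user = packet_get_cstring(&ulen);
 packet_check_eom();
 
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+#endif
+
 if ((style = strchr(user, ':')) != NULL)
 *style++ = '\0';
+#ifdef WITH_SELINUX
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+#endif
 
 authctxt->user = user;
 authctxt->style = style;
+#ifdef WITH_SELINUX
+ authctxt->role = role;
+#endif
 
 /* Verify that the user is a valid user. */
 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)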
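Review bot: The role cut off at `if ((role = strchr(user, '/')) != NULL)` comes straight from the still-unauthenticated client's user name and is stored in `authctxt->role` with no length or character check; nothing in this hunk constrains it before it reaches the SELinux context lookup and the PAM environment elsewhere in the patch. Rejecting an empty role or one with characters a role name never needs, and logging the requested role at debug level next to the user, would make a refused request visible in the logs instead of silent. The `else` branch here also accepts the ':' style suffix after the role (`user/role:style`), which auth2.c in this same patch does not; the two parsers should agree, and the accepted grammar deserves a comment such as `/* user[/role][:style]; style may follow either the user or the role */`. do_authentication continues outside the hunk.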
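diff -up openssh-5.8p1/auth2.c.role openssh-5.8p1/auth2.c
--- openssh-5.8p1/auth2.c.role 2010-08-31 14:36:39.000000000 +0200
+++ openssh-5.8p1/auth2.c 2011-02-12 14:34:11.000000000 +0100
@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32
 Authctxt *authctxt = ctxt;
 Authmethod *m = NULL;
 char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
 int authenticated = 0;
 
 if (authctxt == NULL)
@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32
 debug("userauth-request for user %s service %s method %s", user, service, method);
 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
 if ((style = strchr(user, ':')) != NULL)
 *style++ = 0;
 
@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32
 use_privsep ? " [net]" : "");
 authctxt->service = xstrdup(service);
 authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
 mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
 userauth_banner();
 } else if (strcmp(user, authctxt->user) != 0 ||
 strcmp(service, authctxt->service) != 0) {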
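Review bot: The ':' style split at `if ((style = strchr(user, ':')) != NULL)` only looks inside `user`, so a name of the form `user/role:style` leaves `:style` inside `role` and the whole string is later stored and sent on as the role; auth1.c in this same patch handles that case with an `else if (role && (style = strchr(role, ':')) != NULL) *style++ = 0;` fallback, and the same two lines belong here under the same `#ifdef WITH_SELINUX` so both protocol versions parse the name the same way. In the third hunk, `authctxt->role` is set in the first-request branch only and the `strcmp(user, authctxt->user)` check that follows compares the user after the role has been cut off, so it appears that a different role on a later userauth request is silently ignored; a comment on the xstrdup line, `/* role is fixed by the first request; later requests cannot change it */`, would record that this is intended. input_userauth_request starts and ends outside the hunks.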
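diff -up openssh-5.8p1/auth2-gss.c.role openssh-5.8p1/auth2-gss.c
--- openssh-5.8p1/auth2-gss.c.role 2007-12-02 12:59:45.000000000 +0100
+++ openssh-5.8p1/auth2-gss.c 2011-02-12 14:34:11.000000000 +0100
@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
 Authctxt *authctxt = ctxt;
 Gssctxt *gssctxt;
 int authenticated = 0;
+ char *micuser;
 Buffer b;
 gss_buffer_desc mic, gssbuf;
 u_int len;
@@ -270,7 +271,13 @@ input_gssapi_mic(int type, u_int32_t ple
 mic.value = packet_get_string(&len);
 mic.length = len;
 
- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
+#ifdef WITH_SELINUX
+ if (authctxt->role && (strlen(authctxt->role) > 0))
+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
+ else
+#endif
+ micuser = authctxt->user;
+ ssh_gssapi_buildmic(&b, micuser, authctxt->service,
 "gssapi-with-mic");
 
 gssbuf.value = buffer_ptr(&b);
@@ -282,6 +289,8 @@ input_gssapi_mic(int type, u_int32_t ple
 logit("GSSAPI MIC check failed");
 
 buffer_free(&b);
+ if (micuser != authctxt->user)
+ xfree(micuser);
 xfree(mic.value);
 
 authctxt->postponed = 0;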
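Review bot: Ownership of `micuser` is tracked by pointer identity (`if (micuser != authctxt->user) xfree(micuser);`), which only holds as long as no path between the `xasprintf` and that `xfree` returns early; the code between the two hunks is not visible here, so this is an inference, but an unconditional `micuser = xstrdup(authctxt->user);` in the else branch followed by a single `xfree(micuser);` would be harder for a later edit to break. The `strlen(authctxt->role) > 0` guard is needed because auth2.c stores a name ending in a bare '/' as the empty string rather than NULL; a comment, `/* role may be "" when the client sent "user/" */`, would keep someone from removing it as redundant. input_gssapi_mic starts and ends outside the hunks.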
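diff -up openssh-5.8p1/auth2-hostbased.c.role openssh-5.8p1/auth2-hostbased.c
--- openssh-5.8p1/auth2-hostbased.c.role 2011-02-12 14:34:10.000000000 +0100
+++ openssh-5.8p1/auth2-hostbased.c 2011-02-12 14:34:11.000000000 +0100
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 buffer_put_string(&b, session_id2, session_id2_len);
 /* reconstruct packet */
 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
 buffer_put_cstring(&b, service);
 buffer_put_cstring(&b, "hostbased");
 buffer_put_string(&b, pkalg, alen);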
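Review bot: The lines that rebuild the `user/role` name, from `buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);` to the second `buffer_append`, are duplicated verbatim in auth2-pubkey.c in this same patch; both must reproduce byte for byte the username the client placed in its USERAUTH_REQUEST, since that is what the signature covers, so a fix applied to one copy and not the other would silently break the other method. A shared helper in auth2.c (prototype in auth.h) that both call as `buffer_put_user_role(&b, authctxt);` keeps the two reconstructions identical and lets the `#ifdef WITH_SELINUX` live in one place. userauth_hostbased continues outside the hunk.
```c
/*
 * Emit the username field exactly as the client sent it: "user", or
 * "user/role" when a role was requested.  Used when rebuilding the
 * signed USERAUTH_REQUEST for pubkey and hostbased authentication.
 */
void
buffer_put_user_role(Buffer *b, const Authctxt *authctxt)
{
#ifdef WITH_SELINUX
	if (authctxt->role != NULL) {
		buffer_put_int(b, strlen(authctxt->user) + strlen(authctxt->role) + 1);
		buffer_append(b, authctxt->user, strlen(authctxt->user));
		buffer_put_char(b, '/');
		buffer_append(b, authctxt->role, strlen(authctxt->role));
		return;
	}
#endif
	buffer_put_cstring(b, authctxt->user);
}
```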
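diff -up openssh-5.8p1/auth2-pubkey.c.role openssh-5.8p1/auth2-pubkey.c
--- openssh-5.8p1/auth2-pubkey.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/auth2-pubkey.c 2011-02-12 14:34:11.000000000 +0100
@@ -122,7 +122,15 @@ userauth_pubkey(Authctxt *authctxt)
 }
 /* reconstruct packet */
 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user);
+#ifdef WITH_SELINUX
+ if (authctxt->role) {
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+ buffer_append(&b, authctxt->user, strlen(authctxt->user));
+ buffer_put_char(&b, '/');
+ buffer_append(&b, authctxt->role, strlen(authctxt->role));
+ } else
+#endif
+ buffer_put_cstring(&b, authctxt->user);
 buffer_put_cstring(&b,
 datafellows & SSH_BUG_PKSERVICE ?
 "ssh-userauth" :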
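diff -up openssh-5.8p1/auth.h.role openssh-5.8p1/auth.h
--- openssh-5.8p1/auth.h.role 2011-02-12 14:34:10.000000000 +0100
+++ openssh-5.8p1/auth.h 2011-02-12 14:34:11.000000000 +0100
@@ -58,6 +58,9 @@ struct Authctxt {
 char *service;
 struct passwd *pw; /* set if 'valid' */
 char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
 void *kbdintctxt;
 void *jpake_ctx;
 #ifdef BSD_AUTH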
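Review bot: The new `role` field carries no comment saying what it holds, while the neighbouring `pw` does; from the rest of the patch it is the SELinux role the client appended to its user name, optionally with a `/level` suffix, NULL when none was requested, and on the monitor side an empty string is mapped to NULL as well. A comment such as `char *role; /* SELinux role[/level] requested by the client, or NULL */` keeps that contract next to the field instead of spread across auth2.c, monitor.c and port-linux.c.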
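diff -up openssh-5.8p1/auth-pam.c.role openssh-5.8p1/auth-pam.c
--- openssh-5.8p1/auth-pam.c.role 2009-07-12 14:07:21.000000000 +0200
+++ openssh-5.8p1/auth-pam.c 2011-02-12 14:34:11.000000000 +0100
@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
 * during the ssh authentication process.
 */
 int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, const char *value)
 {
 int ret = 1;
 #ifdef HAVE_PAM_PUTENV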
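diff -up openssh-5.8p1/auth-pam.h.role openssh-5.8p1/auth-pam.h
--- openssh-5.8p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200
+++ openssh-5.8p1/auth-pam.h 2011-02-12 14:34:11.000000000 +0100
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
 void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
+int do_pam_putenv(char *, const char *);
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);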
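diff -up openssh-5.8p1/monitor.c.role openssh-5.8p1/monitor.c
--- openssh-5.8p1/monitor.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor.c 2011-02-12 14:34:11.000000000 +0100
@@ -138,6 +138,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+#ifdef WITH_SELINUX
+int mm_answer_authrole(int, Buffer *);
+#endif
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -218,6 +221,9 @@ struct mon_table mon_dispatch_proto20[]
 {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
 {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
 {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+#ifdef WITH_SELINUX
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
+#endif
 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
 {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -703,6 +709,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 else {
 /* Allow service/style information on the auth context */
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+#ifdef WITH_SELINUX
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
+#endif
 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 }
 
@@ -747,6 +756,25 @@ mm_answer_authserv(int sock, Buffer *m)
 return (0);
 }
 
+#ifdef WITH_SELINUX
+int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+#endif
+
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
@@ -1112,7 +1140,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 Buffer b;
- char *p;
+ char *p, *r;
 u_int len;
 int fail = 0;
 
@@ -1138,6 +1166,8 @@ monitor_valid_userblob(u_char *data, u_i
 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 fail++;
 p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
 if (strcmp(authctxt->user, p) != 0) {
 logit("wrong user name passed to monitor: expected %s != %.100s",
 authctxt->user, p);
@@ -1169,7 +1199,7 @@ monitor_valid_hostbasedblob(u_char *data
 char *chost)
 {
 Buffer b;
- char *p;
+ char *p, *r;
 u_int len;
 int fail = 0;
 
@@ -1186,6 +1216,8 @@ monitor_valid_hostbasedblob(u_char *data
 if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 fail++;
 p = buffer_get_string(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL)
+ *r = '\0';
 if (strcmp(authctxt->user, p) != 0) {
 logit("wrong user name passed to monitor: expected %s != %.100s",
 authctxt->user, p);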
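Review bot: `mm_answer_authrole` stores the string it receives from the unprivileged child directly into the privileged process (`authctxt->role = buffer_get_string(m, NULL);`) with only an empty-string check; that value later selects the SELinux context the session runs under, so the privsep boundary is the natural place for a length bound and a character check, in the same spirit as the user-name and service checks the neighbouring answer functions perform. In `monitor_valid_userblob` and `monitor_valid_hostbasedblob` the added `*r = '\0';` truncates the signed user name at the first '/' before comparing it with `authctxt->user`, but the remainder after the '/' is never compared with `authctxt->role`; since the blob being validated is the one the monitor verifies the signature over, it should carry the role the monitor was told about, so comparing `r + 1` (or "" when `r == NULL`) against `authctxt->role` (treated as "" when NULL, which is how this function maps an empty role) and bumping `fail` on mismatch closes that gap. The leading `monitor_permit_authentications(1);` presumably mirrors `mm_answer_authserv`, which is not visible here; a one-line comment on why it is repeated would help. monitor_valid_userblob and monitor_valid_hostbasedblob start and end outside their hunks.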
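diff -up openssh-5.8p1/monitor.h.role openssh-5.8p1/monitor.h
--- openssh-5.8p1/monitor.h.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor.h 2011-02-12 14:34:11.000000000 +0100
@@ -31,6 +31,9 @@
 enum monitor_reqtype {
 MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
 MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE,
+#endif
 MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,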
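Review bot: Inserting `MONITOR_REQ_AUTHROLE` in the middle of `enum monitor_reqtype` under `#ifdef WITH_SELINUX` shifts the numeric value of every request type after it depending on the build option; monitor and child are the same binary, so the protocol still works, but request numbers in debug output and in any external tooling differ between builds. Appending the value at the end of the enum, or defining it unconditionally and only guarding its use, avoids that; failing that, a comment `/* shifts the values below when WITH_SELINUX is set */` should flag it.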
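diff -up openssh-5.8p1/monitor_wrap.c.role openssh-5.8p1/monitor_wrap.c
--- openssh-5.8p1/monitor_wrap.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.c 2011-02-12 14:34:11.000000000 +0100
@@ -298,6 +298,25 @@ mm_inform_authserv(char *service, char *
 buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+#ifdef WITH_SELINUX
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+#endif
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)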
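Review bot: The header comment `/* Inform the privileged process about role */` sits outside the `#ifdef WITH_SELINUX` that guards the function it describes, so it survives in builds that drop the function; moving it inside the guard keeps comment and code together. The wire contract, that an absent role is sent as the empty string (`buffer_put_cstring(&m, role ? role : "")`) and that `mm_answer_authrole` maps that back to NULL, belongs in that comment too, e.g. `/* Tell the monitor the SELinux role the client requested ("" when none) */`.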
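diff -up openssh-5.8p1/monitor_wrap.h.role openssh-5.8p1/monitor_wrap.h
--- openssh-5.8p1/monitor_wrap.h.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/monitor_wrap.h 2011-02-12 14:34:11.000000000 +0100
@@ -41,6 +41,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *);
+#ifdef WITH_SELINUX
+void mm_inform_authrole(char *);
+#endif
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);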
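diff -up openssh-5.8p1/openbsd-compat/Makefile.in.role openssh-5.8p1/openbsd-compat/Makefile.in
--- openssh-5.8p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200
+++ openssh-5.8p1/openbsd-compat/Makefile.in 2011-02-12 14:34:11.000000000 +0100
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
 
 .c.o:
 $(CC) $(CFLAGS) $(CPPFLAGS) -c $<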
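diff -up openssh-5.8p1/openbsd-compat/port-linux.c.role openssh-5.8p1/openbsd-compat/port-linux.c
--- openssh-5.8p1/openbsd-compat/port-linux.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 14:37:31.000000000 +0100
@@ -31,48 +31,73 @@
 
 #include "log.h"
 #include "xmalloc.h"
+#include "servconf.h"
 #include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
 #include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
-/* Wrapper around is_selinux_enabled() to log its return value once only */
-int
-ssh_selinux_enabled(void)
-{
- static int enabled = -1;
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
+extern int rexeced_flag;
 
- if (enabled == -1) {
- enabled = (is_selinux_enabled() == 1);
- debug("SELinux support %s", enabled ? "enabled" : "disabled");
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
+ *role = NULL;
+ *level = NULL;
+ if (the_authctxt) {
+ if (the_authctxt->role != NULL) {
+ char *slash;
+ *role = xstrdup(the_authctxt->role);
+ if ((slash = strchr(*role, '/')) != NULL) {
+ *slash = '\0';
+ *level = slash + 1;
+ }
+ }
 }
-
- return (enabled);
 }
 
 /* Return the default security context for the given username */
 static security_context_t
 ssh_selinux_getctxbyname(char *pwname)
 {
- security_context_t sc;
- char *sename = NULL, *lvl = NULL;
- int r;
+ security_context_t sc = NULL;
+ char *sename, *lvl;
+ char *role;
+ const char *reqlvl;
+ int r = 0;
 
+ ssh_selinux_get_role_level(&role, &reqlvl);
 #ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
 #else
 sename = pwname;
 lvl = NULL;
 #endif
 
+ if (r == 0) {
 #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
 #else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
 #endif
+ }
 
 if (r != 0) {
 switch (security_getenforce()) {
@@ -100,6 +125,36 @@ ssh_selinux_getctxbyname(char *pwname)
 return (sc);
 }
 
+/* Setup environment variables for pam_selinux */
+static int
+ssh_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
+ char *use_current;
+ int rv;
+
+ debug3("%s: setting execution context", __func__);
+
+ ssh_selinux_get_role_level(&role, &reqlvl);
+
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+
+ if (inetd_flag && !rexeced_flag) {
+ use_current = "1";
+ } else {
+ use_current = "";
+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
+ }
+
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+
+ if (role != NULL)
+ xfree(role);
+
+ return rv;
+}
+
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
@@ -109,6 +164,24 @@ ssh_selinux_setup_exec_context(char *pwn
 if (!ssh_selinux_enabled())
 return;
 
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
+ if (ssh_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
+ case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+ __func__);
+ break;
+ default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+ __func__);
+ }
+ }
+ return;
+ }
+
 debug3("%s: setting execution context", __func__);
 
 user_ctx = ssh_selinux_getctxbyname(pwname);
@@ -206,21 +279,6 @@ ssh_selinux_change_context(const char *n
 xfree(newctx);
 }
 
-void
-ssh_selinux_setfscreatecon(const char *path)
-{
- security_context_t context;
-
- if (!ssh_selinux_enabled())
- return;
- if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }
- if (matchpathcon(path, 0700, &context) == 0)
- setfscreatecon(context);
-}
-
 #endif /* WITH_SELINUX */
 
 #ifdef LINUX_OOM_ADJUST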
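Review bot: In `ssh_selinux_getctxbyname`, `role` is an `xstrdup` copy handed back by `ssh_selinux_get_role_level`, yet nothing in the hunk frees it, and `reqlvl` is fetched and then never used while the level from `getseuserbyname` is passed instead; unless the tail of the function outside the hunk frees `role`, one string leaks per context computation, and the unused level at least needs a comment saying the client-requested level is only honoured via pam_selinux. `ssh_selinux_get_role_level` returns `*level` as a pointer into the `*role` buffer, so a caller must finish with the level before `xfree(role)` — `ssh_selinux_setup_pam_variables` does, but the contract should sit above the function, e.g. `/* *level, when set, points inside *role; free *role only after both are used */`. The role that reaches `get_default_context_with_role` and the `SELINUX_ROLE_REQUESTED` PAM variable originates from the client, so this code depends on libselinux and pam_selinux refusing a role the SELinux user may not enter; that reliance is worth one sentence next to those calls so the check is not later assumed to exist here. The `debug3("%s: setting execution context", __func__)` in `ssh_selinux_setup_pam_variables` repeats the message of `ssh_selinux_setup_exec_context` and will mislead in logs; `"%s: setting pam_selinux variables"` would be accurate.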
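diff -up openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role openssh-5.8p1/openbsd-compat/port-linux_part_2.c
--- openssh-5.8p1/openbsd-compat/port-linux_part_2.c.role 2011-02-12 14:34:11.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/port-linux_part_2.c 2011-02-12 14:34:11.000000000 +0100
@@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#include <errno.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+int
+ssh_selinux_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ enabled = (is_selinux_enabled() == 1);
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
+void
+ssh_selinux_setfscreatecon(const char *path)
+{
+ security_context_t context;
+
+ if (!ssh_selinux_enabled()) {
+ return;
+ }
+ if (path == NULL) {
+ setfscreatecon(NULL);
+ return;
+ }
+ if (matchpathcon(path, 0700, &context) == 0)
+ setfscreatecon(context);
+}
+
+#endif /* WITH_SELINUX */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */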
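Review bot: The new file carries over the `$Id: port-linux.c,v ...$` tag of the file it was copied from and includes `key.h`, `hostfile.h` and `auth.h`, although neither `ssh_selinux_enabled` nor `ssh_selinux_setfscreatecon` uses anything from them. If the reason for splitting these two functions out is to let them be linked without the sshd-only symbols that port-linux.c now references (`options`, `the_authctxt`, `inetd_flag`, `rexeced_flag`) — the patch does not say — those three includes work against that aim and should go; either way a sentence in the file comment stating why the functions live here rather than in port-linux.c would save the next reader the guess, and the `$Id` line should name this file or be dropped.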