Rework SELinux context handling with chroot using libcap-ng (#1357860)

This commit is contained in:
Jakub Jelen 2016-07-20 16:18:46 +02:00
parent 9dc741314f
commit b4df5ebb8d
2 changed files with 106 additions and 0 deletions

View File

@ -0,0 +1,102 @@
diff --git a/configure.ac b/configure.ac
index aeef42a..d01e67e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4998,6 +4998,37 @@ if test -n "$conf_lastlog_location"; then
[Define if you want to specify the path to your lastlog file])
fi
+AC_ARG_WITH(libcap-ng,
+ [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],,
+ with_libcap_ng=auto)
+
+dnl libcap-ng detection
+if test x$with_libcap_ng = xno ; then
+ have_libcap_ng=no;
+else
+ # Start by checking for header file
+ AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no)
+
+ # See if we have libcap-ng library
+ AC_CHECK_LIB(cap-ng, capng_clear, CAPNG_LDADD=-lcap-ng,)
+
+ # Check results are usable
+ if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then
+ AC_MSG_ERROR(libcap-ng support was requested and the library was not found)
+ fi
+ if test x$CAPNG_LDADD != x -a $capng_headers = no ; then
+ AC_MSG_ERROR(libcap-ng libraries found but headers are missing)
+ fi
+fi
+AC_MSG_CHECKING(whether to use libcap-ng)
+if test x$CAPNG_LDADD != x ; then
+ AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support])
+ SSHDLIBS="$SSHDLIBS -lcap-ng"
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+
dnl utmp detection
AC_MSG_CHECKING([if your system defines UTMP_FILE])
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
diff --git a/session.c b/session.c
index 6cfcba4..80d2806 100644
--- a/session.c
+++ b/session.c
@@ -96,6 +96,10 @@
#include "monitor_wrap.h"
#include "sftp.h"
+#ifdef HAVE_LIBCAP_NG
+#include <cap-ng.h>
+#endif
+
#if defined(KRB5) && defined(USE_AFS)
#include <kafs.h>
#endif
@@ -1586,6 +1590,7 @@ void
do_setusercontext(struct passwd *pw)
{
char *chroot_path, *tmp;
+ int dropped_suid = -1;
platform_setusercontext(pw);
@@ -1619,10 +1624,24 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
+#ifdef HAVE_LIBCAP_NG
+ /* drop suid soon, retain SYS_CHROOT capability */
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_CHROOT);
+ if ((dropped_suid = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_DROP_SUPP_GRP | CAPNG_CLEAR_BOUNDING)) != 0)
+ logit("capng_change_id() = %d (failure): Try to drop UID later", dropped_suid);
+#endif
#ifdef WITH_SELINUX
sshd_selinux_copy_context();
#endif
safely_chroot(chroot_path, pw->pw_uid);
+#ifdef HAVE_LIBCAP_NG
+ /* Drop chroot capability. Already used */
+ if (dropped_suid == 0) {
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_apply(CAPNG_SELECT_BOTH);
+ }
+#endif
free(tmp);
free(chroot_path);
/* Make sure we don't attempt to chroot again */
@@ -1654,8 +1673,9 @@ do_setusercontext(struct passwd *pw)
if (!in_chroot && set_id(pw->pw_name) != 0)
fatal("set_id(%s) Failed", pw->pw_name);
# endif /* USE_LIBIAF */
- /* Permanently switch to the desired uid. */
- permanently_set_uid(pw);
+ /* Permanently switch to the desired uid if not yet done. */
+ if (dropped_suid != 0)
+ permanently_set_uid(pw);
#endif
#ifdef WITH_SELINUX

View File

@ -245,6 +245,8 @@ Patch940: openssh-7.2p2-expose-pam.patch
# https://github.com/openssh/openssh-portable/commit/9286875a # https://github.com/openssh/openssh-portable/commit/9286875a
# https://github.com/openssh/openssh-portable/commit/283b97ff # https://github.com/openssh/openssh-portable/commit/283b97ff
Patch941: openssh-7.2p2-user-enumeration.patch Patch941: openssh-7.2p2-user-enumeration.patch
# Rework SELinux context handling with chroot (#1357860)
Patch942: openssh-7.2p2-chroot-capabilities.patch
License: BSD License: BSD
@ -274,6 +276,7 @@ BuildRequires: tcp_wrappers-devel
BuildRequires: fipscheck-devel >= 1.3.0 BuildRequires: fipscheck-devel >= 1.3.0
BuildRequires: openssl-devel >= 0.9.8j BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: perl-podlators BuildRequires: perl-podlators
BuildRequires: libcap-ng-devel
%if %{kerberos5} %if %{kerberos5}
BuildRequires: krb5-devel BuildRequires: krb5-devel
@ -485,6 +488,7 @@ popd
%patch939 -p1 -b .s390-dev %patch939 -p1 -b .s390-dev
%patch940 -p1 -b .expose-pam %patch940 -p1 -b .expose-pam
%patch941 -p1 -b .user-enumeration %patch941 -p1 -b .user-enumeration
%patch942 -p1 -b .chroot-cap
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race