openssh/openssh-4.5p1-selinux.patch
2007-01-16 21:20:04 +00:00

256 lines
7.6 KiB
Diff

--- openssh-4.5p1/auth.h.selinux 2006-08-18 16:32:46.000000000 +0200
+++ openssh-4.5p1/auth.h 2006-12-20 22:10:48.000000000 +0100
@@ -58,6 +58,7 @@
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+ char *role;
void *kbdintctxt;
#ifdef BSD_AUTH
auth_session_t *as;
--- openssh-4.5p1/auth1.c.selinux 2006-12-20 22:10:35.000000000 +0100
+++ openssh-4.5p1/auth1.c 2006-12-20 22:10:48.000000000 +0100
@@ -388,7 +388,7 @@
do_authentication(Authctxt *authctxt)
{
u_int ulen;
- char *user, *style = NULL;
+ char *user, *style = NULL, *role=NULL;
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
@@ -397,11 +397,19 @@
user = packet_get_string(&ulen);
packet_check_eom();
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = '\0';
+
if ((style = strchr(user, ':')) != NULL)
*style++ = '\0';
+ else
+ if (role && (style = strchr(role, ':')) != NULL)
+ *style++ = '\0';
+
authctxt->user = user;
authctxt->style = style;
+ authctxt->role = role;
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
--- openssh-4.5p1/monitor.c.selinux 2006-11-07 13:16:08.000000000 +0100
+++ openssh-4.5p1/monitor.c 2006-12-20 22:10:48.000000000 +0100
@@ -133,6 +133,7 @@
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -204,6 +205,7 @@
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -653,6 +655,7 @@
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -698,6 +701,23 @@
}
int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+
+int
mm_answer_authpassword(int sock, Buffer *m)
{
static int call_count;
--- openssh-4.5p1/openbsd-compat/port-linux.c.selinux 2006-09-01 07:38:41.000000000 +0200
+++ openssh-4.5p1/openbsd-compat/port-linux.c 2006-12-21 12:15:59.000000000 +0100
@@ -30,11 +30,16 @@
#ifdef WITH_SELINUX
#include "log.h"
#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
#include <selinux/selinux.h>
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
+extern Authctxt *the_authctxt;
+
/* Wrapper around is_selinux_enabled() to log its return value once only */
static int
ssh_selinux_enabled(void)
@@ -53,23 +58,36 @@
static security_context_t
ssh_selinux_getctxbyname(char *pwname)
{
- security_context_t sc;
- char *sename = NULL, *lvl = NULL;
- int r;
+ security_context_t sc = NULL;
+ char *sename, *lvl;
+ char *role = NULL;
+ int r = 0;
+ if (the_authctxt)
+ role=the_authctxt->role;
#ifdef HAVE_GETSEUSERBYNAME
- if (getseuserbyname(pwname, &sename, &lvl) != 0)
- return NULL;
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
#else
sename = pwname;
lvl = NULL;
#endif
+ if (r == 0) {
#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
- r = get_default_context_with_level(sename, lvl, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+ else
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
#else
- r = get_default_context(sename, NULL, &sc);
+ if (role != NULL && role[0])
+ r = get_default_context_with_role(sename, role, NULL, &sc);
+ else
+ r = get_default_context(sename, NULL, &sc);
#endif
+ }
if (r != 0) {
switch (security_getenforce()) {
--- openssh-4.5p1/configure.ac.selinux 2006-12-20 22:10:35.000000000 +0100
+++ openssh-4.5p1/configure.ac 2006-12-21 11:18:48.000000000 +0100
@@ -3137,8 +3137,16 @@
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH(selinux,
- [ --with-selinux Enable SELinux support],
+ [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support],
[ if test "x$withval" != "xno" ; then
+ if test "x$withval" != "xyes"; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
SELINUX_MSG="yes"
AC_CHECK_HEADER([selinux/selinux.h], ,
--- openssh-4.5p1/auth2.c.selinux 2006-08-05 04:39:39.000000000 +0200
+++ openssh-4.5p1/auth2.c 2006-12-20 22:10:48.000000000 +0100
@@ -145,7 +145,7 @@
{
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
- char *user, *service, *method, *style = NULL;
+ char *user, *service, *method, *style = NULL, *role = NULL;
int authenticated = 0;
if (authctxt == NULL)
@@ -157,6 +157,9 @@
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -182,8 +185,11 @@
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+ authctxt->role = role ? xstrdup(role) : NULL;
+ if (use_privsep) {
mm_inform_authserv(service, style);
+ mm_inform_authrole(role);
+ }
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: "
--- openssh-4.5p1/monitor_wrap.h.selinux 2006-08-05 04:39:40.000000000 +0200
+++ openssh-4.5p1/monitor_wrap.h 2006-12-20 22:10:48.000000000 +0100
@@ -41,6 +41,7 @@
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *);
+void mm_inform_authrole(char *);
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
--- openssh-4.5p1/monitor_wrap.c.selinux 2006-09-01 07:38:37.000000000 +0200
+++ openssh-4.5p1/monitor_wrap.c 2006-12-20 22:10:48.000000000 +0100
@@ -282,6 +282,23 @@
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
--- openssh-4.5p1/monitor.h.selinux 2006-03-26 05:30:02.000000000 +0200
+++ openssh-4.5p1/monitor.h 2006-12-20 22:10:35.000000000 +0100
@@ -30,7 +30,7 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,