Diffstat (limited to 'debian/patches/selinux-role.patch')
-rw-r--r-- | debian/patches/selinux-role.patch | 110 |
1 files changed, 50 insertions, 60 deletions
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch index 4287d28..c160e00 100644 --- a/debian/patches/selinux-role.patch +++ b/debian/patches/selinux-role.patch @@ -1,4 +1,4 @@ -From 13a9ed0149b0861aac9c6c6f078ff42a5d8839f0 Mon Sep 17 00:00:00 2001 +From 1b327bbfa9728e3e2f9ec02371b94069c9664f2f Mon Sep 17 00:00:00 2001 From: Manoj Srivastava <srivasta@debian.org> Date: Sun, 9 Feb 2014 16:09:49 +0000 Subject: Handle SELinux authorisation roles @@ -9,7 +9,7 @@ SELinux maintainer, so we'll keep it until we have something better. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1641 Bug-Debian: http://bugs.debian.org/394795 -Last-Update: 2021-11-05 +Last-Update: 2024-07-03 Patch-Name: selinux-role.patch --- @@ -23,15 +23,15 @@ Patch-Name: selinux-role.patch openbsd-compat/port-linux.h | 4 ++-- platform.c | 4 ++-- platform.h | 2 +- - session.c | 10 +++++----- + session.c | 8 ++++---- session.h | 2 +- - sshd.c | 2 +- + sshd-session.c | 2 +- sshpty.c | 4 ++-- sshpty.h | 2 +- - 15 files changed, 99 insertions(+), 31 deletions(-) + 15 files changed, 98 insertions(+), 30 deletions(-) diff --git a/auth.h b/auth.h -index 6d2d39762..d16dc66b8 100644 +index 98bb23d4c..59799a812 100644 --- a/auth.h +++ b/auth.h @@ -65,6 +65,7 @@ struct Authctxt { @@ -43,7 +43,7 @@ index 6d2d39762..d16dc66b8 100644 /* Method lists for multiple authentication */ char **auth_methods; /* modified from server config */ diff --git a/auth2.c b/auth2.c -index 514a697ca..12210c043 100644 +index f75f1d20d..44558851e 100644 --- a/auth2.c +++ b/auth2.c @@ -272,7 +272,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) 
@@ -69,19 +69,18 @@ index 514a697ca..12210c043 100644 if (authctxt->attempt >= 1024) auth_maxtries_exceeded(ssh); -@@ -316,8 +321,9 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) - use_privsep ? " [net]" : ""); +@@ -315,7 +320,8 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh) + setproctitle("%s [net]", authctxt->valid ? user : "unknown"); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; +- mm_inform_authserv(service, style); + authctxt->role = role ? xstrdup(role) : NULL; - if (use_privsep) -- mm_inform_authserv(service, style); -+ mm_inform_authserv(service, style, role); ++ mm_inform_authserv(service, style, role); userauth_banner(ssh); if ((r = kex_server_update_ext_info(ssh)) != 0) fatal_fr(r, "kex_server_update_ext_info failed"); diff --git a/monitor.c b/monitor.c -index 2bc152468..c7e6f25d7 100644 +index 92e2ca107..62cc2da6b 100644 --- a/monitor.c +++ b/monitor.c @@ -117,6 +117,7 @@ int mm_answer_sign(struct ssh *, int, struct sshbuf *); @@ -92,7 +91,7 @@ index 2bc152468..c7e6f25d7 100644 int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); -@@ -192,6 +193,7 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -191,6 +192,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, 
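Review bot: In the auth2.c hunk, `authctxt->role = role ? xstrdup(role) : NULL;` and the now unconditional `mm_inform_authserv(service, style, role);` carry a value that nothing here marks as untrusted. The role appears to come from the client's userauth request before authentication has succeeded (the parsing is outside this hunk, so this is inferred), and the rest of the patch threads it through to the SELinux context setup in openbsd-compat/port-linux.c. I would add a comment above the assignment, e.g. `/* role is taken from the client's request and is unauthenticated here; it must not be acted on before authentication succeeds */`. input_userauth_request starts and ends outside the hunk, so whether a later request carrying a different role is rejected or ignored cannot be confirmed from this page.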
@@ -100,7 +99,7 @@ index 2bc152468..c7e6f25d7 100644 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -817,6 +819,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -832,6 +834,7 @@ mm_answer_pwnamallow(struct ssh *ssh, int sock, struct sshbuf *m) /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -108,7 +107,7 @@ index 2bc152468..c7e6f25d7 100644 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); #ifdef USE_PAM -@@ -850,15 +853,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -865,15 +868,42 @@ mm_answer_authserv(struct ssh *ssh, int sock, struct sshbuf *m) monitor_permit_authentications(1); if ((r = sshbuf_get_cstring(m, &authctxt->service, NULL)) != 0 || @@ -153,7 +152,7 @@ index 2bc152468..c7e6f25d7 100644 return (0); } -@@ -1579,7 +1609,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) +@@ -1594,7 +1624,7 @@ mm_answer_pty(struct ssh *ssh, int sock, struct sshbuf *m) res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); if (res == 0) goto error; @@ -163,7 +162,7 @@ index 2bc152468..c7e6f25d7 100644 if ((r = sshbuf_put_u32(m, 1)) != 0 || (r = sshbuf_put_cstring(m, s->tty)) != 0) diff --git a/monitor.h b/monitor.h -index 2b1a2d590..4d87284aa 100644 +index 7d8f3c6fa..d84415fe2 100644 --- a/monitor.h +++ b/monitor.h @@ -65,6 +65,8 @@ enum monitor_reqtype { @@ -176,10 +175,10 @@ index 2b1a2d590..4d87284aa 100644 struct ssh; diff --git a/monitor_wrap.c b/monitor_wrap.c -index 189467037..4b986ded6 100644 +index cb3261b4d..60c339d02 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c -@@ -375,10 +375,10 @@ mm_auth2_read_banner(void) +@@ -431,10 +431,10 @@ mm_auth2_read_banner(void) return (banner); } 
@@ -192,7 +191,7 @@ index 189467037..4b986ded6 100644 { struct sshbuf *m; int r; -@@ -388,7 +388,8 @@ mm_inform_authserv(char *service, char *style) +@@ -444,7 +444,8 @@ mm_inform_authserv(char *service, char *style) if ((m = sshbuf_new()) == NULL) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_cstring(m, service)) != 0 || @@ -202,7 +201,7 @@ index 189467037..4b986ded6 100644 fatal_fr(r, "assemble"); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSERV, m); -@@ -396,6 +397,26 @@ mm_inform_authserv(char *service, char *style) +@@ -452,6 +453,26 @@ mm_inform_authserv(char *service, char *style) sshbuf_free(m); } @@ -230,10 +229,10 @@ index 189467037..4b986ded6 100644 int mm_auth_password(struct ssh *ssh, char *password) diff --git a/monitor_wrap.h b/monitor_wrap.h -index 830fdb308..c84f96d0c 100644 +index 09b0ccaaa..2493da591 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h -@@ -48,7 +48,8 @@ DH *mm_choose_dh(int, int, int); +@@ -45,7 +45,8 @@ DH *mm_choose_dh(int, int, int); int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *, const u_char *, size_t, const char *, const char *, const char *, u_int compat); @@ -244,10 +243,10 @@ index 830fdb308..c84f96d0c 100644 char *mm_auth2_read_banner(void); int mm_auth_password(struct ssh *, char *); diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c -index 0457e28d0..0394f4808 100644 +index 4c024c6d2..4fe61f020 100644 --- a/openbsd-compat/port-linux.c +++ b/openbsd-compat/port-linux.c -@@ -57,7 +57,7 @@ ssh_selinux_enabled(void) +@@ -65,7 +65,7 @@ ssh_selinux_enabled(void) /* Return the default security context for the given username */ static char * @@ -256,7 +255,7 @@ index 0457e28d0..0394f4808 100644 { char *sc = NULL, *sename = NULL, *lvl = NULL; int r; -@@ -71,9 +71,16 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -79,9 +79,16 @@ ssh_selinux_getctxbyname(char *pwname) #endif #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL 
@@ -275,7 +274,7 @@ index 0457e28d0..0394f4808 100644 #endif if (r != 0) { -@@ -103,7 +110,7 @@ ssh_selinux_getctxbyname(char *pwname) +@@ -111,7 +118,7 @@ ssh_selinux_getctxbyname(char *pwname) /* Set the execution context to the default for the specified user */ void @@ -284,7 +283,7 @@ index 0457e28d0..0394f4808 100644 { char *user_ctx = NULL; -@@ -112,7 +119,7 @@ ssh_selinux_setup_exec_context(char *pwname) +@@ -120,7 +127,7 @@ ssh_selinux_setup_exec_context(char *pwname) debug3("%s: setting execution context", __func__); @@ -293,7 +292,7 @@ index 0457e28d0..0394f4808 100644 if (setexeccon(user_ctx) != 0) { switch (security_getenforce()) { case -1: -@@ -134,7 +141,7 @@ ssh_selinux_setup_exec_context(char *pwname) +@@ -142,7 +149,7 @@ ssh_selinux_setup_exec_context(char *pwname) /* Set the TTY context for the specified user */ void @@ -302,7 +301,7 @@ index 0457e28d0..0394f4808 100644 { char *new_tty_ctx = NULL, *user_ctx = NULL, *old_tty_ctx = NULL; security_class_t chrclass; -@@ -144,7 +151,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) +@@ -152,7 +159,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty) debug3("%s: setting TTY context on %s", __func__, tty); @@ -312,7 +311,7 @@ index 0457e28d0..0394f4808 100644 /* XXX: should these calls fatal() upon failure in enforcing mode? */ diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h -index 3c22a854d..c88129428 100644 +index 14064f87d..6c4c37115 100644 --- a/openbsd-compat/port-linux.h +++ b/openbsd-compat/port-linux.h @@ -19,8 +19,8 @@ @@ -327,10 +326,10 @@ index 3c22a854d..c88129428 100644 void ssh_selinux_setfscreatecon(const char *); #endif diff --git a/platform.c b/platform.c -index 4fe8744ee..70c3a9b58 100644 +index 4c4fe57ea..f3dc7c3a8 100644 --- a/platform.c +++ b/platform.c -@@ -144,7 +144,7 @@ platform_setusercontext(struct passwd *pw) +@@ -99,7 +99,7 @@ platform_setusercontext(struct passwd *pw) * called if sshd is running as root. */ void 
@@ -339,7 +338,7 @@ index 4fe8744ee..70c3a9b58 100644 { #if !defined(HAVE_LOGIN_CAP) && defined(USE_PAM) /* -@@ -185,7 +185,7 @@ platform_setusercontext_post_groups(struct passwd *pw) +@@ -140,7 +140,7 @@ platform_setusercontext_post_groups(struct passwd *pw) } #endif /* HAVE_SETPCRED */ #ifdef WITH_SELINUX @@ -349,10 +348,10 @@ index 4fe8744ee..70c3a9b58 100644 } diff --git a/platform.h b/platform.h -index 7fef8c983..027fdfb51 100644 +index 5dec23276..1b77c3e3d 100644 --- a/platform.h +++ b/platform.h -@@ -25,7 +25,7 @@ void platform_post_fork_parent(pid_t child_pid); +@@ -26,7 +26,7 @@ void platform_post_fork_parent(pid_t child_pid); void platform_post_fork_child(void); int platform_privileged_uidswap(void); void platform_setusercontext(struct passwd *); @@ -362,10 +361,10 @@ index 7fef8c983..027fdfb51 100644 char *platform_krb5_get_principal_name(const char *); int platform_locked_account(struct passwd *); diff --git a/session.c b/session.c -index cbb4edac5..2cb7d0c71 100644 +index 3d9a16b1e..1c67f9fd1 100644 --- a/session.c +++ b/session.c -@@ -1355,7 +1355,7 @@ safely_chroot(const char *path, uid_t uid) +@@ -1344,7 +1344,7 @@ safely_chroot(const char *path, uid_t uid) /* Set login name, uid, gid, and groups. */ void @@ -374,7 +373,7 @@ index cbb4edac5..2cb7d0c71 100644 { char uidstr[32], *chroot_path, *tmp; -@@ -1383,7 +1383,7 @@ do_setusercontext(struct passwd *pw) +@@ -1372,7 +1372,7 @@ do_setusercontext(struct passwd *pw) endgrent(); #endif @@ -383,7 +382,7 @@ index cbb4edac5..2cb7d0c71 100644 if (!in_chroot && options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { -@@ -1527,7 +1527,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1516,7 +1516,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) /* Force a password change */ if (s->authctxt->force_pwchange) { 
@@ -392,7 +391,7 @@ index cbb4edac5..2cb7d0c71 100644 child_close_fds(ssh); do_pwchange(s); exit(1); -@@ -1545,7 +1545,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) +@@ -1534,7 +1534,7 @@ do_child(struct ssh *ssh, Session *s, const char *command) /* When PAM is enabled we rely on it to do the nologin check */ if (!options.use_pam) do_nologin(pw); @@ -401,15 +400,6 @@ index cbb4edac5..2cb7d0c71 100644 /* * PAM session modules in do_setusercontext may have * generated messages, so if this in an interactive -@@ -1941,7 +1941,7 @@ session_pty_req(struct ssh *ssh, Session *s) - sshpkt_fatal(ssh, r, "%s: parse packet", __func__); - - if (!use_privsep) -- pty_setowner(s->pw, s->tty); -+ pty_setowner(s->pw, s->tty, s->authctxt->role); - - /* Set window size from the packet. */ - pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel); diff --git a/session.h b/session.h index 344a1ddf9..20ea822a7 100644 --- a/session.h @@ -423,19 +413,19 @@ index 344a1ddf9..20ea822a7 100644 const char *session_get_remote_name_or_ip(struct ssh *, u_int, int); -diff --git a/sshd.c b/sshd.c -index 87e25d19b..9c9f38e5b 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -579,7 +579,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) - reseed_prngs(); +diff --git a/sshd-session.c b/sshd-session.c +index a9fa63224..f0fd85367 100644 +--- a/sshd-session.c ++++ b/sshd-session.c +@@ -438,7 +438,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) /* Drop privileges */ -- do_setusercontext(authctxt->pw); -+ do_setusercontext(authctxt->pw, authctxt->role); + if (!skip_privdrop) +- do_setusercontext(authctxt->pw); ++ do_setusercontext(authctxt->pw, authctxt->role); - skip: /* It is safe now to apply the key state */ + monitor_apply_keystate(ssh, pmonitor); diff --git a/sshpty.c b/sshpty.c index cae0b977a..7870c6482 100644 --- a/sshpty.c |
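Review bot: With the call now guarded by `if (!skip_privdrop)` in privsep_postauth, `do_setusercontext(authctxt->pw, authctxt->role);` is not reached when the privilege drop is skipped, and the patch does not say whether the requested role is meant to be applied in that case. The session.c hunks on this page suggest do_child also calls do_setusercontext with a role, but the changed lines are not visible here, so that is inferred. A short comment before the guard would record the intent, e.g. `/* when privdrop is skipped the SELinux role is not applied here */`. privsep_postauth starts and ends outside the hunk.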