Attachment #2733 for bug #2482

View | Details | Raw Unified | Return to bug 2482
Collapse All | Expand All

Lines 35-41 Link Here

(-)a/openbsd-compat/port-linux.c (-5 / +8 lines)
35		35
36	#ifdef WITH_SELINUX	36	#ifdef WITH_SELINUX
37	#include <selinux/selinux.h>	37	#include <selinux/selinux.h>
38	#include <selinux/flask.h>
39	#include <selinux/get_context_list.h>	38	#include <selinux/get_context_list.h>
40		39
41	#ifndef SSH_SELINUX_UNCONFINED_TYPE	40	#ifndef SSH_SELINUX_UNCONFINED_TYPE
Lines 141-146 ssh_selinux_setup_pty(char pwname, const char tty) Link Here
141	security_context_t new_tty_ctx = NULL;	140	security_context_t new_tty_ctx = NULL;
142	security_context_t user_ctx = NULL;	141	security_context_t user_ctx = NULL;
143	security_context_t old_tty_ctx = NULL;	142	security_context_t old_tty_ctx = NULL;
		143	security_class_t class;
144		144
145	if (!ssh_selinux_enabled())	145	if (!ssh_selinux_enabled())
146	return;	146	return;
Lines 156-163 ssh_selinux_setup_pty(char pwname, const char tty) Link Here
156	goto out;	156	goto out;
157	}	157	}
158		158
		159	class = string_to_security_class("chr_file");
		160	if (!class) {
		161	error("string_to_security_class failed to translate security class context");
		162	goto out;
		163	}
159	if (security_compute_relabel(user_ctx, old_tty_ctx,	164	if (security_compute_relabel(user_ctx, old_tty_ctx,
160	SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {	165	class, &new_tty_ctx) != 0) {
161	error("%s: security_compute_relabel: %s",	166	error("%s: security_compute_relabel: %s",
162	__func__, strerror(errno));	167	__func__, strerror(errno));
163	goto out;	168	goto out;
Lines 210-216 ssh_selinux_change_context(const char *newname) Link Here
210	strlcpy(newctx + len, newname, newlen - len);	215	strlcpy(newctx + len, newname, newlen - len);
211	if ((cx = index(cx + 1, ':')))	216	if ((cx = index(cx + 1, ':')))
212	strlcat(newctx, cx, newlen);	217	strlcat(newctx, cx, newlen);
213	debug3("%s: setting context from '%s' to '%s'", __func__,	218	debug("%s: setting context from '%s' to '%s'", __func__,
214	oldctx, newctx);	219	oldctx, newctx);
215	if (setcon(newctx) < 0)	220	if (setcon(newctx) < 0)
216	switchlog("%s: setcon %s from %s failed with %s", __func__,	221	switchlog("%s: setcon %s from %s failed with %s", __func__,
217	-
218	--
219	openbsd-compat/port-linux.c \| 22 ++++++++++++++++++++++	222	openbsd-compat/port-linux.c \| 22 ++++++++++++++++++++++
220	openbsd-compat/port-linux.h \| 2 ++	223	openbsd-compat/port-linux.h \| 2 ++
221	session.c \| 18 ++++++++++--------	224	session.c \| 18 ++++++++++--------
222	3 files changed, 34 insertions(+), 8 deletions(-)	225	3 files changed, 34 insertions(+), 8 deletions(-)




		setfscreatecon(context);
}

/* Copy execution context to the context of current process */
void
sshd_selinux_copy_context(void)
{
	security_context_t *ctx;

	if (!ssh_selinux_enabled())
		return;

	if (getexeccon((security_context_t *)&ctx) != 0) {
		logit("%s: getcon failed with %s", __func__, strerror (errno));
		return;
	}
	if (ctx != NULL) {
		/* unset exec context before we can lose this capabililty */
		if (setexeccon(NULL) != 0)
			fatal("%s: setexeccon failed with %s", __func__, strerror (errno));
		if (setcon(ctx) != 0)
			fatal("%s: setcon failed with %s", __func__, strerror (errno));
		freecon(ctx);
	}
}
#endif /* WITH_SELINUX */

#ifdef LINUX_OOM_ADJUST

Lines 25-30 void ssh_selinux_setup_pty(char , const char ); Link Here

(-)a/openbsd-compat/port-linux.h (+2 lines)
25	void ssh_selinux_setup_exec_context(char *);	25	void ssh_selinux_setup_exec_context(char *);
26	void ssh_selinux_change_context(const char *);	26	void ssh_selinux_change_context(const char *);
27	void ssh_selinux_setfscreatecon(const char *);	27	void ssh_selinux_setfscreatecon(const char *);
		28
		29	void sshd_selinux_copy_context(void);
28	#endif	30	#endif
29		31
30	#ifdef LINUX_OOM_ADJUST	32	#ifdef LINUX_OOM_ADJUST

Lines 1490-1496 void Link Here

(-)a/session.c (-10 / +10 lines)
1490	do_setusercontext(struct passwd *pw)	1490	do_setusercontext(struct passwd *pw)
1491	{	1491	{
1492	char chroot_path, tmp;	1492	char chroot_path, tmp;
1493	#ifdef USE_LIBIAF	1493	#if defined(USE_LIBIAF) \|\| defined(WITH_SELINUX)
1494	int doing_chroot = 0;	1494	int doing_chroot = 0;
1495	#endif	1495	#endif
1496		1496
Lines 1526-1538 do_setusercontext(struct passwd *pw) Link Here
1526	pw->pw_uid);	1526	pw->pw_uid);
1527	chroot_path = percent_expand(tmp, "h", pw->pw_dir,	1527	chroot_path = percent_expand(tmp, "h", pw->pw_dir,
1528	"u", pw->pw_name, (char *)NULL);	1528	"u", pw->pw_name, (char *)NULL);
		1529	#ifdef WITH_SELINUX
		1530	sshd_selinux_copy_context();
		1531	#endif
1529	safely_chroot(chroot_path, pw->pw_uid);	1532	safely_chroot(chroot_path, pw->pw_uid);
1530	free(tmp);	1533	free(tmp);
1531	free(chroot_path);	1534	free(chroot_path);
1532	/* Make sure we don't attempt to chroot again */	1535	/* Make sure we don't attempt to chroot again */
1533	free(options.chroot_directory);	1536	free(options.chroot_directory);
1534	options.chroot_directory = NULL;	1537	options.chroot_directory = NULL;
1535	#ifdef USE_LIBIAF	1538	#if defined(USE_LIBIAF) \|\| defined(WITH_SELINUX)
1536	doing_chroot = 1;	1539	doing_chroot = 1;
1537	#endif	1540	#endif
1538	}	1541	}
Lines 1563-1568 do_setusercontext(struct passwd *pw) Link Here
1563	/* Permanently switch to the desired uid. */	1566	/* Permanently switch to the desired uid. */
1564	permanently_set_uid(pw);	1567	permanently_set_uid(pw);
1565	#endif	1568	#endif
		1569
		1570	#ifdef WITH_SELINUX
		1571	if (doing_chroot == 0)
		1572	sshd_selinux_copy_context();
		1573	#endif
1566	} else if (options.chroot_directory != NULL &&	1574	} else if (options.chroot_directory != NULL &&
1567	strcasecmp(options.chroot_directory, "none") != 0) {	1575	strcasecmp(options.chroot_directory, "none") != 0) {
1568	fatal("server lacks privileges to chroot to ChrootDirectory");	1576	fatal("server lacks privileges to chroot to ChrootDirectory");
Lines 1580-1588 do_pwchange(Session *s) Link Here
1580	if (s->ttyfd != -1) {	1588	if (s->ttyfd != -1) {
1581	fprintf(stderr,	1589	fprintf(stderr,
1582	"You must change your password now and login again!\n");	1590	"You must change your password now and login again!\n");
1583	#ifdef WITH_SELINUX
1584	setexeccon(NULL);
1585	#endif
1586	#ifdef PASSWD_NEEDS_USERNAME	1591	#ifdef PASSWD_NEEDS_USERNAME
1587	execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,	1592	execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
1588	(char *)NULL);	1593	(char *)NULL);
Lines 1824-1832 do_child(Session s, const char command) Link Here
1824	argv[i] = NULL;	1829	argv[i] = NULL;
1825	optind = optreset = 1;	1830	optind = optreset = 1;
1826	__progname = argv[0];	1831	__progname = argv[0];
1827	#ifdef WITH_SELINUX
1828	ssh_selinux_change_context("sftpd_t");
1829	#endif
1830	exit(sftp_server_main(i, argv, s->pw));	1832	exit(sftp_server_main(i, argv, s->pw));
1831	}	1833	}
1832		1834
1833	-
1834	--
1835	sshd.c \| 4 ++++	1835	sshd.c \| 4 ++++
1836	1 file changed, 4 insertions(+)	1836	1 file changed, 4 insertions(+)

Lines 630-635 privsep_preauth_child(void) Link Here

(-)a/sshd.c (-2 / +4 lines)
630	/* Demote the private keys to public keys. */	630	/* Demote the private keys to public keys. */
631	demote_sensitive_data();	631	demote_sensitive_data();
632		632
		633	#ifdef WITH_SELINUX
		634	ssh_selinux_change_context("sshd_net_t");
		635	#endif
		636
633	/* Change our root directory */	637	/* Change our root directory */
634	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)	638	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
635	fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,	639	fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
636	-
637	using SELinux	640	using SELinux
638	--
639	sshd.c \| 3 +++	641	sshd.c \| 3 +++
640	1 file changed, 3 insertions(+)	642	1 file changed, 3 insertions(+)

Lines 736-741 privsep_postauth(Authctxt *authctxt) Link Here

(-)a/sshd.c (-1 / +3 lines)
736		736
737	#ifdef DISABLE_FD_PASSING	737	#ifdef DISABLE_FD_PASSING
738	if (1) {	738	if (1) {
		739	#elif defined(WITH_SELINUX)
		740	if (options.use_login) {
		741	/* even root user can be confined by SELinux */
739	#else	742	#else
740	if (authctxt->pw->pw_uid == 0 \|\| options.use_login) {	743	if (authctxt->pw->pw_uid == 0 \|\| options.use_login) {
741	#endif	744	#endif
742	-

Return to bug 2482

Lines 239-244 ssh_selinux_setfscreatecon(const char *path) Link Here

(-)a/openbsd-compat/port-linux.c (+22 lines)
239	setfscreatecon(context);	239	setfscreatecon(context);
240	}	240	}
241		241
		242	/* Copy execution context to the context of current process */
		243	void
		244	sshd_selinux_copy_context(void)
		245	{
		246	security_context_t *ctx;
		247
		248	if (!ssh_selinux_enabled())
		249	return;
		250
		251	if (getexeccon((security_context_t *)&ctx) != 0) {
		252	logit("%s: getcon failed with %s", __func__, strerror (errno));
		253	return;
		254	}
		255	if (ctx != NULL) {
		256	/* unset exec context before we can lose this capabililty */
		257	if (setexeccon(NULL) != 0)
		258	fatal("%s: setexeccon failed with %s", __func__, strerror (errno));
		259	if (setcon(ctx) != 0)
		260	fatal("%s: setcon failed with %s", __func__, strerror (errno));
		261	freecon(ctx);
		262	}
		263	}
242	#endif /* WITH_SELINUX */	264	#endif /* WITH_SELINUX */
243		265
244	#ifdef LINUX_OOM_ADJUST	266	#ifdef LINUX_OOM_ADJUST