Bug 2482
SELinux integration
[patch]
selinux patches (1 - 4)
openssh_selinux.patch (text/plain), 6.70 KB, created by
Jakub Jelen
on 2015-10-23 03:47:57 AEDT
Description:
selinux patches (1 - 4)
Filename:
MIME Type:
Creator:
Jakub Jelen
Created:
2015-10-23 03:47:57 AEDT
Size:
6.70 KB
patch
obsolete
>From 16f3b71a3b27f440e5dc7cddf8e9128546b37014 Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 22 Oct 2015 16:32:40 +0200
>Subject: [PATCH 1/4] Use string_to_security_class instead of hard-coded
> constant
>
>---
> openbsd-compat/port-linux.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
>
>diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
>index f36999d..11df568 100644
>--- a/openbsd-compat/port-linux.c
>+++ b/openbsd-compat/port-linux.c
>@@ -35,7 +35,6 @@
>
> #ifdef WITH_SELINUX
> #include <selinux/selinux.h>
>-#include <selinux/flask.h>
> #include <selinux/get_context_list.h>
>
> #ifndef SSH_SELINUX_UNCONFINED_TYPE
>@@ -141,6 +140,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
> security_context_t new_tty_ctx = NULL;
> security_context_t user_ctx = NULL;
> security_context_t old_tty_ctx = NULL;
>+ security_class_t class;
>
> if (!ssh_selinux_enabled())
> return;
>@@ -156,8 +156,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
> goto out;
> }
>
>+ class = string_to_security_class("chr_file");
>+ if (!class) {
>+ error("string_to_security_class failed to translate security class context");
>+ goto out;
>+ }
> if (security_compute_relabel(user_ctx, old_tty_ctx,
>- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
>+ class, &new_tty_ctx) != 0) {
> error("%s: security_compute_relabel: %s",
> __func__, strerror(errno));
> goto out;
>@@ -210,7 +215,7 @@ ssh_selinux_change_context(const char *newname)
> strlcpy(newctx + len, newname, newlen - len);
> if ((cx = index(cx + 1, ':')))
> strlcat(newctx, cx, newlen);
>- debug3("%s: setting context from '%s' to '%s'", __func__,
>+ debug("%s: setting context from '%s' to '%s'", __func__,
> oldctx, newctx);
> if (setcon(newctx) < 0)
> switchlog("%s: setcon %s from %s failed with %s", __func__,
>--
>2.1.0
>
>
>From d30812681af2113e3a3fce26e963aa7802e2a309 Mon Sep 17 00:00:00 2001
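Review bot: The new error() on the string_to_security_class failure path drops the `__func__` prefix that the neighbouring message in ssh_selinux_setup_pty carries (`error("%s: security_compute_relabel: %s", __func__, strerror(errno))` two lines below), which makes the log line harder to attribute; `error("%s: string_to_security_class(\"chr_file\") failed", __func__);` keeps the file's convention. The `goto out` matches the existing relabel failure handling: the function gives up, presumably leaving the pty with whatever label it had, with only the log entry recording that the relabel was skipped. ssh_selinux_setup_pty starts and ends outside the hunk.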
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 22 Oct 2015 16:51:29 +0200
>Subject: [PATCH 2/4] sshd_selinux_copy_context and its usage
>
>---
> openbsd-compat/port-linux.c | 22 ++++++++++++++++++++++
> openbsd-compat/port-linux.h | 2 ++
> session.c | 18 ++++++++++--------
> 3 files changed, 34 insertions(+), 8 deletions(-)
>
>diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
>index 11df568..f1599c5 100644
>--- a/openbsd-compat/port-linux.c
>+++ b/openbsd-compat/port-linux.c
>@@ -239,6 +239,28 @@ ssh_selinux_setfscreatecon(const char *path)
> setfscreatecon(context);
> }
>
>+/* Copy execution context to the context of current process */
>+void
>+sshd_selinux_copy_context(void)
>+{
>+ security_context_t *ctx;
>+
>+ if (!ssh_selinux_enabled())
>+ return;
>+
>+ if (getexeccon((security_context_t *)&ctx) != 0) {
>+ logit("%s: getcon failed with %s", __func__, strerror (errno));
>+ return;
>+ }
>+ if (ctx != NULL) {
>+ /* unset exec context before we can lose this capabililty */
>+ if (setexeccon(NULL) != 0)
>+ fatal("%s: setexeccon failed with %s", __func__, strerror (errno));
>+ if (setcon(ctx) != 0)
>+ fatal("%s: setcon failed with %s", __func__, strerror (errno));
>+ freecon(ctx);
>+ }
>+}
> #endif /* WITH_SELINUX */
>
> #ifdef LINUX_OOM_ADJUST
>diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
>index e3d1004..632a426 100644
>--- a/openbsd-compat/port-linux.h
>+++ b/openbsd-compat/port-linux.h
>@@ -25,6 +25,8 @@ void ssh_selinux_setup_pty(char *, const char *);
> void ssh_selinux_setup_exec_context(char *);
> void ssh_selinux_change_context(const char *);
> void ssh_selinux_setfscreatecon(const char *);
>+
>+void sshd_selinux_copy_context(void);
> #endif
>
> #ifdef LINUX_OOM_ADJUST
>diff --git a/session.c b/session.c
>index 5a64715..17eeb43 100644
>--- a/session.c
>+++ b/session.c
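Review bot: `ctx` in sshd_selinux_copy_context is declared as `security_context_t *ctx;` — a `char **`, since security_context_t is a `char *` typedef — and the mismatch is then hidden by the `(security_context_t *)&ctx` cast, so `setcon(ctx)` and `freecon(ctx)` receive a variable of the wrong pointer type; it only works because the value getexeccon() stores is the same pointer. Declare it as `security_context_t ctx;` and call `getexeccon(&ctx)` so the types line up with no cast. The failure message on that call names `getcon` although the call is getexeccon — `logit("%s: getexeccon failed with %s", __func__, strerror(errno));` — the comment has a typo (`capabililty`), and the file's other calls write `strerror(errno)` without the space before the parenthesis.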
>@@ -1490,7 +1490,7 @@ void
> do_setusercontext(struct passwd *pw)
> {
> char *chroot_path, *tmp;
>-#ifdef USE_LIBIAF
>+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
> int doing_chroot = 0;
> #endif
>
>@@ -1526,13 +1526,16 @@ do_setusercontext(struct passwd *pw)
> pw->pw_uid);
> chroot_path = percent_expand(tmp, "h", pw->pw_dir,
> "u", pw->pw_name, (char *)NULL);
>+#ifdef WITH_SELINUX
>+ sshd_selinux_copy_context();
>+#endif
> safely_chroot(chroot_path, pw->pw_uid);
> free(tmp);
> free(chroot_path);
> /* Make sure we don't attempt to chroot again */
> free(options.chroot_directory);
> options.chroot_directory = NULL;
>-#ifdef USE_LIBIAF
>+#if defined(USE_LIBIAF) || defined(WITH_SELINUX)
> doing_chroot = 1;
> #endif
> }
>@@ -1563,6 +1566,11 @@ do_setusercontext(struct passwd *pw)
> /* Permanently switch to the desired uid. */
> permanently_set_uid(pw);
> #endif
>+
>+#ifdef WITH_SELINUX
>+ if (doing_chroot == 0)
>+ sshd_selinux_copy_context();
>+#endif
> } else if (options.chroot_directory != NULL &&
> strcasecmp(options.chroot_directory, "none") != 0) {
> fatal("server lacks privileges to chroot to ChrootDirectory");
>@@ -1580,9 +1588,6 @@ do_pwchange(Session *s)
> if (s->ttyfd != -1) {
> fprintf(stderr,
> "You must change your password now and login again!\n");
>-#ifdef WITH_SELINUX
>- setexeccon(NULL);
>-#endif
> #ifdef PASSWD_NEEDS_USERNAME
> execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
> (char *)NULL);
>@@ -1824,9 +1829,6 @@ do_child(Session *s, const char *command)
> argv[i] = NULL;
> optind = optreset = 1;
> __progname = argv[0];
>-#ifdef WITH_SELINUX
>- ssh_selinux_change_context("sftpd_t");
>-#endif
> exit(sftp_server_main(i, argv, s->pw));
> }
>
>--
>2.1.0
>
>
>From a43131df31488c06ad06904487ea4cc618557bff Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 22 Oct 2015 17:34:53 +0200
>Subject: [PATCH 3/4] Limit preauth child by SELinux context sshd_net_t
>
>---
> sshd.c | 4 ++++
> 1 file changed, 4 insertions(+)
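Review bot: The two new sshd_selinux_copy_context() calls in do_setusercontext run in different privilege states — the chroot path calls it as root before safely_chroot(), the other path only after permanently_set_uid() — and nothing in the hunks records why the chroot case cannot wait; presumably setcon() needs /proc/self/attr, which the chrooted process can no longer reach, but that is an inference and should be confirmed and written next to the first call, e.g. `/* must run before chroot(): setcon() needs the real /proc */`, with a matching line on the second call saying it covers only the non-chroot case. The `defined(USE_LIBIAF) || defined(WITH_SELINUX)` condition is now spelled out twice, once for the declaration of doing_chroot and once for its assignment; a single feature macro would keep the two from drifting apart. do_setusercontext starts and ends outside these hunks.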
>
>diff --git a/sshd.c b/sshd.c
>index d868089..03e0bc8 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -630,6 +630,10 @@ privsep_preauth_child(void)
> /* Demote the private keys to public keys. */
> demote_sensitive_data();
>
>+#ifdef WITH_SELINUX
>+ ssh_selinux_change_context("sshd_net_t");
>+#endif
>+
> /* Change our root directory */
> if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
> fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
>--
>2.1.0
>
>
>From b4db9193209594fb318a527cc302078785880307 Mon Sep 17 00:00:00 2001
>From: Jakub Jelen <jjelen@redhat.com>
>Date: Thu, 22 Oct 2015 17:35:43 +0200
>Subject: [PATCH 4/4] Apply postauth privilege separation also to root user if
> using SELinux
>
>---
> sshd.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/sshd.c b/sshd.c
>index 03e0bc8..c05df13 100644
>--- a/sshd.c
>+++ b/sshd.c
>@@ -736,6 +736,9 @@ privsep_postauth(Authctxt *authctxt)
>
> #ifdef DISABLE_FD_PASSING
> if (1) {
>+#elif defined(WITH_SELINUX)
>+ if (options.use_login) {
>+ /* even root user can be confined by SELinux */
> #else
> if (authctxt->pw->pw_uid == 0 || options.use_login) {
> #endif
>--
>2.1.0
>
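Review bot: ssh_selinux_change_context() returns void (its declaration is visible in the port-linux.h hunk of patch 2) and, in the hunk of patch 1 that touches it, reports a failed setcon() through `switchlog(...)` rather than fatal(); if switchlog resolves to a non-fatal logger, a refused transition to sshd_net_t leaves the pre-auth child running with its inherited context — without the confinement this hunk exists to add — and only a log line records it. The surrounding chroot() and privilege drop in privsep_preauth_child are fatal on failure, and a reviewer would want the same strictness here: have ssh_selinux_change_context() return its status (or take a must-succeed flag) so this caller can fatal(). privsep_preauth_child starts and ends outside the hunk.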
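Review bot: The comment `/* even root user can be confined by SELinux */` is placed inside the body of the new `if (options.use_login) {`, which by the `#else` form of the same condition is the branch that keeps a session out of post-auth privsep; it explains the term dropped from the condition, not what the branch does, so it reads better above the `#elif`, e.g. `/* with SELinux the root session is confined by policy, so privsep applies to root too */`. The decision is also compile-time only: a WITH_SELINUX build on a host where SELinux is disabled now runs root sessions through post-auth privsep as well — likely harmless, but if the old behaviour is wanted there, `if (options.use_login || (authctxt->pw->pw_uid == 0 && !ssh_selinux_enabled())) {` expresses that. privsep_postauth starts and ends outside the hunk.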