| diff -up openssh-7.4p1/openbsd-compat/port-linux.h.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux.h |
| |
| |
| @@ -23,6 +23,7 @@ void ssh_selinux_setup_pty(char *, const |
| void ssh_selinux_change_context(const char *); |
| void ssh_selinux_setfscreatecon(const char *); |
| |
| +void sshd_selinux_copy_context(void); |
| void sshd_selinux_setup_exec_context(char *); |
| #endif |
| |
| diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-7.4p1/openbsd-compat/port-linux-sshd.c |
| |
| |
| @@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw |
| debug3("%s: done", __func__); |
| } |
| |
| +void |
| +sshd_selinux_copy_context(void) |
| +{ |
| + security_context_t *ctx; |
| + |
| + if (!ssh_selinux_enabled()) |
| + return; |
| + |
| + if (getexeccon((security_context_t *)&ctx) != 0) { |
| + logit("%s: getexeccon failed with %s", __func__, strerror(errno)); |
| + return; |
| + } |
| + if (ctx != NULL) { |
| + /* unset exec context before we will lose this capabililty */ |
| + if (setexeccon(NULL) != 0) |
| + fatal("%s: setexeccon failed with %s", __func__, strerror(errno)); |
| + if (setcon(ctx) != 0) |
| + fatal("%s: setcon failed with %s", __func__, strerror(errno)); |
| + freecon(ctx); |
| + } |
| +} |
| + |
| #endif |
| #endif |
| |
| diff -up openssh-7.4p1/session.c.privsep-selinux openssh-7.4p1/session.c |
| |
| |
| @@ -1331,7 +1331,7 @@ do_setusercontext(struct passwd *pw) |
| |
| platform_setusercontext(pw); |
| |
| - if (platform_privileged_uidswap()) { |
| + if (platform_privileged_uidswap() && (!is_child || !use_privsep)) { |
| #ifdef HAVE_LOGIN_CAP |
| if (setusercontext(lc, pw, pw->pw_uid, |
| (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { |
| @@ -1361,6 +1361,9 @@ do_setusercontext(struct passwd *pw) |
| (unsigned long long)pw->pw_uid); |
| chroot_path = percent_expand(tmp, "h", pw->pw_dir, |
| "u", pw->pw_name, "U", uidstr, (char *)NULL); |
| +#ifdef WITH_SELINUX |
| + sshd_selinux_copy_context(); |
| +#endif |
| safely_chroot(chroot_path, pw->pw_uid); |
| free(tmp); |
| free(chroot_path); |
| @@ -1396,6 +1399,11 @@ do_setusercontext(struct passwd *pw) |
| /* Permanently switch to the desired uid. */ |
| permanently_set_uid(pw); |
| #endif |
| + |
| +#ifdef WITH_SELINUX |
| + if (in_chroot == 0) |
| + sshd_selinux_copy_context(); |
| +#endif |
| } else if (options.chroot_directory != NULL && |
| strcasecmp(options.chroot_directory, "none") != 0) { |
| fatal("server lacks privileges to chroot to ChrootDirectory"); |
| @@ -1413,9 +1421,6 @@ do_pwchange(Session *s) |
| if (s->ttyfd != -1) { |
| fprintf(stderr, |
| "You must change your password now and login again!\n"); |
| -#ifdef WITH_SELINUX |
| - setexeccon(NULL); |
| -#endif |
| #ifdef PASSWD_NEEDS_USERNAME |
| execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name, |
| (char *)NULL); |
| @@ -1625,9 +1630,6 @@ do_child(Session *s, const char *command |
| argv[i] = NULL; |
| optind = optreset = 1; |
| __progname = argv[0]; |
| -#ifdef WITH_SELINUX |
| - ssh_selinux_change_context("sftpd_t"); |
| -#endif |
| exit(sftp_server_main(i, argv, s->pw)); |
| } |
| |
| diff -up openssh-7.4p1/sshd.c.privsep-selinux openssh-7.4p1/sshd.c |
| |
| |
| @@ -540,6 +540,10 @@ privsep_preauth_child(void) |
| /* Demote the private keys to public keys. */ |
| demote_sensitive_data(); |
| |
| +#ifdef WITH_SELINUX |
| + ssh_selinux_change_context("sshd_net_t"); |
| +#endif |
| + |
| /* Demote the child */ |
| if (privsep_chroot) { |
| /* Change our root directory */ |
| @@ -633,6 +637,9 @@ privsep_postauth(Authctxt *authctxt) |
| { |
| #ifdef DISABLE_FD_PASSING |
| if (1) { |
| +#elif defined(WITH_SELINUX) |
| + if (0) { |
| + /* even root user can be confined by SELinux */ |
| #else |
| if (authctxt->pw->pw_uid == 0) { |
| #endif |