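--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
@@ -32,6 +32,7 @@
 #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
 #include "servconf.h"
 #include "port-linux.h"
+#include "misc.h"
 #include "sshkey.h"
 #include "hostfile.h"
 #include "auth.h"
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
 void
 sshd_selinux_copy_context(void)
 {
-	security_context_t *ctx;
+	char *ctx;
 
 	if (!sshd_selinux_enabled())
 		return;
@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
 	}
 }
 
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+	int len;
+	char line[1024], *preauth_context = NULL, *cp, *arg;
+	const char *contexts_path;
+	FILE *contexts_file;
+	struct stat sb;
+
+	contexts_path = selinux_openssh_contexts_path();
+	if (contexts_path == NULL) {
+		debug3_f("Failed to get the path to SELinux context");
+		return;
+	}
+
+	if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+		debug_f("Failed to open SELinux context file");
+		return;
+	}
+
+	if (fstat(fileno(contexts_file), &sb) != 0 ||
+	    sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+		logit_f("SELinux context file needs to be owned by root"
+		    " and not writable by anyone else");
+		fclose(contexts_file);
+		return;
+	}
+
+	while (fgets(line, sizeof(line), contexts_file)) {
+		/* Strip trailing whitespace */
+		for (len = strlen(line) - 1; len > 0; len--) {
+			if (strchr(" \t\r\n", line[len]) == NULL)
+				break;
+			line[len] = '\0';
+		}
+
+		if (line[0] == '\0')
+			continue;
+
+		cp = line;
+		arg = strdelim(&cp;;
+		if (arg && *arg == '\0')
+			arg = strdelim(&cp;;
+
+		if (arg && strcmp(arg, "privsep_preauth") == 0) {
+			arg = strdelim(&cp;;
+			if (!arg || *arg == '\0') {
+				debug_f("privsep_preauth is empty");
+				fclose(contexts_file);
+				return;
+			}
+			preauth_context = xstrdup(arg);
+		}
+	}
+	fclose(contexts_file);
+
+	if (preauth_context == NULL) {
+		debug_f("Unable to find 'privsep_preauth' option in"
+		    " SELinux context file");
+		return;
+	}
+
+	ssh_selinux_change_context(preauth_context);
+	free(preauth_context);
+}
+
 #endif
 #endif
 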
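Review bot: In sshd_selinux_change_privsep_preauth_context, a contexts file that names `privsep_preauth` more than once leaks the earlier xstrdup() result: `preauth_context = xstrdup(arg);` overwrites it without freeing, and the `privsep_preauth is empty` early return also drops an already-allocated value. Either free before assigning, `free(preauth_context); preauth_context = xstrdup(arg);`, or stop at the first match with `break` so the first definition wins and the behaviour for duplicate entries is defined. The ownership check before the parse is the right shape, though it does not reject a non-regular file; an `S_ISREG(sb.st_mode)` test alongside the uid/mode check would close that gap. The `strdelim(&cp;;` calls appear to be a rendering artefact of `strdelim(&cp);`. The first hunk also adds a second `#include "misc.h"` while the context line above already includes it; harmless if the header is guarded, but the duplicate should be dropped.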
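--- a/openbsd-compat/port-linux.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/openbsd-compat/port-linux.c (date 1703108053912)
@@ -207,7 +207,7 @@
 	xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,
 	    newname, cx2 == NULL ? "" : cx2);
 
-	debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
+	debug_f("setting context from '%s' to '%s'", oldctx, newctx);
 	if (setcon(newctx) < 0)
 		do_log2_f(log_level, "setcon %s from %s failed with %s",
 		    newctx, oldctx, strerror(errno));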
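--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
 void sshd_selinux_copy_context(void);
 void sshd_selinux_setup_exec_context(char *);
 int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
 #endif
 
 #ifdef LINUX_OOM_ADJUST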
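--- a/sshd-session.c
+++ b/sshd-session.c
@@ -629,7 +629,7 @@ privsep_preauth_child(void)
 	demote_sensitive_data();
 
 #ifdef WITH_SELINUX
-	ssh_selinux_change_context("sshd_net_t");
+	sshd_selinux_change_privsep_preauth_context();
 #endif
 
 	/* Demote the child */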
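Review bot: The replaced call transitioned the preauth child to `sshd_net_t` unconditionally, whereas sshd_selinux_change_privsep_preauth_context returns without changing context whenever the contexts file is missing, unreadable, fails the ownership check or lacks a `privsep_preauth` entry, so the child then keeps the parent's SELinux context and most of those outcomes are reported only at debug level. If that fallback is intended, a comment at the call site should say so, e.g. `/* context comes from the SELinux openssh contexts file; no transition if it is absent */`; if not, the helper should fall back to the previous default context or report at error level rather than fail open. privsep_preauth_child's body continues outside the hunk.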