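diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index 0077dd7..e3f2ced 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
@@ -31,6 +31,7 @@
 #include "xmalloc.h"
 #include "servconf.h"
 #include "port-linux.h"
+#include "misc.h"
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
 void
 sshd_selinux_copy_context(void)
 {
-	security_context_t *ctx;
+	char *ctx;
 
 	if (!sshd_selinux_enabled())
 		return;
@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
 	}
 }
 
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+	int len;
+	char line[1024], *preauth_context = NULL, *cp, *arg;
+	const char *contexts_path;
+	FILE *contexts_file;
+
+	contexts_path = selinux_openssh_contexts_path();
+	if (contexts_path != NULL) {
+		if ((contexts_file = fopen(contexts_path, "r")) != NULL) {
+			struct stat sb;
+
+			if (fstat(fileno(contexts_file), &sb) == 0 && ((sb.st_uid == 0) && ((sb.st_mode & 022) == 0))) {
+				while (fgets(line, sizeof(line), contexts_file)) {
+					/* Strip trailing whitespace */
+					for (len = strlen(line) - 1; len > 0; len--) {
+						if (strchr(" \t\r\n", line[len]) == NULL)
+							break;
+						line[len] = '\0';
+					}
+
+					if (line[0] == '\0')
+						continue;
+
+					cp = line;
+					arg = strdelim(&cp;;
+					if (*arg == '\0')
+						arg = strdelim(&cp;;
+
+					if (strcmp(arg, "privsep_preauth") == 0) {
+						arg = strdelim(&cp;;
+						if (!arg || *arg == '\0') {
+							debug("%s: privsep_preauth is empty", __func__);
+							fclose(contexts_file);
+							return;
+						}
+						preauth_context = xstrdup(arg);
+					}
+				}
+			}
+			fclose(contexts_file);
+		}
+	}
+
+	if (preauth_context == NULL)
+		preauth_context = xstrdup("sshd_net_t");
+
+	ssh_selinux_change_context(preauth_context);
+	free(preauth_context);
+}
+
 #endif
 #endif
 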
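Review bot: The early return on an empty `privsep_preauth` value skips ssh_selinux_change_context() altogether, so the unprivileged preauth child keeps the parent's domain instead of falling back to sshd_net_t as the replaced call in sshd.c always did; if an empty value is meant as a deliberate opt-out, say so in a comment next to the `debug("%s: privsep_preauth is empty", __func__);` line, otherwise replace the `fclose(contexts_file); return;` pair with `break;` so the default below still applies. A repeated `privsep_preauth` line overwrites the earlier xstrdup'd value without releasing it — add `free(preauth_context);` before `preauth_context = xstrdup(arg);`. The fstat ownership/mode check silently ignores a non-root-owned or group/world-writable contexts file and falls back to the default, which is the safe direction but hides a misconfiguration from operators; an else branch with `debug("%s: ignoring %s: not owned by root or group/world writable", __func__, contexts_path);` would make the fallback visible. The `&cp;;` on the three strdelim() calls looks like an extraction artifact of `&cp);` rather than the committed code, but is worth confirming against the repository.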
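diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..1fc963d 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
 	strlcpy(newctx + len, newname, newlen - len);
 	if ((cx = index(cx + 1, ':')))
 		strlcat(newctx, cx, newlen);
-	debug3("%s: setting context from '%s' to '%s'", __func__,
+	debug("%s: setting context from '%s' to '%s'", __func__,
 	    oldctx, newctx);
 	if (setcon(newctx) < 0)
 		switchlog("%s: setcon %s from %s failed with %s", __func__,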
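diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
 void sshd_selinux_copy_context(void);
 void sshd_selinux_setup_exec_context(char *);
 int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
 #endif
 
 #ifdef LINUX_OOM_ADJUST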
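diff --git a/sshd.c b/sshd.c
index 512c7ed..3eee75a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -637,7 +637,7 @@ privsep_preauth_child(void)
 	demote_sensitive_data();
 
 #ifdef WITH_SELINUX
-	ssh_selinux_change_context("sshd_net_t");
+	sshd_selinux_change_privsep_preauth_context();
 #endif
 
 	/* Change our root directory */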