diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
index 8f32464..18a2ca4 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
@@ -32,6 +32,7 @@
 #include "misc.h"      /* servconf.h needs misc.h for struct ForwardOptions */
 #include "servconf.h"
 #include "port-linux.h"
+#include "misc.h"
 #include "sshkey.h"
 #include "hostfile.h"
 #include "auth.h"
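Review bot: The added `#include "misc.h"` duplicates the one four lines above it (the context line `#include "misc.h"      /* servconf.h needs misc.h for struct ForwardOptions */`), so the new side pulls the same header in twice; the added line can simply be dropped. This is presumably harmless if misc.h carries an include guard, but the earlier include already documents why it is needed, so the second one only adds noise.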
@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
 void
 sshd_selinux_copy_context(void)
 {
-	security_context_t *ctx;
+	char *ctx;
 
 	if (!sshd_selinux_enabled())
 		return;
@@ -461,6 +462,72 @@ sshd_selinux_copy_context(void)
 	}
 }
 
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+	int len;
+	char line[1024], *preauth_context = NULL, *cp, *arg;
+	const char *contexts_path;
+	FILE *contexts_file;
+	struct stat sb;
+
+	contexts_path = selinux_openssh_contexts_path();
+	if (contexts_path == NULL) {
+		debug3_f("Failed to get the path to SELinux context");
+		return;
+	}
+
+	if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+		debug_f("Failed to open SELinux context file");
+		return;
+	}
+
+	if (fstat(fileno(contexts_file), &sb) != 0 ||
+	    sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+		logit_f("SELinux context file needs to be owned by root"
+		    " and not writable by anyone else");
+		fclose(contexts_file);
+		return;
+	}
+
+	while (fgets(line, sizeof(line), contexts_file)) {
+		/* Strip trailing whitespace */
+		for (len = strlen(line) - 1; len > 0; len--) {
+			if (strchr(" \t\r\n", line[len]) == NULL)
+				break;
+			line[len] = '\0';
+		}
+
+		if (line[0] == '\0')
+			continue;
+
+		cp = line;
+		arg = strdelim(&cp;;
+		if (arg && *arg == '\0')
+			arg = strdelim(&cp;;
+
+		if (arg && strcmp(arg, "privsep_preauth") == 0) {
+			arg = strdelim(&cp;;
+			if (!arg || *arg == '\0') {
+				debug_f("privsep_preauth is empty");
+				fclose(contexts_file);
+				return;
+			}
+			preauth_context = xstrdup(arg);
+		}
+	}
+	fclose(contexts_file);
+
+	if (preauth_context == NULL) {
+		debug_f("Unable to find 'privsep_preauth' option in"
+		    " SELinux context file");
+		return;
+	}
+
+	ssh_selinux_change_context(preauth_context);
+	free(preauth_context);
+}
+
 #endif
 #endif
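Review bot: A repeated `privsep_preauth` line in the contexts file leaks the earlier value, because `preauth_context = xstrdup(arg);` in the match branch overwrites the pointer without releasing what a previous match allocated; adding `free(preauth_context);` immediately before that `xstrdup` keeps the last-wins behaviour without the leak. Two smaller parsing edges are worth a comment rather than code: a line longer than the 1024-byte `line` buffer is split by `fgets` and its tail is parsed as a fresh line, and a line consisting only of whitespace survives the strip loop (it stops at `len > 0`, so `line[0]` is never cleared) and reaches `strdelim` as an empty token — neither is harmful given the root-owned, non-group/other-writable file the `fstat` check enforces, but a one-line comment above the loop stating the expected format (`/* one "key value" entry per line, lines longer than sizeof(line) are not supported */`) would set expectations for whoever edits the policy. The three `strdelim(&cp;;` calls look like a rendering artefact of `strdelim(&cp);`. Checking ownership and mode on the descriptor returned by `fopen` rather than on the path is the right shape, as there is no check-to-use window.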
 
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
--- a/openbsd-compat/port-linux.c	(revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)
+++ b/openbsd-compat/port-linux.c	(date 1703108053912)
@@ -207,7 +207,7 @@
 	xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,
 	    newname, cx2 == NULL ? "" : cx2);
-	debug3_f("setting context from '%s' to '%s'", oldctx, newctx);
+	debug_f("setting context from '%s' to '%s'", oldctx, newctx);
 	if (setcon(newctx) < 0)
 		do_log2_f(log_level, "setcon %s from %s failed with %s",
 		    newctx, oldctx, strerror(errno));
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -29,6 +29,7 @@ int sshd_selinux_enabled(void);
 void sshd_selinux_copy_context(void);
 void sshd_selinux_setup_exec_context(char *);
 int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
 #endif
 
 #ifdef LINUX_OOM_ADJUST
diff --git a/sshd-session.c b/sshd-session.c
index 2871fe9..39b9c08 100644
--- a/sshd-session.c
+++ b/sshd-session.c
@@ -629,7 +629,7 @@ privsep_preauth_child(void)
 	demote_sensitive_data();
 
 #ifdef WITH_SELINUX
-	ssh_selinux_change_context("sshd_net_t");
+	sshd_selinux_change_privsep_preauth_context();
 #endif
 
 	/* Demote the child */
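Review bot: The replacement call can return without changing context at all, whereas the line it replaces always requested `sshd_net_t`: `sshd_selinux_change_privsep_preauth_context()` (defined in the port-linux-sshd.c hunk of this same patch) returns early when `selinux_openssh_contexts_path()` yields NULL, the file cannot be opened, it fails the root-owned/not-writable check, or no usable `privsep_preauth` entry is found, and all but the permission failure are logged at `debug_f` level only. The pre-auth child then continues into the demotion below still in its parent's SELinux domain, a quieter downgrade than the old hard-coded transition would have produced. If the policy package is expected to always ship the contexts file, raising those early-return messages to `logit_f` would at least make a missing transition visible; otherwise consider keeping `ssh_selinux_change_context("sshd_net_t");` as the fallback when the file or the entry is absent. privsep_preauth_child starts and ends outside this hunk.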