openSUSE:Leap:15.4:Update
File openssh-6.6.1p1-selinux-contexts.patch of Package openssh
Index: openssh-8.4p1/openbsd-compat/port-linux-sshd.c
===================================================================
--- openssh-8.4p1.orig/openbsd-compat/port-linux-sshd.c
+++ openssh-8.4p1/openbsd-compat/port-linux-sshd.c
@@ -33,6 +33,7 @@
 #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
 #include "servconf.h"
 #include "port-linux.h"
+#include "misc.h"
 #include "sshkey.h"
 #include "hostfile.h"
 #include "auth.h"
@@ -455,7 +456,7 @@ sshd_selinux_setup_exec_context(char *pw
 void
 sshd_selinux_copy_context(void)
 {
- security_context_t *ctx;
+ char *ctx;
 if (!sshd_selinux_enabled())
 return;
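Review bot: The `#include "misc.h"` added in the first hunk duplicates the include three lines above it, which the context shows already present with the comment that servconf.h needs it. Assuming misc.h has the usual include guard the extra line is harmless, but it adds nothing and can be dropped. If the intent was to make the dependency of the new parsing code on `strdelim` explicit, a comment on the existing include would do that without the duplicate.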
@@ -474,6 +475,72 @@ sshd_selinux_copy_context(void)
 }
 }
+void
+sshd_selinux_change_privsep_preauth_context(void)
+{
+ int len;
+ char line[1024], *preauth_context = NULL, *cp, *arg;
+ const char *contexts_path;
+ FILE *contexts_file;
+ struct stat sb;
+
+ contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path == NULL) {
+ debug3("%s: Failed to get the path to SELinux context", __func__);
+ return;
+ }
+
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ debug("%s: Failed to open SELinux context file", __func__);
+ return;
+ }
+
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit("%s: SELinux context file needs to be owned by root"
+ " and not writable by anyone else", __func__);
+ fclose(contexts_file);
+ return;
+ }
+
+ while (fgets(line, sizeof(line), contexts_file)) {
+ /* Strip trailing whitespace */
+ for (len = strlen(line) - 1; len > 0; len--) {
+ if (strchr(" \t\r\n", line[len]) == NULL)
+ break;
+ line[len] = '\0';
+ }
+
+ if (line[0] == '\0')
+ continue;
+
+ cp = line;
+ arg = strdelim(&cp);
+ if (arg && *arg == '\0')
+ arg = strdelim(&cp);
+
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp);
+ if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__);
+ fclose(contexts_file);
+ return;
+ }
+ preauth_context = xstrdup(arg);
+ }
+ }
+ fclose(contexts_file);
+
+ if (preauth_context == NULL) {
+ debug("%s: Unable to find 'privsep_preauth' option in"
+ " SELinux context file", __func__);
+ return;
+ }
+
+ ssh_selinux_change_context(preauth_context);
+ free(preauth_context);
+}
+
 #endif
 #endif
Index: openssh-8.4p1/openbsd-compat/port-linux.c
===================================================================
--- openssh-8.4p1.orig/openbsd-compat/port-linux.c
+++ openssh-8.4p1/openbsd-compat/port-linux.c
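Review bot: Every failure path in the new `sshd_selinux_change_privsep_preauth_context()` returns without attempting a context change. If the contexts file is missing, unreadable, not root-owned or has no `privsep_preauth` entry, the pre-auth child therefore keeps the context it inherited, and all but the ownership check report this only at `debug`/`debug3` level. The call it replaces in the sshd.c hunk, `ssh_selinux_change_context("sshd_net_t")`, always attempted the transition, so this is a fail-open regression for the network-facing child. Consider falling back to that value on each early `return`, or at least raising those messages to `logit` so a lost transition shows up in normal logs. Separately, a second `privsep_preauth` line overwrites `preauth_context` without freeing the earlier `xstrdup` result, and the "is empty" return leaks it as well; `free(preauth_context);` before the assignment and before that return would close both.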
@@ -185,7 +185,7 @@ ssh_selinux_change_context(const char *n
 strlcpy(newctx + len, newname, newlen - len);
 if ((cx = index(cx + 1, ':')))
 strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug("%s: setting context from '%s' to '%s'", __func__,
 oldctx, newctx);
 if (setcon(newctx) < 0)
 switchlog("%s: setcon %s from %s failed with %s", __func__,
Index: openssh-8.4p1/openbsd-compat/port-linux.h
===================================================================
--- openssh-8.4p1.orig/openbsd-compat/port-linux.h
+++ openssh-8.4p1/openbsd-compat/port-linux.h
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
 void sshd_selinux_copy_context(void);
 void sshd_selinux_setup_exec_context(char *);
 int sshd_selinux_setup_env_variables(void);
+void sshd_selinux_change_privsep_preauth_context(void);
 #endif
 #ifdef LINUX_OOM_ADJUST
Index: openssh-8.4p1/sshd.c
===================================================================
--- openssh-8.4p1.orig/sshd.c
+++ openssh-8.4p1/sshd.c
@@ -540,7 +540,7 @@ privsep_preauth_child(struct ssh *ssh)
 demote_sensitive_data(ssh);
 #ifdef WITH_SELINUX
- ssh_selinux_change_context("sshd_net_t");
+ sshd_selinux_change_privsep_preauth_context();
 #endif
 /* Demote the child */