author | Damien Miller <djm@mindrot.org> | 2006-04-22 21:26:08 +1000 |
committer | Damien Miller <djm@mindrot.org> | 2006-04-22 21:26:08 +1000 |
commit | 73b42d2bb058da914828b53f2951954560a5b6eb (patch) | |
tree | 7271e92211fab0a06b0d36f162801b073220c5bf /openbsd-compat | |
parent | 2eaf37d899a55c253ad42d13534a824bce9c8ed2 (diff) |
- (djm) [Makefile.in configure.ac session.c sshpty.c]
[contrib/redhat/sshd.init openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
[openbsd-compat/port-linux.h] Add support for SELinux, setting
the execution and TTY contexts. based on patch from Daniel Walsh,
bz #880; ok dtucker@
Diffstat (limited to 'openbsd-compat')
-rw-r--r-- | openbsd-compat/Makefile.in | 4 | ||||
-rw-r--r-- | openbsd-compat/openbsd-compat.h | 3 | ||||
-rw-r--r-- | openbsd-compat/port-linux.c | 165 | ||||
-rw-r--r-- | openbsd-compat/port-linux.h | 27 |
4 files changed, 196 insertions, 3 deletions
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index f1a70624..67e521bf 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.38 2006/03/15 02:09:20 djm Exp $ +# $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o -PORTS=port-irix.o port-aix.o port-uw.o port-tun.o +PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 432b183e..eda9c49e 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.35 2006/03/15 11:25:55 dtucker Exp $ */ +/* $Id: openbsd-compat.h,v 1.36 2006/04/22 11:26:08 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -185,6 +185,7 @@ char *shadow_pw(struct passwd *pw); #include "bsd-cray.h" #include "bsd-cygwin_util.h" #include "port-irix.h" +#include "port-linux.h" #include "port-aix.h" #include "port-uw.h" #include "port-tun.h" diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c new file mode 100644 index 00000000..54ec2910 --- /dev/null +++ b/openbsd-compat/port-linux.c 
@@ -0,0 +1,165 @@
+/* $Id: port-linux.c,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Linux-specific portability code - just SELinux support at present
+ */
+
+#include "includes.h"
+
+#ifdef WITH_SELINUX
+#include "log.h"
+#include "port-linux.h"
+
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+static int
+ssh_selinux_enabled(void)
+{
+ static int enabled = -1;
+
+ if (enabled == -1) {
+ enabled = is_selinux_enabled();
+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
+ }
+
+ return (enabled);
+}
+
+/* Return the default security context for the given username */
+static security_context_t
+ssh_selinux_getctxbyname(char *pwname)
+{
+ security_context_t sc;
+ char *sename = NULL, *lvl = NULL;
+ int r;
+
+#ifdef HAVE_GETSEUSERBYNAME
+ if (getseuserbyname(pwname, &sename, &lvl) != 0)
+ return NULL;
+#else
+ sename = pwname;
+ lvl = NULL;
+#endif
+
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ r = get_default_context_with_level(sename, lvl, NULL, &sc);
+#else
+ r = get_default_context(sename, NULL, &sc);
+#endif
+
+ if (r != 0) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: ssh_selinux_getctxbyname: "
+ "security_getenforce() failed", __func__);
+ case 0:
+ error("%s: Failed to get default SELinux security "
+ "context for %s", __func__, pwname);
+ default:
+ fatal("%s: Failed to get default SELinux security "
+ "context for %s (in enforcing mode)",
+ __func__, pwname);
+ }
+ }
+
+#ifdef HAVE_GETSEUSERBYNAME
+ if (sename != NULL)
+ xfree(sename);
+ if (lvl != NULL)
+ xfree(lvl);
+#endif
+
+ return (sc);
+}
+
+/* Set the execution context to the default for the specified user */
+void
+ssh_selinux_setup_exec_context(char *pwname)
+{
+ security_context_t user_ctx = NULL;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ debug3("%s: setting execution context", __func__);
+
+ user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (setexeccon(user_ctx) != 0) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
+ case 0:
+ error("%s: Failed to set SELinux execution "
+ "context for %s", __func__, pwname);
+ default:
+ fatal("%s: Failed to set SELinux execution context "
+ "for %s (in enforcing mode)", __func__, pwname);
+ }
+ }
+ if (user_ctx != NULL)
+ freecon(user_ctx);
+
+ debug3("%s: done", __func__);
+}
+
+/* Set the TTY context for the specified user */
+void
+ssh_selinux_setup_pty(char *pwname, const char *tty)
+{
+ security_context_t new_tty_ctx = NULL;
+ security_context_t user_ctx = NULL;
+ security_context_t old_tty_ctx = NULL;
+
+ if (!ssh_selinux_enabled())
+ return;
+
+ debug3("%s: setting TTY context on %s", __func__, tty);
+
+ user_ctx = ssh_selinux_getctxbyname(pwname);
+
+ /* XXX: should these calls fatal() upon failure in enforcing mode? */
+
+ if (getfilecon(tty, &old_tty_ctx) == -1) {
+ error("%s: getfilecon: %s", __func__, strerror(errno));
+ goto out;
+ }
+
+ if (security_compute_relabel(user_ctx, old_tty_ctx,
+ SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+ error("%s: security_compute_relabel: %s",
+ __func__, strerror(errno));
+ goto out;
+ }
+
+ if (setfilecon(tty, new_tty_ctx) != 0)
+ error("%s: setfilecon: %s", __func__, strerror(errno));
+ out:
+ if (new_tty_ctx != NULL)
+ freecon(new_tty_ctx);
+ if (old_tty_ctx != NULL)
+ freecon(old_tty_ctx);
+ if (user_ctx != NULL)
+ freecon(user_ctx);
+ debug3("%s: done", __func__);
+}
+#endif /* WITH_SELINUX */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
new file mode 100644
index 00000000..05e520e1
--- /dev/null
+++ b/openbsd-compat/port-linux.h
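Review bot: The `case 0:` arm of the switch in ssh_selinux_getctxbyname has no `break`, so in permissive mode (security_getenforce() returning 0) the error() call falls straight through into the `default:` fatal() and the daemon aborts with the misleading "(in enforcing mode)" message; the `case 0:` arm in ssh_selinux_setup_exec_context has the same fall-through. The messages indicate that permissive mode is meant to log and continue, so the error() in ssh_selinux_getctxbyname should be followed by `sc = NULL;` and `break;`, and the one in ssh_selinux_setup_exec_context by `break;`. Whether get_default_context()/get_default_context_with_level() leave sc defined on failure is not visible here, so declaring it as `security_context_t sc = NULL;` keeps the value returned on that path deterministic. The `case -1:` arms are fine as written only because fatal() presumably does not return; a `/* NOTREACHED */` after each would make that explicit for the next reader.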
@@ -0,0 +1,27 @@
+/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+
+/*
+ * Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _PORT_LINUX_H
+#define _PORT_LINUX_H
+
+#ifdef WITH_SELINUX
+void ssh_selinux_setup_pty(char *, const char *);
+void ssh_selinux_setup_exec_context(char *);
+#endif
+
+#endif /* ! _PORT_LINUX_H */ |
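Review bot: The include guard `_PORT_LINUX_H` is an identifier beginning with an underscore and an uppercase letter, which the C standard reserves for the implementation, so it can in principle collide with a system header's macro; `PORT_LINUX_H` avoids that, though the other port-*.h headers in openbsd-compat appear to use the same convention and consistency may be the deciding factor. The two prototypes are also undocumented: a one-line comment on each stating that they are no-ops when SELinux is disabled at runtime and that the enforcing-mode failure policy is fatal() would save readers a trip into port-linux.c. Neither function writes through pwname in port-linux.c, so `const char *` would be the more accurate parameter type, but that is a wider change touching the callers named in the commit message.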