Accepting request 1317055 from security

OBS-URL: https://build.opensuse.org/request/show/1317055
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/google-authenticator-libpam?expand=0&rev=9

267cbfa31bc17805c4850afd39788d97a7b5374c.patch

@@ -0,0 +1,28 @@
+commit 267cbfa31bc17805c4850afd39788d97a7b5374c
+Author: Thomas Habets <habets@google.com>
+Date:   Mon Nov 10 18:09:12 2025 +0000
+
+    SELinux: conditionally link demo to SELinux
+
+diff --git a/Makefile.am b/Makefile.am
+index db3412e..cd49517 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -43,7 +43,7 @@ EXTRA_DIST        = tests/base32_test.sh
+ libpam_google_authenticator_testing_la_SOURCES = \
+ 	src/pam_google_authenticator.c \
+ 	$(CORE_SRC)
+-libpam_google_authenticator_testing_la_CFLAGS  = $(AM_CFLAGS) -DTESTING=1
++libpam_google_authenticator_testing_la_CFLAGS  = $(AM_CFLAGS) -DTESTING=1 $(SELINUX_CFLAGS)
+ libpam_google_authenticator_testing_la_LDFLAGS = $(AM_LDFLAGS) $(MODULES_LDFLAGS) -rpath $(abs_top_builddir) -lpam
+ 
+ tests_pam_google_authenticator_unittest_SOURCES = \
+@@ -59,7 +59,7 @@ examples_demo_SOURCES = \
+ 	src/pam_google_authenticator.c \
+ 	$(CORE_SRC) \
+ 	examples/demo.c
+-examples_demo_LDADD  = -lpam -lselinux
++examples_demo_LDADD  = -lpam $(SELINUX_LIBS)
+ examples_demo_CFLAGS = $(AM_CFLAGS) -DDEMO=1
+ 
+ 

2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch

@@ -0,0 +1,24 @@
+commit 2a1f725e83d3ffc11d229543c4c2980dffd637b9
+Author: Johannes Segitz <jsegitz@suse.de>
+Date:   Mon Nov 10 17:09:42 2025 +0100
+
+    Log filure to set SELinux type on secret file at LOG_DEBUG
+
+diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
+index ee65e66..c9fa68a 100644
+--- a/src/pam_google_authenticator.c
++++ b/src/pam_google_authenticator.c
+@@ -698,10 +698,9 @@ static int write_file_contents(pam_handle_t *pamh,
+     log_message(LOG_ERR, pamh, "write(): %s", strerror(err));
+     goto cleanup;
+   }
+-  // adjust SELinux context. No error handling here as this can fail if SELinux
+-  // is not enable, which is fine in this case. If it fails when SELinux is
+-  // available this will result in AVCs that can be debugged
+-  set_selinux_context(fd);
++  if (set_selinux_context(fd)) {
++    log_message(LOG_DEBUG, pamh, "setting SELinux type \"%s\" on file \"%s\" failed. Okay if SELinux is disabled", SECRET_SELINUX_TYPE, secret_filename);
++  }
+ 
+   if (fsync(fd)) {
+     err = errno;

6313ae4c2b475e1b73fd272434089cfc4631e14d.patch

@@ -0,0 +1,98 @@
+commit 6313ae4c2b475e1b73fd272434089cfc4631e14d
+Author: Thomas Habets <habets@google.com>
+Date:   Mon Nov 10 17:57:39 2025 +0000
+
+    SELinux: fix build when SELinux is not present
+
+diff --git a/Makefile.am b/Makefile.am
+index 911d146..db3412e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -31,7 +31,7 @@ pam_google_authenticator_la_SOURCES = \
+ 	src/pam_google_authenticator.c \
+ 	$(CORE_SRC)
+ pam_google_authenticator_la_LIBADD  = -lpam
+-pam_google_authenticator_la_CFLAGS  = $(AM_CFLAGS)
++pam_google_authenticator_la_CFLAGS  = $(AM_CFLAGS) $(SELINUX_CFLAGS)
+ pam_google_authenticator_la_LDFLAGS = $(AM_LDFLAGS) $(MODULES_LDFLAGS) -export-symbols-regex "pam_sm_(setcred|open_session|authenticate)"
+ 
+ 
+diff --git a/configure.ac b/configure.ac
+index e4b2839..e3bce7b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -17,7 +17,11 @@ LT_INIT
+ AC_PROG_CC
+ AC_PROG_CC_STDC
+ 
+-AC_CHECK_HEADERS([sys/fsuid.h])
++AC_CHECK_HEADERS([
++        sys/fsuid.h
++        selinux/selinux.h
++        selinux/context.h
++])
+ AC_CHECK_FUNCS([ \
+ 	explicit_bzero \
+ 	setfsuid \
+@@ -84,7 +88,6 @@ have_selinux=no
+ if test "x$enable_selinux" != "xno"; then
+     PKG_CHECK_MODULES([SELINUX], [libselinux], [
+         have_selinux=yes
+-        SELINUX_LIBS="-lselinux"
+         AC_DEFINE([HAVE_SELINUX], [1], [Define if SELinux is available])
+     ], [
+         if test "x$enable_selinux" = "xyes"; then
+@@ -94,6 +97,7 @@ if test "x$enable_selinux" != "xno"; then
+     ])
+ fi
+ 
++AC_SUBST([SELINUX_CFLAGS])
+ AC_SUBST([SELINUX_LIBS])
+ AM_CONDITIONAL([HAVE_SELINUX], [test "x$have_selinux" = "xyes"])
+ 
+@@ -110,4 +114,6 @@ echo "
+   Debug Build....: $debug
+   C Compiler.....: $CC $CFLAGS $CPPFLAGS
+   Linker.........: $LD $LDFLAGS $LIBS
++  SELinux CFlags.: $SELINUX_CFLAGS
++  SELinux libs...: $SELINUX_LIBS
+ "
+diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
+index c9fa68a..d37374b 100644
+--- a/src/pam_google_authenticator.c
++++ b/src/pam_google_authenticator.c
+@@ -30,8 +30,14 @@
+ #include <time.h>
+ #include <unistd.h>
+ 
++#ifdef HAVE_SELINUX
++#ifdef HAVE_SELINUX_SELINUX_H
+ #include <selinux/selinux.h>
++#endif
++#ifdef HAVE_SELINUX_CONTEXT_H
+ #include <selinux/context.h>
++#endif
++#endif
+ 
+ #ifdef HAVE_SYS_FSUID_H
+ // We much rather prefer to use setfsuid(), but this function is unfortunately
+@@ -579,8 +585,9 @@ full_write(int fd, const char* buf, size_t len) {
+ }
+ 
+ static int set_selinux_context(int fd) {
+-  char *old_context = NULL;
+   int err = 0;
++#ifdef HAVE_SELINUX
++  char *old_context = NULL;
+ 
+   // skip if SELinux is not enabled
+   if (!is_selinux_enabled()) {
+@@ -624,7 +631,7 @@ cleanup:
+   if (old_context) {
+     freecon(old_context);
+   }
+-
++#endif
+   return err;
+ }
+ 

665012cf90acadac882db4738b21b7246965ee2a.patch

@@ -0,0 +1,40 @@
+commit 665012cf90acadac882db4738b21b7246965ee2a
+Author: Thomas Habets <habets@google.com>
+Date:   Mon Nov 10 18:05:22 2025 +0000
+
+    SELinux: don't jump past variable initialization
+
+diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
+index d37374b..d991839 100644
+--- a/src/pam_google_authenticator.c
++++ b/src/pam_google_authenticator.c
+@@ -588,17 +588,16 @@ static int set_selinux_context(int fd) {
+   int err = 0;
+ #ifdef HAVE_SELINUX
+   char *old_context = NULL;
++  const char *new_context = NULL;
+ 
+   // skip if SELinux is not enabled
+   if (!is_selinux_enabled()) {
+-    err = 1;
+-    goto cleanup;
++    return 1;
+   }
+ 
+   // Get the current context
+   if (fgetfilecon(fd, &old_context) < 0) {
+-    err = errno;
+-    goto cleanup;
++    return errno;
+   }
+ 
+   // Create a new context with the type changed
+@@ -613,7 +612,7 @@ static int set_selinux_context(int fd) {
+   }
+ 
+   // Get the SC as string
+-  const char *new_context = context_str(ctx);
++  new_context = context_str(ctx);
+   if (!new_context) {
+     err = errno;
+     goto cleanup;

75151df21a19e7182c09ae0118379fae890bdf5b.patch

@@ -0,0 +1,54 @@
+commit 75151df21a19e7182c09ae0118379fae890bdf5b
+Author: Johannes Segitz <jsegitz@suse.de>
+Date:   Mon Nov 10 17:34:57 2025 +0100
+
+    Detect and use libselinux if available
+
+diff --git a/Makefile.am b/Makefile.am
+index 18359f7..911d146 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -12,7 +12,7 @@ pam_LTLIBRARIES   = pam_google_authenticator.la
+ dist_doc_DATA  = FILEFORMAT README.md
+ dist_html_DATA = totp.html
+ 
+-MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic -lselinux
++MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic $(SELINUX_LIBS)
+ 
+ CORE_SRC  = src/util.h   src/util.c
+ CORE_SRC += src/base32.h src/base32.c
+diff --git a/configure.ac b/configure.ac
+index 881b00b..e4b2839 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -72,6 +72,30 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ 
+ AC_LANG_POP(C)
+ 
++# SELinux support (optional)
++AC_ARG_ENABLE([selinux],
++    AS_HELP_STRING([--disable-selinux], [Disable SELinux support]),
++    [enable_selinux=$enableval],
++    [enable_selinux=auto])
++
++SELINUX_LIBS=""
++have_selinux=no
++
++if test "x$enable_selinux" != "xno"; then
++    PKG_CHECK_MODULES([SELINUX], [libselinux], [
++        have_selinux=yes
++        SELINUX_LIBS="-lselinux"
++        AC_DEFINE([HAVE_SELINUX], [1], [Define if SELinux is available])
++    ], [
++        if test "x$enable_selinux" = "xyes"; then
++            AC_MSG_ERROR([SELinux support requested but libselinux not found])
++        fi
++        have_selinux=no
++    ])
++fi
++
++AC_SUBST([SELINUX_LIBS])
++AM_CONDITIONAL([HAVE_SELINUX], [test "x$have_selinux" = "xyes"])
+ 
+ 
+ AC_SEARCH_LIBS([dlopen], [dl])

a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch

@@ -0,0 +1,135 @@
+commit a0b6cf1f022f987d21d3d9c597e9f7f9759968ba
+Author: Johannes Segitz <jsegitz@suse.de>
+Date:   Mon Nov 3 13:20:54 2025 +0100
+
+    Set SELinux type for secret file explicitly
+    
+    Since the file is changed by creating a temporary file and then
+    atomically renaming it the normal file handling rules of SELinux
+    don't work properly. Therefor set the SELinux type explicitly on
+    the temporary file.
+    
+    See https://bugzilla.suse.com/show_bug.cgi?id=1252092 for more details
+
+diff --git a/Makefile.am b/Makefile.am
+index 6be2379..18359f7 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -12,7 +12,7 @@ pam_LTLIBRARIES   = pam_google_authenticator.la
+ dist_doc_DATA  = FILEFORMAT README.md
+ dist_html_DATA = totp.html
+ 
+-MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic
++MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic -lselinux
+ 
+ CORE_SRC  = src/util.h   src/util.c
+ CORE_SRC += src/base32.h src/base32.c
+@@ -59,7 +59,7 @@ examples_demo_SOURCES = \
+ 	src/pam_google_authenticator.c \
+ 	$(CORE_SRC) \
+ 	examples/demo.c
+-examples_demo_LDADD  = -lpam
++examples_demo_LDADD  = -lpam -lselinux
+ examples_demo_CFLAGS = $(AM_CFLAGS) -DDEMO=1
+ 
+ 
+diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
+index b6fdef0..ee65e66 100644
+--- a/src/pam_google_authenticator.c
++++ b/src/pam_google_authenticator.c
+@@ -30,6 +30,9 @@
+ #include <time.h>
+ #include <unistd.h>
+ 
++#include <selinux/selinux.h>
++#include <selinux/context.h>
++
+ #ifdef HAVE_SYS_FSUID_H
+ // We much rather prefer to use setfsuid(), but this function is unfortunately
+ // not available on all systems.
+@@ -55,11 +58,12 @@
+ 
+ // Module name shortened to work with rsyslog.
+ // See https://github.com/google/google-authenticator-libpam/issues/172
+-#define MODULE_NAME   "pam_google_auth"
++#define MODULE_NAME          "pam_google_auth"
+ 
+-#define SECRET        "~/.google_authenticator"
+-#define CODE_PROMPT   "Verification code: "
+-#define PWCODE_PROMPT "Password & verification code: "
++#define SECRET               "~/.google_authenticator"
++#define SECRET_SELINUX_TYPE  "auth_home_t"
++#define CODE_PROMPT          "Verification code: "
++#define PWCODE_PROMPT        "Password & verification code: "
+ 
+ typedef struct Params {
+   const char *secret_filename_spec;
+@@ -574,6 +578,56 @@ full_write(int fd, const char* buf, size_t len) {
+   }
+ }
+ 
++static int set_selinux_context(int fd) {
++  char *old_context = NULL;
++  int err = 0;
++
++  // skip if SELinux is not enabled
++  if (!is_selinux_enabled()) {
++    err = 1;
++    goto cleanup;
++  }
++
++  // Get the current context
++  if (fgetfilecon(fd, &old_context) < 0) {
++    err = errno;
++    goto cleanup;
++  }
++
++  // Create a new context with the type changed
++  context_t ctx = context_new(old_context);
++  if (!ctx) {
++    err = errno;
++    goto cleanup;
++  }
++  if (context_type_set(ctx, SECRET_SELINUX_TYPE) < 0) {
++    err = errno;
++    goto cleanup;
++  }
++
++  // Get the SC as string
++  const char *new_context = context_str(ctx);
++  if (!new_context) {
++    err = errno;
++    goto cleanup;
++  }
++
++  if (fsetfilecon(fd, new_context) < 0) {
++    err = errno;
++    goto cleanup;
++  }
++
++cleanup:
++  if (ctx) {
++    context_free(ctx);
++  }
++  if (old_context) {
++    freecon(old_context);
++  }
++
++  return err;
++}
++
+ // Safely overwrite the old secret file.
+ // Return 0 on success, errno otherwise.
+ static int write_file_contents(pam_handle_t *pamh,
+@@ -644,6 +698,11 @@ static int write_file_contents(pam_handle_t *pamh,
+     log_message(LOG_ERR, pamh, "write(): %s", strerror(err));
+     goto cleanup;
+   }
++  // adjust SELinux context. No error handling here as this can fail if SELinux
++  // is not enable, which is fine in this case. If it fails when SELinux is
++  // available this will result in AVCs that can be debugged
++  set_selinux_context(fd);
++
+   if (fsync(fd)) {
+     err = errno;
+     log_message(LOG_ERR, pamh, "fsync(): %s", strerror(err));

google-authenticator-libpam.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Nov 11 09:26:21 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
+
+- Added
+  * 267cbfa31bc17805c4850afd39788d97a7b5374c.patch
+  * 2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
+  * 6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
+  * 665012cf90acadac882db4738b21b7246965ee2a.patch
+  * 75151df21a19e7182c09ae0118379fae890bdf5b.patch
+  * a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch
+  to get proper SELinux type on secrets file (bsc#1252092)
+  Already upstream via
+  https://github.com/google/google-authenticator-libpam/pull/280
+  can be dropped with the next release
+
 -------------------------------------------------------------------
 Wed Jul 24 13:13:46 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 

google-authenticator-libpam.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package google-authenticator-libpam
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,13 @@ Group:          Productivity/Security
 URL:            https://github.com/google/google-authenticator-libpam
 Source:         %{name}-%{version}.tar.xz
 Source99:       baselibs.conf
+Patch0:         a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch
+Patch1:         2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
+Patch2:         75151df21a19e7182c09ae0118379fae890bdf5b.patch
+Patch3:         267cbfa31bc17805c4850afd39788d97a7b5374c.patch
+Patch4:         6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
+Patch5:         665012cf90acadac882db4738b21b7246965ee2a.patch
+BuildRequires:  libselinux-devel
 BuildRequires:  libtool
 BuildRequires:  pam-devel
 # libqrencode.so.[234] are dynamically loaded if present in order to show a QR code
@@ -41,6 +48,12 @@ Integrate GOOGLE Authenticator into your login process for full 2FA.
 
 %prep
 %setup -q
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
 
 %build
 ./bootstrap.sh