74e20db9ed
- Enhanced SELinux functionality. Added Fedora patches: * openssh-7.8p1-role-mls.patch Proper handling of MLS systems and basis for other SELinux improvements * openssh-6.6p1-privsep-selinux.patch Properly set contexts during privilege separation * openssh-6.6p1-keycat.patch Add ssh-keycat command to allow retrival of authorized_keys on MLS setups with polyinstantiation * openssh-6.6.1p1-selinux-contexts.patch Additional changes to set the proper context during privilege separation * openssh-7.6p1-cleanup-selinux.patch Various changes and putting the pieces together For now we don't ship the ssh-keycat command, but we need the patch for the other SELinux infrastructure This change fixes issues like bsc#1214788, where the ssh daemon needs to act on behalf of a user and needs a proper context for this OBS-URL: https://build.opensuse.org/request/show/1123220 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=252
133 lines
3.7 KiB
Diff
133 lines
3.7 KiB
Diff
Index: openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
|
===================================================================
|
|
--- openssh-9.3p2.orig/openbsd-compat/port-linux-sshd.c
|
|
+++ openssh-9.3p2/openbsd-compat/port-linux-sshd.c
|
|
@@ -33,6 +33,7 @@
|
|
#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
|
|
#include "servconf.h"
|
|
#include "port-linux.h"
|
|
+#include "misc.h"
|
|
#include "sshkey.h"
|
|
#include "hostfile.h"
|
|
#include "auth.h"
|
|
@@ -451,7 +452,7 @@ sshd_selinux_setup_exec_context(char *pw
|
|
void
|
|
sshd_selinux_copy_context(void)
|
|
{
|
|
- security_context_t *ctx;
|
|
+ char *ctx;
|
|
|
|
if (!sshd_selinux_enabled())
|
|
return;
|
|
@@ -470,6 +471,72 @@ sshd_selinux_copy_context(void)
|
|
}
|
|
}
|
|
|
|
+void
|
|
+sshd_selinux_change_privsep_preauth_context(void)
|
|
+{
|
|
+ int len;
|
|
+ char line[1024], *preauth_context = NULL, *cp, *arg;
|
|
+ const char *contexts_path;
|
|
+ FILE *contexts_file;
|
|
+ struct stat sb;
|
|
+
|
|
+ contexts_path = selinux_openssh_contexts_path();
|
|
+ if (contexts_path == NULL) {
|
|
+ debug3_f("Failed to get the path to SELinux context");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
|
|
+ debug_f("Failed to open SELinux context file");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ if (fstat(fileno(contexts_file), &sb) != 0 ||
|
|
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
|
|
+ logit_f("SELinux context file needs to be owned by root"
|
|
+ " and not writable by anyone else");
|
|
+ fclose(contexts_file);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ while (fgets(line, sizeof(line), contexts_file)) {
|
|
+ /* Strip trailing whitespace */
|
|
+ for (len = strlen(line) - 1; len > 0; len--) {
|
|
+ if (strchr(" \t\r\n", line[len]) == NULL)
|
|
+ break;
|
|
+ line[len] = '\0';
|
|
+ }
|
|
+
|
|
+ if (line[0] == '\0')
|
|
+ continue;
|
|
+
|
|
+ cp = line;
|
|
+ arg = strdelim(&cp);
|
|
+ if (arg && *arg == '\0')
|
|
+ arg = strdelim(&cp);
|
|
+
|
|
+ if (arg && strcmp(arg, "privsep_preauth") == 0) {
|
|
+ arg = strdelim(&cp);
|
|
+ if (!arg || *arg == '\0') {
|
|
+ debug_f("privsep_preauth is empty");
|
|
+ fclose(contexts_file);
|
|
+ return;
|
|
+ }
|
|
+ preauth_context = xstrdup(arg);
|
|
+ }
|
|
+ }
|
|
+ fclose(contexts_file);
|
|
+
|
|
+ if (preauth_context == NULL) {
|
|
+ debug_f("Unable to find 'privsep_preauth' option in"
|
|
+ " SELinux context file");
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ ssh_selinux_change_context(preauth_context);
|
|
+ free(preauth_context);
|
|
+}
|
|
+
|
|
#endif
|
|
#endif
|
|
|
|
Index: openssh-9.3p2/openbsd-compat/port-linux.c
|
|
===================================================================
|
|
--- openssh-9.3p2.orig/openbsd-compat/port-linux.c
|
|
+++ openssh-9.3p2/openbsd-compat/port-linux.c
|
|
@@ -182,7 +182,7 @@ ssh_selinux_change_context(const char *n
|
|
strlcpy(newctx + len, newname, newlen - len);
|
|
if ((cx = index(cx + 1, ':')))
|
|
strlcat(newctx, cx, newlen);
|
|
- debug3("%s: setting context from '%s' to '%s'", __func__,
|
|
+ debug_f("setting context from '%s' to '%s'",
|
|
oldctx, newctx);
|
|
if (setcon(newctx) < 0)
|
|
do_log2(log_level, "%s: setcon %s from %s failed with %s",
|
|
Index: openssh-9.3p2/openbsd-compat/port-linux.h
|
|
===================================================================
|
|
--- openssh-9.3p2.orig/openbsd-compat/port-linux.h
|
|
+++ openssh-9.3p2/openbsd-compat/port-linux.h
|
|
@@ -27,6 +27,7 @@ int sshd_selinux_enabled(void);
|
|
void sshd_selinux_copy_context(void);
|
|
void sshd_selinux_setup_exec_context(char *);
|
|
int sshd_selinux_setup_env_variables(void);
|
|
+void sshd_selinux_change_privsep_preauth_context(void);
|
|
#endif
|
|
|
|
#ifdef LINUX_OOM_ADJUST
|
|
Index: openssh-9.3p2/sshd.c
|
|
===================================================================
|
|
--- openssh-9.3p2.orig/sshd.c
|
|
+++ openssh-9.3p2/sshd.c
|
|
@@ -511,7 +511,7 @@ privsep_preauth_child(struct ssh *ssh)
|
|
demote_sensitive_data(ssh);
|
|
|
|
#ifdef WITH_SELINUX
|
|
- ssh_selinux_change_context("sshd_net_t");
|
|
+ sshd_selinux_change_privsep_preauth_context();
|
|
#endif
|
|
|
|
/* Demote the child */
|