- (djm) [Makefile.in configure.ac session.c sshpty.c]

[contrib/redhat/sshd.init openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
   [openbsd-compat/port-linux.h] Add support for SELinux, setting
   the execution and TTY contexts. Based on a patch from Daniel Walsh,
   bz #880; ok dtucker@
This commit is contained in:
Damien Miller 2006-04-22 21:26:08 +10:00
parent 2eaf37d899
commit 73b42d2bb0
10 changed files with 247 additions and 10 deletions


@ -1,6 +1,14 @@
20060421
- (djm) [Makefile.in configure.ac session.c sshpty.c]
[contrib/redhat/sshd.init openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
[openbsd-compat/port-linux.h] Add support for SELinux, setting
the execution and TTY contexts. based on patch from Daniel Walsh,
bz #880; ok dtucker@
20060418 20060418
- (djm) Reorder IP options check so that it isn't broken by - (djm) [canohost.c] Reorder IP options check so that it isn't broken
mapped addresses; bz #1179 reported by markw wtech-llc.com; by mapped addresses; bz #1179 reported by markw wtech-llc.com;
ok dtucker@ ok dtucker@
20060331 20060331
@ -4500,4 +4508,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.4301 2006/04/18 05:13:16 djm Exp $ $Id: ChangeLog,v 1.4302 2006/04/22 11:26:08 djm Exp $


@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.276 2006/03/15 02:09:18 djm Exp $ # $Id: Makefile.in,v 1.277 2006/04/22 11:26:08 djm Exp $
# uncomment if you run a non bourne compatable shell. Ie. csh # uncomment if you run a non bourne compatable shell. Ie. csh
#SHELL = @SH@ #SHELL = @SH@
@ -43,6 +43,7 @@ LD=@LD@
CFLAGS=@CFLAGS@ CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@ LIBS=@LIBS@
LIBSELINUX=@LIBSELINUX@
LIBEDIT=@LIBEDIT@ LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@ LIBPAM=@LIBPAM@
LIBWRAP=@LIBWRAP@ LIBWRAP=@LIBWRAP@
@ -136,7 +137,7 @@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS) sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS) $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)


@ -1,4 +1,4 @@
# $Id: configure.ac,v 1.338 2006/03/15 21:14:34 dtucker Exp $ # $Id: configure.ac,v 1.339 2006/04/22 11:26:08 djm Exp $
# #
# Copyright (c) 1999-2004 Damien Miller # Copyright (c) 1999-2004 Damien Miller
# #
@ -15,7 +15,7 @@
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org)
AC_REVISION($Revision: 1.338 $) AC_REVISION($Revision: 1.339 $)
AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_SRCDIR([ssh.c])
AC_CONFIG_HEADER(config.h) AC_CONFIG_HEADER(config.h)
@ -3000,6 +3000,23 @@ int main()
[#include <arpa/nameser.h>]) [#include <arpa/nameser.h>])
]) ])
# Check whether user wants SELinux support
SELINUX_MSG="no"
LIBSELINUX=""
AC_ARG_WITH(selinux,
[ --with-selinux Enable SELinux support],
[ if test "x$withval" != "xno" ; then
AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
SELINUX_MSG="yes"
AC_CHECK_HEADER([selinux/selinux.h], ,
AC_MSG_ERROR(SELinux support requires selinux.h header))
AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
AC_MSG_ERROR(SELinux support requires libselinux library))
AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
fi ]
)
AC_SUBST(LIBSELINUX)
# Check whether user wants Kerberos 5 support # Check whether user wants Kerberos 5 support
KRB5_MSG="no" KRB5_MSG="no"
AC_ARG_WITH(kerberos5, AC_ARG_WITH(kerberos5,
@ -3818,6 +3835,7 @@ fi
echo " Manpage format: $MANTYPE" echo " Manpage format: $MANTYPE"
echo " PAM support: $PAM_MSG" echo " PAM support: $PAM_MSG"
echo " KerberosV support: $KRB5_MSG" echo " KerberosV support: $KRB5_MSG"
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG" echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG" echo " S/KEY support: $SKEY_MSG"
echo " TCP Wrappers support: $TCPW_MSG" echo " TCP Wrappers support: $TCPW_MSG"
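Review bot: The AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level) test in the SELinux hunk links without -lselinux, because giving AC_CHECK_LIB an explicit action-if-found (`[ LIBSELINUX="-lselinux" ]`) replaces the default behaviour of prepending the library to LIBS. Unless -lselinux reaches LIBS some other way, both link tests fail, HAVE_GETSEUSERBYNAME and HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL are never defined, and port-linux.c silently takes its fallback paths (login name used as the SELinux user, no MLS level). Wrap the check so the library is visible to it: `save_LIBS="$LIBS"; LIBS="$LIBS $LIBSELINUX"` before the AC_CHECK_FUNCS line and `LIBS="$save_LIBS"` after it, keeping LIBSELINUX itself for the sshd link line only.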


@ -35,6 +35,9 @@ do_rsa1_keygen() {
if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA1_KEY chmod 600 $RSA1_KEY
chmod 644 $RSA1_KEY.pub chmod 644 $RSA1_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA1_KEY.pub
fi
success $"RSA1 key generation" success $"RSA1 key generation"
echo echo
else else
@ -51,6 +54,9 @@ do_rsa_keygen() {
if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $RSA_KEY chmod 600 $RSA_KEY
chmod 644 $RSA_KEY.pub chmod 644 $RSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $RSA_KEY.pub
fi
success $"RSA key generation" success $"RSA key generation"
echo echo
else else
@ -67,6 +73,9 @@ do_dsa_keygen() {
if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
chmod 600 $DSA_KEY chmod 600 $DSA_KEY
chmod 644 $DSA_KEY.pub chmod 644 $DSA_KEY.pub
if [ -x /sbin/restorecon ]; then
/sbin/restorecon $DSA_KEY.pub
fi
success $"DSA key generation" success $"DSA key generation"
echo echo
else else
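Review bot: The identical three-line restorecon block is pasted into do_rsa1_keygen, do_rsa_keygen and do_dsa_keygen; a small helper would keep them in step, e.g. `restore_context() { if [ -x /sbin/restorecon ]; then /sbin/restorecon "$1"; fi; }` called as `restore_context $RSA1_KEY.pub` in each function. Only the .pub file is relabelled while the private key written next to it is not; if that is deliberate (presumably the private key already receives the intended type when ssh-keygen creates it — confirm against the policy), a one-line comment such as `# public key is readable by clients, so give it its own file context` would save the next reader the question. Its exit status is ignored, which matches how the surrounding chmod calls are treated. All three enclosing functions start and end outside the hunks.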


@ -1,4 +1,4 @@
# $Id: Makefile.in,v 1.38 2006/03/15 02:09:20 djm Exp $ # $Id: Makefile.in,v 1.39 2006/04/22 11:26:08 djm Exp $
sysconfdir=@sysconfdir@ sysconfdir=@sysconfdir@
piddir=@piddir@ piddir=@piddir@
@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgroupl
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
PORTS=port-irix.o port-aix.o port-uw.o port-tun.o PORTS=port-irix.o port-linux.o port-aix.o port-uw.o port-tun.o
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<

View File

@ -1,4 +1,4 @@
/* $Id: openbsd-compat.h,v 1.35 2006/03/15 11:25:55 dtucker Exp $ */ /* $Id: openbsd-compat.h,v 1.36 2006/04/22 11:26:08 djm Exp $ */
/* /*
* Copyright (c) 1999-2003 Damien Miller. All rights reserved. * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@ -185,6 +185,7 @@ char *shadow_pw(struct passwd *pw);
#include "bsd-cray.h" #include "bsd-cray.h"
#include "bsd-cygwin_util.h" #include "bsd-cygwin_util.h"
#include "port-irix.h" #include "port-irix.h"
#include "port-linux.h"
#include "port-aix.h" #include "port-aix.h"
#include "port-uw.h" #include "port-uw.h"
#include "port-tun.h" #include "port-tun.h"

165
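--- /dev/null
+++ b/openbsd-compat/port-linux.c
@@ -0,0 +1,165 @@
+/* $Id: port-linux.c,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+/*
+* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+* Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+/*
+* Linux-specific portability code - just SELinux support at present
+*/
+#include "includes.h"
+#ifdef WITH_SELINUX
+#include "log.h"
+#include "port-linux.h"
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/get_context_list.h>
+/* Wrapper around is_selinux_enabled() to log its return value once only */
+static int
+ssh_selinux_enabled(void)
+{
+static int enabled = -1;
+if (enabled == -1) {
+enabled = is_selinux_enabled();
+debug("SELinux support %s", enabled ? "enabled" : "disabled");
+}
+return (enabled);
+}
+/* Return the default security context for the given username */
+static security_context_t
+ssh_selinux_getctxbyname(char *pwname)
+{
+security_context_t sc;
+char *sename = NULL, *lvl = NULL;
+int r;
+#ifdef HAVE_GETSEUSERBYNAME
+if (getseuserbyname(pwname, &sename, &lvl) != 0)
+return NULL;
+#else
+sename = pwname;
+lvl = NULL;
+#endif
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+r = get_default_context_with_level(sename, lvl, NULL, &sc);
+#else
+r = get_default_context(sename, NULL, &sc);
+#endif
+if (r != 0) {
+switch (security_getenforce()) {
+case -1:
+fatal("%s: ssh_selinux_getctxbyname: "
+"security_getenforce() failed", __func__);
+case 0:
+error("%s: Failed to get default SELinux security "
+"context for %s", __func__, pwname);
+default:
+fatal("%s: Failed to get default SELinux security "
+"context for %s (in enforcing mode)",
+__func__, pwname);
+}
+}
+#ifdef HAVE_GETSEUSERBYNAME
+if (sename != NULL)
+xfree(sename);
+if (lvl != NULL)
+xfree(lvl);
+#endif
+return (sc);
+}
+/* Set the execution context to the default for the specified user */
+void
+ssh_selinux_setup_exec_context(char *pwname)
+{
+security_context_t user_ctx = NULL;
+if (!ssh_selinux_enabled())
+return;
+debug3("%s: setting execution context", __func__);
+user_ctx = ssh_selinux_getctxbyname(pwname);
+if (setexeccon(user_ctx) != 0) {
+switch (security_getenforce()) {
+case -1:
+fatal("%s: security_getenforce() failed", __func__);
+case 0:
+error("%s: Failed to set SELinux execution "
+"context for %s", __func__, pwname);
+default:
+fatal("%s: Failed to set SELinux execution context "
+"for %s (in enforcing mode)", __func__, pwname);
+}
+}
+if (user_ctx != NULL)
+freecon(user_ctx);
+debug3("%s: done", __func__);
+}
+/* Set the TTY context for the specified user */
+void
+ssh_selinux_setup_pty(char *pwname, const char *tty)
+{
+security_context_t new_tty_ctx = NULL;
+security_context_t user_ctx = NULL;
+security_context_t old_tty_ctx = NULL;
+if (!ssh_selinux_enabled())
+return;
+debug3("%s: setting TTY context on %s", __func__, tty);
+user_ctx = ssh_selinux_getctxbyname(pwname);
+/* XXX: should these calls fatal() upon failure in enforcing mode? */
+if (getfilecon(tty, &old_tty_ctx) == -1) {
+error("%s: getfilecon: %s", __func__, strerror(errno));
+goto out;
+}
+if (security_compute_relabel(user_ctx, old_tty_ctx,
+SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+error("%s: security_compute_relabel: %s",
+__func__, strerror(errno));
+goto out;
+}
+if (setfilecon(tty, new_tty_ctx) != 0)
+error("%s: setfilecon: %s", __func__, strerror(errno));
+out:
+if (new_tty_ctx != NULL)
+freecon(new_tty_ctx);
+if (old_tty_ctx != NULL)
+freecon(old_tty_ctx);
+if (user_ctx != NULL)
+freecon(user_ctx);
+debug3("%s: done", __func__);
+}
+#endif /* WITH_SELINUX */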
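Review bot: In ssh_selinux_getctxbyname the `case 0:` branch of the `r != 0` switch falls through into `default:`, so a context lookup failure in permissive mode logs the error and then still calls fatal(); on top of that `sc` is never assigned on that path, so even with a break it would return an uninitialised pointer. The branch should end with `sc = NULL;` and `break;` so permissive mode really is non-fatal. ssh_selinux_setup_exec_context has the same missing `break;` after its permissive-mode error(), which again turns it into the enforcing-mode fatal(). Once ssh_selinux_getctxbyname can return NULL, the callers need a look too: setexeccon(NULL) resets the exec context and is acceptable, but ssh_selinux_setup_pty would hand a NULL user_ctx to security_compute_relabel and should skip the relabel (or fail, per the `XXX` question already left in that function) when no context could be found.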


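--- /dev/null
+++ b/openbsd-compat/port-linux.h
@@ -0,0 +1,27 @@
+/* $Id: port-linux.h,v 1.1 2006/04/22 11:26:08 djm Exp $ */
+/*
+* Copyright (c) 2006 Damien Miller <djm@openbsd.org>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+#ifndef _PORT_LINUX_H
+#define _PORT_LINUX_H
+#ifdef WITH_SELINUX
+void ssh_selinux_setup_pty(char *, const char *);
+void ssh_selinux_setup_exec_context(char *);
+#endif
+#endif /* ! _PORT_LINUX_H */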


@ -1352,6 +1352,10 @@ do_setusercontext(struct passwd *pw)
#endif #endif
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
#ifdef WITH_SELINUX
ssh_selinux_setup_exec_context(pw->pw_name);
#endif
} }
static void static void


@ -210,6 +210,10 @@ pty_setowner(struct passwd *pw, const char *tty)
fatal("stat(%.100s) failed: %.100s", tty, fatal("stat(%.100s) failed: %.100s", tty,
strerror(errno)); strerror(errno));
#ifdef WITH_SELINUX
ssh_selinux_setup_pty(pw->pw_name, tty);
#endif
if (st.st_uid != pw->pw_uid || st.st_gid != gid) { if (st.st_uid != pw->pw_uid || st.st_gid != gid) {
if (chown(tty, pw->pw_uid, gid) < 0) { if (chown(tty, pw->pw_uid, gid) < 0) {
if (errno == EROFS && if (errno == EROFS &&