
Updated patch for openssh



Hi,

        Please find enclosed a more targeted patch that brings the
 SELinux code in openssh into compatibility with the current SELinux
 code shipped in Debian. As before, after applying this patch one
 needs to run autoreconf (I did not want to bloat the patch with the
 irrelevant changes that autoreconf produces). Alternatively, you could
 edit ./configure manually to surgically change the SELinux bits.

        The binary and source packages are now on:
deb     http://people.debian.org/~srivasta/ packages/ 
deb-src http://people.debian.org/~srivasta/ packages/
   http://people.debian.org/~srivasta/packages/pool/o/openssh/

        The patch, which is pretty minimal at 270 lines of unified
 diff, is below.

        manoj

diff -uBbwr ../debian-current/openssh-4.3p2/configure.ac openssh-4.3p2/configure.ac
--- ../debian-current/openssh-4.3p2/configure.ac	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/configure.ac	2006-10-24 15:25:30.000000000 -0500
@@ -2986,15 +2986,25 @@
 
 # Check whether user wants SELinux support
 SELINUX_MSG="no"
+LIBSELINUX=""
 AC_ARG_WITH(selinux,
-	[  --with-selinux          Enable SELinux support],
+	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
 	[ if test "x$withval" != "xno" ; then
+		if test "x$withval" != "xyes"; then
+			CPPFLAGS="$CPPFLAGS -I${withval}/include"
+			if test -n "${need_dash_r}"; then
+				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+			else
+				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+			fi
+               fi 
 		AC_DEFINE(WITH_SELINUX, 1, [Define if you want SELinux support.])
 		SELINUX_MSG="yes"
 		AC_CHECK_HEADERS(selinux/selinux.h)
-		LIBS="$LIBS -lselinux"
+		LIBSELINUX="-lselinux"
 	fi
 	])
+AC_SUBST(LIBSELINUX)
 
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
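Review bot: The SELinux branch still only probes the header with AC_CHECK_HEADERS(selinux/selinux.h), while the selinux.c part of this mail starts calling getseuserbyname(), get_default_context_with_rolelevel() and get_default_context_with_level(); a build against a libselinux that predates those entry points will configure cleanly and fail at link time. Probing one of the new symbols where LIBSELINUX is set reports this at configure time without putting -lselinux into LIBS, e.g. `AC_CHECK_LIB(selinux, getseuserbyname, [LIBSELINUX="-lselinux"], [AC_MSG_ERROR([libselinux lacks getseuserbyname])])` in place of `LIBSELINUX="-lselinux"`. The `fi` closing the new path branch is space-indented while the surrounding AC_ARG_WITH body uses tabs.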
diff -uBbwr ../debian-current/openssh-4.3p2/Makefile.in openssh-4.3p2/Makefile.in
--- ../debian-current/openssh-4.3p2/Makefile.in	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/Makefile.in	2006-10-20 15:34:48.000000000 -0500
@@ -43,6 +43,7 @@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -136,7 +137,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.c openssh-4.3p2/monitor.c
--- ../debian-current/openssh-4.3p2/monitor.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.c	2006-10-20 15:34:48.000000000 -0500
@@ -111,6 +111,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -182,6 +183,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -638,6 +640,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -692,6 +695,23 @@
 }
 
 int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+
+int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
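Review bot: mm_answer_authrole() opens with monitor_permit_authentications(1), so a MONITOR_REQ_AUTHROLE message on its own unlocks the authentication requests in the monitor even when MONITOR_REQ_AUTHSERV has not arrived; that gate belongs to mm_answer_authserv(), which actually records service and style, and this message only carries a role, so unless there is a reason I am missing the first line of the body should go. The empty-string convention shared with mm_inform_authrole() is undocumented; a comment above the strlen check such as `/* The unprivileged side sends "" for "no role"; map it back to NULL. */` would make the round trip clear. The role string is supplied by the unprivileged process and, presumably, originates in the login name; the monitor does no validation of its own and relies on libselinux's role/level lookup in selinux_get_user_context() to reject roles the user may not assume, which is worth stating in the same comment.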
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.h openssh-4.3p2/monitor.h
--- ../debian-current/openssh-4.3p2/monitor.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.h	2006-10-20 15:34:48.000000000 -0500
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
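Review bot: `MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,` is the only entry in this enum without a space after the comma; `MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,` matches the rest. Inserting the new request in the middle of the enum also renumbers every request type after it; that is harmless as long as both ends of the monitor socket come from the same build, but appending the new value at the end keeps the numbering stable and the diff against upstream smaller.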
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.c openssh-4.3p2/monitor_wrap.c
--- ../debian-current/openssh-4.3p2/monitor_wrap.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.c	2006-10-20 15:34:48.000000000 -0500
@@ -272,6 +272,23 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
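Review bot: The comment above mm_inform_authrole() should record the wire convention the function establishes, since the monitor side depends on it: `/* Inform the privileged process about the role; NULL is sent as "" and mapped back to NULL by the monitor. */`. The parameter is only read, so `void mm_inform_authrole(const char *role)` (with the matching change to the prototype in monitor_wrap.h later in this mail) documents that and lets callers pass const strings. The blank line between the comment and the `void` line also differs from the neighbouring `/* Do the password authentication */` block, where the comment sits directly on the definition.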
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.h openssh-4.3p2/monitor_wrap.h
--- ../debian-current/openssh-4.3p2/monitor_wrap.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.h	2006-10-20 15:39:45.000000000 -0500
@@ -44,6 +44,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.c openssh-4.3p2/selinux.c
--- ../debian-current/openssh-4.3p2/selinux.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.c	2006-10-20 15:57:51.000000000 -0500
@@ -13,20 +11,24 @@
 
 extern Authctxt *the_authctxt;
 
-static security_context_t
+static const security_context_t 
 selinux_get_user_context(const char *name)
 {
 	security_context_t user_context = NULL;
 	char *role = NULL;
-	int ret = 0;
+	int ret = -1;
+	char *seuser=NULL;
+	char *level=NULL;
 
 	if (the_authctxt)
 		role = the_authctxt->role;
+        if (getseuserbyname(name, &seuser, &level)==0) {
 	if (role != NULL && role[0])
-		ret = get_default_context_with_role(name, role, NULL,
+            ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
 		    &user_context);
 	else
-		ret = get_default_context(name, NULL, &user_context);
+            ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+        }
 	if (ret < 0) {
 		if (security_getenforce() > 0)
 			fatal("Failed to get default security context for %s.",
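Review bot: seuser and level, filled in by getseuserbyname() on the new line before the role check, are heap strings the caller must free, and neither is released on any path, so every call of selinux_get_user_context() leaks both; `free(seuser); free(level);` after the inner if/else (once ret is known they are no longer needed, and free(NULL) is fine on the failure path) fixes it. `static const security_context_t` on the return type qualifies the pointer itself, because security_context_t is a typedef for char *, and callers freecon() the result anyway, so the qualifier adds nothing and the original return type should stay. The added lines are space-indented inside a tab-indented function, and the same tab/space mix recurs in the three following hunks of this file. The hunk header offsets (-13 → +11) suggest two lines above this point were changed by a hunk the mail does not include, so the patch may be incomplete; the function body also continues past the end of this hunk.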
@@ -42,12 +44,9 @@
 void
 setup_selinux_pty(const char *name, const char *tty)
 {
-	security_context_t new_tty_context, user_context, old_tty_context;
+  if (is_selinux_enabled() > 0) {
+    security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
 
-	if (is_selinux_enabled() <= 0)
-		return;
-
-	new_tty_context = old_tty_context = NULL;
 	user_context = selinux_get_user_context(name);
 
 	if (getfilecon(tty, &old_tty_context) < 0) {
@@ -66,20 +65,18 @@
 		}
 		freecon(old_tty_context);
 	}
-	if (user_context)
+    if (user_context) {
 		freecon(user_context);
 }
+  }
+}
 
 void
-setup_selinux_exec_context(const char *name)
+setup_selinux_exec_context(char *name)
 {
-	security_context_t user_context;
-
-	if (is_selinux_enabled() <= 0)
-		return;
-
-	user_context = selinux_get_user_context(name);
 
+  if (is_selinux_enabled() > 0) {
+    security_context_t user_context=selinux_get_user_context(name);
 	if (setexeccon(user_context)) {
 		if (security_getenforce() > 0)
 			fatal("Failed to set exec security context %s for %s.",
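Review bot: The signature becomes `setup_selinux_exec_context(char *name)` while selinux.h, patched later in this mail, still declares `extern void setup_selinux_exec_context(const char *);`; if selinux.c includes its own header those are conflicting types and the file will not compile, and even if it does not, callers holding a const pointer can no longer pass it. Nothing in the body writes through name — it is only handed to selinux_get_user_context(), which takes `const char *` — so keep `setup_selinux_exec_context(const char *name)`. The function ends in the next hunk.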
@@ -89,23 +86,10 @@
 			    "Continuing in permissive mode",
 			    user_context, name);
 	}
-	if (user_context)
+    if (user_context) {
 		freecon(user_context);
 }
-
-#else /* WITH_SELINUX */
-
-void
-setup_selinux_pty(const char *name, const char *tty)
-{
-	(void) name;
-	(void) tty;
 }
-
-void
-setup_selinux_exec_context(const char *name)
-{
-	(void) name;
 }
 
 #endif /* WITH_SELINUX */
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.h openssh-4.3p2/selinux.h
--- ../debian-current/openssh-4.3p2/selinux.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.h	2006-10-20 15:41:29.000000000 -0500
@@ -1,7 +1,15 @@
 #ifndef SELINUX_H
 #define SELINUX_H
 
+#  ifdef WITH_SELINUX
+
 extern void setup_selinux_pty(const char *, const char *);
 extern void setup_selinux_exec_context(const char *);
 
+#  else
+
+static inline void setup_selinux_pty(const char *name, const char *tty) {}
+static inline void setup_selinux_exec_context(const char *name) {} 
+
+#endif /* WITH_SELINUX */
 #endif /* SELINUX_H */
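Review bot: The inline stubs drop the `(void) name;` / `(void) tty;` statements that the removed selinux.c stubs had, so every translation unit that includes this header in a non-SELinux build now gets an unused-parameter warning if the build enables that warning; `static inline void setup_selinux_pty(const char *name, const char *tty) { (void) name; (void) tty; }` and `static inline void setup_selinux_exec_context(const char *name) { (void) name; }` keep them quiet. `static inline` in a shared header also assumes a C99 compiler, which the plain functions it replaces did not; if the tree still targets older compilers, the previous out-of-line stubs (or a compat macro) would be safer. The `#  ifdef` / `#  else` lines are indented while the matching `#endif /* WITH_SELINUX */` is not, and the second stub line carries trailing whitespace.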
-- 
Armstrong's Collection Law: If the check is truly in the mail, it is
surely made out to someone else.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
