From 51fa929a90af082f6f53f1c85ea99570bf7e0132 Mon Sep 17 00:00:00 2001
From: dtucker
Date: Sat, 24 Oct 2009 04:04:12 +0000
Subject: [PATCH] - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux is enabled set the security context to "sftpd_t" before running the internal sftp server Based on a patch from jchadima at redhat.

---
 ChangeLog                   |  3 +++
 openbsd-compat/port-linux.c | 35 +++++++++++++++++++++++++++++++++++
 openbsd-compat/port-linux.h |  1 +
 session.c                   |  3 +++
 4 files changed, 42 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 1b06168a..37c92818 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,9 @@
    [ssh-keygen.1] ssh-keygen now uses AES-128 for private keys
  - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
+ - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
+   is enabled set the security context to "sftpd_t" before running the
+   internal sftp server Based on a patch from jchadima at redhat.
 
 20091011
  - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 2e7970e6..eea6b19b 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -29,6 +29,7 @@
 #ifdef WITH_SELINUX
 #include "log.h"
+#include "xmalloc.h"
 #include "port-linux.h"
 #include 
@@ -168,4 +169,38 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 	freecon(user_ctx);
 	debug3("%s: done", __func__);
 }
+
+void
+ssh_selinux_change_context(const char *newname)
+{
+	int len, newlen;
+	char *oldctx, *newctx, *cx;
+
+	if (!ssh_selinux_enabled())
+		return;
+
+	if (getcon((security_context_t *)&oldctx) < 0) {
+		logit("%s: getcon failed with %s", __func__, strerror (errno));
+		return;
+	}
+	if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
+	    NULL) {
+		logit ("%s: unparseable context %s", __func__, oldctx);
+		return;
+	}
+
+	newlen = strlen(oldctx) + strlen(newname) + 1;
+	newctx = xmalloc(newlen);
+	len = cx - oldctx + 1;
+	memcpy(newctx, oldctx, len);
+	strlcpy(newctx + len, newname, newlen - len);
+	if ((cx = index(cx + 1, ':')))
+		strlcat(newctx, cx, newlen);
+	debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
+	    newctx);
+	if (setcon(newctx) < 0)
+		logit("%s: setcon failed with %s", __func__, strerror (errno));
+	xfree(oldctx);
+	xfree(newctx);
+}
 #endif /* WITH_SELINUX */
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index 36edd554..6b59d84b 100644
--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
@@ -23,6 +23,7 @@
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
+void ssh_selinux_change_context(const char *);
 #endif
 
 #endif /* ! _PORT_LINUX_H */
diff --git a/session.c b/session.c
index d55419fb..78192314 100644
--- a/session.c
+++ b/session.c
@@ -1796,6 +1796,9 @@ do_child(Session *s, const char *command)
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
+#ifdef WITH_SELINUX
+		ssh_selinux_change_context("sftpd_t");
+#endif
 		exit(sftp_server_main(i, argv, s->pw));
 	}
 
-- 
2.45.1
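Review bot: A setcon() failure at `if (setcon(newctx) < 0)` is only logged, so when the loaded policy has no such type or forbids the transition, the caller in the session.c hunk still goes on to run the internal sftp server in the unchanged context and, since the function returns void, cannot tell; a failed domain transition is a fail-open condition and should be fatal() (at most downgraded to error() when SELinux reports permissive mode), which is how I would expect the rest of this file to treat context errors — confirm against ssh_selinux_setup_exec_context, which is outside the hunk. The `unparseable context` branch returns after a successful getcon() without releasing `oldctx`, and the normal path releases it with `xfree` although the context line above shows this file freeing libselinux contexts with `freecon(user_ctx)`; add `freecon(oldctx);` before that `return;` and change `xfree(oldctx);` to `freecon(oldctx);`. The `int len, newlen;` pair holds `strlen()` results and a pointer difference, so `size_t len, newlen;` avoids the implicit narrowing, and `strchr` is the standard spelling of the obsolete `index`. A header comment stating that the function rewrites only the type field of the current `user:role:type[:level]` context and leaves the others untouched would also help the next reader.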
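Review bot: The new call `ssh_selinux_change_context("sftpd_t");` carries no comment explaining why the transition happens at this point or what it depends on: it is placed, presumably after the privilege drop earlier in do_child, so that only the in-process sftp server runs under the new domain, it requires the loaded policy to define that type, and it returns nothing, so do_child cannot react here if the transition failed. Add a comment above the `#ifdef WITH_SELINUX`, such as `/* Switch this child to the sftpd_t domain (the policy must define it) before the in-process sftp server starts. */`. do_child begins and ends outside the hunk.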