Really apply patches, remove patch which refactors not existing code

2025-02-24 18:23:00 +00:00 · 2019-09-30 18:14:15 +03:00 · 2019-09-30 18:14:15 +03:00 · 3b6f385a11
commit 3b6f385a11
parent c392516891
3 changed files with 25 additions and 295 deletions
--- a/openssh-7.6p1-cleanup-selinux.patch
+++ b/openssh-7.6p1-cleanup-selinux.patch
@ -1,271 +0,0 @@
 diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
 --- openssh/auth2-pubkey.c.refactor	2019-04-04 13:19:12.188821236 +0200
 +++ openssh/auth2-pubkey.c	2019-04-04 13:19:12.276822078 +0200
@@ -72,6 +72,9 @@
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
 static char *
 format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
 	if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
 	    ac, av, &f,
 -	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
 +	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
 +	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
 		goto out;
 	uid_swapped = 1;
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
 	if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
 	    ac, av, &f,
 -	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
 +	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
 +	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
 		goto out;
 	uid_swapped = 1;
 diff -up openssh/auth.c.refactor openssh/auth.c
 --- openssh/auth.c.refactor	2019-04-04 13:19:12.235821686 +0200
 +++ openssh/auth.c	2019-04-04 13:19:12.276822078 +0200
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
  */
 pid_t
 subprocess(const char *tag, struct passwd *pw, const char *command,
 -    int ac, char **av, FILE **child, u_int flags)
 +    int ac, char **av, FILE **child, u_int flags, int inetd,
 +    void *the_authctxt)
 {
 	FILE *f = NULL;
 	struct stat st;
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
 		}
 #ifdef WITH_SELINUX
 -		if (sshd_selinux_setup_env_variables() < 0) {
 +		if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
 			error ("failed to copy environment:  %s",
 			    strerror(errno));
 			_exit(127);
 diff -up openssh/auth.h.refactor openssh/auth.h
 --- openssh/auth.h.refactor	2019-04-04 13:19:12.251821839 +0200
 +++ openssh/auth.h	2019-04-04 13:19:12.276822078 +0200
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
 #define	SSH_SUBPROCESS_STDOUT_CAPTURE  (1<<1)  /* Redirect stdout */
 #define	SSH_SUBPROCESS_STDERR_DISCARD  (1<<2)  /* Discard stderr */
 pid_t	subprocess(const char *, struct passwd *,
 -    const char *, int, char **, FILE **, u_int flags);
 +    const char *, int, char **, FILE **, u_int flags, int, void *);
 int	 sys_auth_passwd(struct ssh *, const char *);
 diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
 --- openssh/openbsd-compat/port-linux.h.refactor	2019-04-04 13:19:12.256821887 +0200
 +++ openssh/openbsd-compat/port-linux.h	2019-04-04 13:19:12.276822078 +0200
@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
 int sshd_selinux_enabled(void);
 void sshd_selinux_copy_context(void);
 -void sshd_selinux_setup_exec_context(char *);
 -int sshd_selinux_setup_env_variables(void);
 +void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
 +int sshd_selinux_setup_env_variables(int inetd, void *);
 void sshd_selinux_change_privsep_preauth_context(void);
 #endif
 diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
 --- openssh/openbsd-compat/port-linux-sshd.c.refactor	2019-04-04 13:19:12.256821887 +0200
 +++ openssh/openbsd-compat/port-linux-sshd.c	2019-04-04 13:19:12.276822078 +0200
@@ -49,11 +49,6 @@
 #include <unistd.h>
 #endif
 -extern ServerOptions options;
 -extern Authctxt *the_authctxt;
 -extern int inetd_flag;
 -extern int rexeced_flag;
 -
 /* Wrapper around is_selinux_enabled() to log its return value once only */
 int
 sshd_selinux_enabled(void)
@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
 }
 static void
 -ssh_selinux_get_role_level(char **role, const char **level)
 +ssh_selinux_get_role_level(char **role, const char **level,
 +    Authctxt *the_authctxt)
 {
 	*role = NULL;
 	*level = NULL;
@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
 /* Return the default security context for the given username */
 static int
 -sshd_selinux_getctxbyname(char *pwname,
 -	security_context_t *default_sc, security_context_t *user_sc)
 +sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
 +    security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
 {
 	char *sename, *lvl;
 	char *role;
@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
 	int r = 0;
 	context_t con = NULL;
 -	ssh_selinux_get_role_level(&role, &reqlvl);
 +	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
 #ifdef HAVE_GETSEUSERBYNAME
 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
 	if (r == 0) {
 		/* If launched from xinetd, we must use current level */
 -		if (inetd_flag && !rexeced_flag) {
 +		if (inetd) {
 			security_context_t sshdsc=NULL;
 			if (getcon_raw(&sshdsc) < 0)
@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
 /* Setup environment variables for pam_selinux */
 static int
 -sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
 +sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
 +    Authctxt *the_authctxt)
 {
 	const char *reqlvl;
 	char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
 	debug3("%s: setting execution context", __func__);
 -	ssh_selinux_get_role_level(&role, &reqlvl);
 +	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
 	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
 -	if (inetd_flag && !rexeced_flag) {
 +	if (inetd) {
 		use_current = "1";
 	} else {
 		use_current = "";
@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
 }
 static int
 -sshd_selinux_setup_pam_variables(void)
 +sshd_selinux_setup_pam_variables(int inetd,
 +    int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
 {
 -	return sshd_selinux_setup_variables(do_pam_putenv);
 +	return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
 }
 static int
@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
 }
 int
 -sshd_selinux_setup_env_variables(void)
 +sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
 {
 -	return sshd_selinux_setup_variables(do_setenv);
 +	Authctxt *authctxt = (Authctxt *) the_authctxt;
 +	return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
 }
 /* Set the execution context to the default for the specified user */
 void
 -sshd_selinux_setup_exec_context(char *pwname)
 +sshd_selinux_setup_exec_context(char *pwname, int inetd,
 +    int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
 {
 	security_context_t user_ctx = NULL;
 	int r = 0;
 	security_context_t default_ctx = NULL;
 +	Authctxt *authctxt = (Authctxt *) the_authctxt;
 	if (!sshd_selinux_enabled())
 		return;
 -	if (options.use_pam) {
 +	if (use_pam) {
 		/* do not compute context, just setup environment for pam_selinux */
 -		if (sshd_selinux_setup_pam_variables()) {
 +		if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
 			switch (security_getenforce()) {
 			case -1:
 				fatal("%s: security_getenforce() failed", __func__);
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
 	debug3("%s: setting execution context", __func__);
 -	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
 +	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
 	if (r >= 0) {
 		r = setexeccon(user_ctx);
 		if (r < 0) {
 diff -up openssh/platform.c.refactor openssh/platform.c
 --- openssh/platform.c.refactor	2019-04-04 13:19:12.204821389 +0200
 +++ openssh/platform.c	2019-04-04 13:19:12.277822088 +0200
@@ -32,6 +32,9 @@
 extern int use_privsep;
 extern ServerOptions options;
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
 void
 platform_pre_listen(void)
@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
 	}
 #endif /* HAVE_SETPCRED */
 #ifdef WITH_SELINUX
 -	sshd_selinux_setup_exec_context(pw->pw_name);
 +	sshd_selinux_setup_exec_context(pw->pw_name,
 +	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
 +	    options.use_pam);
 #endif
 }
 diff -up openssh/sshd.c.refactor openssh/sshd.c
 --- openssh/sshd.c.refactor	2019-04-04 13:19:12.275822068 +0200
 +++ openssh/sshd.c	2019-04-04 13:19:51.270195262 +0200
@@ -158,7 +158,7 @@ int debug_flag = 0;
 static int test_flag = 0;
 /* Flag indicating that the daemon is being started from inetd. */
 -static int inetd_flag = 0;
 +int inetd_flag = 0;
 /* Flag indicating that sshd should not detach and become a daemon. */
 static int no_daemon_flag = 0;
@@ -171,7 +171,7 @@ static char **saved_argv;
 static int saved_argc;
 /* re-exec */
 -static int rexeced_flag = 0;
 +int rexeced_flag = 0;
 static int rexec_flag = 1;
 static int rexec_argc = 0;
 static char **rexec_argv;
@@ -2192,7 +2192,9 @@ main(int ac, char **av)
 	}
 #endif
 #ifdef WITH_SELINUX
 -	sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
 +	sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
 +	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
 +	    options.use_pam);
 #endif
 #ifdef USE_PAM
 	if (options.use_pam) {
--- a/openssh-7.8p1-role-mls.patch
+++ b/openssh-7.8p1-role-mls.patch
@ -4,11 +4,11 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ssh->authctxt;
 	Authmethod *m = NULL;
- 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ 	char *user, *service, *method, *style = NULL;
 +#ifdef WITH_SELINUX
 +	char *role = NULL;
 +#endif
- 	int r, authenticated = 0;
+ 	int authenticated = 0;
 	double tstart = monotime_double();
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
@ -37,9 +37,9 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
 +			mm_inform_authrole(role);
 +#endif
 +		}
- 		userauth_banner(ssh);
+ 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
- 			ssh_packet_disconnect(ssh,
+ 			packet_disconnect("no authentication methods enabled");
 diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 --- openssh/auth2-gss.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/auth2-gss.c	2018-08-22 11:15:42.459799171 +0200
@ -57,7 +57,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 	mic.length = len;
 -	ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
 +#ifdef WITH_SELINUX
-+	if (authctxt->role && authctxt->role[0] != 0)
+	if (authctxt->role && (strlen(authctxt->role) > 0))
 +		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
 +	else
 +#endif
@ -197,15 +197,15 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 --- openssh/monitor.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/monitor.c	2018-08-22 11:19:56.006844867 +0200
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
- int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
+ int mm_answer_pwnamallow(int, struct sshbuf *);
- int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
+ int mm_answer_auth2_read_banner(int, struct sshbuf *);
- int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authserv(int, struct sshbuf *);
 +#ifdef WITH_SELINUX
-+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
+int mm_answer_authrole(int, struct sshbuf *);
 +#endif
- int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authpassword(int, struct sshbuf *);
- int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
+ int mm_answer_bsdauthquery(int, struct sshbuf *);
- int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
+ int mm_answer_bsdauthrespond(int, struct sshbuf *);
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
@ -227,12 +227,12 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 #ifdef USE_PAM
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
- 	return found;
+ 	return (0);
 }
 +#ifdef WITH_SELINUX
 +int
-+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+mm_answer_authrole(int sock, struct sshbuf *m)
 +{
 +	int r;
 +	monitor_permit_authentications(1);
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 +#endif
 +
 int
- mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
+ mm_answer_authpassword(int sock, struct sshbuf *m)
 {
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
 {
@ -338,13 +338,13 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
 --- openssh/monitor_wrap.h.role-mls	2018-08-22 11:14:56.818430941 +0200
 +++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
- int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
+ int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
-     const u_char *, size_t, const char *, u_int compat);
+     const char *, u_int compat);
 void mm_inform_authserv(char *, char *);
 +#ifdef WITH_SELINUX
 +void mm_inform_authrole(char *);
 +#endif
- struct passwd *mm_getpwnamallow(struct ssh *, const char *);
+ struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct ssh *, char *);
 diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
--- a/openssh.spec
+++ b/openssh.spec
@ -18,10 +18,12 @@
 %define XAUTH %{_bindir}/xauth
 %{?build_selinux}%{?!build_selinux:%bcond_with selinux}
 %define _default_patch_fuzz 3
 Summary:	OpenSSH free Secure Shell (SSH) implementation
 Name:		openssh
 Version:	7.9p1
-Release:	13
+Release:	14
 License:	BSD
 Group:		Networking/Remote access
 Url:		http://www.openssh.com/
@ -80,8 +82,6 @@ Patch28:	openssh-7.8p1-role-mls.patch
 Patch29:	openssh-6.6p1-privsep-selinux.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch30:	openssh-6.6.1p1-selinux-contexts.patch
 # Pass inetd flags for SELinux down to openbsd compat level
 Patch31:	openssh-7.6p1-cleanup-selinux.patch
 # /
 BuildRequires:	groff-base
@ -309,9 +309,6 @@ update-alternatives --remove bssh-askpass %{_libdir}/ssh/gnome-ssh-askpass
 sed -i 's|UsePrivilegeSeparation yes|#UsePrivilegeSeparation yes|' sshd_config
 %patch6 -p1 -b .lpk
 rm -f README.lpk.lpk
 %define _default_patch_fuzz 3
 %else
 %define _default_patch_fuzz 2
 %endif
 %if %{with sftpcontrol}
 echo "This patch is broken or needs to be updated/rediffed"; exit 1
@ -335,6 +332,10 @@ install %{SOURCE21} .
 %patch24 -p1 -b .fingerprint
 %patch25 -p1 -b .systemd
 %patch26 -p1 -b .scp
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
 install %{SOURCE12} .