Really apply patches, remove patch which refactors not existing code

2025-02-24 10:13:00 +00:00 · 2019-09-30 18:14:15 +03:00 · 2019-09-30 18:14:15 +03:00 · 3b6f385a11
commit 3b6f385a11
parent c392516891
3 changed files with 25 additions and 295 deletions
--- a/openssh-7.6p1-cleanup-selinux.patch
+++ b/openssh-7.6p1-cleanup-selinux.patch
@ -1,271 +0,0 @@
-diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor	2019-04-04 13:19:12.188821236 +0200
-+++ openssh/auth2-pubkey.c	2019-04-04 13:19:12.276822078 +0200
-@@ -72,6 +72,9 @@
- extern ServerOptions options;
- extern u_char *session_id2;
- extern u_int session_id2_len;
-+extern int inetd_flag;
-+extern int rexeced_flag;
-+extern Authctxt *the_authctxt;
- 
- static char *
- format_key(const struct sshkey *key)
-@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
- 
- 	if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
- 	    ac, av, &f,
-	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
-+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
-+	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
- 		goto out;
- 
- 	uid_swapped = 1;
-@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
- 
- 	if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
- 	    ac, av, &f,
-	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
-+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
-+	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
- 		goto out;
- 
- 	uid_swapped = 1;
-diff -up openssh/auth.c.refactor openssh/auth.c
--- openssh/auth.c.refactor	2019-04-04 13:19:12.235821686 +0200
-+++ openssh/auth.c	2019-04-04 13:19:12.276822078 +0200
-@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
-  */
- pid_t
- subprocess(const char *tag, struct passwd *pw, const char *command,
-    int ac, char **av, FILE **child, u_int flags)
-+    int ac, char **av, FILE **child, u_int flags, int inetd,
-+    void *the_authctxt)
- {
- 	FILE *f = NULL;
- 	struct stat st;
-@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
- 		}
- 
- #ifdef WITH_SELINUX
-		if (sshd_selinux_setup_env_variables() < 0) {
-+		if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
- 			error ("failed to copy environment:  %s",
- 			    strerror(errno));
- 			_exit(127);
-diff -up openssh/auth.h.refactor openssh/auth.h
--- openssh/auth.h.refactor	2019-04-04 13:19:12.251821839 +0200
-+++ openssh/auth.h	2019-04-04 13:19:12.276822078 +0200
-@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
- #define	SSH_SUBPROCESS_STDOUT_CAPTURE  (1<<1)  /* Redirect stdout */
- #define	SSH_SUBPROCESS_STDERR_DISCARD  (1<<2)  /* Discard stderr */
- pid_t	subprocess(const char *, struct passwd *,
-    const char *, int, char **, FILE **, u_int flags);
-+    const char *, int, char **, FILE **, u_int flags, int, void *);
- 
- int	 sys_auth_passwd(struct ssh *, const char *);
- 
-diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor	2019-04-04 13:19:12.256821887 +0200
-+++ openssh/openbsd-compat/port-linux.h	2019-04-04 13:19:12.276822078 +0200
-@@ -26,8 +26,8 @@ void ssh_selinux_setfscreatecon(const ch
- 
- int sshd_selinux_enabled(void);
- void sshd_selinux_copy_context(void);
-void sshd_selinux_setup_exec_context(char *);
-int sshd_selinux_setup_env_variables(void);
-+void sshd_selinux_setup_exec_context(char *, int, int(char *, const char *), void *, int);
-+int sshd_selinux_setup_env_variables(int inetd, void *);
- void sshd_selinux_change_privsep_preauth_context(void);
- #endif
- 
-diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.refactor	2019-04-04 13:19:12.256821887 +0200
-+++ openssh/openbsd-compat/port-linux-sshd.c	2019-04-04 13:19:12.276822078 +0200
-@@ -49,11 +49,6 @@
- #include <unistd.h>
- #endif
- 
-extern ServerOptions options;
-extern Authctxt *the_authctxt;
-extern int inetd_flag;
-extern int rexeced_flag;
-
- /* Wrapper around is_selinux_enabled() to log its return value once only */
- int
- sshd_selinux_enabled(void)
-@@ -223,7 +218,8 @@ get_user_context(const char *sename, con
- }
- 
- static void
-ssh_selinux_get_role_level(char **role, const char **level)
-+ssh_selinux_get_role_level(char **role, const char **level,
-+    Authctxt *the_authctxt)
- {
- 	*role = NULL;
- 	*level = NULL;
-@@ -241,8 +237,8 @@ ssh_selinux_get_role_level(char **role,
- 
- /* Return the default security context for the given username */
- static int
-sshd_selinux_getctxbyname(char *pwname,
-	security_context_t *default_sc, security_context_t *user_sc)
-+sshd_selinux_getctxbyname(char *pwname, security_context_t *default_sc,
-+    security_context_t *user_sc, int inetd, Authctxt *the_authctxt)
- {
- 	char *sename, *lvl;
- 	char *role;
-@@ -250,7 +246,7 @@ sshd_selinux_getctxbyname(char *pwname,
- 	int r = 0;
- 	context_t con = NULL;
- 
-	ssh_selinux_get_role_level(&role, &reqlvl);
-+	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
- 
- #ifdef HAVE_GETSEUSERBYNAME
- 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
-@@ -272,7 +268,7 @@ sshd_selinux_getctxbyname(char *pwname,
- 
- 	if (r == 0) {
- 		/* If launched from xinetd, we must use current level */
-		if (inetd_flag && !rexeced_flag) {
-+		if (inetd) {
- 			security_context_t sshdsc=NULL;
- 
- 			if (getcon_raw(&sshdsc) < 0)
-@@ -333,7 +329,8 @@ sshd_selinux_getctxbyname(char *pwname,
- 
- /* Setup environment variables for pam_selinux */
- static int
-sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
-+sshd_selinux_setup_variables(int(*set_it)(char *, const char *), int inetd,
-+    Authctxt *the_authctxt)
- {
- 	const char *reqlvl;
- 	char *role;
-@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
- 
- 	debug3("%s: setting execution context", __func__);
- 
-	ssh_selinux_get_role_level(&role, &reqlvl);
-+	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
- 
- 	rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
- 
-	if (inetd_flag && !rexeced_flag) {
-+	if (inetd) {
- 		use_current = "1";
- 	} else {
- 		use_current = "";
-@@ -362,9 +359,10 @@ sshd_selinux_setup_variables(int(*set_it
- }
- 
- static int
-sshd_selinux_setup_pam_variables(void)
-+sshd_selinux_setup_pam_variables(int inetd,
-+    int(pam_setenv)(char *, const char *), Authctxt *the_authctxt)
- {
-	return sshd_selinux_setup_variables(do_pam_putenv);
-+	return sshd_selinux_setup_variables(pam_setenv, inetd, the_authctxt);
- }
- 
- static int
-@@ -374,25 +372,28 @@ do_setenv(char *name, const char *value)
- }
- 
- int
-sshd_selinux_setup_env_variables(void)
-+sshd_selinux_setup_env_variables(int inetd, void *the_authctxt)
- {
-	return sshd_selinux_setup_variables(do_setenv);
-+	Authctxt *authctxt = (Authctxt *) the_authctxt;
-+	return sshd_selinux_setup_variables(do_setenv, inetd, authctxt);
- }
- 
- /* Set the execution context to the default for the specified user */
- void
-sshd_selinux_setup_exec_context(char *pwname)
-+sshd_selinux_setup_exec_context(char *pwname, int inetd,
-+    int(pam_setenv)(char *, const char *), void *the_authctxt, int use_pam)
- {
- 	security_context_t user_ctx = NULL;
- 	int r = 0;
- 	security_context_t default_ctx = NULL;
-+	Authctxt *authctxt = (Authctxt *) the_authctxt;
- 
- 	if (!sshd_selinux_enabled())
- 		return;
- 
-	if (options.use_pam) {
-+	if (use_pam) {
- 		/* do not compute context, just setup environment for pam_selinux */
-		if (sshd_selinux_setup_pam_variables()) {
-+		if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
- 			switch (security_getenforce()) {
- 			case -1:
- 				fatal("%s: security_getenforce() failed", __func__);
-@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
- 
- 	debug3("%s: setting execution context", __func__);
- 
-	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
-+	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
- 	if (r >= 0) {
- 		r = setexeccon(user_ctx);
- 		if (r < 0) {
-diff -up openssh/platform.c.refactor openssh/platform.c
--- openssh/platform.c.refactor	2019-04-04 13:19:12.204821389 +0200
-+++ openssh/platform.c	2019-04-04 13:19:12.277822088 +0200
-@@ -32,6 +32,9 @@
- 
- extern int use_privsep;
- extern ServerOptions options;
-+extern int inetd_flag;
-+extern int rexeced_flag;
-+extern Authctxt *the_authctxt;
- 
- void
- platform_pre_listen(void)
-@@ -183,7 +186,9 @@ platform_setusercontext_post_groups(stru
- 	}
- #endif /* HAVE_SETPCRED */
- #ifdef WITH_SELINUX
-	sshd_selinux_setup_exec_context(pw->pw_name);
-+	sshd_selinux_setup_exec_context(pw->pw_name,
-+	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
-+	    options.use_pam);
- #endif
- }
- 
-diff -up openssh/sshd.c.refactor openssh/sshd.c
--- openssh/sshd.c.refactor	2019-04-04 13:19:12.275822068 +0200
-+++ openssh/sshd.c	2019-04-04 13:19:51.270195262 +0200
-@@ -158,7 +158,7 @@ int debug_flag = 0;
- static int test_flag = 0;
- 
- /* Flag indicating that the daemon is being started from inetd. */
-static int inetd_flag = 0;
-+int inetd_flag = 0;
- 
- /* Flag indicating that sshd should not detach and become a daemon. */
- static int no_daemon_flag = 0;
-@@ -171,7 +171,7 @@ static char **saved_argv;
- static int saved_argc;
- 
- /* re-exec */
-static int rexeced_flag = 0;
-+int rexeced_flag = 0;
- static int rexec_flag = 1;
- static int rexec_argc = 0;
- static char **rexec_argv;
-@@ -2192,7 +2192,9 @@ main(int ac, char **av)
- 	}
- #endif
- #ifdef WITH_SELINUX
-	sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
-+	sshd_selinux_setup_exec_context(authctxt->pw->pw_name,
-+	    (inetd_flag && !rexeced_flag), do_pam_putenv, the_authctxt,
-+	    options.use_pam);
- #endif
- #ifdef USE_PAM
- 	if (options.use_pam) {
--- a/openssh-7.8p1-role-mls.patch
+++ b/openssh-7.8p1-role-mls.patch
@ -4,11 +4,11 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
@@ -256,6 +256,9 @@ input_userauth_request(int type, u_int32
 	Authctxt *authctxt = ssh->authctxt;
 	Authmethod *m = NULL;
- 	char *user = NULL, *service = NULL, *method = NULL, *style = NULL;
+ 	char *user, *service, *method, *style = NULL;
 +#ifdef WITH_SELINUX
 +	char *role = NULL;
 +#endif
- 	int r, authenticated = 0;
+ 	int authenticated = 0;
 	double tstart = monotime_double();
 
@@ -268,6 +271,11 @@ input_userauth_request(int type, u_int32
@ -37,9 +37,9 @@ diff -up openssh/auth2.c.role-mls openssh/auth2.c
 +			mm_inform_authrole(role);
 +#endif
 +		}
- 		userauth_banner(ssh);
+ 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
- 			ssh_packet_disconnect(ssh,
+ 			packet_disconnect("no authentication methods enabled");
 diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 --- openssh/auth2-gss.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/auth2-gss.c	2018-08-22 11:15:42.459799171 +0200
@ -57,7 +57,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 	mic.length = len;
 -	ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
 +#ifdef WITH_SELINUX
-+	if (authctxt->role && authctxt->role[0] != 0)
+	if (authctxt->role && (strlen(authctxt->role) > 0))
 +		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
 +	else
 +#endif
@ -197,15 +197,15 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 --- openssh/monitor.c.role-mls	2018-08-20 07:57:29.000000000 +0200
 +++ openssh/monitor.c	2018-08-22 11:19:56.006844867 +0200
@@ -115,6 +115,9 @@ int mm_answer_sign(int, struct sshbuf *)
- int mm_answer_pwnamallow(struct ssh *, int, struct sshbuf *);
- int mm_answer_auth2_read_banner(struct ssh *, int, struct sshbuf *);
- int mm_answer_authserv(struct ssh *, int, struct sshbuf *);
+ int mm_answer_pwnamallow(int, struct sshbuf *);
+ int mm_answer_auth2_read_banner(int, struct sshbuf *);
+ int mm_answer_authserv(int, struct sshbuf *);
 +#ifdef WITH_SELINUX
-+int mm_answer_authrole(struct ssh *, int, struct sshbuf *);
+int mm_answer_authrole(int, struct sshbuf *);
 +#endif
- int mm_answer_authpassword(struct ssh *, int, struct sshbuf *);
- int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *);
- int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *);
+ int mm_answer_authpassword(int, struct sshbuf *);
+ int mm_answer_bsdauthquery(int, struct sshbuf *);
+ int mm_answer_bsdauthrespond(int, struct sshbuf *);
@@ -189,6 +192,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
@ -227,12 +227,12 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 
 #ifdef USE_PAM
@@ -842,6 +851,26 @@ mm_answer_authserv(int sock, struct sshb
- 	return found;
+ 	return (0);
 }
 
 +#ifdef WITH_SELINUX
 +int
-+mm_answer_authrole(struct ssh *ssh, int sock, struct sshbuf *m)
+mm_answer_authrole(int sock, struct sshbuf *m)
 +{
 +	int r;
 +	monitor_permit_authentications(1);
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 +#endif
 +
 int
- mm_answer_authpassword(struct ssh *ssh, int sock, struct sshbuf *m)
+ mm_answer_authpassword(int sock, struct sshbuf *m)
 {
@@ -1218,7 +1247,7 @@ monitor_valid_userblob(u_char *data, u_i
 {
@ -338,13 +338,13 @@ diff -up openssh/monitor_wrap.h.role-mls openssh/monitor_wrap.h
 --- openssh/monitor_wrap.h.role-mls	2018-08-22 11:14:56.818430941 +0200
 +++ openssh/monitor_wrap.h	2018-08-22 11:22:10.439929513 +0200
@@ -44,6 +44,9 @@ DH *mm_choose_dh(int, int, int);
- int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
-     const u_char *, size_t, const char *, u_int compat);
+ int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
+     const char *, u_int compat);
 void mm_inform_authserv(char *, char *);
 +#ifdef WITH_SELINUX
 +void mm_inform_authrole(char *);
 +#endif
- struct passwd *mm_getpwnamallow(struct ssh *, const char *);
+ struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct ssh *, char *);
 diff -up openssh/openbsd-compat/Makefile.in.role-mls openssh/openbsd-compat/Makefile.in
--- a/openssh.spec
+++ b/openssh.spec
@ -18,10 +18,12 @@
 %define XAUTH %{_bindir}/xauth
 %{?build_selinux}%{?!build_selinux:%bcond_with selinux}

+%define _default_patch_fuzz 3
+
 Summary:	OpenSSH free Secure Shell (SSH) implementation
 Name:		openssh
 Version:	7.9p1
-Release:	13
+Release:	14
 License:	BSD
 Group:		Networking/Remote access
 Url:		http://www.openssh.com/
@ -80,8 +82,6 @@ Patch28:	openssh-7.8p1-role-mls.patch
 Patch29:	openssh-6.6p1-privsep-selinux.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch30:	openssh-6.6.1p1-selinux-contexts.patch
-# Pass inetd flags for SELinux down to openbsd compat level
-Patch31:	openssh-7.6p1-cleanup-selinux.patch
 # /

 BuildRequires:	groff-base
@ -309,9 +309,6 @@ update-alternatives --remove bssh-askpass %{_libdir}/ssh/gnome-ssh-askpass
 sed -i 's|UsePrivilegeSeparation yes|#UsePrivilegeSeparation yes|' sshd_config
 %patch6 -p1 -b .lpk
 rm -f README.lpk.lpk
-%define _default_patch_fuzz 3
-%else
-%define _default_patch_fuzz 2
 %endif
 %if %{with sftpcontrol}
 echo "This patch is broken or needs to be updated/rediffed"; exit 1
@ -335,6 +332,10 @@ install %{SOURCE21} .
 %patch24 -p1 -b .fingerprint
 %patch25 -p1 -b .systemd
 %patch26 -p1 -b .scp
+%patch27 -p1
+%patch28 -p1
+%patch29 -p1
+%patch30 -p1

 install %{SOURCE12} .