[policycoreutils] Do not drop capability bounding set in seunshare, this allows sandbox to run setuid apps.

Daniel J Walsh dwalsh at fedoraproject.org
Mon Jun 13 17:37:17 UTC 2011


commit 173e9f90db2be181dea94f8bb5a334476b4d82bd
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Jun 13 13:37:04 2011 -0400

    Do not drop capability bounding set in seunshare, this allows sandbox to
    run setuid apps.

 policycoreutils-rhat.patch |   33 ++++++++++++++++++++++++++++-----
 policycoreutils.spec       |    6 +++++-
 2 files changed, 33 insertions(+), 6 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 7906d75..153e0a3 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1603,6 +1603,28 @@ index 540860a..10175dd 100644
  connects the physical terminal it was invoked upon with the pseudo
  terminal, passing keyboard input into to the child process, and passing the
  output of the child process to the physical terminal.
+diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
+index 9db766c..068e24c 100644
+--- a/policycoreutils/run_init/run_init.c
++++ b/policycoreutils/run_init/run_init.c
+@@ -414,10 +414,17 @@ int main(int argc, char *argv[])
+ 	 * execvp or using a exec(1) recycles pty's, and does not open a new
+ 	 * one. 
+ 	 */
++#ifdef USE_OPEN_INIT_PTY
+ 	if (execvp("/usr/sbin/open_init_pty", argv)) {
+ 		perror("execvp");
+ 		exit(-1);
+ 	}
++#else
++	if (execvp(argv[1], argv + 1)) {
++		perror("execvp");
++		exit(-1);
++	}
++#endif
+ 	return 0;
+ 
+ }				/* main() */
 diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
 index ff0ee7c..0c8a085 100644
 --- a/policycoreutils/sandbox/Makefile
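Review bot: The new `#else` branch execs `argv[1]` directly, which is precisely what the comment just above it (`execvp or using a exec(1) recycles pty's, and does not open a new one`) gives as the reason for routing through open_init_pty, so in a build without USE_OPEN_INIT_PTY that comment now contradicts the code it sits on. I would extend it with `When USE_OPEN_INIT_PTY is not defined the program is exec'd directly and keeps the caller's pty; see open_init_pty for why a fresh pty is otherwise preferred.` Note also that `execvp(argv[1], argv + 1)` resolves a caller-supplied name through the caller's PATH, and `argv[1]` is NULL when argc < 2; main() begins outside this hunk, so I cannot see whether argc and the environment are validated before this point, and it is worth confirming since the exec presumably happens after the security context has been set.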
@@ -2143,7 +2165,7 @@ index 0000000..e7b8991
 +and
 +.I Thomas Liu <tliu at fedoraproject.org>
 diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index ec692e7..49dad71 100644
+index ec692e7..52362e0 100644
 --- a/policycoreutils/sandbox/seunshare.c
 +++ b/policycoreutils/sandbox/seunshare.c
 @@ -1,28 +1,35 @@
@@ -2211,16 +2233,17 @@ index ec692e7..49dad71 100644
 -static int drop_capabilities(uid_t uid)
 +static int drop_caps()
  {
-+	if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
-+		return 0;
- 	capng_clear(CAPNG_SELECT_BOTH);
+-	capng_clear(CAPNG_SELECT_BOTH);
 -
 -	if (capng_lock() < 0) 
 -		return -1;
 -	/* Change uid */
 -	if (setresuid(uid, uid, uid)) {
 -		fprintf(stderr, _("Error changing uid, aborting.\n"));
-+	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
++	if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
++		return 0;
++	capng_clear(CAPNG_SELECT_CAPS);
++	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
 +		fprintf(stderr, _("Failed to drop all capabilities\n"));
  		return -1;
  	}
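Review bot: Clearing `CAPNG_SELECT_CAPS` instead of `CAPNG_SELECT_BOTH` leaves the bounding set populated, so a setuid-root or file-capability binary exec'd inside the sandbox can regain the capabilities this function just dropped; that is the stated intent, but nothing in the code records that containing such binaries now rests on the sandbox SELinux policy (plus whatever securebits `capng_lock()` manages to set) rather than on the bounding set. I would put that above the clear: `/* Only the permitted/effective/inheritable sets are cleared; the bounding set is kept so setuid programs in the sandbox can still gain their capabilities, and confining them is left to SELinux policy. */`. Two smaller points: the early return on `CAPNG_NONE` also skips `capng_lock()`, which is presumably fine only because locking the securebits itself requires a capability the process would then lack, and that deserves a one-line comment; and the single message `Failed to drop all capabilities` is misleading when it is `capng_lock()` that failed. The function's closing `return 0` lies outside the hunk.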
diff --git a/policycoreutils.spec b/policycoreutils.spec
index fd0163d..b0d58f9 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.86
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -336,6 +336,10 @@ fi
 exit 0
 
 %changelog
+* Mon Jun 13 2011 Dan Walsh <dwalsh at redhat.com> 2.0.86-14
+- Do not drop capability bounding set in seunshare, this allows sandbox to 
+- run setuid apps.
+
 * Fri Jun 10 2011 Dan Walsh <dwalsh at redhat.com> 2.0.86-13
 - Add semanage-bash-completion.sh script
 

