[policycoreutils/f15] Do not drop capability bounding set in seunshare, this allows sandbox to run setuid apps. Cleanup po

Daniel J Walsh dwalsh at fedoraproject.org
Mon Jun 13 18:00:40 UTC 2011


commit f415a12acc1f8354fdd86cfdff8b64546bcda903
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Jun 13 14:00:27 2011 -0400

    Do not drop capability bounding set in seunshare, this allows sandbox to
    run setuid apps.
    Cleanup policy generation template
    Pass dpi settings to sandbox
    Add .config/* to restorecond_users.conf

 policycoreutils-sandbox.patch |   77 +++++++++++++++++++++++++++++++++++++++++
 1 files changed, 77 insertions(+), 0 deletions(-)
---
diff --git a/policycoreutils-sandbox.patch b/policycoreutils-sandbox.patch
new file mode 100644
index 0000000..a9c61c3
--- /dev/null
+++ b/policycoreutils-sandbox.patch
@@ -0,0 +1,77 @@
+diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
+--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox	2011-06-13 13:47:06.552590955 -0400
++++ policycoreutils-2.0.86/restorecond/restorecond_user.conf	2011-06-13 13:47:27.757820459 -0400
+@@ -4,4 +4,4 @@
+ ~/local/*
+ ~/.fonts/*
+ ~/.cache/*
+-
++~/.config/*
+diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
+--- policycoreutils-2.0.86/sandbox/sandbox.sandbox	2011-06-13 13:44:44.678086035 -0400
++++ policycoreutils-2.0.86/sandbox/sandbox	2011-06-13 13:44:45.252092012 -0400
+@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
+ 
+               except shutil.Error, elist:
+                      for e in elist.message:
+-                            # ignore files that are missing 
+-                            if not e[2].startswith("[Errno 2]"):
+-                                   sys.stderr.write(e[2])
++                            sys.stderr.write(e[2])
+                      
+               SAVE_FILES[file] = (dest, os.path.getmtime(dest))
+ 
+@@ -321,7 +319,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+ 
+         if self.__options.X_ind:
+                self.setype = DEFAULT_X_TYPE
+-
++               self.dpi=commands.getoutput("xrdb -query | grep dpi  | /bin/cut -f 2")
+         if self.__options.setype:
+                self.setype = self.__options.setype
+ 
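Review bot: `self.dpi` is taken verbatim from the output of a shell pipeline and is later passed as an argument to the sandbox X script, with no check that it is a single number. If `xrdb -query` prints several lines containing "dpi", or the pipeline emits an error message, that text is forwarded unchanged. A guard such as `if not self.dpi.isdigit(): self.dpi = "96"` keeps the argument well-formed, "96" being the default the script already falls back to. The attribute is also only assigned when the X option is set, so any use outside that branch would raise AttributeError. The use in the next hunk appears to sit on the X path, but the enclosing method is not fully visible here.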
+@@ -405,7 +403,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+ 
+                                 self.__setup_sandboxrc(self.__options.wm)
+ 
+-                                cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
++                                cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
+                          else:
+                                 cmds += [ "--" ] + self.__paths
+                          return subprocess.Popen(cmds).wait()
+diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
+--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox	2011-06-13 13:44:44.684086096 -0400
++++ policycoreutils-2.0.86/sandbox/sandboxX.sh	2011-06-13 13:44:45.253092023 -0400
+@@ -1,10 +1,11 @@
+ #!/bin/bash 
+-context=`id -Z | secon -t `
+-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
+-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
++context=`id -Z | secon -t -l -P`
++export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
++[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1" 
++[ -z $2 ] && export DPI="96" || export DPI="$2" 
+ trap "exit 0" HUP
+ 
+-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do 
++(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do 
+     export DISPLAY=:$D
+     cat > ~/seremote << __EOF
+ #!/bin/sh
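Review bot: The new Xephyr invocation drops `-nolisten tcp`, which the commit message does not mention. Depending on the X server's defaults, the nested display may then accept TCP connections, which weakens the isolation the sandbox is meant to provide. `$1`, `$2`, `$SCREENSIZE` and `$DPI` are also expanded unquoted, so a value containing whitespace breaks the `[ -z ... ]` tests or adds extra Xephyr arguments. Suggested line: `(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen "$SCREENSIZE" -dpi "$DPI" -displayfd 5 5>&1 2>/dev/null) | while read D; do`, with `[ -z "$1" ]` and `[ -z "$2" ]` in the two tests above it. The script continues past the end of this hunk.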
+diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
+--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox	2011-06-13 13:44:44.687086129 -0400
++++ policycoreutils-2.0.86/sandbox/seunshare.c	2011-06-13 13:44:45.255092045 -0400
+@@ -63,10 +63,10 @@ static int verbose = 0;
+  */
+ static int drop_caps()
+ {
+-	if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
++	if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
+ 		return 0;
+-	capng_clear(CAPNG_SELECT_BOTH);
+-	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
++	capng_clear(CAPNG_SELECT_CAPS);
++	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
+ 		fprintf(stderr, _("Failed to drop all capabilities\n"));
+ 		return -1;
+ 	}
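Review bot: The message `Failed to drop all capabilities` and the function's header comment (which starts above this hunk) no longer describe what drop_caps() does, because with `CAPNG_SELECT_CAPS` the bounding set is left intact. A setuid binary started inside the sandbox can now be granted capabilities on exec, so containment of such programs rests on the SELinux policy for the sandbox domain rather than on seunshare. That trade-off deserves a comment next to the capng_clear() call, for example `/* Bounding set is kept on purpose so setuid programs work in the sandbox; SELinux policy is the remaining confinement. */`. capng_lock() is still called, and if it sets the no-root securebits as libcap-ng documents, it is worth confirming that the combined behaviour matches the commit's stated goal. The body of drop_caps() continues below the hunk.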

