[policycoreutils/f15] Do not drop capability bounding set in seunshare, this allows sandbox to run setuid apps. Cleanup po
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Jun 13 18:00:40 UTC 2011
commit f415a12acc1f8354fdd86cfdff8b64546bcda903
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Jun 13 14:00:27 2011 -0400
Do not drop capability bounding set in seunshare, this allows sandbox to
run setuid apps.
Cleanup policy generation template
Pass dpi settings to sandbox
Add .config/* to restorecond_users.conf
policycoreutils-sandbox.patch | 77 +++++++++++++++++++++++++++++++++++++++++
1 files changed, 77 insertions(+), 0 deletions(-)
---
diff --git a/policycoreutils-sandbox.patch b/policycoreutils-sandbox.patch
new file mode 100644
index 0000000..a9c61c3
--- /dev/null
+++ b/policycoreutils-sandbox.patch
@@ -0,0 +1,77 @@
+diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
+--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox 2011-06-13 13:47:06.552590955 -0400
++++ policycoreutils-2.0.86/restorecond/restorecond_user.conf 2011-06-13 13:47:27.757820459 -0400
+@@ -4,4 +4,4 @@
+ ~/local/*
+ ~/.fonts/*
+ ~/.cache/*
+-
++~/.config/*
+diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
+--- policycoreutils-2.0.86/sandbox/sandbox.sandbox 2011-06-13 13:44:44.678086035 -0400
++++ policycoreutils-2.0.86/sandbox/sandbox 2011-06-13 13:44:45.252092012 -0400
+@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
+
+ except shutil.Error, elist:
+ for e in elist.message:
+- # ignore files that are missing
+- if not e[2].startswith("[Errno 2]"):
+- sys.stderr.write(e[2])
++ sys.stderr.write(e[2])
+
+ SAVE_FILES[file] = (dest, os.path.getmtime(dest))
+
+@@ -321,7 +319,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+
+ if self.__options.X_ind:
+ self.setype = DEFAULT_X_TYPE
+-
++ self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2")
+ if self.__options.setype:
+ self.setype = self.__options.setype
+
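Review bot: The value stored in `self.dpi` is never validated before the later hunk passes it to sandboxX.sh with `cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]`. `commands.getoutput` returns stderr together with stdout, so when `xrdb` fails or more than one resource line matches `dpi`, the string can hold error text or several lines. The script then expands it unquoted as `-dpi $DPI` on the Xephyr command line, where it splits into extra arguments. I would normalise it right after the call with `self.dpi = self.dpi.strip()` followed by `if not self.dpi.isdigit(): self.dpi = "96"`, so only a plain number reaches the X server's argument list. The enclosing method starts and ends outside this hunk.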
+@@ -405,7 +403,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+
+ self.__setup_sandboxrc(self.__options.wm)
+
+- cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
++ cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
+ else:
+ cmds += [ "--" ] + self.__paths
+ return subprocess.Popen(cmds).wait()
+diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
+--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox 2011-06-13 13:44:44.684086096 -0400
++++ policycoreutils-2.0.86/sandbox/sandboxX.sh 2011-06-13 13:44:45.253092023 -0400
+@@ -1,10 +1,11 @@
+ #!/bin/bash
+-context=`id -Z | secon -t `
+-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
+-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
++context=`id -Z | secon -t -l -P`
++export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
++[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
++[ -z $2 ] && export DPI="96" || export DPI="$2"
+ trap "exit 0" HUP
+
+-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
++(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
+ export DISPLAY=:$D
+ cat > ~/seremote << __EOF
+ #!/bin/sh
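Review bot: The new Xephyr invocation drops the `-nolisten tcp` flag that the old line carried, and the commit message does not say why. Unless the X server build already defaults to not listening, the nested server for the sandbox would accept TCP connections, which exposes it beyond the local display. I would keep the flag and quote the expansions: `/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen "$SCREENSIZE" -dpi "$DPI" -displayfd 5 5>&1 2>/dev/null`. The tests `[ -z $1 ]` and `[ -z $2 ]` should quote their operands as well (`[ -z "$1" ]`), since an argument containing whitespace breaks the test. The `while read D` loop body continues outside the hunk.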
+diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
+--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox 2011-06-13 13:44:44.687086129 -0400
++++ policycoreutils-2.0.86/sandbox/seunshare.c 2011-06-13 13:44:45.255092045 -0400
+@@ -63,10 +63,10 @@ static int verbose = 0;
+ */
+ static int drop_caps()
+ {
+- if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
+ return 0;
+- capng_clear(CAPNG_SELECT_BOTH);
+- if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
++ capng_clear(CAPNG_SELECT_CAPS);
++ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
+ fprintf(stderr, _("Failed to drop all capabilities\n"));
+ return -1;
+ }
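Review bot: With the selector narrowed to `CAPNG_SELECT_CAPS`, `drop_caps()` no longer touches the bounding set, yet the error text still reads "Failed to drop all capabilities". The comment that ends just above the function is not updated either; its text lies outside the hunk. A later reader cannot tell that the bounding set is kept deliberately, so programs started inside the sandbox may regain privileges through setuid or file capabilities, and containment then presumably rests on the SELinux policy for the sandbox domain. I would add a comment above the `capng_clear` call such as `/* Bounding set is left intact on purpose so setuid programs can run in the sandbox. */`. It is also worth confirming that the securebits applied by `capng_lock()` still allow what the commit intends. The function continues past the hunk.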