[policycoreutils/f13/master] More fixes for seunshare
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Mar 24 21:57:18 UTC 2011
commit d04e8562ad7ae468d68d0ade0d859c5495fbdf4a
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Mar 24 17:57:06 2011 -0400
More fixes for seunshare
policycoreutils-rhat.patch | 150 ++++++++++++++++++++++++++------------------
policycoreutils.spec | 5 +-
2 files changed, 92 insertions(+), 63 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 2b1c533..d39c16f 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1749,7 +1749,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
@python test_sandbox.py -v
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox 2011-03-18 17:53:51.106277829 -0400
++++ policycoreutils-2.0.83/sandbox/sandbox 2011-03-24 17:54:19.483719915 -0400
@@ -1,5 +1,6 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -1779,7 +1779,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
-@@ -41,6 +44,7 @@
+@@ -41,11 +44,20 @@
import __builtin__
__builtin__.__dict__['_'] = unicode
@@ -1787,7 +1787,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
DEFAULT_TYPE = "sandbox_t"
DEFAULT_X_TYPE = "sandbox_x_t"
SAVE_FILES = {}
-@@ -63,15 +67,15 @@
+
+ random.seed(None)
++
++def chcon(path, context, recursive=False):
++ """ Set the SELinux context on a given path """
++ selinux.lsetfilecon(path, context)
++ if recursive:
++ for root, dirs, files in os.walk(path):
++ for name in files + dirs:
++ selinux.lsetfilecon(os.path.join(root,name), context)
+
+ def sighandler(signum, frame):
+ signal.signal(signum, signal.SIG_IGN)
+@@ -63,15 +75,15 @@
sys.stderr.flush()
sys.exit(1)
@@ -1807,7 +1820,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if not os.path.exists(newdir):
os.makedirs(newdir)
dest = newdir + "/" + bname
-@@ -81,9 +85,10 @@
+@@ -81,9 +93,10 @@
shutil.copytree(file, dest)
else:
shutil.copy2(file, dest)
@@ -1820,7 +1833,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
-@@ -161,10 +166,10 @@
+@@ -161,10 +174,10 @@
if not self.__options.homedir or not self.__options.tmpdir:
self.usage(_("Homedir and tempdir required for level mounts"))
@@ -1834,7 +1847,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
def __mount_callback(self, option, opt, value, parser):
self.__mount = True
-@@ -172,6 +177,15 @@
+@@ -172,6 +185,15 @@
def __x_callback(self, option, opt, value, parser):
self.__mount = True
setattr(parser.values, option.dest, True)
@@ -1850,7 +1863,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
def __validdir(self, option, opt, value, parser):
if not os.path.isdir(value):
-@@ -194,6 +208,8 @@
+@@ -194,6 +216,8 @@
self.__include(option, opt, i[:-1], parser)
except IOError, e:
sys.stderr.write(str(e))
@@ -1859,7 +1872,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
fd.close()
def __copyfiles(self):
-@@ -212,13 +228,15 @@
+@@ -212,13 +236,15 @@
/etc/gdm/Xsession
""")
else:
@@ -1877,7 +1890,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command))
fd.close()
-@@ -226,14 +244,25 @@
+@@ -226,14 +252,25 @@
def usage(self, message = ""):
error_exit("%s\n%s" % (self.__parser.usage, message))
@@ -1907,7 +1920,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args()
-@@ -268,6 +297,10 @@
+@@ -268,6 +305,10 @@
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
@@ -1918,7 +1931,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
default="/usr/bin/matchbox-window-manager -use_titlebar no",
-@@ -276,13 +309,17 @@
+@@ -276,13 +317,17 @@
parser.add_option("-l", "--level", dest="level",
help=_("MCS/MLS level for the sandbox"))
@@ -1937,7 +1950,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if self.__options.setype:
self.setype = self.__options.setype
-@@ -300,6 +337,10 @@
+@@ -300,6 +345,10 @@
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
else:
@@ -1948,7 +1961,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if len(cmds) == 0:
self.usage(_("Command required"))
cmds[0] = fullpath(cmds[0])
-@@ -329,44 +370,43 @@
+@@ -329,44 +378,43 @@
def __setup_dir(self):
if self.__options.level or self.__options.session:
return
@@ -1957,7 +1970,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
- os.mkdir(sandboxdir)
if self.__options.homedir:
- selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
+- selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
++ chcon(self.__options.homedir, self.__filecon, recursive=True)
self.__homedir = self.__options.homedir
else:
selinux.setfscreatecon(self.__filecon)
@@ -1965,7 +1979,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
if self.__options.tmpdir:
- selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
+- selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
++ chcon(self.__options.tmpdir, self.__filecon, recursive=True)
self.__tmpdir = self.__options.tmpdir
else:
selinux.setfscreatecon(self.__filecon)
@@ -2012,7 +2027,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
-@@ -404,7 +444,7 @@
+@@ -404,7 +452,7 @@
sandbox = Sandbox()
rc = sandbox.main()
except OSError, error:
@@ -2222,7 +2237,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c 2011-03-18 17:53:42.821186805 -0400
++++ policycoreutils-2.0.83/sandbox/seunshare.c 2011-03-24 17:53:45.207410252 -0400
@@ -1,28 +1,35 @@
+/*
+ * Authors: Dan Walsh <dwalsh at redhat.com>
@@ -2432,20 +2447,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+
+ if (lstat(dir, st_out) == -1) {
+ fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno));
-+ return -1;
-+ }
-+ if (! S_ISDIR(st_out->st_mode)) {
-+ fprintf(stderr, _("Error: %s is not a directory: %s\n"), dir, strerror(errno));
return -1;
}
- if (sb.st_uid != pwd->pw_uid) {
- errno = EPERM;
- syslog(LOG_AUTHPRIV | LOG_ALERT, "%s attempted to mount an invalid directory, %s", pwd->pw_name, mntdir);
- perror(_("Invalid mount point, reporting to administrator"));
-+ if (st_in && !equal_stats(st_in, st_out)) {
-+ fprintf(stderr, _("Error: %s was replaced by a different directory\n"), dir);
++ if (! S_ISDIR(st_out->st_mode)) {
++ fprintf(stderr, _("Error: %s is not a directory: %s\n"), dir, strerror(errno));
return -1;
}
++ if (st_in && !equal_stats(st_in, st_out)) {
++ fprintf(stderr, _("Error: %s was replaced by a different directory\n"), dir);
++ return -1;
++ }
+
return 0;
}
@@ -2459,7 +2474,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
break;
}
}
-@@ -131,45 +236,509 @@
+@@ -131,45 +236,520 @@
return rc;
}
@@ -2728,18 +2743,35 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ return rc;
+}
+
-+/*
-+ This function returns 0 on success and -1 on failure.
-+ The cmdbuf will contain the rsync command string to copy all files from
-+ src dir to tmp. cmdbuf can be NULL if no files need to be compied;
-+*/
++/*
++ If path is empy or ends with "/." or "/.. return -1 else return 0;
++ */
++static int bad_path(const char *path) {
++ const char *ptr;
++ ptr = path;
++ while (*ptr) ptr++;
++ if (ptr == path) return -1; // ptr null
++ ptr--;
++ if (ptr != path && *ptr == '.') {
++ ptr--;
++ if (*ptr == '/') return -1; // path ends in /.
++ if (*ptr == '.') {
++ if (ptr != path) {
++ ptr--;
++ if (*ptr == '/') return -1; // path ends in /..
++ }
++ }
++ }
++ return 0;
++}
++
+static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
+{
+ char *buf = NULL;
+ char *newbuf = NULL;
+ glob_t fglob;
+ fglob.gl_offs = 0;
-+ int flags = GLOB_DOOFFS | GLOB_TILDE;
++ int flags = GLOB_PERIOD;
+ unsigned int i = 0;
+ int rc = -1;
+
@@ -2749,43 +2781,36 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
return -1;
+ }
+
-+ if (glob(buf, flags, NULL, &fglob) < 0) {
++ if (glob(buf, flags, NULL, &fglob) != 0) {
+ free(buf); buf = NULL;
+ return -1;
+ }
+
+ free(buf); buf = NULL;
+
-+ /* append match glob for all hidden files in src dir exclude . and .. */
-+ if (asprintf(&buf, "%s/.[^.]*", src) == -1) {
-+ fprintf(stderr, "Out of memory\n");
-+ goto err;
-+ }
-+
-+ if (glob(buf, flags | GLOB_APPEND ,NULL, &fglob) < 0) {
-+ goto err;
-+ }
++ for ( i=0; i < fglob.gl_pathc; i++) {
++ const char *path = fglob.gl_pathv[i];
+
-+ free(buf); buf = NULL;
++ if (bad_path(path)) continue;
+
-+ for ( i=0; i < fglob.gl_pathc; i++) {
+ if (!buf) {
-+ if (asprintf(&newbuf, "%s", fglob.gl_pathv[i]) == -1) {
++ if (asprintf(&newbuf, "\'%s\'", path) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
+ }
+ } else {
-+ if (asprintf(&newbuf, "%s %s", buf, fglob.gl_pathv[i]) == -1) {
++ if (asprintf(&newbuf, "%s \'%s\'", buf, path) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
+ }
+ }
++
+ free(buf); buf = newbuf;
+ newbuf = NULL;
+ }
+
+ if (buf) {
-+ if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s/'", buf, dst) == -1) {
++ if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) {
+ fprintf(stderr, "Out of memory\n");
+ goto err;
+ }
@@ -2800,8 +2825,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ free(buf); buf = NULL;
+ globfree(&fglob);
+ return rc;
-+}
-+
+ }
+
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+/**
+ * Clean up runtime temporary directory. Returns 0 if no problem was detected,
+ * >0 if some error was detected, but errors here are treated as non-fatal and
@@ -2844,9 +2870,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ setfsuid(pwd->pw_uid);
+
+ return 0;
- }
-
--#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++}
++
+/**
+ * seunshare will create a tmpdir in /tmp, with root ownership. The parent
+ * process waits for it child to exit to attempt to remove the directory. If
@@ -2881,6 +2906,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ fprintf(stderr, _("Failed to get context of the directory %s: %s\n"), src, strerror(errno));
+ goto err;
+ }
++
++ if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
++ goto err;
++ }
++
+ /* ok to not reach this if there is an error */
+ setfsuid(0);
+ }
@@ -2933,10 +2963,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ }
+ }
+
-+ if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
-+ goto err;
-+ }
-+
+ if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
+ fprintf(stderr, _("Failed to populate runtime temporary directory\n"));
+ cleanup_tmpdir(tmpdir, src, pwd, 0);
@@ -2983,7 +3009,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
{NULL, 0, 0, 0}
};
-@@ -180,6 +749,12 @@
+@@ -180,6 +760,12 @@
return -1;
}
@@ -2996,7 +3022,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
-@@ -187,34 +762,30 @@
+@@ -187,34 +773,30 @@
}
if (verify_shell(pwd->pw_shell) < 0) {
@@ -3042,7 +3068,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
break;
default:
fprintf(stderr, "%s\n", USAGE_STRING);
-@@ -223,76 +794,84 @@
+@@ -223,76 +805,84 @@
}
if (! homedir_s && ! tmpdir_s) {
@@ -3093,7 +3119,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ * on an NFS mount. It's also desired to avoid leaking info about
+ * existence of the files not accessible to the user. */
+ setfsuid(uid);
-+
+
+- if (drop_capabilities(uid)) {
+- perror(_("Failed to drop all capabilities"));
+ /* verify homedir and tmpdir */
+ if (homedir_s && (
+ verify_directory(homedir_s, NULL, &st_homedir) < 0 ||
@@ -3102,9 +3130,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
+ check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
+ setfsuid(0);
-
-- if (drop_capabilities(uid)) {
-- perror(_("Failed to drop all capabilities"));
++
+ /* create runtime tmpdir */
+ if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
+ &st_tmpdir_r, pwd, execcon)) == NULL) {
@@ -3175,7 +3201,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if (display)
rc |= setenv("DISPLAY", display, 1);
rc |= setenv("HOME", pwd->pw_dir, 1);
-@@ -300,22 +879,41 @@
+@@ -300,22 +890,41 @@
rc |= setenv("USER", pwd->pw_name, 1);
rc |= setenv("LOGNAME", pwd->pw_name, 1);
rc |= setenv("PATH", DEFAULT_PATH, 1);
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 71c3042..b9f4fb2 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.83
-Release: 33.6%{?dist}
+Release: 33.7%{?dist}
License: GPLv2
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -316,6 +316,9 @@ fi
exit 0
%changelog
+* Thu Mar 24 2011 Dan Walsh <dwalsh at redhat.com> 2.0.83-33.5
+- More fixes for seunshare
+
* Fri Mar 18 2011 Dan Walsh <dwalsh at redhat.com> 2.0.83-33.5
- Fix rsync command to work if the directory is old.
- Fix all tests
More information about the scm-commits
mailing list