[policycoreutils/f14/master] - Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC; -
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Aug 25 02:53:12 UTC 2010
commit b1b6c5eb24e004dd36c7dcc864f0870fecec5184
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Aug 24 22:53:08 2010 -0400
- Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
- Clean up error handling so error will get sent back to sandbox tool
policycoreutils-rhat.patch | 111 +++++++++++++++++++++++++++++++++++++------
policycoreutils.spec | 8 +++-
2 files changed, 102 insertions(+), 17 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index ad6bb3a..b83ee85 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1589,7 +1589,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
@python test_sandbox.py -v
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox 2010-08-13 15:05:03.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/sandbox 2010-08-24 22:50:26.000000000 -0400
@@ -1,5 +1,6 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -1682,7 +1682,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
%s &
WM_PID=$!
-%s
-+dbus-launch %s
++dbus-launch --exit-with-session %s
kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command))
fd.close()
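Review bot: The user's command is still spliced into the generated shell script unquoted on the `dbus-launch --exit-with-session %s` line, so any argument containing whitespace or shell metacharacters is re-split by the shell before dbus-launch sees it. Because the script is built from the invoking user's own command this is a robustness problem rather than a privilege boundary, but it deserves a comment where the script is assembled, `# command is interpolated verbatim into a shell script; callers must pre-quote arguments`. Whether the sandbox's exit status now reflects the wrapped program or dbus-launch itself depends on dbus-launch's behaviour, which I cannot confirm from this hunk. The enclosing Python string and the function that writes it start outside the hunk.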
@@ -1883,6 +1883,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#
# Source function library.
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.83/sandbox/sandboxX.sh
+--- nsapolicycoreutils/sandbox/sandboxX.sh 2010-06-16 08:03:38.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2010-08-24 17:04:39.000000000 -0400
+@@ -7,7 +7,16 @@
+
+ (/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
+ export DISPLAY=:$D
+- python -c 'import gtk, os, commands; commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])'
++ python << __EOF
++import gtk, os, commands
++rc = [-1,'']
++try:
++ rc=commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])
++except:
++ pass
++if rc[0] == 0:
++ print rc[1]
++__EOF
+ export EXITCODE=$?
+ kill -HUP 0
+ break
+Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-07-30 13:50:40.000000000 -0400
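Review bot: The new heredoc never propagates the result of `~/.sandboxrc`: when `rc[0]` is non-zero the script just falls through, python exits 0, and `export EXITCODE=$?` on the next line records 0 whether the rc script failed, was missing, or raised. If EXITCODE is meant to carry that status, finish the heredoc with `sys.exit(os.WEXITSTATUS(rc[0]) if rc[0] >= 0 else 1)` (adding `sys` to the import line), since `commands.getstatusoutput` returns a wait()-style status. The bare `except: pass` also masks a `KeyError` when `HOME` is unset and any other programming error; catching `(KeyError, OSError)` keeps the best-effort intent without hiding bugs, and note that `getstatusoutput` runs the `%s/.sandboxrc` path through a shell unquoted, so a `HOME` containing spaces will not work. Separately, the `Binary files ... seunshare differ` line shows the embedded patch was regenerated from a built tree; the compiled binary should not be part of the diff.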
@@ -1926,8 +1948,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-07-30 13:50:40.000000000 -0400
-@@ -1,13 +1,20 @@
++++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-08-24 22:49:42.000000000 -0400
+@@ -1,13 +1,21 @@
+/*
+ * Authors: Dan Walsh <dwalsh at redhat.com>
+ * Authors: Thomas Liu <tliu at fedoraproject.org>
@@ -1936,6 +1958,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+#define _GNU_SOURCE
#include <signal.h>
#include <sys/types.h>
++#include <sys/stat.h>
#include <sys/wait.h>
#include <syslog.h>
#include <sys/mount.h>
@@ -1949,15 +1972,23 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#include <unistd.h>
#include <stdlib.h>
#include <cap-ng.h>
-@@ -21,7 +28,6 @@
+@@ -15,14 +23,11 @@
+ #include <limits.h>
+ #include <stdlib.h>
+ #include <errno.h>
++#include <fcntl.h>
- #include <sys/types.h>
- #include <sys/stat.h>
--#include <unistd.h>
+ #include <selinux/selinux.h>
+ #include <selinux/context.h> /* for context-mangling functions */
+-#include <sys/types.h>
+-#include <sys/stat.h>
+-#include <unistd.h>
+-
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
-@@ -39,6 +45,12 @@
+ #include <libintl.h> /* for gettext() */
+@@ -39,6 +44,12 @@
#define MS_PRIVATE 1<<18
#endif
@@ -1970,12 +2001,56 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
/**
* This function will drop all capabilities
* Returns zero on success, non-zero otherwise
-@@ -151,25 +163,57 @@
+@@ -134,42 +145,98 @@
+ static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
+ if (verbose)
+ printf("Mount %s on %s\n", src, dst);
+- if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
++
++ int flags = MS_REC;
++ if (strcmp("/tmp", dst) == 0) {
++ flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
++ }
++
++ if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
+ return -1;
+ }
+
+- if (mount(dst, dst, NULL, MS_PRIVATE | MS_REC, NULL) < 0) {
++ if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
+ return -1;
+ }
+
+- if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
++ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
+ return -1;
+ }
if (verify_mount(dst, pwd) < 0)
return -1;
+
++ if (strcmp("/tmp", dst) == 0) {
++ struct stat sb;
++ int fd = open(dst,O_RDONLY);
++ if ( fd == -1 ) goto err;
++ if (fstat(fd, &sb) == -1) {
++ close(fd);
++ goto err;
++ }
++ if (fchmod(fd, sb.st_mode | S_ISVTX) < 0) {
++ close(fd);
++ goto err;
++ }
++ close(fd);
++ }
++
+ return 0;
++err:
++ fprintf(stderr, _("Invalid mount point %s: %s\n"), src, strerror(errno));
++ return -1;
+}
+
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [-Z CONTEXT] -- executable [args] ")
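Review bot: The `MS_NODEV | MS_NOSUID | MS_NOEXEC` bits added to `flags` are, as far as I read mount(2), silently dropped by all three calls in seunshare_mount: with `MS_BIND` the kernel honours only `MS_REC` from mountflags, and a propagation change (`MS_PRIVATE`) likewise ignores the rest, so the /tmp bind mount ends up without the hardening the commit title promises and nothing reports it. Per-mount-point flags on a bind mount have to be applied afterwards with `MS_REMOUNT | MS_BIND` (Linux 2.6.26 and later), and that call must be checked, because a silently missing nosuid is exactly the failure mode to avoid; note the remount is not recursive, so submounts under `src` keep their own flags. Two smaller points in the same hunk: the `err:` message reports `src` although `open`, `fstat` and `fchmod` all operate on `dst`, and `open(dst, O_RDONLY)` could pass `O_DIRECTORY` so the sticky bit can only ever land on a directory. Proposed remount, placed after the bind of `src` onto `dst` and before `verify_mount`:

```c
	/* … unchanged: bind dst on itself, make it private, bind src on dst … */

	/* MS_BIND ignores per-mount flags; they only take effect on a
	 * remount of the bind mount, so apply them explicitly. */
	if ((flags & ~MS_REC) &&
	    mount(NULL, dst, NULL, MS_REMOUNT | MS_BIND | (flags & ~MS_REC), NULL) < 0) {
		fprintf(stderr, _("Failed to remount %s nodev,nosuid,noexec: %s\n"), dst, strerror(errno));
		return -1;
	}
	/* … unchanged: verify_mount and sticky-bit handling … */
```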
@@ -2030,7 +2105,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
{NULL, 0, 0, 0}
};
-@@ -180,6 +224,12 @@
+@@ -180,6 +247,12 @@
return -1;
}
@@ -2043,7 +2118,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
-@@ -192,30 +242,30 @@
+@@ -192,30 +265,30 @@
}
while (1) {
@@ -2083,7 +2158,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
default:
fprintf(stderr, "%s\n", USAGE_STRING);
return -1;
-@@ -223,21 +273,179 @@
+@@ -223,21 +296,179 @@
}
if (! homedir_s && ! tmpdir_s) {
@@ -2269,7 +2344,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
-@@ -286,11 +494,13 @@
+@@ -286,11 +517,13 @@
exit(-1);
}
@@ -2288,8 +2363,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
}
if (display)
-@@ -308,14 +518,12 @@
- setsid();
+@@ -305,17 +538,14 @@
+ perror(_("Failed to change dir to homedir"));
+ exit(-1);
+ }
+- setsid();
execv(argv[optind], argv + optind);
free(display);
+ freecon(scontext);
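Review bot: Removing `setsid()` leaves the sandboxed program in the caller's session with the caller's controlling terminal, which is what lets ^C reach it but also means the confined process keeps an open path to that tty; in particular `ioctl(TIOCSTI)` on an inherited tty descriptor lets a process push keystrokes into the parent shell, a well-known way out of namespace-based sandboxes unless the SELinux sandbox policy denies the ioctl (I cannot tell from this hunk whether it does). If the tty is not actually needed inside the sandbox, keeping `setsid()` and having the parent forward SIGINT/SIGTERM to the child's process group achieves the same ^C behaviour without that exposure; if the tty is needed, record the trade-off next to the execv, `/* no setsid(): stay in the caller's session so ^C reaches the app; the controlling tty remains reachable from inside the sandbox */`. The execv failure path after `freecon(scontext)` continues outside the hunk, so I cannot see whether it exits non-zero.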
@@ -2304,6 +2382,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
-
return status;
}
+Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ
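Review bot: The added `Binary files ... seunshare.o differ` line, like the one for the `seunshare` binary earlier in the patch, means the embedded patch was regenerated with `diff -r` against a tree that had already been built, so build products are now part of the diff. They add noise to every future refresh and make real changes harder to spot; add `*.o` and the built `seunshare` to the `--exclude-from=exclude` list, or regenerate the patch from a clean tree.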
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/scripts/chcat 2010-07-30 13:50:40.000000000 -0400
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 473b1d9..828e0a2 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.83
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPLv2
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -315,6 +315,12 @@ fi
exit 0
%changelog
+* Tue Aug 24 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
* Mon Aug 23 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-19
- Fix translation handling in file context page of system-config-selinux