[policycoreutils] - Check if you have full privs and reset otherwise dont drop caps
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Nov 1 20:21:07 UTC 2010
commit d7e1c238f43afb08a3e56fdecab7ec47b2b858bb
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Nov 1 16:21:00 2010 -0400
- Check if you have full privs and reset otherwise dont drop caps
policycoreutils-rhat.patch | 214 ++++++++++++++++++++++++++++++++++++++------
policycoreutils.spec | 12 ++-
2 files changed, 193 insertions(+), 33 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 4c868d6..120fa90 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -385,28 +385,167 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
+Binary files nsapolicycoreutils/newrole/hashtab.o and policycoreutils-2.0.83/newrole/hashtab.o differ
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
+--- nsapolicycoreutils/newrole/Makefile 2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/newrole/Makefile 2010-11-01 15:32:24.000000000 -0400
+@@ -50,7 +50,7 @@
+ endif
+ ifeq (${IS_SUID},y)
+ MODE := 4555
+- LDLIBS += -lcap
++ LDLIBS += -lcap-ng
+ else
+ MODE := 0555
+ endif
+Binary files nsapolicycoreutils/newrole/newrole and policycoreutils-2.0.83/newrole/newrole differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c 2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/newrole.c 2010-10-29 09:54:43.000000000 -0400
-@@ -537,7 +537,7 @@
- *
- * Returns zero on success, non-zero otherwise
- */
--#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
-+#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) && !defined(USE_FILECAP)
++++ policycoreutils-2.0.83/newrole/newrole.c 2010-11-01 16:14:01.000000000 -0400
+@@ -77,7 +77,7 @@
+ #endif
+ #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
+ #include <sys/prctl.h>
+-#include <sys/capability.h>
++#include <cap-ng.h>
+ #endif
+ #ifdef USE_NLS
+ #include <locale.h> /* for setlocale() */
+@@ -540,67 +540,23 @@
+ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
static int drop_capabilities(void)
{
- int rc = 0;
-@@ -602,7 +602,7 @@
- fprintf(stderr, _("Error freeing caps\n"));
- return rc;
+- int rc = 0;
+- cap_t new_caps, tmp_caps;
+- cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+- cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
+- uid_t uid = getuid();
+-
+- if (!uid)
++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+ return 0;
+
+- /* Non-root caller, suid root path */
+- new_caps = cap_init();
+- tmp_caps = cap_init();
+- if (!new_caps || !tmp_caps) {
+- fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+- return -1;
+- }
+- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
+- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
+- rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
+- rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
+- if (rc) {
+- fprintf(stderr, _("Error setting capabilities, aborting\n"));
+- goto out;
+- }
+-
+- /* Keep capabilities across uid change */
+- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+- fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
+- rc = -1;
+- goto out;
+- }
++ capng_clear(CAPNG_SELECT_BOTH);
+
+- /* Does this temporary change really buy us much? */
+- /* We should still have root's caps, so drop most capabilities now */
+- if ((rc = cap_set_proc(tmp_caps))) {
+- fprintf(stderr, _("Error dropping capabilities, aborting\n"));
+- goto out;
+- }
++ if (capng_lock() < 0)
++ return -1;
++ uid_t uid = getuid();
++ if (!uid) return 0;
+
+ /* Change uid */
+- if ((rc = setresuid(uid, uid, uid))) {
++ if (setresuid(uid, uid, uid)) {
+ fprintf(stderr, _("Error changing uid, aborting.\n"));
+- goto out;
+- }
+-
+- /* Now get rid of this ability */
+- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
+- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+- goto out;
+- }
+-
+- /* Finish dropping capabilities. */
+- if ((rc = cap_set_proc(new_caps))) {
+- fprintf(stderr,
+- _("Error dropping SETUID capability, aborting\n"));
+- goto out;
++ return -1;
+ }
+- out:
+- if (cap_free(tmp_caps) || cap_free(new_caps))
+- fprintf(stderr, _("Error freeing caps\n"));
+- return rc;
++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
++ return capng_apply(CAPNG_SELECT_BOTH);
}
--#elif defined(NAMESPACE_PRIV)
-+#elif defined(NAMESPACE_PRIV) && !defined(USE_FILECAP)
+ #elif defined(NAMESPACE_PRIV)
/**
- * This function will drop the capabilities so that we are left
- * only with access to the audit system and the ability to raise
-@@ -1334,6 +1334,9 @@
+@@ -618,44 +574,22 @@
+ */
+ static int drop_capabilities(void)
+ {
+- int rc = 0;
+- cap_t new_caps;
+- cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
+- CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
+- CAP_DAC_OVERRIDE
+- };
+-
+- if (!getuid())
++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+ return 0;
+
+- /* Non-root caller, suid root path */
+- new_caps = cap_init();
+- if (!new_caps) {
+- fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+- return -1;
+- }
+- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
+- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
+- if (rc) {
+- fprintf(stderr, _("Error setting capabilities, aborting\n"));
+- goto out;
+- }
++ capng_clear(CAPNG_SELECT_BOTH);
+
+- /* Ensure that caps are dropped after setuid call */
+- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
+- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+- goto out;
+- }
++ if (capng_lock() < 0)
++ return -1;
+
+- /* We should still have root's caps, so drop most capabilities now */
+- if ((rc = cap_set_proc(new_caps))) {
+- fprintf(stderr, _("Error dropping capabilities, aborting\n"));
+- goto out;
++ uid_t uid = getuid();
++ /* Change uid */
++ if (setresuid(uid, uid, uid)) {
++ fprintf(stderr, _("Error changing uid, aborting.\n"));
++ return -1;
+ }
+- out:
+- if (cap_free(new_caps))
+- fprintf(stderr, _("Error freeing caps\n"));
+- return rc;
++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE | CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
++ return capng_apply(CAPNG_SELECT_BOTH);
+ }
+
+ #else
+@@ -1334,6 +1268,9 @@
if (send_audit_message(1, old_context, new_context, ttyn))
goto err_close_pam_session;
@@ -416,6 +555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#ifdef NAMESPACE_PRIV
if (transition_to_caller_uid())
goto err_close_pam_session;
+Binary files nsapolicycoreutils/newrole/newrole.o and policycoreutils-2.0.83/newrole/newrole.o differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/restorecond/Makefile 2010-10-29 09:54:43.000000000 -0400
@@ -2147,6 +2287,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
export EXITCODE=$?
kill -HUP 0
break
+Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-10-29 09:54:43.000000000 -0400
@@ -2190,7 +2331,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-10-29 09:54:43.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-11-01 16:13:56.000000000 -0400
@@ -1,13 +1,21 @@
+/*
+ * Authors: Dan Walsh <dwalsh at redhat.com>
@@ -2230,7 +2371,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
#include <libintl.h> /* for gettext() */
-@@ -39,6 +44,12 @@
+@@ -39,16 +44,26 @@
#define MS_PRIVATE 1<<18
#endif
@@ -2243,7 +2384,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
/**
* This function will drop all capabilities
* Returns zero on success, non-zero otherwise
-@@ -134,42 +145,98 @@
+ */
+ static int drop_capabilities(uid_t uid)
+ {
++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
++ return 0;
++
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ if (capng_lock() < 0)
+ return -1;
++
+ /* Change uid */
+ if (setresuid(uid, uid, uid)) {
+ fprintf(stderr, _("Error changing uid, aborting.\n"));
+@@ -134,42 +149,98 @@
static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
if (verbose)
printf("Mount %s on %s\n", src, dst);
@@ -2302,9 +2457,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ syslog(LOG_AUTHPRIV | LOG_ALERT, string);
+ exit(-1);
+
- }
-
--#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++}
++
+
+int match(const char *string, char *pattern) {
+ int status;
@@ -2318,8 +2472,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ return 0;
+ }
+ return 1;
-+}
-+
+ }
+
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+void config_error() {
+ fprintf(stderr, "Error parsing config file.");
+ exit(-1);
@@ -2347,7 +2502,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
{NULL, 0, 0, 0}
};
-@@ -180,6 +247,12 @@
+@@ -180,6 +251,12 @@
return -1;
}
@@ -2360,7 +2515,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
-@@ -192,30 +265,30 @@
+@@ -192,30 +269,30 @@
}
while (1) {
@@ -2400,7 +2555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
default:
fprintf(stderr, "%s\n", USAGE_STRING);
return -1;
-@@ -223,21 +296,179 @@
+@@ -223,21 +300,179 @@
}
if (! homedir_s && ! tmpdir_s) {
@@ -2586,7 +2741,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
-@@ -286,11 +517,13 @@
+@@ -286,11 +521,13 @@
exit(-1);
}
@@ -2605,7 +2760,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
}
if (display)
-@@ -305,17 +538,14 @@
+@@ -305,17 +542,14 @@
perror(_("Failed to change dir to homedir"));
exit(-1);
}
@@ -2624,6 +2779,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
-
return status;
}
+Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/scripts/chcat 2010-10-29 09:54:43.000000000 -0400
diff --git a/policycoreutils.spec b/policycoreutils.spec
index c9689a0..b581c81 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.83
-Release: 34%{?dist}
+Release: 35%{?dist}
License: GPLv2
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -64,7 +64,7 @@ context.
%patch4 -p1 -b .sepolgen
%build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE -DUSE_FILECAP" LDFLAGS="-pie -Wl,-z,relro" all
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all
make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
%install
@@ -192,7 +192,8 @@ or level of a logged in user.
%files newrole
%defattr(-,root,root)
-%attr(0755,root,root) %caps(cap_audit_write=pe) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
+
%{_mandir}/man1/newrole.1.gz
%config(noreplace) %{_sysconfdir}/pam.d/newrole
@@ -239,7 +240,7 @@ rm -rf %{buildroot}
/sbin/fixfiles
/sbin/setfiles
/sbin/load_policy
-%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_sbindir}/genhomedircon
%{_sbindir}/load_policy
%{_sbindir}/setsebool
@@ -326,6 +327,9 @@ fi
exit 0
%changelog
+* Mon Nov 1 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-35
+- Check if you have full privs and reset otherwise dont drop caps
+
* Mon Nov 1 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-34
- Fix setools require line
More information about the scm-commits
mailing list