[policycoreutils] - Check if you have full privs and reset otherwise dont drop caps

Daniel J Walsh dwalsh at fedoraproject.org
Mon Nov 1 20:21:07 UTC 2010


commit d7e1c238f43afb08a3e56fdecab7ec47b2b858bb
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Nov 1 16:21:00 2010 -0400

    - Check if you have full privs and reset otherwise dont drop caps

 policycoreutils-rhat.patch |  214 ++++++++++++++++++++++++++++++++++++++------
 policycoreutils.spec       |   12 ++-
 2 files changed, 193 insertions(+), 33 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 4c868d6..120fa90 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -385,28 +385,167 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  
  INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
  
+Binary files nsapolicycoreutils/newrole/hashtab.o and policycoreutils-2.0.83/newrole/hashtab.o differ
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
+--- nsapolicycoreutils/newrole/Makefile	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/newrole/Makefile	2010-11-01 15:32:24.000000000 -0400
+@@ -50,7 +50,7 @@
+ endif
+ ifeq (${IS_SUID},y)
+ 	MODE := 4555
+-	LDLIBS += -lcap
++	LDLIBS += -lcap-ng
+ else
+ 	MODE := 0555
+ endif
+Binary files nsapolicycoreutils/newrole/newrole and policycoreutils-2.0.83/newrole/newrole differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
 --- nsapolicycoreutils/newrole/newrole.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/newrole.c	2010-10-29 09:54:43.000000000 -0400
-@@ -537,7 +537,7 @@
-  *
-  * Returns zero on success, non-zero otherwise
-  */
--#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
-+#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) && !defined(USE_FILECAP)
++++ policycoreutils-2.0.83/newrole/newrole.c	2010-11-01 16:14:01.000000000 -0400
+@@ -77,7 +77,7 @@
+ #endif
+ #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
+ #include <sys/prctl.h>
+-#include <sys/capability.h>
++#include <cap-ng.h>
+ #endif
+ #ifdef USE_NLS
+ #include <locale.h>		/* for setlocale() */
+@@ -540,67 +540,23 @@
+ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
  static int drop_capabilities(void)
  {
- 	int rc = 0;
-@@ -602,7 +602,7 @@
- 		fprintf(stderr, _("Error freeing caps\n"));
- 	return rc;
+-	int rc = 0;
+-	cap_t new_caps, tmp_caps;
+-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+-	cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
+-	uid_t uid = getuid();
+-
+-	if (!uid)
++	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+ 		return 0;
+ 
+-	/* Non-root caller, suid root path */
+-	new_caps = cap_init();
+-	tmp_caps = cap_init();
+-	if (!new_caps || !tmp_caps) {
+-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+-		return -1;
+-	}
+-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
+-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
+-	rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
+-	rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
+-	if (rc) {
+-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
+-		goto out;
+-	}
+-
+-	/* Keep capabilities across uid change */
+-	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+-		fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
+-		rc = -1;
+-		goto out;
+-	}
++	capng_clear(CAPNG_SELECT_BOTH);
+ 
+-	/* Does this temporary change really buy us much? */
+-	/* We should still have root's caps, so drop most capabilities now */
+-	if ((rc = cap_set_proc(tmp_caps))) {
+-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
+-		goto out;
+-	}
++	if (capng_lock() < 0) 
++		return -1;
++	uid_t uid = getuid();
++	if (!uid) return 0;
+ 
+ 	/* Change uid */
+-	if ((rc = setresuid(uid, uid, uid))) {
++	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
+-		goto out;
+-	}
+-
+-	/* Now get rid of this ability */
+-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
+-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+-		goto out;
+-	}
+-
+-	/* Finish dropping capabilities. */
+-	if ((rc = cap_set_proc(new_caps))) {
+-		fprintf(stderr,
+-			_("Error dropping SETUID capability, aborting\n"));
+-		goto out;
++		return -1;
+ 	}
+-      out:
+-	if (cap_free(tmp_caps) || cap_free(new_caps))
+-		fprintf(stderr, _("Error freeing caps\n"));
+-	return rc;
++	capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
++	return capng_apply(CAPNG_SELECT_BOTH);
  }
--#elif defined(NAMESPACE_PRIV)
-+#elif defined(NAMESPACE_PRIV) && !defined(USE_FILECAP)
+ #elif defined(NAMESPACE_PRIV)
  /**
-  * This function will drop the capabilities so that we are left
-  * only with access to the audit system and the ability to raise
-@@ -1334,6 +1334,9 @@
+@@ -618,44 +574,22 @@
+  */
+ static int drop_capabilities(void)
+ {
+-	int rc = 0;
+-	cap_t new_caps;
+-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
+-		CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
+-		CAP_DAC_OVERRIDE
+-	};
+-
+-	if (!getuid())
++	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+ 		return 0;
+ 
+-	/* Non-root caller, suid root path */
+-	new_caps = cap_init();
+-	if (!new_caps) {
+-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+-		return -1;
+-	}
+-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
+-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
+-	if (rc) {
+-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
+-		goto out;
+-	}
++	capng_clear(CAPNG_SELECT_BOTH);
+ 
+-	/* Ensure that caps are dropped after setuid call */
+-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
+-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+-		goto out;
+-	}
++	if (capng_lock() < 0) 
++		return -1;
+ 
+-	/* We should still have root's caps, so drop most capabilities now */
+-	if ((rc = cap_set_proc(new_caps))) {
+-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
+-		goto out;
++	uid_t uid = getuid();
++	/* Change uid */
++	if (setresuid(uid, uid, uid)) {
++		fprintf(stderr, _("Error changing uid, aborting.\n"));
++		return -1;
+ 	}
+-      out:
+-	if (cap_free(new_caps))
+-		fprintf(stderr, _("Error freeing caps\n"));
+-	return rc;
++	capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE | CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
++	return capng_apply(CAPNG_SELECT_BOTH);
+ }
+ 
+ #else
+@@ -1334,6 +1268,9 @@
  
  	if (send_audit_message(1, old_context, new_context, ttyn))
  		goto err_close_pam_session;
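Review bot: In the AUDIT_LOG_PRIV drop_capabilities the root test `if (!uid) return 0;` sits after `capng_lock()`, so a root caller already has the securebits (NOROOT and NO_SETUID_FIXUP plus their lock bits, per libcap-ng's documentation) set and locked before the function decides to leave root alone, while the NAMESPACE_PRIV variant in the `@@ -618` section has no root test at all and reduces a root caller to the five listed capabilities where the replaced code returned early on `!getuid()`; the two variants should agree, and if root is meant to keep its privileges the `getuid()` check belongs before `capng_clear()`/`capng_lock()`. The error paths `if (capng_lock() < 0) return -1;` and `return capng_apply(CAPNG_SELECT_BOTH);` (and the unchecked `capng_update()` calls) no longer print anything, whereas the libcap code they replace reported every failure, so the caller only sees a non-zero return; a `fprintf(stderr, _("Error dropping capabilities, aborting\n"));` before each failing return would keep that diagnostic. The early `capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL` return, which also appears in seunshare's drop_capabilities in the `@@ -2243` hunk, deserves a comment such as `/* Partial set (e.g. file capabilities): keep the caps as granted and skip the uid change; only a full set is reduced below */`, because the function name no longer describes what happens in that case. The `Binary files … differ` lines (hashtab.o, newrole, newrole.o here, seunshare and seunshare.o in later hunks) show the patch was regenerated from a built tree; they are noise in the patch file.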
@@ -416,6 +555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  #ifdef NAMESPACE_PRIV
  	if (transition_to_caller_uid())
  		goto err_close_pam_session;
+Binary files nsapolicycoreutils/newrole/newrole.o and policycoreutils-2.0.83/newrole/newrole.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile	2010-05-19 14:45:51.000000000 -0400
 +++ policycoreutils-2.0.83/restorecond/Makefile	2010-10-29 09:54:43.000000000 -0400
@@ -2147,6 +2287,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
      export EXITCODE=$?
      kill -HUP 0
      break
+Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
 --- nsapolicycoreutils/sandbox/seunshare.8	1969-12-31 19:00:00.000000000 -0500
 +++ policycoreutils-2.0.83/sandbox/seunshare.8	2010-10-29 09:54:43.000000000 -0400
@@ -2190,7 +2331,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Thomas Liu <tliu at fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-10-29 09:54:43.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-11-01 16:13:56.000000000 -0400
 @@ -1,13 +1,21 @@
 +/*
 + * Authors: Dan Walsh <dwalsh at redhat.com>
@@ -2230,7 +2371,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  #ifdef USE_NLS
  #include <locale.h>		/* for setlocale() */
  #include <libintl.h>		/* for gettext() */
-@@ -39,6 +44,12 @@
+@@ -39,16 +44,26 @@
  #define MS_PRIVATE 1<<18
  #endif
  
@@ -2243,7 +2384,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  /**
   * This function will drop all capabilities 
   * Returns zero on success, non-zero otherwise
-@@ -134,42 +145,98 @@
+  */
+ static int drop_capabilities(uid_t uid)
+ {
++	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
++		return 0;
++
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 
+ 	if (capng_lock() < 0) 
+ 		return -1;
++
+ 	/* Change uid */
+ 	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
+@@ -134,42 +149,98 @@
  static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
  	if (verbose)
  		printf("Mount %s on %s\n", src, dst);
@@ -2302,9 +2457,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	syslog(LOG_AUTHPRIV | LOG_ALERT, string);
 +	exit(-1);
 +
- }
- 
--#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++}
++
 +
 +int match(const char *string, char *pattern) {
 +	int status;
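Review bot: `syslog(LOG_AUTHPRIV | LOG_ALERT, string);` just above the closing brace passes `string` as the format argument; unless it is guaranteed to contain no conversion specifiers it should be `syslog(LOG_AUTHPRIV | LOG_ALERT, "%s", string);`. This line is context here rather than part of this commit's change, and the function it belongs to starts outside the hunk.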
@@ -2318,8 +2472,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		return 0;
 +	}
 +	return 1;
-+}
-+
+ }
+ 
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
 +void config_error() {
 +	fprintf(stderr, "Error parsing config file.");
 +	exit(-1);
@@ -2347,7 +2502,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  		{NULL, 0, 0, 0}
  	};
  
-@@ -180,6 +247,12 @@
+@@ -180,6 +251,12 @@
  		return -1;
  	}
  
@@ -2360,7 +2515,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  	struct passwd *pwd=getpwuid(uid);
  	if (!pwd) {
  		perror(_("getpwduid failed"));
-@@ -192,30 +265,30 @@
+@@ -192,30 +269,30 @@
  	}
  
  	while (1) {
@@ -2400,7 +2555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  		default:
  			fprintf(stderr, "%s\n", USAGE_STRING);
  			return -1;
-@@ -223,21 +296,179 @@
+@@ -223,21 +300,179 @@
  	}
  
  	if (! homedir_s && ! tmpdir_s) {
@@ -2586,7 +2741,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  
          if (unshare(CLONE_NEWNS) < 0) {
  		perror(_("Failed to unshare"));
-@@ -286,11 +517,13 @@
+@@ -286,11 +521,13 @@
  			exit(-1);
  		}
  		
@@ -2605,7 +2760,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  		}
  
  		if (display) 
-@@ -305,17 +538,14 @@
+@@ -305,17 +542,14 @@
  			perror(_("Failed to change dir to homedir"));
  			exit(-1);
  		}
@@ -2624,6 +2779,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -
  	return status;
  }
+Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
 --- nsapolicycoreutils/scripts/chcat	2010-05-19 14:45:51.000000000 -0400
 +++ policycoreutils-2.0.83/scripts/chcat	2010-10-29 09:54:43.000000000 -0400
diff --git a/policycoreutils.spec b/policycoreutils.spec
index c9689a0..b581c81 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -64,7 +64,7 @@ context.
 %patch4 -p1 -b .sepolgen
 
 %build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE -DUSE_FILECAP" LDFLAGS="-pie -Wl,-z,relro" all 
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all 
 make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
 
 %install
@@ -192,7 +192,8 @@ or level of a logged in user.
 
 %files newrole
 %defattr(-,root,root)
-%attr(0755,root,root) %caps(cap_audit_write=pe) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
+
 %{_mandir}/man1/newrole.1.gz
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
 
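Review bot: The new `%caps(cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe)` line gives a world-executable newrole CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and CAP_DAC_OVERRIDE as effective file capabilities, and if a process holding only file capabilities is reported as less than CAPNG_FULL (which the patched drop_capabilities() test appears to assume), that set is never reduced and stays effective for newrole's whole run, including the PAM conversation. Nothing in the spec records why each capability is needed; a comment above the line naming the code path that requires each one, e.g. `# <cap>: needed by <newrole code path> (drop_capabilities() keeps file caps as granted)`, would make the grant reviewable when the list changes. The added blank line after the `%caps` line looks unintentional.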
@@ -239,7 +240,7 @@ rm -rf %{buildroot}
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
-%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/setsebool
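Review bot: Dropping cap_setpcap from seunshare's file capabilities means `capng_lock()` (a PR_SET_SECUREBITS prctl, which requires CAP_SETPCAP) could no longer succeed in the file-capability case; that is only safe because the patched drop_capabilities() now returns before calling it when the set is not CAPNG_FULL, so the spec change and the C change depend on each other and nothing here says so. Likewise, without cap_setuid the `setresuid(uid, uid, uid)` call in that function can only succeed for the process's own uid, and it too is skipped on that path. A short comment above the `%caps` line tying the reduced grant to the drop_capabilities() early return would keep a later capability change from silently reintroducing either failure.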
@@ -326,6 +327,9 @@ fi
 exit 0
 
 %changelog
+* Mon Nov 1 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-35
+- Check if you have full privs and reset otherwise dont drop caps
+
 * Mon Nov 1 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-34
 - Fix setools require line
 

