Remove setpriv patch and adjust SELinux policy to match.

This commit is contained in:
Bojan Smojver 2021-01-02 11:19:51 +11:00
parent f569bf929f
commit 0b41ec2904
3 changed files with 16 additions and 68 deletions

View File

@ -1,54 +0,0 @@
diff -ruN xrdp-0.9.15-v/sesman/session.c xrdp-0.9.15/sesman/session.c
--- xrdp-0.9.15-v/sesman/session.c 2020-12-29 01:03:43.000000000 +1100
+++ xrdp-0.9.15/sesman/session.c 2020-12-29 10:31:37.895699198 +1100
@@ -33,10 +33,6 @@
#include "config_ac.h"
#endif
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#endif
-
#include "sesman.h"
#include "libscp_types.h"
#include "xauth.h"
@@ -668,20 +664,7 @@
if (type == SESMAN_SESSION_TYPE_XORG)
{
-#ifdef HAVE_SYS_PRCTL_H
- /*
- * Make sure Xorg doesn't run setuid root. Root access is not
- * needed. Xorg can fail when run as root and the user has no
- * console permissions.
- * PR_SET_NO_NEW_PRIVS requires Linux kernel 3.5 and newer.
- */
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
- {
- LOG(LOG_LEVEL_WARNING,
- "Failed to disable setuid on X server: %s",
- g_get_strerror());
- }
-#endif
+ char *setpriv = g_strdup("setpriv");
xserver_params = list_create();
xserver_params->auto_free = 1;
@@ -690,6 +673,8 @@
xserver = g_strdup((const char *)list_get_item(g_cfg->xorg_params, 0));
/* these are the must have parameters */
+ list_add_item(xserver_params, (tintptr) setpriv);
+ list_add_item(xserver_params, (tintptr) g_strdup("--no-new-privs"));
list_add_item(xserver_params, (tintptr) g_strdup(xserver));
list_add_item(xserver_params, (tintptr) g_strdup(screen));
list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
@@ -713,7 +698,7 @@
g_setenv("XRDP_START_HEIGHT", geometry, 1);
/* fire up Xorg */
- g_execvp(xserver, pp1);
+ g_execvp(setpriv, pp1);
}
else if (type == SESMAN_SESSION_TYPE_XVNC)
{

View File

@ -13,7 +13,7 @@ Summary: Open source remote desktop protocol (RDP) server
Name: xrdp
Epoch: 1
Version: 0.9.15
Release: 2%{?dist}
Release: 3%{?dist}
License: ASL 2.0 and GPLv2+ and MIT
URL: http://www.xrdp.org/
Source0: https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xrdp-%{version}.tar.gz
@ -27,13 +27,12 @@ Source7: xrdp-polkit-1.rules
Patch0: xrdp-0.9.9-sesman.patch
Patch1: xrdp-0.9.14-xrdp-ini.patch
Patch2: xrdp-0.9.4-service.patch
Patch3: xrdp-0.9.15-setpriv.patch
Patch4: xrdp-0.9.10-scripts-libexec.patch
Patch5: xrdp-0.9.6-script-interpreter.patch
Patch6: xrdp-0.9.15-arch.patch
Patch7: xrdp-0.9.14-vnc-uninit.patch
Patch3: xrdp-0.9.10-scripts-libexec.patch
Patch4: xrdp-0.9.6-script-interpreter.patch
Patch5: xrdp-0.9.15-arch.patch
Patch6: xrdp-0.9.14-vnc-uninit.patch
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 8
Patch8: xrdp-0.9.15-sesman-ini.patch
Patch7: xrdp-0.9.15-sesman-ini.patch
%endif
BuildRequires: gcc
@ -280,6 +279,9 @@ fi
%{_datadir}/selinux/*/%{name}.pp
%changelog
* Sat Jan 2 2021 Bojan Smojver <bojan@rexurive.com> - 1:0.9.15-3
- Remove setpriv patch and adjust SELinux policy to match
* Fri Jan 1 2021 Bojan Smojver <bojan@rexurive.com> - 1:0.9.15-2
- Use /usr/libexec/Xorg or Xorg session of Fedora and RHEL8+

14
xrdp.te
View File

@ -1,27 +1,27 @@
module xrdp 1.0.2;
module xrdp 1.0.3;
require {
type unconfined_service_t;
type unconfined_t;
type unlabeled_t;
type xserver_exec_t;
type xserver_t;
type oddjob_t;
type oddjob_mkhomedir_exec_t;
class process transition;
class process2 nnp_transition;
class file entrypoint;
class process2 nnp_transition;
class vsock_socket { getattr read write };
}
#============= unconfined_service_t ==============
allow unconfined_service_t unconfined_t:process transition;
allow unconfined_service_t unconfined_t:process2 nnp_transition;
allow unconfined_service_t oddjob_mkhomedir_exec_t:file entrypoint;
allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
#============= unconfined_t ==============
allow unconfined_t xserver_exec_t:file entrypoint;
allow unconfined_t xserver_t:process2 nnp_transition;
#============= oddjob_t ==============
allow oddjob_t unconfined_service_t:process transition;