113 lines
3.8 KiB
Diff
113 lines
3.8 KiB
Diff
diff -up at-3.1.14/atd.c.selinux2 at-3.1.14/atd.c
|
|
--- at-3.1.14/atd.c.selinux2 2013-12-04 11:27:28.729005384 +0100
|
|
+++ at-3.1.14/atd.c 2013-12-04 11:30:17.709091150 +0100
|
|
@@ -83,6 +83,14 @@
|
|
#include "getloadavg.h"
|
|
#endif
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+#include <selinux/selinux.h>
|
|
+#include <selinux/get_context_list.h>
|
|
+int selinux_enabled=0;
|
|
+#include <selinux/flask.h>
|
|
+#include <selinux/av_permissions.h>
|
|
+#endif
|
|
+
|
|
#ifndef LOG_ATD
|
|
#define LOG_ATD LOG_DAEMON
|
|
#endif
|
|
@@ -191,6 +199,68 @@ myfork()
|
|
#define fork myfork
|
|
#endif
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+static int set_selinux_context(const char *name, const char *filename) {
|
|
+ security_context_t user_context=NULL;
|
|
+ security_context_t file_context=NULL;
|
|
+ struct av_decision avd;
|
|
+ int retval=-1;
|
|
+ char *seuser=NULL;
|
|
+ char *level=NULL;
|
|
+
|
|
+ if (getseuserbyname(name, &seuser, &level) == 0) {
|
|
+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ if (retval) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("execle: couldn't get security context for user %s\n", name);
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Since crontab files are not directly executed,
|
|
+ * crond must ensure that the crontab file has
|
|
+ * a context that is appropriate for the context of
|
|
+ * the user cron job. It performs an entrypoint
|
|
+ * permission check for this purpose.
|
|
+ */
|
|
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
|
|
+ perr("fgetfilecon FAILED %s", filename);
|
|
+
|
|
+ retval = security_compute_av(user_context,
|
|
+ file_context,
|
|
+ SECCLASS_FILE,
|
|
+ FILE__ENTRYPOINT,
|
|
+ &avd);
|
|
+ freecon(file_context);
|
|
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
|
|
+ retval = -1;
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
+ if (setexeccon(user_context) < 0) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("Could not set exec context to %s for user %s\n", user_context,name);
|
|
+ retval = -1;
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
|
|
+ }
|
|
+ }
|
|
+ err:
|
|
+ freecon(user_context);
|
|
+ return 0;
|
|
+}
|
|
+#endif
|
|
+
|
|
static void
|
|
run_file(const char *filename, uid_t uid, gid_t gid)
|
|
{
|
|
@@ -419,6 +489,13 @@ run_file(const char *filename, uid_t uid
|
|
|
|
nice((tolower((int) queue) - 'a' + 1) * 2);
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ if (selinux_enabled > 0) {
|
|
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
|
|
+ perr("SELinux Failed to set context\n");
|
|
+ }
|
|
+#endif
|
|
+
|
|
if (initgroups(pentry->pw_name, pentry->pw_gid))
|
|
perr("Cannot initialize the supplementary group access list");
|
|
|
|
@@ -712,6 +789,10 @@ main(int argc, char *argv[])
|
|
struct passwd *pwe;
|
|
struct group *ge;
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ selinux_enabled=is_selinux_enabled();
|
|
+#endif
|
|
+
|
|
/* We don't need root privileges all the time; running under uid and gid
|
|
* daemon is fine.
|
|
*/
|