cb1e3ca81e
- statically linked app can execute untrusted app Resolves: rhbz#2097077 - fapolicyd ineffective with systemd DynamicUser=yes Resolves: rhbz#2136802 - Starting manually fapolicyd while the service is already running breaks the system Resolves: rhbz#2160517 - Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled Resolves: rhbz#2160518 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
111 lines
2.8 KiB
Diff
111 lines
2.8 KiB
Diff
diff -up ./src/daemon/fapolicyd.c.already-started ./src/daemon/fapolicyd.c
|
|
--- ./src/daemon/fapolicyd.c.already-started 2023-01-12 17:40:45.366909652 +0100
|
|
+++ ./src/daemon/fapolicyd.c 2023-01-12 17:46:22.458139519 +0100
|
|
@@ -378,6 +378,58 @@ static void usage(void)
|
|
}
|
|
|
|
|
|
+int already_running(void)
|
|
+{
|
|
+ int pidfd = open(pidfile, O_RDONLY);
|
|
+ if (pidfd >= 0) {
|
|
+ char pid_buf[16];
|
|
+
|
|
+ if (fd_fgets(pid_buf, sizeof(pid_buf), pidfd)) {
|
|
+ int pid;
|
|
+ char exe_buf[80], my_path[80];
|
|
+
|
|
+ // Get our path
|
|
+ if (get_program_from_pid(getpid(),
|
|
+ sizeof(exe_buf), my_path) == NULL)
|
|
+ goto err_out; // shouldn't happen, but be safe
|
|
+
|
|
+ // convert pidfile to integer
|
|
+ errno = 0;
|
|
+ pid = strtoul(pid_buf, NULL, 10);
|
|
+ if (errno)
|
|
+ goto err_out; // shouldn't happen, but be safe
|
|
+
|
|
+ // verify it really is fapolicyd
|
|
+ if (get_program_from_pid(pid,
|
|
+ sizeof(exe_buf), exe_buf) == NULL)
|
|
+ goto good; //if pid doesn't exist, we're OK
|
|
+
|
|
+ // If the path doesn't have fapolicyd in it, we're OK
|
|
+ if (strstr(exe_buf, "fapolicyd") == NULL)
|
|
+ goto good;
|
|
+
|
|
+ if (strcmp(exe_buf, my_path) == 0)
|
|
+ goto err_out; // if the same, we need to exit
|
|
+
|
|
+ // one last sanity check in case path is unexpected
|
|
+ // for example: /sbin/fapolicyd & /home/test/fapolicyd
|
|
+ if (pid != getpid())
|
|
+ goto err_out;
|
|
+good:
|
|
+ close(pidfd);
|
|
+ unlink(pidfile);
|
|
+ return 0;
|
|
+ } else
|
|
+ msg(LOG_ERR, "fapolicyd pid file found but unreadable");
|
|
+err_out: // At this point, we have a pid file, let's just assume it's alive
|
|
+ // because if 2 are running, it deadlocks the machine
|
|
+ close(pidfd);
|
|
+ return 1;
|
|
+ }
|
|
+ return 0; // pid file doesn't exist, we're good to go
|
|
+}
|
|
+
|
|
+
|
|
int main(int argc, const char *argv[])
|
|
{
|
|
struct pollfd pfd[2];
|
|
@@ -428,6 +480,11 @@ int main(int argc, const char *argv[])
|
|
}
|
|
}
|
|
|
|
+ if (already_running()) {
|
|
+ msg(LOG_ERR, "fapolicyd is already running");
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
// Set a couple signal handlers
|
|
sa.sa_flags = 0;
|
|
sigemptyset(&sa.sa_mask);
|
|
@@ -446,9 +503,6 @@ int main(int argc, const char *argv[])
|
|
setrlimit(RLIMIT_FSIZE, &limit);
|
|
setrlimit(RLIMIT_NOFILE, &limit);
|
|
|
|
- // Set strict umask
|
|
- (void) umask( 0117 );
|
|
-
|
|
// get more time slices because everything is waiting on us
|
|
rc = nice(-config.nice_val);
|
|
if (rc == -1)
|
|
@@ -473,17 +527,20 @@ int main(int argc, const char *argv[])
|
|
exit(1);
|
|
}
|
|
|
|
- if (preconstruct_fifo(&config)) {
|
|
- msg(LOG_ERR, "Cannot contruct a pipe");
|
|
- exit(1);
|
|
- }
|
|
-
|
|
// Setup filesystem to watch list
|
|
init_fs_list(config.watch_fs);
|
|
|
|
// Write the pid file for the init system
|
|
write_pid_file();
|
|
|
|
+ // Set strict umask
|
|
+ (void) umask( 0117 );
|
|
+
|
|
+ if (preconstruct_fifo(&config)) {
|
|
+ msg(LOG_ERR, "Cannot contruct a pipe");
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
// If we are not going to be root, then setup necessary capabilities
|
|
if (config.uid != 0) {
|
|
capng_clear(CAPNG_SELECT_BOTH);
|