rpms/policycoreutils
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Do not drop capability bounding set in seunshare, this allows sandbox to

Browse Source 
run setuid apps.
This commit is contained in:
Dan Walsh 2011-06-13 13:37:04 -04:00
parent 24d29a5015
commit 173e9f90db
2 changed files with 33 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
policycoreutils-rhat.patch
View File

@ -1603,6 +1603,28 @@ index 540860a..10175dd 100644
connects the physical terminal it was invoked upon with the pseudo connects the physical terminal it was invoked upon with the pseudo
terminal, passing keyboard input into to the child process, and passing the terminal, passing keyboard input into to the child process, and passing the
output of the child process to the physical terminal. output of the child process to the physical terminal.
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index 9db766c..068e24c 100644
--- a/policycoreutils/run_init/run_init.c
+++ b/policycoreutils/run_init/run_init.c
@@ -414,10 +414,17 @@ int main(int argc, char *argv[])
* execvp or using a exec(1) recycles pty's, and does not open a new
* one.
*/
+#ifdef USE_OPEN_INIT_PTY
if (execvp("/usr/sbin/open_init_pty", argv)) {
perror("execvp");
exit(-1);
}
+#else
+ if (execvp(argv[1], argv + 1)) {
+ perror("execvp");
+ exit(-1);
+ }
+#endif
return 0;
} /* main() */
diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
index ff0ee7c..0c8a085 100644 index ff0ee7c..0c8a085 100644
--- a/policycoreutils/sandbox/Makefile --- a/policycoreutils/sandbox/Makefile
@ -2143,7 +2165,7 @@ index 0000000..e7b8991
+and +and
+.I Thomas Liu <tliu@fedoraproject.org> +.I Thomas Liu <tliu@fedoraproject.org>
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index ec692e7..49dad71 100644 index ec692e7..52362e0 100644
--- a/policycoreutils/sandbox/seunshare.c --- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c
@@ -1,28 +1,35 @@ @@ -1,28 +1,35 @@
@ -2211,16 +2233,17 @@ index ec692e7..49dad71 100644
-static int drop_capabilities(uid_t uid) -static int drop_capabilities(uid_t uid)
+static int drop_caps() +static int drop_caps()
{ {
+ if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE) - capng_clear(CAPNG_SELECT_BOTH);
+ return 0;
capng_clear(CAPNG_SELECT_BOTH);
- -
- if (capng_lock() < 0) - if (capng_lock() < 0)
- return -1; - return -1;
- /* Change uid */ - /* Change uid */
- if (setresuid(uid, uid, uid)) { - if (setresuid(uid, uid, uid)) {
- fprintf(stderr, _("Error changing uid, aborting.\n")); - fprintf(stderr, _("Error changing uid, aborting.\n"));
+ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) { + if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
+ return 0;
+ capng_clear(CAPNG_SELECT_CAPS);
+ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
+ fprintf(stderr, _("Failed to drop all capabilities\n")); + fprintf(stderr, _("Failed to drop all capabilities\n"));
return -1; return -1;
} }

6
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.86 Version: 2.0.86
Release: 13%{?dist} Release: 14%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -336,6 +336,10 @@ fi
exit 0 exit 0
%changelog %changelog
* Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-14
- Do not drop capability bounding set in seunshare, this allows sandbox to
- run setuid apps.
* Fri Jun 10 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-13 * Fri Jun 10 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-13
- Add semanage-bash-completion.sh script - Add semanage-bash-completion.sh script