* Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-3

- Security fixes for seunshare - Fix Sandbox to handle non file input to command.
2009-09-19 01:40:53 +00:00 · 2009-09-19 01:40:53 +00:00 · 425e7d2796
commit 425e7d2796
parent b98d816316
2 changed files with 24 additions and 34 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1222,8 +1222,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +relabel:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/sandbox/sandbox	2009-09-17 15:05:17.000000000 -0400
+++ policycoreutils-2.0.74/sandbox/sandbox	2009-09-18 21:38:37.000000000 -0400
-@@ -0,0 +1,202 @@
+@@ -0,0 +1,207 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl, shutil
 +import selinux
@ -1390,7 +1390,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +                         warnings.resetwarnings()
 +                         paths = []
 +                         for i in cmds:
-+                                paths.append(os.path.realpath(i))
+                                f = os.path.realpath(i)
 +                                if os.path.exists(f):
 +                                       paths.append(f)
 +                                else:
 +                                       paths.append(i)
 +                                       
 +                         copyfiles(newhomedir, newtmpdir, init_files + paths)
 +                         execfile = newhomedir + "/.sandboxrc"
 +                         fd = open(execfile, "w+")
@ -1478,8 +1483,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +done
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.74/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/sandbox/seunshare.c	2009-09-17 15:05:44.000000000 -0400
+++ policycoreutils-2.0.74/sandbox/seunshare.c	2009-09-18 09:58:46.000000000 -0400
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,265 @@
 +#include <signal.h>
 +#include <sys/types.h>
 +#include <sys/wait.h>
@ -1506,33 +1511,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +#include <unistd.h>
 +
 +/**
-+ * This function will drop the capabilities so that we are left
+ * This function will drop all capabilities 
 + * only with access to the audit system and the ability to raise
 + * CAP_SYS_ADMIN before invoking unshare and mounting a couple of directories. 
 + * These capabilities are needed for performing bind mounts/unmounts 
 + * and to create potential new instance directories with appropriate 
 + * DAC attributes. 
 + *
 + * Returns zero on success, non-zero otherwise
 + */
-+static int drop_capabilities(int all, uid_t uid)
+static int drop_capabilities(uid_t uid)
 +{
 +	capng_clear(CAPNG_SELECT_BOTH);
 +
-+	if (all) {
+	if (capng_lock() < 0) 
-+		if (capng_lock() < 0) 
+		return -1;
-+			return -1;
+	/* Change uid */
-+		/* Change uid */
+	if (setresuid(uid, uid, uid)) {
-+		if (setresuid(uid, uid, uid)) {
+		fprintf(stderr, "Error changing uid, aborting.\n");
-+			fprintf(stderr, "Error changing uid, aborting.\n");
+		return -1;
 +			return -1;
 +		}
 +	} else {
 +		if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_SETUID, -1) < 0) { 
 +			fprintf(stderr, "Error running capng_updatev\n");
 +			return -1;
 +		}
 +	}
 +
 +	return capng_apply(CAPNG_SELECT_BOTH);
 +}
@ -1626,7 +1617,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +		{"tmpdir", 1, 0, 't'},
 +		{NULL, 0, 0, 0}
 +	};
 +	capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_EFFECTIVE);
 +
 +	uid_t uid = getuid();
 +
@ -1643,10 +1633,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +
 +	if (verify_shell(pwd->pw_shell) == 0) {
 +		fprintf(stderr, "Error!  Shell is not valid.\n");
 +	}
 +
 +	if (drop_capabilities(FALSE, uid)) {
 +		perror("Failed to drop capabilities");
 +		return -1;
 +	}
 +
@ -1710,7 +1696,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +	if (tmpdir_s && verify_mount("/tmp", pwd) < 0) 
 +		return -1;
 +
-+	if (drop_capabilities(TRUE, uid)) {
+	if (drop_capabilities(uid)) {
 +		perror("Failed to drop all capabilities");
 +		return -1;
 +	}
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.74
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -297,6 +297,10 @@ fi
 exit 0
 %changelog
 * Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-3
 - Security fixes for seunshare
 - Fix Sandbox to handle non file input to command.
 * Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-2
 - Security fixes for seunshare