From 42e269dd3c4a7e9b2b3182c2691acbadef7e1d86 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Fri, 23 Dec 2011 10:08:38 +0000
Subject: [PATCH] Fix the handling of namespaces in seunshare/sandbox. Currently mounting of directories within sandbox is propogating to the parent namesspace.
---
 policycoreutils-rhat.patch | 91 ++++++++++++++++++++++++--------------
 policycoreutils.spec | 7 ++-
 2 files changed, 64 insertions(+), 34 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index f73410d..19ffd0b 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -81,47 +81,72 @@ index 9db766c..92034be 100644
 * Do not execvp the command directly from run_init; since it would run * under with a pty under sysadm_devpts_t. Instead, we call open_init_tty,
 diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index c493e98..0bc35f3 100644
+index c493e98..902792e 100644
 --- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c -@@ -59,7 +59,7 @@ static int verbose = 0; - static int child = 0; +@@ -43,8 +43,8 @@ + #define MS_REC 1<<14 + #endif - static capng_select_t cap_set = CAPNG_SELECT_BOTH; -- -+static int var_tmp_mounted = 0; - /** - * This function will drop all capabilities. +-#ifndef MS_PRIVATE +-#define MS_PRIVATE 1<<18 ++#ifndef MS_SLAVE ++#define MS_SLAVE 1<<19 + #endif + + #ifndef PACKAGE +@@ -255,7 +255,7 @@ static int verify_shell(const char *shell_name) */ -@@ -292,6 +292,8 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st - fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno)); - return -1; - } -+ var_tmp_mounted = 1; -+ - if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) { - fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno)); - return -1; -@@ -1031,12 +1033,18 @@ childerr: - exit(-1); + static int seunshare_mount(const char *src, const char *dst, struct stat *src_st) + { +- int flags = MS_REC; ++ int flags = 0; + int is_tmp = 0; + + if (verbose) +@@ -267,14 +267,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st } -- drop_caps(); -- - /* parent waits for child exit to do the cleanup */ - waitpid(child, &status, 0); - status_to_retval(status, status); + /* mount directory */ +- if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) { +- fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno)); +- return -1; +- } +- if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) { +- fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno)); +- return -1; +- } + if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { + fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); + return -1; +@@ -288,14 +280,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st + if (verbose) + printf(_("Mounting /tmp on 
/var/tmp\n")); -+ if (var_tmp_mounted) { -+ /* attempt to umount /var/tmp twice on exit */ -+ if (umount("/var/tmp") < 0) perror("umount /var/tmp"); -+ if (umount("/var/tmp") < 0) perror("umount /var/tmp"); -+ } +- if (mount("/var/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) { +- fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno)); +- return -1; +- } +- if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) { +- fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno)); +- return -1; +- } + if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) { + fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno)); + return -1; +@@ -967,6 +951,13 @@ int main(int argc, char **argv) { + goto childerr; + } + ++ /* Remount / as SLAVE so that nothing mounted in the namespace ++ shows up in the parent */ ++ if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) { ++ fprintf(stderr, _("Failed to make / a SLAVE mountpoint\n")); ++ goto childerr; ++ } + -+ drop_caps(); -+ - /* Make sure all child processes exit */ - kill(-child,SIGTERM); + /* assume fsuid==ruid after this point */ + setfsuid(uid);
 diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
 index ab696a7..58b19cd 100644
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 4cd2c09..a89dbf8 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.1.10
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
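Review bot: The error path of the new `mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL)` call in main() drops the errno text that every other mount failure in seunshare_mount reports, so a permission denial and a bad-flag failure look identical in the log; `fprintf(stderr, _("Failed to make / a SLAVE mountpoint: %s\n"), strerror(errno));` matches the rest of the file, and the stray space before the comma in `MS_REC , NULL` can go at the same time. MS_SLAVE stops propagation from the sandbox namespace to the parent, which is what the commit sets out to fix, but mounts made later in the parent still propagate into the sandbox; if the sandbox must not observe those either, `MS_PRIVATE | MS_REC` isolates both directions, though the hunk also removes the `MS_PRIVATE` fallback define that would then have to stay. The new `#define MS_SLAVE 1<<19` copies the unparenthesized form of the neighbouring `MS_REC`; `(1<<19)` avoids precedence surprises if the macro is ever used outside a plain bitwise-or. Whether the remount runs after the mount namespace has already been unshared cannot be seen from the context lines, and main() starts and ends outside the hunk.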
@@ -356,6 +356,11 @@ fi /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Fri Dec 23 2011 Dan Walsh - 2.1.10-4 +- Fix the handling of namespaces in seunshare/sandbox. +- Currently mounting of directories within sandbox is propogating to the +- parent namesspace. + * Thu Dec 22 2011 Dan Walsh - 2.1.10-3 - Add umount code to seunshare to cleanup left over mounts of /var/tmp