Fix the handling of namespaces in seunshare/sandbox.

Currently, mounting directories within the sandbox propagates to the
parent namespace.
This commit is contained in:
Dan Walsh 2011-12-23 10:08:38 +00:00
parent 6525007747
commit 42e269dd3c
2 changed files with 64 additions and 34 deletions


@ -81,47 +81,72 @@ index 9db766c..92034be 100644
* Do not execvp the command directly from run_init; since it would run * Do not execvp the command directly from run_init; since it would run
* under with a pty under sysadm_devpts_t. Instead, we call open_init_tty, * under with a pty under sysadm_devpts_t. Instead, we call open_init_tty,
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index c493e98..0bc35f3 100644 index c493e98..902792e 100644
--- a/policycoreutils/sandbox/seunshare.c --- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c
@@ -59,7 +59,7 @@ static int verbose = 0; @@ -43,8 +43,8 @@
static int child = 0; #define MS_REC 1<<14
#endif
static capng_select_t cap_set = CAPNG_SELECT_BOTH; -#ifndef MS_PRIVATE
- -#define MS_PRIVATE 1<<18
+static int var_tmp_mounted = 0; +#ifndef MS_SLAVE
/** +#define MS_SLAVE 1<<19
* This function will drop all capabilities. #endif
#ifndef PACKAGE
@@ -255,7 +255,7 @@ static int verify_shell(const char *shell_name)
*/ */
@@ -292,6 +292,8 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno)); {
return -1; - int flags = MS_REC;
} + int flags = 0;
+ var_tmp_mounted = 1; int is_tmp = 0;
+
if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) { if (verbose)
fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno)); @@ -267,14 +267,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
return -1;
@@ -1031,12 +1033,18 @@ childerr:
exit(-1);
} }
- drop_caps(); /* mount directory */
- - if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) {
/* parent waits for child exit to do the cleanup */ - fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
waitpid(child, &status, 0); - return -1;
status_to_retval(status, status); - }
- if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
- fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
- return -1;
- }
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
return -1;
@@ -288,14 +280,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
if (verbose)
printf(_("Mounting /tmp on /var/tmp\n"));
+ if (var_tmp_mounted) { - if (mount("/var/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
+ /* attempt to umount /var/tmp twice on exit */ - fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
+ if (umount("/var/tmp") < 0) perror("umount /var/tmp"); - return -1;
+ if (umount("/var/tmp") < 0) perror("umount /var/tmp"); - }
+ } - if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
- fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
- return -1;
- }
if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
return -1;
@@ -967,6 +951,13 @@ int main(int argc, char **argv) {
goto childerr;
}
+ /* Remount / as SLAVE so that nothing mounted in the namespace
+ shows up in the parent */
+ if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
+ fprintf(stderr, _("Failed to make / a SLAVE mountpoint\n"));
+ goto childerr;
+ }
+ +
+ drop_caps(); /* assume fsuid==ruid after this point */
+ setfsuid(uid);
/* Make sure all child processes exit */
kill(-child,SIGTERM);
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
index ab696a7..58b19cd 100644 index ab696a7..58b19cd 100644
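Review bot: The failure path of the new `mount("/", "/", NULL, MS_SLAVE | MS_REC, NULL)` call in main() drops errno, so an EPERM versus EINVAL (e.g. a kernel without MS_SLAVE support, which the new `#ifndef MS_SLAVE` fallback define suggests is anticipated) is indistinguishable to the user; every other mount error in seunshare_mount prints strerror, so this one should too: `fprintf(stderr, _("Failed to make / a SLAVE mountpoint: %s\n"), strerror(errno));`. Two behavioural caveats are worth a comment next to that call, since they are not stated in the commit: MS_SLAVE stops mounts made inside the sandbox from reaching the parent but still lets later mounts in the parent namespace propagate into the sandbox, so if full isolation was intended MS_PRIVATE | MS_REC is the flag, and if the one-way visibility is deliberate the comment should say so. Likewise, changing the default in seunshare_mount from `int flags = MS_REC;` to `int flags = 0;` means submounts beneath src are no longer carried by the bind mount; if that is intended, a one-line comment such as `/* non-recursive: submounts under src are deliberately not exposed */` would keep the next maintainer from "fixing" it back. The enclosing functions (seunshare_mount and main) both start and end outside the visible hunks, and the side-by-side rendering makes the final placement of drop_caps()/setfsuid() relative to the mount hard to confirm from this page.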


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.10 Version: 2.1.10
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -356,6 +356,11 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || : /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Fri Dec 23 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
- Fix the handling of namespaces in seunshare/sandbox.
- Currently mounting of directories within sandbox is propogating to the
- parent namesspace.
* Thu Dec 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3 * Thu Dec 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
- Add umount code to seunshare to cleanup left over mounts of /var/tmp - Add umount code to seunshare to cleanup left over mounts of /var/tmp