rpms/policycoreutils
5
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-30

Browse Source 
- Add cgroup support for sandbox
This commit is contained in:
Daniel J Walsh 2010-06-08 19:13:40 +00:00
parent c6d112a36e
commit 73342918cd
2 changed files with 326 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

361
policycoreutils-rhat.patch
View File

@ -1549,8 +1549,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.82/sandbox/Makefile
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/Makefile 2010-05-25 16:18:41.000000000 -0400
@@ -0,0 +1,42 @@
+++ policycoreutils-2.0.82/sandbox/Makefile 2010-06-08 15:05:27.000000000 -0400
@@ -0,0 +1,44 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/
@ -1561,7 +1561,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+LOCALEDIR ?= /usr/share/locale
+SHAREDIR ?= $(PREFIX)/share/sandbox
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
+LDLIBS += -lselinux -lcap-ng
+LDLIBS += -lcgroup -lselinux -lcap-ng
+
+all: sandbox seunshare sandboxX.sh
+
@ -1574,6 +1574,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ -mkdir -p $(MANDIR)/man8
+ install -m 644 sandbox.8 $(MANDIR)/man8/
+ install -m 644 seunshare.8 $(MANDIR)/man8/
+ -mkdir -p $(MANDIR)/man5
+ install -m 644 sandbox.conf.5 $(MANDIR)/man5/
+ -mkdir -p $(SBINDIR)
+ install -m 4755 seunshare $(SBINDIR)/
+ -mkdir -p $(SHAREDIR)
@ -1581,7 +1583,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ -mkdir -p $(INITDIR)
+ install -m 755 sandbox.init $(INITDIR)/sandbox
+ -mkdir -p $(SYSCONFDIR)
+ install -m 644 sandbox.config $(SYSCONFDIR)/sandbox
+ install -m 644 sandbox.conf $(SYSCONFDIR)/sandbox
+
+test:
+ @python test_sandbox.py -v
@ -1595,10 +1597,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.82/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox 2010-06-03 16:30:17.000000000 -0400
@@ -0,0 +1,427 @@
+++ policycoreutils-2.0.82/sandbox/sandbox 2010-06-08 15:12:00.000000000 -0400
@@ -0,0 +1,434 @@
+#! /usr/bin/python -E
+# Authors: Dan Walsh <dwalsh@redhat.com>
+# Authors: Thomas Liu <tliu@fedoraproject.org>
+# Authors: Josh Cogliati
+#
+# Copyright (C) 2009,2010 Red Hat
@ -1885,6 +1888,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ parser.add_option("-l", "--level", dest="level",
+ help=_("MCS/MLS level for the sandbox"))
+
+ parser.add_option("-C", "--cgroups",
+ action="store_true", dest="usecgroup", default=False,
+ help="Use cgroups to limit this sandbox.")
+
+ self.__parser=parser
+
+ self.__options, cmds = parser.parse_args()
@ -1960,22 +1967,24 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+
+ def __execute(self):
+ try:
+ if self.__options.X_ind:
+ xmodmapfile = self.__homedir + "/.xmodmap"
+ xd = open(xmodmapfile,"w")
+ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
+ xd.close()
+
+ self.__setup_sandboxrc(self.__options.wm)
+
+ cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ]
+ rc = subprocess.Popen(cmds).wait()
+ return rc
+
+ cmds = [ '/usr/sbin/seunshare', "-Z", self.__execcon ]
+ if self.__options.usecgroup == True:
+ cmds.append('-c')
+ if self.__mount:
+ cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
+ rc = subprocess.Popen(cmds).wait()
+ return rc
+ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]
+
+ if self.__options.X_ind:
+ xmodmapfile = self.__homedir + "/.xmodmap"
+ xd = open(xmodmapfile,"w")
+ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
+ xd.close()
+
+ self.__setup_sandboxrc(self.__options.wm)
+
+ cmds += [ "--", "/usr/share/sandbox/sandboxX.sh" ]
+ else:
+ cmds += [ "--" ] + self.__paths
+ return subprocess.Popen(cmds).wait()
+
+ selinux.setexeccon(self.__execcon)
+ rc = subprocess.Popen(self.__cmds).wait()
@ -2026,8 +2035,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.82/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-05-27 13:42:03.000000000 -0400
@@ -0,0 +1,64 @@
+++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-06-08 14:41:10.000000000 -0400
@@ -0,0 +1,69 @@
+.TH SANDBOX "8" "May 2010" "sandbox" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
@ -2083,6 +2092,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for
+$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+.TP
+\fB\-C\fR
+Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+.PP
+.SH "SEE ALSO"
+.TP
@ -2092,12 +2104,63 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.SH AUTHOR
+This manual page was written by
+.I Dan Walsh <dwalsh@redhat.com>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.82/sandbox/sandbox.config
--- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox.config 2010-04-28 17:12:19.000000000 -0400
@@ -0,0 +1,2 @@
+and
+.I Thomas Liu <tliu@fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.82/sandbox/sandbox.conf
--- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox.conf 2010-06-08 14:41:59.000000000 -0400
@@ -0,0 +1,7 @@
+# Space separate list of homedirs
+HOMEDIRS="/home"
+# Control group configuration
+NAME=sandbox
+CPUAFFINITY=ALL
+MEMUSAGE=80%
+CPUUSAGE=80%
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.82/sandbox/sandbox.conf.5
--- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox.conf.5 2010-06-08 14:41:19.000000000 -0400
@@ -0,0 +1,40 @@
+.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
+.SH NAME
+sandbox.conf \- user config file for the SELinux sandbox
+.SH DESCRIPTION
+.PP
+When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
+
+.PP
+Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("=").
+
+.PP
+These keywords are allowed.
+
+.RS
+.TP
+.B NAME
+The name of the sandbox control group. Default is "sandbox".
+
+.TP
+.B CPUAFFINITY
+Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5
+
+.TP
+.B MEMUSAGE
+How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M
+
+.TP
+.B CPUUSAGE
+Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50%
+
+
+
+.SH "SEE ALSO"
+.TP
+sandbox(8)
+.PP
+
+.SH AUTHOR
+This manual page was written by
+.I Thomas Liu <tliu@fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.82/sandbox/sandbox.init
--- nsapolicycoreutils/sandbox/sandbox.init 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox.init 2010-06-03 17:11:59.000000000 -0400
@ -2195,8 +2258,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+exit 0
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.82/sandbox/seunshare.8
--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-05-21 08:12:39.000000000 -0400
@@ -0,0 +1,29 @@
+++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-06-08 14:41:19.000000000 -0400
@@ -0,0 +1,34 @@
+.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
+.SH NAME
+seunshare \- Run cmd under an SELinux context
@ -2217,6 +2280,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+\fB\-t\ tmpdir
+Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
+.TP
+\fB\-c cgroups\fR
+Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+.TP
+\fB\-v\fR
+Verbose output
+.SH "SEE ALSO"
@ -2226,10 +2292,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.SH AUTHOR
+This manual page was written by
+.I Dan Walsh <dwalsh@redhat.com>
+and
+.I Thomas Liu <tliu@fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.82/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-05-25 13:37:30.000000000 -0400
@@ -0,0 +1,313 @@
+++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-06-08 14:56:09.000000000 -0400
@@ -0,0 +1,522 @@
+/*
+ * Authors: Dan Walsh <dwalsh@redhat.com>
+ * Authors: Thomas Liu <tliu@fedoraproject.org>
+ */
+
+#define _GNU_SOURCE
+#include <signal.h>
+#include <sys/types.h>
@ -2239,8 +2312,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+#include <pwd.h>
+#include <unistd.h>
+#include <sched.h>
+#include <libcgroup.h>
+#include <string.h>
+#include <stdio.h>
+#include <regex.h>
+#include <stdlib.h>
+#include <cap-ng.h>
+#include <getopt.h> /* for getopt_long() form of getopt() */
@ -2265,6 +2340,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+#define PACKAGE "policycoreutils" /* the name of this package lang translation */
+#endif
+
+#define BUF_SIZE 1024
+
+/**
+ * This function will drop all capabilities
+ * Returns zero on success, non-zero otherwise
@ -2382,23 +2459,53 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ return 0;
+}
+
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [-Z CONTEXT] -- executable [args] ")
+
+int sandbox_error(const char *string) {
+ fprintf(stderr, string);
+ syslog(LOG_AUTHPRIV | LOG_ALERT, string);
+ exit(-1);
+
+}
+
+
+int match(const char *string, char *pattern) {
+ int status;
+ regex_t re;
+ if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
+ return 0;
+ }
+ status = regexec(&re, string, (size_t)0, NULL, 0);
+ regfree(&re);
+ if (status != 0) {
+ return 0;
+ }
+ return 1;
+}
+
+void config_error() {
+ fprintf(stderr, "Error parsing config file.");
+ exit(-1);
+}
+
+int main(int argc, char **argv) {
+ int rc;
+ int status = -1;
+
+ security_context_t scontext;
+ security_context_t scontext = NULL;
+
+ int flag_index; /* flag index in argv[] */
+ int clflag; /* holds codes for command line flags */
+ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
+ char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
+ int usecgroups = 0;
+
+ const struct option long_options[] = {
+ {"homedir", 1, 0, 'h'},
+ {"tmpdir", 1, 0, 't'},
+ {"verbose", 1, 0, 'v'},
+ {"cgroups", 1, 0, 'c'},
+ {"context", 1, 0, 'Z'},
+ {NULL, 0, 0, 0}
+ };
+
@ -2427,7 +2534,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ }
+
+ while (1) {
+ clflag = getopt_long(argc, argv, "vh:t:", long_options,
+ clflag = getopt_long(argc, argv, "cvh:t:c:m:p:Z:", long_options,
+ &flag_index);
+ if (clflag == -1)
+ break;
@ -2445,6 +2552,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ case 'v':
+ verbose = 1;
+ break;
+ case 'c':
+ usecgroups = 1;
+ break;
+ case 'Z':
+ scontext = strdup(optarg);
+ break;
+ default:
+ fprintf(stderr, "%s\n", USAGE_STRING);
+ return -1;
@ -2456,15 +2569,175 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ return -1;
+ }
+
+ if (argc - optind < 2) {
+ fprintf(stderr, _("Error: context and executable required \n %s \n"), USAGE_STRING);
+ if (argc - optind < 1) {
+ fprintf(stderr, _("Error: executable required \n %s \n"), USAGE_STRING);
+ return -1;
+ }
+
+ scontext = argv[optind++];
+
+ if (set_signal_handles())
+ return -1;
+ if (usecgroups) {
+ char *cpus = NULL; /* which CPUs to use */
+ char *cgroupname = NULL;/* name for the cgroup */
+ char *mem = NULL; /* string for memory amount to pass to cgroup */
+ int64_t memusage = 0; /* amount of memory to use max (percent) */
+ int cpupercentage = 0; /* what percentage of cpu to allow usage */
+ FILE* fp;
+ char buf[BUF_SIZE];
+ char *tok = NULL;
+ const char* fname = "/etc/sysconfig/sandbox";
+
+ if ((fp = fopen(fname, "rt")) == NULL) {
+ fprintf(stderr, "Error opening sandbox config file.");
+ exit(-1);
+ }
+ while(fgets(buf, BUF_SIZE, fp) != NULL) {
+ /* Skip comments */
+ if (buf[0] == '#') continue;
+
+ /* Copy the string, ignoring whitespace */
+ int len = strlen(buf);
+ char *str = malloc((len + 1) * sizeof(char));
+
+ int ind = 0;
+ int i;
+ for (i = 0; i < len; i++) {
+ char cur = buf[i];
+ if (cur != ' ' && cur != '\t') {
+ str[ind] = cur;
+ ind++;
+ }
+ }
+ str[ind] = '\0';
+
+ tok = strtok(str, "=\n");
+ if (tok != NULL) {
+ if (!strcmp(tok, "CPUAFFINITY")) {
+ tok = strtok(NULL, "=\n");
+ cpus = strdup(tok);
+ if (!strcmp(cpus, "ALL")) {
+ cpus = NULL;
+ }
+ } else if (!strcmp(tok, "MEMUSAGE")) {
+ tok = strtok(NULL, "=\n");
+ if (match(tok, "^[0-9]+[kKmMgG%]")) {
+ char *ind = strchr(tok, '%');
+ if (ind != NULL) {
+ *ind = '\0';;
+ memusage = atoi(tok);
+ } else {
+ mem = strdup(tok);
+ }
+ } else {
+ config_error();
+ }
+
+ } else if (!strcmp(tok, "CPUUSAGE")) {
+ tok = strtok(NULL, "=\n");
+ if (match(tok, "^[0-9]+\%")) {
+ char* ind = strchr(tok, '%');
+ *ind = '\0';
+ cpupercentage = atoi(tok);
+ } else {
+ config_error();
+ }
+ } else if (!strcmp(tok, "NAME")) {
+ tok = strtok(NULL, "=\n");
+ cgroupname = strdup(tok);
+ } else {
+ continue;
+ }
+ }
+
+
+ }
+ if (mem == NULL) {
+ long phypz = sysconf(_SC_PHYS_PAGES);
+ long psize = sysconf(_SC_PAGE_SIZE);
+ memusage = phypz * psize * (float) memusage / 100.0;
+ }
+
+ cgroup_init();
+
+ int64_t current_runtime = 0;
+ int64_t current_period = 0 ;
+ int64_t current_mem = 0;
+ char *curr_cpu_path = NULL;
+ char *curr_mem_path = NULL;
+ int ret = cgroup_get_current_controller_path(getpid(), "cpu", &curr_cpu_path);
+ if (ret) {
+ sandbox_error("Error while trying to get current controller path.\n");
+ } else {
+ struct cgroup *curr = cgroup_new_cgroup(curr_cpu_path);
+ cgroup_get_cgroup(curr);
+ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", &current_runtime);
+ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", &current_period);
+ }
+
+ ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
+ if (ret) {
+ sandbox_error("Error while trying to get current controller path.\n");
+ } else {
+ struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
+ cgroup_get_cgroup(curr);
+ cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", &current_mem);
+ }
+
+ if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) {
+ sandbox_error("CPU usage restricted!\n");
+ exit(-1);
+ }
+
+ if (mem == NULL) {
+ if (memusage > current_mem) {
+ sandbox_error("Attempting to use more memory than allowed!");
+ exit(-1);
+ }
+ }
+
+ long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
+
+ struct sched_param sp;
+ sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
+ sched_setscheduler(getpid(), SCHED_FIFO, &sp);
+ struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
+ cgroup_add_controller(sandbox_group, "memory");
+ cgroup_add_controller(sandbox_group, "cpu");
+
+ if (mem == NULL) {
+ if (memusage > 0) {
+ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
+ }
+ } else {
+ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
+ }
+ if (cpupercentage > 0) {
+ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_runtime_us",
+ (float) cpupercentage / 100.0 * 60000);
+ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_period_us",60000 * nprocs);
+ }
+ if (cpus != NULL) {
+ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
+ }
+
+ uint64_t allocated_mem;
+ if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
+ sandbox_error("Attempting to use more memory than allowed!\n");
+ exit(-1);
+ }
+
+
+ int r = cgroup_create_cgroup(sandbox_group, 1);
+ if (r != 0) {
+ sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n");
+ exit(-1);
+ }
+
+
+ cgroup_attach_task(sandbox_group);
+
+ }
+
+ if (unshare(CLONE_NEWNS) < 0) {
+ perror(_("Failed to unshare"));
@ -2513,11 +2786,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ exit(-1);
+ }
+
+ if (setexeccon(scontext)) {
+ fprintf(stderr, _("Could not set exec context to %s.\n"),
+ scontext);
+ free(display);
+ exit(-1);
+ if (scontext) {
+ if (setexeccon(scontext)) {
+ fprintf(stderr, _("Could not set exec context to %s.\n"),
+ scontext);
+ free(display);
+ exit(-1);
+ }
+ }
+
+ if (display)
@ -2533,8 +2808,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+ exit(-1);
+ }
+ setsid();
+
+ execv(argv[optind], argv + optind);
+ free(display);
+ freecon(scontext);
+ perror("execv");
+ exit(-1);
+ } else {

10
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.82
Release: 29%{?dist}
Release: 30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -30,7 +30,7 @@ Obsoletes: policycoreutils < 2.0.61-2
%global pkgpythondir %{python_sitelib}/%{name}
BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python-devel
Requires: /bin/mount /bin/egrep /bin/awk /usr/bin/diff rpm /bin/sed
@ -111,7 +111,7 @@ desktop-file-install --vendor fedora \
Summary: SELinux policy core python utilities
Group: System Environment/Base
Requires: policycoreutils = %{version}-%{release}
Requires: libsemanage-python >= %{libsemanagever} libselinux-python
Requires: libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
Requires: audit-libs-python >= %{libauditver}
Requires: /usr/bin/make
Requires(pre): python >= 2.6
@ -140,6 +140,7 @@ The policycoreutils-python package contains the management tools use to manage a
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
%{_mandir}/man5/sandbox.conf.5*
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
@ -313,6 +314,9 @@ fi
exit 0
%changelog
* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-30
- Add cgroup support for sandbox
* Mon Jun 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-29
- Allow creation of /var/cache/DOMAIN from sepolgen