Add -C option to sandbox and seunshare to maintain capabilities, otherwise

the bounding set will be dropped.
Change --cgroups short name to -c rather than -C for consistency
Fix memory and fd leaks in seunshare
This commit is contained in:
Dan Walsh 2011-07-05 16:51:18 -04:00
parent 173e9f90db
commit 759501823b
3 changed files with 100 additions and 38 deletions


@ -1664,7 +1664,7 @@ index ff0ee7c..0c8a085 100644
test:
@python test_sandbox.py -v
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 48a26c2..b1e683b 100644
index 48a26c2..41a3204 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -1,5 +1,6 @@
@ -1835,13 +1835,17 @@ index 48a26c2..b1e683b 100644
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
default="/usr/bin/matchbox-window-manager -use_titlebar no",
@@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -276,13 +309,21 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-l", "--level", dest="level",
help=_("MCS/MLS level for the sandbox"))
+ parser.add_option("-C", "--cgroups",
+ parser.add_option("-c", "--cgroups",
+ action="store_true", dest="usecgroup", default=False,
+ help="Use cgroups to limit this sandbox.")
+
+ parser.add_option("-C", "--capabilities",
+ action="store_true", dest="usecaps", default=False,
+ help="Allow apps requiring capabilities to run within the sandbox.")
+
self.__parser=parser
@ -1854,7 +1858,7 @@ index 48a26c2..b1e683b 100644
if self.__options.setype:
self.setype = self.__options.setype
@@ -300,6 +337,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -300,6 +341,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
else:
@ -1865,7 +1869,7 @@ index 48a26c2..b1e683b 100644
if len(cmds) == 0:
self.usage(_("Command required"))
cmds[0] = fullpath(cmds[0])
@@ -329,44 +370,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
@@ -329,44 +374,45 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
def __setup_dir(self):
if self.__options.level or self.__options.session:
return
@ -1908,6 +1912,8 @@ index 48a26c2..b1e683b 100644
+ cmds = [ SEUNSHARE, "-Z", self.__execcon ]
+ if self.__options.usecgroup == True:
+ cmds.append('-c')
+ if self.__options.usecaps == True:
+ cmds.append('-C')
if self.__mount:
- cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
- rc = subprocess.Popen(cmds).wait()
@ -1929,7 +1935,7 @@ index 48a26c2..b1e683b 100644
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
@@ -404,7 +444,7 @@ if __name__ == '__main__':
@@ -404,7 +450,7 @@ if __name__ == '__main__':
sandbox = Sandbox()
rc = sandbox.main()
except OSError, error:
@ -1939,7 +1945,7 @@ index 48a26c2..b1e683b 100644
error_exit(error.args[0])
except KeyError, error:
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index 1479364..73d33b3 100644
index 1479364..3deb4b2 100644
--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@@ -1,10 +1,13 @@
@ -1951,11 +1957,11 @@ index 1479364..73d33b3 100644
.B sandbox
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] cmd
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] -S
+[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+
+.br
+.B sandbox
+[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
.br
.SH DESCRIPTION
.PP
@ -1972,13 +1978,16 @@ index 1479364..73d33b3 100644
\fB\-W windowmanager\fR
Select alternative window manager to run within
.B sandbox -X.
@@ -50,8 +59,17 @@ Default to /usr/bin/matchbox-window-manager.
@@ -50,8 +59,20 @@ Default to /usr/bin/matchbox-window-manager.
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+.TP
+\fB\-C\fR
+\fB\-c\fR
+Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+.TP
+\fB\-C\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
.PP
.SH "SEE ALSO"
.TP
@ -2123,16 +2132,16 @@ index 8338203..9648100 100644
break
diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
new file mode 100644
index 0000000..e7b8991
index 0000000..eeb2218
--- /dev/null
+++ b/policycoreutils/sandbox/seunshare.8
@@ -0,0 +1,37 @@
@@ -0,0 +1,40 @@
+.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
+.SH NAME
+seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
+.SH SYNOPSIS
+.B seunshare
+[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+[ -v ] [-c] [-C] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+.br
+.SH DESCRIPTION
+.PP
@ -2147,9 +2156,12 @@ index 0000000..e7b8991
+\fB\-t\ tmpdir
+Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
+.TP
+\fB\-c cgroups\fR
+\fB\-c --cgroups\fR
+Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+.TP
+\fB\-C --capabilities\fR
+Allow apps executed within the namespace to use capabilities. Default is no capabilities.
+.TP
+\fB\-Z\ context
+Use alternate SELinux context while runing the executable.
+.TP
@ -2165,7 +2177,7 @@ index 0000000..e7b8991
+and
+.I Thomas Liu <tliu@fedoraproject.org>
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index ec692e7..52362e0 100644
index ec692e7..ff61262 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -1,28 +1,35 @@
@ -2209,7 +2221,7 @@ index ec692e7..52362e0 100644
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
#include <libintl.h> /* for gettext() */
@@ -39,29 +46,47 @@
@@ -39,29 +46,48 @@
#define MS_PRIVATE 1<<18
#endif
@ -2220,10 +2232,11 @@ index ec692e7..52362e0 100644
+#define BUF_SIZE 1024
+#define DEFAULT_PATH "/usr/bin:/bin"
+
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -t tmpdir -h homedir [-Z context] -- executable [args]")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args]")
+
+static int verbose = 0;
+
+static capng_select_t cap_set = CAPNG_SELECT_BOTH;
+
/**
- * This function will drop all capabilities
@ -2240,10 +2253,10 @@ index ec692e7..52362e0 100644
- /* Change uid */
- if (setresuid(uid, uid, uid)) {
- fprintf(stderr, _("Error changing uid, aborting.\n"));
+ if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
+ if (capng_have_capabilities(cap_set) == CAPNG_NONE)
+ return 0;
+ capng_clear(CAPNG_SELECT_CAPS);
+ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
+ capng_clear(cap_set);
+ if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
+ fprintf(stderr, _("Failed to drop all capabilities\n"));
return -1;
}
@ -2271,7 +2284,7 @@ index ec692e7..52362e0 100644
*/
static int set_signal_handles(void)
{
@@ -75,8 +100,8 @@ static int set_signal_handles(void)
@@ -75,8 +101,8 @@ static int set_signal_handles(void)
(void)sigprocmask(SIG_SETMASK, &empty, NULL);
@ -2282,7 +2295,7 @@ index ec692e7..52362e0 100644
perror("Unable to set SIGHUP handler");
return -1;
}
@@ -84,23 +109,103 @@ static int set_signal_handles(void)
@@ -84,23 +110,103 @@ static int set_signal_handles(void)
return 0;
}
@ -2396,7 +2409,7 @@ index ec692e7..52362e0 100644
return 0;
}
@@ -123,7 +228,7 @@ static int verify_shell(const char *shell_name)
@@ -123,7 +229,7 @@ static int verify_shell(const char *shell_name)
/* check the shell skipping newline char */
if (!strcmp(shell_name, buf)) {
@ -2405,7 +2418,7 @@ index ec692e7..52362e0 100644
break;
}
}
@@ -131,45 +236,525 @@ static int verify_shell(const char *shell_name)
@@ -131,45 +237,530 @@ static int verify_shell(const char *shell_name)
return rc;
}
@ -2515,6 +2528,7 @@ index ec692e7..52362e0 100644
+ char buf[BUF_SIZE];
+ char *tok = NULL;
+ int rc = -1;
+ char *str = NULL;
+ const char* fname = "/etc/sysconfig/sandbox";
+
+ if ((fp = fopen(fname, "rt")) == NULL) {
@ -2527,7 +2541,8 @@ index ec692e7..52362e0 100644
+
+ /* Copy the string, ignoring whitespace */
+ int len = strlen(buf);
+ char *str = malloc((len + 1) * sizeof(char));
+ free(str);
+ str = malloc((len + 1) * sizeof(char));
+
+ int ind = 0;
+ int i;
@ -2668,6 +2683,8 @@ index ec692e7..52362e0 100644
+
+ rc = 0;
+err:
+ fclose(fp)
+ free(str);
+ free(mem);
+ free(cgroupname);
+ free(cpus);
@ -2756,9 +2773,8 @@ index ec692e7..52362e0 100644
+ free(buf); buf = NULL;
+ globfree(&fglob);
+ return rc;
}
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+}
+
+/**
+ * Clean up runtime temporary directory. Returns 0 if no problem was detected,
+ * >0 if some error was detected, but errors here are treated as non-fatal and
@ -2801,8 +2817,9 @@ index ec692e7..52362e0 100644
+ setfsuid(pwd->pw_uid);
+
+ return 0;
+}
+
}
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+/**
+ * seunshare will create a tmpdir in /tmp, with root ownership. The parent
+ * process waits for it child to exit to attempt to remove the directory. If
@ -2942,10 +2959,11 @@ index ec692e7..52362e0 100644
{"verbose", 1, 0, 'v'},
+ {"cgroups", 1, 0, 'c'},
+ {"context", 1, 0, 'Z'},
+ {"capabilities", 1, 0, 'C'},
{NULL, 0, 0, 0}
};
@@ -180,6 +765,12 @@ int main(int argc, char **argv) {
@@ -180,6 +771,12 @@ int main(int argc, char **argv) {
return -1;
}
@ -2958,7 +2976,7 @@ index ec692e7..52362e0 100644
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
@@ -187,34 +778,30 @@ int main(int argc, char **argv) {
@@ -187,34 +784,33 @@ int main(int argc, char **argv) {
}
if (verify_shell(pwd->pw_shell) < 0) {
@ -2970,7 +2988,7 @@ index ec692e7..52362e0 100644
while (1) {
- clflag = getopt_long(argc, argv, "h:t:", long_options,
- &flag_index);
+ clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, NULL);
+ clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
if (clflag == -1)
break;
@ -2999,12 +3017,15 @@ index ec692e7..52362e0 100644
+ case 'c':
+ usecgroups = 1;
+ break;
+ case 'C':
+ cap_set = CAPNG_SELECT_CAPS;
+ break;
+ case 'Z':
+ execcon = optarg;
break;
default:
fprintf(stderr, "%s\n", USAGE_STRING);
@@ -223,76 +810,84 @@ int main(int argc, char **argv) {
@@ -223,76 +819,84 @@ int main(int argc, char **argv) {
}
if (! homedir_s && ! tmpdir_s) {
@ -3138,7 +3159,7 @@ index ec692e7..52362e0 100644
if (display)
rc |= setenv("DISPLAY", display, 1);
rc |= setenv("HOME", pwd->pw_dir, 1);
@@ -300,22 +895,41 @@ int main(int argc, char **argv) {
@@ -300,22 +904,41 @@ int main(int argc, char **argv) {
rc |= setenv("USER", pwd->pw_name, 1);
rc |= setenv("LOGNAME", pwd->pw_name, 1);
rc |= setenv("PATH", DEFAULT_PATH, 1);
@ -5123,6 +5144,41 @@ index 059f629..81d6a3c 100644
case 'u':
set_mode(UPGRADE_M, optarg);
break;
diff --git a/policycoreutils/semodule_expand/semodule_expand.8 b/policycoreutils/semodule_expand/semodule_expand.8
index 22ad3be..35df2ed 100644
--- a/policycoreutils/semodule_expand/semodule_expand.8
+++ b/policycoreutils/semodule_expand/semodule_expand.8
@@ -3,7 +3,7 @@
semodule_expand \- Expand a SELinux policy module package.
.SH SYNOPSIS
-.B semodule_expand [-V -c [version]] basemodpkg outputfile
+.B semodule_expand [-V ] [ -a ] [ -c [version]] basemodpkg outputfile
.br
.SH DESCRIPTION
.PP
@@ -22,6 +22,9 @@ show version
.TP
.B \-c [version]
policy version to create
+.TP
+.B \-a
+Check assertions. This will cause the policy to check all neverallow rules.
.SH SEE ALSO
.B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8
index fb41480..29c9eb2 100644
--- a/policycoreutils/semodule_package/semodule_package.8
+++ b/policycoreutils/semodule_package/semodule_package.8
@@ -45,7 +45,6 @@ netfilter context file to be included in the package.
.SH SEE ALSO
.B checkmodule(8), semodule(8)
-(8),
.SH AUTHORS
.nf
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile
new file mode 100644
index 0000000..211580d
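Review bot: The added cleanup line `fclose(fp)` under the `err:` label in seunshare.c's cgroup setup (the hunk at `@ -2668,6 +2683,8 @@`) has no terminating semicolon as rendered here, so the patched file would not compile; it should read `fclose(fp);`, and since the fopen-failure branch earlier in that function may also reach `err:`, guarding it as `if (fp) fclose(fp);` avoids closing a NULL stream. The enclosing function starts and ends outside the visible hunk. Separately, the new `long_options` entries `{"cgroups", 1, 0, 'c'}` and `{"capabilities", 1, 0, 'C'}` declare a required argument while the short options in `"Ccvh:t:Z:"` take none and the `case 'c'`/`case 'C'` handlers never read optarg, so `--capabilities` on its own will be rejected by getopt_long; the has_arg field should be `0` for both (the pre-existing `verbose` entry has the same mismatch). The USAGE_STRING in the same file shows `-C` outside brackets, unlike the sandbox and seunshare man pages which present it as optional `[-C]`.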


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.86
Release: 14%{?dist}
Release: 15%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -336,6 +336,12 @@ fi
exit 0
%changelog
* Mon Jul 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-15
- Add -C option to sandbox and seunshare to maintain capabilities, otherwise
the bounding set will be dropped.
- Change --cgroups short name -c rather then -C for consistancy
- Fix memory and fd leaks in seunshare
* Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-14
- Do not drop capability bounding set in seunshare, this allows sandbox to
- run setuid apps.


@ -59,7 +59,7 @@ __get_user_opts () { echo '$ALL_OPTS $MANAGED_OPTS -L -r -R --role '; }
__get_login_opts () { echo '$ALL_OPTS $MANAGED_OPTS -s -r '; }
__get_port_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t -type -r --range -p --proto'; }
__get_interface_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type '; }
__get_node_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type '; }
__get_node_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type -M --mask -p --proto'; }
__get_fcontext_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type -e --equal -f --ftype '; }
__get_module_opts () { echo '$ALL_OPTS --enable --disable '; }
__get_dontaudit_opts () { echo '-S on off' ; }