From d7e1c238f43afb08a3e56fdecab7ec47b2b858bb Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 1 Nov 2010 16:21:00 -0400 Subject: [PATCH] - Check if you have full privs and reset otherwise dont drop caps --- policycoreutils-rhat.patch | 214 ++++++++++++++++++++++++++++++++----- policycoreutils.spec | 12 ++- 2 files changed, 193 insertions(+), 33 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 4c868d6..120fa90 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -385,28 +385,167 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) +Binary files nsapolicycoreutils/newrole/hashtab.o and policycoreutils-2.0.83/newrole/hashtab.o differ +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile +--- nsapolicycoreutils/newrole/Makefile 2010-05-19 14:45:51.000000000 -0400 ++++ policycoreutils-2.0.83/newrole/Makefile 2010-11-01 15:32:24.000000000 -0400 +@@ -50,7 +50,7 @@ + endif + ifeq (${IS_SUID},y) + MODE := 4555 +- LDLIBS += -lcap ++ LDLIBS += -lcap-ng + else + MODE := 0555 + endif +Binary files nsapolicycoreutils/newrole/newrole and policycoreutils-2.0.83/newrole/newrole differ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c --- nsapolicycoreutils/newrole/newrole.c 2010-05-19 14:45:51.000000000 -0400 -+++ policycoreutils-2.0.83/newrole/newrole.c 2010-10-29 09:54:43.000000000 -0400 -@@ -537,7 +537,7 @@ - * - * Returns zero on success, non-zero otherwise - */ --#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) -+#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) && !defined(USE_FILECAP) ++++ policycoreutils-2.0.83/newrole/newrole.c 2010-11-01 16:14:01.000000000 -0400 +@@ -77,7 +77,7 @@ + #endif + #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV) + #include +-#include ++#include + #endif + #ifdef USE_NLS + #include /* for setlocale() */ +@@ -540,67 +540,23 @@ + #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) static int drop_capabilities(void) { - int rc = 0; -@@ -602,7 +602,7 @@ - fprintf(stderr, _("Error freeing caps\n")); - return rc; +- int rc = 0; +- cap_t new_caps, tmp_caps; +- cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; +- cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID }; +- 
uid_t uid = getuid(); +- +- if (!uid) ++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL) + return 0; + +- /* Non-root caller, suid root path */ +- new_caps = cap_init(); +- tmp_caps = cap_init(); +- if (!new_caps || !tmp_caps) { +- fprintf(stderr, _("Error initializing capabilities, aborting.\n")); +- return -1; +- } +- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET); +- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET); +- rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET); +- rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET); +- if (rc) { +- fprintf(stderr, _("Error setting capabilities, aborting\n")); +- goto out; +- } +- +- /* Keep capabilities across uid change */ +- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { +- fprintf(stderr, _("Error setting KEEPCAPS, aborting\n")); +- rc = -1; +- goto out; +- } ++ capng_clear(CAPNG_SELECT_BOTH); + +- /* Does this temporary change really buy us much? */ +- /* We should still have root's caps, so drop most capabilities now */ +- if ((rc = cap_set_proc(tmp_caps))) { +- fprintf(stderr, _("Error dropping capabilities, aborting\n")); +- goto out; +- } ++ if (capng_lock() < 0) ++ return -1; ++ uid_t uid = getuid(); ++ if (!uid) return 0; + + /* Change uid */ +- if ((rc = setresuid(uid, uid, uid))) { ++ if (setresuid(uid, uid, uid)) { + fprintf(stderr, _("Error changing uid, aborting.\n")); +- goto out; +- } +- +- /* Now get rid of this ability */ +- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) { +- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); +- goto out; +- } +- +- /* Finish dropping capabilities. 
*/ +- if ((rc = cap_set_proc(new_caps))) { +- fprintf(stderr, +- _("Error dropping SETUID capability, aborting\n")); +- goto out; ++ return -1; + } +- out: +- if (cap_free(tmp_caps) || cap_free(new_caps)) +- fprintf(stderr, _("Error freeing caps\n")); +- return rc; ++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); ++ return capng_apply(CAPNG_SELECT_BOTH); } --#elif defined(NAMESPACE_PRIV) -+#elif defined(NAMESPACE_PRIV) && !defined(USE_FILECAP) + #elif defined(NAMESPACE_PRIV) /** - * This function will drop the capabilities so that we are left - * only with access to the audit system and the ability to raise -@@ -1334,6 +1334,9 @@ +@@ -618,44 +574,22 @@ + */ + static int drop_capabilities(void) + { +- int rc = 0; +- cap_t new_caps; +- cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID, +- CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, +- CAP_DAC_OVERRIDE +- }; +- +- if (!getuid()) ++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL) + return 0; + +- /* Non-root caller, suid root path */ +- new_caps = cap_init(); +- if (!new_caps) { +- fprintf(stderr, _("Error initializing capabilities, aborting.\n")); +- return -1; +- } +- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET); +- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET); +- if (rc) { +- fprintf(stderr, _("Error setting capabilities, aborting\n")); +- goto out; +- } ++ capng_clear(CAPNG_SELECT_BOTH); + +- /* Ensure that caps are dropped after setuid call */ +- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) { +- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); +- goto out; +- } ++ if (capng_lock() < 0) ++ return -1; + +- /* We should still have root's caps, so drop most capabilities now */ +- if ((rc = cap_set_proc(new_caps))) { +- fprintf(stderr, _("Error dropping capabilities, aborting\n")); +- goto out; ++ uid_t uid = getuid(); ++ /* Change uid */ ++ if (setresuid(uid, uid, uid)) { ++ fprintf(stderr, _("Error changing uid, 
aborting.\n")); ++ return -1; + } +- out: +- if (cap_free(new_caps)) +- fprintf(stderr, _("Error freeing caps\n")); +- return rc; ++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE | CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE); ++ return capng_apply(CAPNG_SELECT_BOTH); + } + + #else +@@ -1334,6 +1268,9 @@ if (send_audit_message(1, old_context, new_context, ttyn)) goto err_close_pam_session; @@ -416,6 +555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #ifdef NAMESPACE_PRIV if (transition_to_caller_uid()) goto err_close_pam_session; +Binary files nsapolicycoreutils/newrole/newrole.o and policycoreutils-2.0.83/newrole/newrole.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile --- nsapolicycoreutils/restorecond/Makefile 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.83/restorecond/Makefile 2010-10-29 09:54:43.000000000 -0400 @@ -2147,6 +2287,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po export EXITCODE=$? kill -HUP 0 break +Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8 --- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-10-29 09:54:43.000000000 -0400 
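Review bot: In the first newrole drop_capabilities() (the `!defined(NAMESPACE_PRIV)` variant) the root early-return `if (!uid) return 0;` now comes after `capng_clear()` and `capng_lock()`, whereas the removed code returned before touching any process state; for a uid-0 caller the securebits lockdown that capng_lock() performs stays in place for the shell newrole later execs, which looks unintended. Moving `uid_t uid = getuid(); if (!uid) return 0;` above `capng_clear(CAPNG_SELECT_BOTH);` restores the old root path. Separately, capng_have_capabilities() can also return CAPNG_FAIL, and the new `!= CAPNG_FULL` test folds that failure into the "nothing to drop" return 0 — `int have = capng_have_capabilities(CAPNG_SELECT_CAPS); if (have == CAPNG_FAIL) return -1; if (have != CAPNG_FULL) return 0;` keeps a failed query distinguishable from a partial set; the same applies to the second variant in this hunk and to seunshare's drop_capabilities() in the hunk at `@@ -2243,7 +2384,21 @@`. The return value of `capng_update()` is ignored in both newrole variants, while `capng_apply()`'s is returned, so a rejected update would go unnoticed. The patch file now also carries `Binary files ... differ` entries for hashtab.o, newrole and newrole.o, which indicates it was regenerated from a built tree and should be cleaned before committing.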
@@ -2190,7 +2331,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.I Thomas Liu diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c --- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400 -+++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-10-29 09:54:43.000000000 -0400 ++++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-11-01 16:13:56.000000000 -0400 @@ -1,13 +1,21 @@ +/* + * Authors: Dan Walsh @@ -2230,7 +2371,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po #ifdef USE_NLS #include /* for setlocale() */ #include /* for gettext() */ -@@ -39,6 +44,12 @@ +@@ -39,16 +44,26 @@ #define MS_PRIVATE 1<<18 #endif @@ -2243,7 +2384,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po /** * This function will drop all capabilities * Returns zero on success, non-zero otherwise -@@ -134,42 +145,98 @@ + */ + static int drop_capabilities(uid_t uid) + { ++ if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL) ++ return 0; ++ + capng_clear(CAPNG_SELECT_BOTH); + + if (capng_lock() < 0) + return -1; ++ + /* Change uid */ + if (setresuid(uid, uid, uid)) { + fprintf(stderr, _("Error changing uid, aborting.\n")); +@@ -134,42 +149,98 @@ static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) { if (verbose) printf("Mount %s on %s\n", src, dst); @@ -2302,9 +2457,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + syslog(LOG_AUTHPRIV | LOG_ALERT, string); + exit(-1); + - } - --#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ") ++} ++ + +int match(const char *string, char *pattern) { + int status; 
@@ -2318,8 +2472,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + return 0; + } + return 1; -+} -+ + } + +-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ") +void config_error() { + fprintf(stderr, "Error parsing config file."); + exit(-1); @@ -2347,7 +2502,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po {NULL, 0, 0, 0} }; -@@ -180,6 +247,12 @@ +@@ -180,6 +251,12 @@ return -1; } @@ -2360,7 +2515,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); -@@ -192,30 +265,30 @@ +@@ -192,30 +269,30 @@ } while (1) { @@ -2400,7 +2555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po default: fprintf(stderr, "%s\n", USAGE_STRING); return -1; -@@ -223,21 +296,179 @@ +@@ -223,21 +300,179 @@ } if (! homedir_s && ! tmpdir_s) { @@ -2586,7 +2741,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); -@@ -286,11 +517,13 @@ +@@ -286,11 +521,13 @@ exit(-1); } @@ -2605,7 +2760,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po } if (display) -@@ -305,17 +538,14 @@ +@@ -305,17 +542,14 @@ perror(_("Failed to change dir to homedir")); exit(-1); } @@ -2624,6 +2779,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po - return status; } +Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400 +++ policycoreutils-2.0.83/scripts/chcat 2010-10-29 09:54:43.000000000 -0400 
diff --git a/policycoreutils.spec b/policycoreutils.spec index c9689a0..b581c81 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.83 -Release: 34%{?dist} +Release: 35%{?dist} License: GPLv2 Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -64,7 +64,7 @@ context. %patch4 -p1 -b .sepolgen %build -make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE -DUSE_FILECAP" LDFLAGS="-pie -Wl,-z,relro" all +make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all %install @@ -192,7 +192,8 @@ or level of a logged in user. %files newrole %defattr(-,root,root) -%attr(0755,root,root) %caps(cap_audit_write=pe) %{_bindir}/newrole +%attr(0755,root,root) %caps(cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole + %{_mandir}/man1/newrole.1.gz %config(noreplace) %{_sysconfdir}/pam.d/newrole @@ -239,7 +240,7 @@ rm -rf %{buildroot} /sbin/fixfiles /sbin/setfiles /sbin/load_policy -%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare +%attr(0755,root,root) %caps(cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare %{_sbindir}/genhomedircon %{_sbindir}/load_policy %{_sbindir}/setsebool @@ -326,6 +327,9 @@ fi exit 0 %changelog +* Mon Nov 1 2010 Dan Walsh 2.0.83-35 +- Check if you have full privs and reset otherwise dont drop caps + * Mon Nov 1 2010 Dan Walsh 2.0.83-34 - Fix setools require line
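Review bot: The new `make` line in the `%build` hunk leaves a trailing space inside the quoted CFLAGS (`-fPIE "`) where `-DUSE_FILECAP` was removed; it is harmless to the build but reads as an editing leftover, and `CFLAGS="%{optflags} -fPIE"` would match the sepolgen line directly below it.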
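Review bot: The newrole `%caps` line in the `%files newrole` hunk now grants cap_sys_admin, cap_fowner, cap_chown and cap_dac_override alongside cap_audit_write, and on this file-capability path the patched drop_capabilities() returns before capng_apply(), so this line is the effective ceiling for the whole newrole process rather than a starting set the program narrows. That coupling is not written down anywhere in the spec; a comment above the line such as `# File caps for NAMESPACE_PRIV; must match the capng_update() set in newrole.c, which keeps them as-is when not running with full privileges` would help whoever next touches either side. The same holds for the seunshare `%caps` line in the `@@ -239,7 +240,7 @@` hunk, where cap_setpcap and cap_setuid are dropped; presumably capng_lock() cannot succeed without cap_setpcap, which is consistent with the early return in seunshare's drop_capabilities() but is worth stating in a comment there too.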