- Check if you have full privs and reset otherwise dont drop caps

2010-11-01 16:21:00 -04:00 · 2010-11-01 16:21:00 -04:00 · d7e1c238f4
commit d7e1c238f4
parent cdcc4526b7
2 changed files with 193 additions and 33 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -385,28 +385,167 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 
 INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
 
+Binary files nsapolicycoreutils/newrole/hashtab.o and policycoreutils-2.0.83/newrole/hashtab.o differ
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/Makefile policycoreutils-2.0.83/newrole/Makefile
+--- nsapolicycoreutils/newrole/Makefile	2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/newrole/Makefile	2010-11-01 15:32:24.000000000 -0400
+@@ -50,7 +50,7 @@
+ endif
+ ifeq (${IS_SUID},y)
+ 	MODE := 4555
+-	LDLIBS += -lcap
+	LDLIBS += -lcap-ng
+ else
+ 	MODE := 0555
+ endif
+Binary files nsapolicycoreutils/newrole/newrole and policycoreutils-2.0.83/newrole/newrole differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/newrole/newrole.c policycoreutils-2.0.83/newrole/newrole.c
 --- nsapolicycoreutils/newrole/newrole.c	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/newrole/newrole.c	2010-10-29 09:54:43.000000000 -0400
-@@ -537,7 +537,7 @@
-  *
-  * Returns zero on success, non-zero otherwise
-  */
-#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
-+#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV) && !defined(USE_FILECAP)
+++ policycoreutils-2.0.83/newrole/newrole.c	2010-11-01 16:14:01.000000000 -0400
+@@ -77,7 +77,7 @@
+ #endif
+ #if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
+ #include <sys/prctl.h>
+-#include <sys/capability.h>
+#include <cap-ng.h>
+ #endif
+ #ifdef USE_NLS
+ #include <locale.h>		/* for setlocale() */
+@@ -540,67 +540,23 @@
+ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
 static int drop_capabilities(void)
 {
- 	int rc = 0;
-@@ -602,7 +602,7 @@
- 		fprintf(stderr, _("Error freeing caps\n"));
- 	return rc;
+-	int rc = 0;
+-	cap_t new_caps, tmp_caps;
+-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
+-	cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
+-	uid_t uid = getuid();
+-
+-	if (!uid)
+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+ 		return 0;
+ 
+-	/* Non-root caller, suid root path */
+-	new_caps = cap_init();
+-	tmp_caps = cap_init();
+-	if (!new_caps || !tmp_caps) {
+-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+-		return -1;
+-	}
+-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
+-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
+-	rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
+-	rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
+-	if (rc) {
+-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
+-		goto out;
+-	}
+-
+-	/* Keep capabilities across uid change */
+-	if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
+-		fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
+-		rc = -1;
+-		goto out;
+-	}
+	capng_clear(CAPNG_SELECT_BOTH);
+ 
+-	/* Does this temporary change really buy us much? */
+-	/* We should still have root's caps, so drop most capabilities now */
+-	if ((rc = cap_set_proc(tmp_caps))) {
+-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
+-		goto out;
+-	}
+	if (capng_lock() < 0) 
+		return -1;
+	uid_t uid = getuid();
+	if (!uid) return 0;
+ 
+ 	/* Change uid */
+-	if ((rc = setresuid(uid, uid, uid))) {
+	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
+-		goto out;
+-	}
+-
+-	/* Now get rid of this ability */
+-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
+-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+-		goto out;
+-	}
+-
+-	/* Finish dropping capabilities. */
+-	if ((rc = cap_set_proc(new_caps))) {
+-		fprintf(stderr,
+-			_("Error dropping SETUID capability, aborting\n"));
+-		goto out;
+		return -1;
+ 	}
+-      out:
+-	if (cap_free(tmp_caps) || cap_free(new_caps))
+-		fprintf(stderr, _("Error freeing caps\n"));
+-	return rc;
+	capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
+	return capng_apply(CAPNG_SELECT_BOTH);
 }
-#elif defined(NAMESPACE_PRIV)
-+#elif defined(NAMESPACE_PRIV) && !defined(USE_FILECAP)
+ #elif defined(NAMESPACE_PRIV)
 /**
-  * This function will drop the capabilities so that we are left
-  * only with access to the audit system and the ability to raise
-@@ -1334,6 +1334,9 @@
+@@ -618,44 +574,22 @@
+  */
+ static int drop_capabilities(void)
+ {
+-	int rc = 0;
+-	cap_t new_caps;
+-	cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
+-		CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
+-		CAP_DAC_OVERRIDE
+-	};
+-
+-	if (!getuid())
+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+ 		return 0;
+ 
+-	/* Non-root caller, suid root path */
+-	new_caps = cap_init();
+-	if (!new_caps) {
+-		fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+-		return -1;
+-	}
+-	rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
+-	rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
+-	if (rc) {
+-		fprintf(stderr, _("Error setting capabilities, aborting\n"));
+-		goto out;
+-	}
+	capng_clear(CAPNG_SELECT_BOTH);
+ 
+-	/* Ensure that caps are dropped after setuid call */
+-	if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
+-		fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+-		goto out;
+-	}
+	if (capng_lock() < 0) 
+		return -1;
+ 
+-	/* We should still have root's caps, so drop most capabilities now */
+-	if ((rc = cap_set_proc(new_caps))) {
+-		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
+-		goto out;
+	uid_t uid = getuid();
+	/* Change uid */
+	if (setresuid(uid, uid, uid)) {
+		fprintf(stderr, _("Error changing uid, aborting.\n"));
+		return -1;
+ 	}
+-      out:
+-	if (cap_free(new_caps))
+-		fprintf(stderr, _("Error freeing caps\n"));
+-	return rc;
+	capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE | CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+	return capng_apply(CAPNG_SELECT_BOTH);
+ }
+ 
+ #else
+@@ -1334,6 +1268,9 @@
 
 	if (send_audit_message(1, old_context, new_context, ttyn))
 		goto err_close_pam_session;
@ -416,6 +555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #ifdef NAMESPACE_PRIV
 	if (transition_to_caller_uid())
 		goto err_close_pam_session;
+Binary files nsapolicycoreutils/newrole/newrole.o and policycoreutils-2.0.83/newrole/newrole.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.83/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile	2010-05-19 14:45:51.000000000 -0400
 +++ policycoreutils-2.0.83/restorecond/Makefile	2010-10-29 09:54:43.000000000 -0400
@ -2147,6 +2287,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
     export EXITCODE=$?
     kill -HUP 0
     break
+Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
 --- nsapolicycoreutils/sandbox/seunshare.8	1969-12-31 19:00:00.000000000 -0500
 +++ policycoreutils-2.0.83/sandbox/seunshare.8	2010-10-29 09:54:43.000000000 -0400
@ -2190,7 +2331,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Thomas Liu <tliu@fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-10-29 09:54:43.000000000 -0400
+++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-11-01 16:13:56.000000000 -0400
@@ -1,13 +1,21 @@
 +/*
 + * Authors: Dan Walsh <dwalsh@redhat.com>
@ -2230,7 +2371,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 #ifdef USE_NLS
 #include <locale.h>		/* for setlocale() */
 #include <libintl.h>		/* for gettext() */
-@@ -39,6 +44,12 @@
+@@ -39,16 +44,26 @@
 #define MS_PRIVATE 1<<18
 #endif
 
@ -2243,7 +2384,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 /**
  * This function will drop all capabilities 
  * Returns zero on success, non-zero otherwise
-@@ -134,42 +145,98 @@
+  */
+ static int drop_capabilities(uid_t uid)
+ {
+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) != CAPNG_FULL)
+		return 0;
+
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 
+ 	if (capng_lock() < 0) 
+ 		return -1;
+
+ 	/* Change uid */
+ 	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
+@@ -134,42 +149,98 @@
 static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
 	if (verbose)
 		printf("Mount %s on %s\n", src, dst);
@ -2302,9 +2457,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	syslog(LOG_AUTHPRIV | LOG_ALERT, string);
 +	exit(-1);
 +
- }
- 
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+}
+
 +
 +int match(const char *string, char *pattern) {
 +	int status;
@ -2318,8 +2472,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		return 0;
 +	}
 +	return 1;
-+}
-+
+ }
+ 
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
 +void config_error() {
 +	fprintf(stderr, "Error parsing config file.");
 +	exit(-1);
@ -2347,7 +2502,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		{NULL, 0, 0, 0}
 	};
 
-@@ -180,6 +247,12 @@
+@@ -180,6 +251,12 @@
 		return -1;
 	}
 
@ -2360,7 +2515,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	struct passwd *pwd=getpwuid(uid);
 	if (!pwd) {
 		perror(_("getpwduid failed"));
-@@ -192,30 +265,30 @@
+@@ -192,30 +269,30 @@
 	}
 
 	while (1) {
@ -2400,7 +2555,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		default:
 			fprintf(stderr, "%s\n", USAGE_STRING);
 			return -1;
-@@ -223,21 +296,179 @@
+@@ -223,21 +300,179 @@
 	}
 
 	if (! homedir_s && ! tmpdir_s) {
@ -2586,7 +2741,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 
         if (unshare(CLONE_NEWNS) < 0) {
 		perror(_("Failed to unshare"));
-@@ -286,11 +517,13 @@
+@@ -286,11 +521,13 @@
 			exit(-1);
 		}
 		
@ -2605,7 +2760,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		}
 
 		if (display) 
-@@ -305,17 +538,14 @@
+@@ -305,17 +542,14 @@
 			perror(_("Failed to change dir to homedir"));
 			exit(-1);
 		}
@ -2624,6 +2779,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 -
 	return status;
 }
+Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
 --- nsapolicycoreutils/scripts/chcat	2010-05-19 14:45:51.000000000 -0400
 +++ policycoreutils-2.0.83/scripts/chcat	2010-10-29 09:54:43.000000000 -0400
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 34%{?dist}
+Release: 35%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -64,7 +64,7 @@ context.
 %patch4 -p1 -b .sepolgen

 %build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE -DUSE_FILECAP" LDFLAGS="-pie -Wl,-z,relro" all 
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all 
 make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 

 %install
@ -192,7 +192,8 @@ or level of a logged in user.

 %files newrole
 %defattr(-,root,root)
-%attr(0755,root,root) %caps(cap_audit_write=pe) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
+
 %{_mandir}/man1/newrole.1.gz
 %config(noreplace) %{_sysconfdir}/pam.d/newrole

@ -239,7 +240,7 @@ rm -rf %{buildroot}
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
-%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/setsebool
@ -326,6 +327,9 @@ fi
 exit 0

 %changelog
+* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-35
+- Check if you have full privs and reset otherwise dont drop caps
+
 * Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-34
 - Fix setools require line