rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity
f8435958ae
policycoreutils/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
Miroslav Grepl 998c56497f * Tue May 6 2014 Miroslav Grepl <mgreplh@redhat.com> - 2.2.5-15 
- Apply patch to use setcon in seunshare from luto@mit.edu
2014-05-06 18:55:08 +02:00

64 lines
2.1 KiB
Diff
Raw Blame History

From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
Message-Id: <d355fd3326286a01f82c5c46a8eb99ae2f4a11bb.1398921725.git.luto@amacapital.net>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 30 Apr 2014 21:59:37 -0700
Subject: [PATCH] seunshare: Try to use setcurrent before setexec
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail. This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.
Note that this won't work without adjusting the system policy to
allow this use of setcurrent. This rule appears to work:
allow unconfined_t sandbox_t:process dyntransition;
although a better rule would probably relax the unconfined_t
restriction.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index 97f3920..fe40757 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
goto childerr;
}
- /* selinux context */
- if (execcon && setexeccon(execcon) != 0) {
- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
- goto childerr;
- }
-
if (chdir(pwd->pw_dir)) {
perror(_("Failed to change dir to homedir"));
goto childerr;
}
setsid();
+
+ /* selinux context */
+ if (execcon) {
+ /* try dyntransition, since no_new_privs can interfere
+ * with setexeccon */
+ if (setcon(execcon) != 0) {
+ /* failed; fall back to setexeccon */
+ if (setexeccon(execcon) != 0) {
+ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+ goto childerr;
+ }
+ }
+ }
+
execv(argv[optind], argv + optind);
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
--
1.9.0
Reference in New Issue View Git Blame Copy Permalink