Add -C option to sandbox and seunshare to maintain capabilities, otherwise

the bounding set will be dropped. Change --cgroups short name -c rather then -C for consistancy Fix memory and fd leaks in seunshare
2011-07-05 16:51:18 -04:00 · 2011-07-05 16:51:18 -04:00 · 759501823b
parent 173e9f90db
commit 759501823b
3 changed files with 100 additions and 38 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1664,7 +1664,7 @@ index ff0ee7c..0c8a085 100644
 test:
 	@python test_sandbox.py -v
 diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
-index 48a26c2..b1e683b 100644
+index 48a26c2..41a3204 100644
 --- a/policycoreutils/sandbox/sandbox
 +++ b/policycoreutils/sandbox/sandbox
@@ -1,5 +1,6 @@
@ -1835,13 +1835,17 @@ index 48a26c2..b1e683b 100644
         parser.add_option("-W", "--windowmanager", dest="wm",  
                           type="string",
                           default="/usr/bin/matchbox-window-manager -use_titlebar no",
-@@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -276,13 +309,21 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
         parser.add_option("-l", "--level", dest="level", 
                           help=_("MCS/MLS level for the sandbox"))
 
-+        parser.add_option("-C", "--cgroups",
+        parser.add_option("-c", "--cgroups",
 +                         action="store_true", dest="usecgroup", default=False,
 +                         help="Use cgroups to limit this sandbox.")
+
+        parser.add_option("-C", "--capabilities",
+                         action="store_true", dest="usecaps", default=False,
+                         help="Allow apps requiring capabilities to run within the sandbox.")
 +
         self.__parser=parser
 
@ -1854,7 +1858,7 @@ index 48a26c2..b1e683b 100644
         if self.__options.setype:
                self.setype = self.__options.setype
 
-@@ -300,6 +337,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -300,6 +341,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
                self.__homedir = self.__options.homedir
                self.__tmpdir = self.__options.tmpdir
         else:
@ -1865,7 +1869,7 @@ index 48a26c2..b1e683b 100644
                if len(cmds) == 0:
                       self.usage(_("Command required"))
                cmds[0] = fullpath(cmds[0])
-@@ -329,44 +370,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -329,44 +374,45 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
     def __setup_dir(self):
            if self.__options.level or self.__options.session:
                   return
@ -1908,6 +1912,8 @@ index 48a26c2..b1e683b 100644
 +                  cmds = [ SEUNSHARE,  "-Z", self.__execcon ]
 +                  if self.__options.usecgroup == True:
 +                         cmds.append('-c')
+                  if self.__options.usecaps == True:
+                         cmds.append('-C')
                   if self.__mount:
 -                         cmds =  [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
 -                         rc = subprocess.Popen(cmds).wait()
@ -1929,7 +1935,7 @@ index 48a26c2..b1e683b 100644
 
                   selinux.setexeccon(self.__execcon)
                   rc = subprocess.Popen(self.__cmds).wait()
-@@ -404,7 +444,7 @@ if __name__ == '__main__':
+@@ -404,7 +450,7 @@ if __name__ == '__main__':
            sandbox = Sandbox()
            rc = sandbox.main()
     except OSError, error:
@ -1939,7 +1945,7 @@ index 48a26c2..b1e683b 100644
            error_exit(error.args[0])
     except KeyError, error:
 diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
-index 1479364..73d33b3 100644
+index 1479364..3deb4b2 100644
 --- a/policycoreutils/sandbox/sandbox.8
 +++ b/policycoreutils/sandbox/sandbox.8
@@ -1,10 +1,13 @@
@ -1951,11 +1957,11 @@ index 1479364..73d33b3 100644
 .B sandbox
 -[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] cmd
 -[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] -S
-+[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-c] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
 +
 +.br
 +.B sandbox
-+[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-c] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
 .br
 .SH DESCRIPTION
 .PP
@ -1972,13 +1978,16 @@ index 1479364..73d33b3 100644
 \fB\-W windowmanager\fR
 Select alternative window manager to run within 
 .B sandbox -X.
-@@ -50,8 +59,17 @@ Default to /usr/bin/matchbox-window-manager.
+@@ -50,8 +59,20 @@ Default to /usr/bin/matchbox-window-manager.
 \fB\-X\fR 
 Create an X based Sandbox for gui apps, temporary files for
 $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
 +.TP
-+\fB\-C\fR
+\fB\-c\fR
 +Use control groups to control this copy of sandbox.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
+.TP
+\fB\-C\fR
+Use capabilities within the sandbox.  By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
 .PP
 .SH "SEE ALSO"
 .TP
@ -2123,16 +2132,16 @@ index 8338203..9648100 100644
     break
 diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
 new file mode 100644
-index 0000000..e7b8991
+index 0000000..eeb2218
 --- /dev/null
 +++ b/policycoreutils/sandbox/seunshare.8
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,40 @@
 +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
 +.SH NAME
 +seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
 +.SH SYNOPSIS
 +.B seunshare
-+[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+[ -v ] [-c] [-C] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
 +.br
 +.SH DESCRIPTION
 +.PP
@ -2147,9 +2156,12 @@ index 0000000..e7b8991
 +\fB\-t\ tmpdir
 +Use alternate tempory directory to mount on /tmp.  tmpdir must be owned by the user.
 +.TP
-+\fB\-c cgroups\fR
+\fB\-c --cgroups\fR
 +Use cgroups to control this copy of seunshare.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
 +.TP
+\fB\-C --capabilities\fR
+Allow apps executed within the namespace to use capabilities.  Default is no capabilities.
+.TP
 +\fB\-Z\ context
 +Use alternate SELinux context while runing the executable.
 +.TP
@ -2165,7 +2177,7 @@ index 0000000..e7b8991
 +and
 +.I Thomas Liu <tliu@fedoraproject.org>
 diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index ec692e7..52362e0 100644
+index ec692e7..ff61262 100644
 --- a/policycoreutils/sandbox/seunshare.c
 +++ b/policycoreutils/sandbox/seunshare.c
@@ -1,28 +1,35 @@
@ -2209,7 +2221,7 @@ index ec692e7..52362e0 100644
 #ifdef USE_NLS
 #include <locale.h>		/* for setlocale() */
 #include <libintl.h>		/* for gettext() */
-@@ -39,29 +46,47 @@
+@@ -39,29 +46,48 @@
 #define MS_PRIVATE 1<<18
 #endif
 
@ -2220,10 +2232,11 @@ index ec692e7..52362e0 100644
 +#define BUF_SIZE 1024
 +#define DEFAULT_PATH "/usr/bin:/bin"
 +
-+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -t tmpdir -h homedir [-Z context] -- executable [args]")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args]")
 +
 +static int verbose = 0;
 +
+static capng_select_t cap_set = CAPNG_SELECT_BOTH;
 +
 /**
 - * This function will drop all capabilities 
@ -2240,10 +2253,10 @@ index ec692e7..52362e0 100644
 -	/* Change uid */
 -	if (setresuid(uid, uid, uid)) {
 -		fprintf(stderr, _("Error changing uid, aborting.\n"));
-+	if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
+	if (capng_have_capabilities(cap_set) == CAPNG_NONE)
 +		return 0;
-+	capng_clear(CAPNG_SELECT_CAPS);
-+	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
+	capng_clear(cap_set);
+	if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
 +		fprintf(stderr, _("Failed to drop all capabilities\n"));
 		return -1;
 	}
@ -2271,7 +2284,7 @@ index ec692e7..52362e0 100644
  */
 static int set_signal_handles(void)
 {
-@@ -75,8 +100,8 @@ static int set_signal_handles(void)
+@@ -75,8 +101,8 @@ static int set_signal_handles(void)
 
 	(void)sigprocmask(SIG_SETMASK, &empty, NULL);
 
@ -2282,7 +2295,7 @@ index ec692e7..52362e0 100644
 		perror("Unable to set SIGHUP handler");
 		return -1;
 	}
-@@ -84,23 +109,103 @@ static int set_signal_handles(void)
+@@ -84,23 +110,103 @@ static int set_signal_handles(void)
 	return 0;
 }
 
@ -2396,7 +2409,7 @@ index ec692e7..52362e0 100644
 	return 0;
 }
 
-@@ -123,7 +228,7 @@ static int verify_shell(const char *shell_name)
+@@ -123,7 +229,7 @@ static int verify_shell(const char *shell_name)
 
 		/* check the shell skipping newline char */
 		if (!strcmp(shell_name, buf)) {
@ -2405,7 +2418,7 @@ index ec692e7..52362e0 100644
 			break;
 		}
 	}
-@@ -131,45 +236,525 @@ static int verify_shell(const char *shell_name)
+@@ -131,45 +237,530 @@ static int verify_shell(const char *shell_name)
 	return rc;
 }
 
@ -2515,6 +2528,7 @@ index ec692e7..52362e0 100644
 +	char buf[BUF_SIZE];
 +	char *tok = NULL;
 +	int rc = -1;
+	char *str = NULL;
 +	const char* fname = "/etc/sysconfig/sandbox";	
 +	
 +	if ((fp = fopen(fname, "rt")) == NULL) {
@ -2527,7 +2541,8 @@ index ec692e7..52362e0 100644
 +		
 +		/* Copy the string, ignoring whitespace */
 +		int len = strlen(buf);
-+		char *str = malloc((len + 1) * sizeof(char));
+		free(str);
+		str = malloc((len + 1) * sizeof(char));
 +		
 +		int ind = 0;	
 +		int i;
@ -2668,6 +2683,8 @@ index ec692e7..52362e0 100644
 +
 +	rc = 0;
 +err:
+	fclose(fp)
+	free(str);
 +	free(mem);
 +	free(cgroupname);
 +	free(cpus);
@ -2756,9 +2773,8 @@ index ec692e7..52362e0 100644
 +	free(buf); buf = NULL;
 +	globfree(&fglob);
 +	return rc;
- }
- 
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+}
+
 +/**
 + * Clean up runtime temporary directory.  Returns 0 if no problem was detected,
 + * >0 if some error was detected, but errors here are treated as non-fatal and
@ -2801,8 +2817,9 @@ index ec692e7..52362e0 100644
 +	setfsuid(pwd->pw_uid);
 +
 +	return 0;
-+}
-+
+ }
+ 
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
 +/**
 + * seunshare will create a tmpdir in /tmp, with root ownership.  The parent
 + * process waits for it child to exit to attempt to remove the directory.  If
@ -2942,10 +2959,11 @@ index ec692e7..52362e0 100644
 		{"verbose", 1, 0, 'v'},
 +		{"cgroups", 1, 0, 'c'},
 +		{"context", 1, 0, 'Z'},
+		{"capabilities", 1, 0, 'C'},
 		{NULL, 0, 0, 0}
 	};
 
-@@ -180,6 +765,12 @@ int main(int argc, char **argv) {
+@@ -180,6 +771,12 @@ int main(int argc, char **argv) {
 		return -1;
 	}
 
@ -2958,7 +2976,7 @@ index ec692e7..52362e0 100644
 	struct passwd *pwd=getpwuid(uid);
 	if (!pwd) {
 		perror(_("getpwduid failed"));
-@@ -187,34 +778,30 @@ int main(int argc, char **argv) {
+@@ -187,34 +784,33 @@ int main(int argc, char **argv) {
 	}
 
 	if (verify_shell(pwd->pw_shell) < 0) {
@ -2970,7 +2988,7 @@ index ec692e7..52362e0 100644
 	while (1) {
 -		clflag = getopt_long(argc, argv, "h:t:", long_options,
 -				     &flag_index);
-+		clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, NULL);
+		clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
 		if (clflag == -1)
 			break;
 
@ -2999,12 +3017,15 @@ index ec692e7..52362e0 100644
 +		case 'c':
 +			usecgroups = 1;
 +			break;
+		case 'C':
+			cap_set = CAPNG_SELECT_CAPS;
+			break;
 +		case 'Z':
 +			execcon = optarg;
 			break;
 		default:
 			fprintf(stderr, "%s\n", USAGE_STRING);
-@@ -223,76 +810,84 @@ int main(int argc, char **argv) {
+@@ -223,76 +819,84 @@ int main(int argc, char **argv) {
 	}
 
 	if (! homedir_s && ! tmpdir_s) {
@ -3138,7 +3159,7 @@ index ec692e7..52362e0 100644
 		if (display) 
 			rc |= setenv("DISPLAY", display, 1);
 		rc |= setenv("HOME", pwd->pw_dir, 1);
-@@ -300,22 +895,41 @@ int main(int argc, char **argv) {
+@@ -300,22 +904,41 @@ int main(int argc, char **argv) {
 		rc |= setenv("USER", pwd->pw_name, 1);
 		rc |= setenv("LOGNAME", pwd->pw_name, 1);
 		rc |= setenv("PATH", DEFAULT_PATH, 1);
@ -5123,6 +5144,41 @@ index 059f629..81d6a3c 100644
 		case 'u':
 			set_mode(UPGRADE_M, optarg);
 			break;
+diff --git a/policycoreutils/semodule_expand/semodule_expand.8 b/policycoreutils/semodule_expand/semodule_expand.8
+index 22ad3be..35df2ed 100644
+--- a/policycoreutils/semodule_expand/semodule_expand.8
+++ b/policycoreutils/semodule_expand/semodule_expand.8
+@@ -3,7 +3,7 @@
+ semodule_expand \- Expand a SELinux policy module package.
+ 
+ .SH SYNOPSIS
+-.B semodule_expand [-V -c [version]] basemodpkg outputfile
+.B semodule_expand [-V ] [ -a ] [ -c [version]] basemodpkg outputfile
+ .br
+ .SH DESCRIPTION
+ .PP
+@@ -22,6 +22,9 @@ show version
+ .TP
+ .B \-c [version]
+ policy version to create
+.TP
+.B \-a
+Check assertions.  This will cause the policy to check all neverallow rules.
+ 
+ .SH SEE ALSO
+ .B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8)
+diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8
+index fb41480..29c9eb2 100644
+--- a/policycoreutils/semodule_package/semodule_package.8
+++ b/policycoreutils/semodule_package/semodule_package.8
+@@ -45,7 +45,6 @@ netfilter context file to be included in the package.
+ 
+ .SH SEE ALSO
+ .B checkmodule(8), semodule(8)
+-(8),
+ .SH AUTHORS
+ .nf
+ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
 diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile
 new file mode 100644
 index 0000000..211580d
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.86
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@ -336,6 +336,12 @@ fi
 exit 0

 %changelog
+* Mon Jul 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-15
+- Add -C option to sandbox and seunshare to maintain capabilities, otherwise 
+the bounding set will be dropped.
+- Change --cgroups short name -c rather then -C for consistancy
+- Fix memory and fd leaks in seunshare
+
 * Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-14
 - Do not drop capability bounding set in seunshare, this allows sandbox to 
 - run setuid apps.
--- a/semanage-bash-completion.sh
+++ b/semanage-bash-completion.sh
@ -59,7 +59,7 @@ __get_user_opts () { echo '$ALL_OPTS $MANAGED_OPTS -L -r -R --role '; }
 __get_login_opts () { echo '$ALL_OPTS $MANAGED_OPTS -s -r '; }
 __get_port_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t -type -r --range -p --proto'; }
 __get_interface_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type '; }
-__get_node_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type '; }
+__get_node_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type -M --mask -p --proto'; }
 __get_fcontext_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type -e --equal -f --ftype '; }
 __get_module_opts () { echo '$ALL_OPTS --enable --disable '; }
 __get_dontaudit_opts () { echo '-S on off' ; }