rsynccmd should run outside of execcon
This commit is contained in:
Dan Walsh
parent
ed4c843b48
commit
78134e652a
@ -2125,7 +2125,7 @@ index 0000000..e7b8991
|
||||
+and
|
||||
+.I Thomas Liu <tliu@fedoraproject.org>
|
||||
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
|
||||
index ec692e7..d8171d8 100644
|
||||
index ec692e7..49dad71 100644
|
||||
--- a/policycoreutils/sandbox/seunshare.c
|
||||
+++ b/policycoreutils/sandbox/seunshare.c
|
||||
@@ -1,28 +1,35 @@
|
||||
@ -2256,14 +2256,10 @@ index ec692e7..d8171d8 100644
|
||||
+ retval = -1; \
|
||||
+ } while(0)
|
||||
+
|
||||
/**
|
||||
- * This function makes sure the mounted directory is owned by the user executing
|
||||
- * seunshare.
|
||||
- * If so, it returns 0. If it can not figure this out or they are different, it returns -1.
|
||||
+/**
|
||||
+ * Spawn external command using system() with dropped privileges.
|
||||
+ * TODO: avoid system() and use exec*() instead
|
||||
*/
|
||||
-static int verify_mount(const char *mntdir, struct passwd *pwd) {
|
||||
+ */
|
||||
+static int spawn_command(const char *cmd, uid_t uid){
|
||||
+ int child;
|
||||
+ int status = -1;
|
||||
@ -2323,11 +2319,15 @@ index ec692e7..d8171d8 100644
|
||||
+ (one)->st_uid == (two)->st_uid && (one)->st_gid == (two)->st_gid && \
|
||||
+ (one)->st_mode == (two)->st_mode)
|
||||
+
|
||||
+/**
|
||||
/**
|
||||
- * This function makes sure the mounted directory is owned by the user executing
|
||||
- * seunshare.
|
||||
- * If so, it returns 0. If it can not figure this out or they are different, it returns -1.
|
||||
+ * Sanity check specified directory. Store stat info for future comparison, or
|
||||
+ * compare with previously saved info to detect replaced directories.
|
||||
+ * Note: This function does not perform owner checks.
|
||||
+ */
|
||||
*/
|
||||
-static int verify_mount(const char *mntdir, struct passwd *pwd) {
|
||||
+static int verify_directory(const char *dir, struct stat *st_in, struct stat *st_out) {
|
||||
struct stat sb;
|
||||
- if (stat(mntdir, &sb) == -1) {
|
||||
@ -2364,7 +2364,7 @@ index ec692e7..d8171d8 100644
|
||||
break;
|
||||
}
|
||||
}
|
||||
@@ -131,45 +236,520 @@ static int verify_shell(const char *shell_name)
|
||||
@@ -131,45 +236,525 @@ static int verify_shell(const char *shell_name)
|
||||
return rc;
|
||||
}
|
||||
|
||||
@ -2797,10 +2797,6 @@ index ec692e7..d8171d8 100644
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ /* ok to not reach this if there is an error */
|
||||
+ setfsuid(0);
|
||||
+ }
|
||||
@ -2853,6 +2849,15 @@ index ec692e7..d8171d8 100644
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ setfsuid(pwd->pw_uid);
|
||||
+
|
||||
+ if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ /* ok to not reach this if there is an error */
|
||||
+ setfsuid(0);
|
||||
+
|
||||
+ if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
|
||||
+ fprintf(stderr, _("Failed to populate runtime temporary directory\n"));
|
||||
+ cleanup_tmpdir(tmpdir, src, pwd, 0);
|
||||
@ -2899,7 +2904,7 @@ index ec692e7..d8171d8 100644
|
||||
{NULL, 0, 0, 0}
|
||||
};
|
||||
|
||||
@@ -180,6 +760,12 @@ int main(int argc, char **argv) {
|
||||
@@ -180,6 +765,12 @@ int main(int argc, char **argv) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -2912,7 +2917,7 @@ index ec692e7..d8171d8 100644
|
||||
struct passwd *pwd=getpwuid(uid);
|
||||
if (!pwd) {
|
||||
perror(_("getpwduid failed"));
|
||||
@@ -187,34 +773,30 @@ int main(int argc, char **argv) {
|
||||
@@ -187,34 +778,30 @@ int main(int argc, char **argv) {
|
||||
}
|
||||
|
||||
if (verify_shell(pwd->pw_shell) < 0) {
|
||||
@ -2958,7 +2963,7 @@ index ec692e7..d8171d8 100644
|
||||
break;
|
||||
default:
|
||||
fprintf(stderr, "%s\n", USAGE_STRING);
|
||||
@@ -223,76 +805,84 @@ int main(int argc, char **argv) {
|
||||
@@ -223,76 +810,84 @@ int main(int argc, char **argv) {
|
||||
}
|
||||
|
||||
if (! homedir_s && ! tmpdir_s) {
|
||||
@ -3092,7 +3097,7 @@ index ec692e7..d8171d8 100644
|
||||
if (display)
|
||||
rc |= setenv("DISPLAY", display, 1);
|
||||
rc |= setenv("HOME", pwd->pw_dir, 1);
|
||||
@@ -300,22 +890,41 @@ int main(int argc, char **argv) {
|
||||
@@ -300,22 +895,41 @@ int main(int argc, char **argv) {
|
||||
rc |= setenv("USER", pwd->pw_name, 1);
|
||||
rc |= setenv("LOGNAME", pwd->pw_name, 1);
|
||||
rc |= setenv("PATH", DEFAULT_PATH, 1);
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.85
|
||||
Release: 27%{?dist}
|
||||
Release: 28%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
@ -331,6 +331,9 @@ fi
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
|
||||
- rsynccmd should run outside of execcon
|
||||
|
||||
* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-27
|
||||
- Fix semange node handling of ipv6 addresses
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user