From b1b6c5eb24e004dd36c7dcc864f0870fecec5184 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 24 Aug 2010 22:53:08 -0400
Subject: [PATCH] - Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
- Clean up error handling so error will get sent back to sandbox tool
---
policycoreutils-rhat.patch | 111 +++++++++++++++++++++++++++++++------
policycoreutils.spec | 8 ++-
2 files changed, 102 insertions(+), 17 deletions(-)
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index ad6bb3a..b83ee85 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1589,7 +1589,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
@python test_sandbox.py -v
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox 2010-08-13 15:05:03.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/sandbox 2010-08-24 22:50:26.000000000 -0400
@@ -1,5 +1,6 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
@@ -1682,7 +1682,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
%s &
WM_PID=$!
-%s
-+dbus-launch %s
++dbus-launch --exit-with-session %s
kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command))
fd.close()
@@ -1883,6 +1883,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
# # Source function library.
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.83/sandbox/sandboxX.sh
+--- nsapolicycoreutils/sandbox/sandboxX.sh 2010-06-16 08:03:38.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/sandboxX.sh 2010-08-24 17:04:39.000000000 -0400
+@@ -7,7 +7,16 @@
+
+ (/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
+ export DISPLAY=:$D
+- python -c 'import gtk, os, commands; commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])'
++ python << __EOF
++import gtk, os, commands
++rc = [-1,'']
++try:
++ rc=commands.getstatusoutput("%s/.sandboxrc" % os.environ["HOME"])
++except:
++ pass
++if rc[0] == 0:
++ print rc[1]
++__EOF
+ export EXITCODE=$?
+ kill -HUP 0
+ break
+Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.83/sandbox/seunshare differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.83/sandbox/seunshare.8
--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.83/sandbox/seunshare.8 2010-07-30 13:50:40.000000000 -0400
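Review bot: The heredoc's bare `except: pass` in the new sandboxX.sh hunk swallows every exception, including the KeyError raised when HOME is unset, and because nothing calls sys.exit the interpreter exits 0 either way, so the `export EXITCODE=$?` on the following line records 0 even when ~/.sandboxrc failed or never ran. If EXITCODE is meant to carry that result to a consumer (it is outside the hunk), narrow the handler to `except Exception:` and end the heredoc with `sys.exit(0 if rc[0] == 0 else 1)` after adding sys to the import line. Separately, the `+Binary files nsapolicycoreutils/sandbox/seunshare ... differ` line added here, and the matching seunshare.o line in the later @@ -2304 hunk, show the patch was regenerated against a built tree; they are inert for patch(1) but should be dropped by diffing a clean tree.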
@@ -1926,8 +1948,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+.I Thomas Liu
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-07-30 13:50:40.000000000 -0400
-@@ -1,13 +1,20 @@
++++ policycoreutils-2.0.83/sandbox/seunshare.c 2010-08-24 22:49:42.000000000 -0400
+@@ -1,13 +1,21 @@
+/*
+ * Authors: Dan Walsh
+ * Authors: Thomas Liu
@@ -1936,6 +1958,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
+#define _GNU_SOURCE
#include
#include
++#include
#include
#include
#include
@@ -1949,15 +1972,23 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
#include
#include
#include
-@@ -21,7 +28,6 @@
+@@ -15,14 +23,11 @@
+ #include
+ #include
+ #include
++#include
- #include
- #include
+ #include
+ #include /* for context-mangling functions */
+
+-#include
+-#include
-#include
+-
#ifdef USE_NLS
#include /* for setlocale() */
+ #include /* for gettext() */
+@@ -39,6 +44,12 @@
#define MS_PRIVATE 1<<18
#endif
@@ -1970,12 +2001,56 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
/**
* This function will drop all capabilities
* Returns zero on success, non-zero otherwise
-@@ -151,25 +163,57 @@
+@@ -134,42 +145,98 @@
+ static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
+ if (verbose)
+ printf("Mount %s on %s\n", src, dst);
+- if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
++
++ int flags = MS_REC;
++ if (strcmp("/tmp", dst) == 0) {
++ flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
++ }
++
++ if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
+ return -1;
+ }
+
+- if (mount(dst, dst, NULL, MS_PRIVATE | MS_REC, NULL) < 0) {
++ if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
+ return -1;
+ }
+
+- if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
++ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
+ return -1;
+ }
if (verify_mount(dst, pwd) < 0) return -1;
+
++ if (strcmp("/tmp", dst) == 0) {
++ struct stat sb;
++ int fd = open(dst,O_RDONLY);
++ if ( fd == -1 ) goto err;
++ if (fstat(fd, &sb) == -1) {
++ close(fd);
++ goto err;
++ }
++ if (fchmod(fd, sb.st_mode | S_ISVTX) < 0) {
++ close(fd);
++ goto err;
++ }
++ close(fd);
++ }
++
+ return 0;
++err:
++ fprintf(stderr, _("Invalid mount point %s: %s\n"), src, strerror(errno));
++ return -1;
+}
+
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [-Z CONTEXT] -- executable [args] ")
@@ -2030,7 +2105,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
{NULL, 0, 0, 0} };
-@@ -180,6 +224,12 @@
+@@ -180,6 +247,12 @@
return -1; }
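Review bot: The MS_NODEV | MS_NOSUID | MS_NOEXEC bits OR'd into `flags` in the new seunshare_mount never reach the /tmp mount: per mount(2), a plain MS_BIND call ignores mountflags other than MS_REC (the bind inherits the underlying filesystem's options), and the MS_PRIVATE propagation call likewise accepts only MS_REC, so the hardening the commit message describes is not applied. Those per-mountpoint flags only take effect through a follow-up remount of the new mount, which is what mount(8) does for `--bind -o nosuid`; after the `mount(src, dst, ...)` call add `if (mount(NULL, dst, NULL, MS_REMOUNT | MS_BIND | flags, NULL) < 0) { fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); return -1; }`. Two smaller points in the sticky-bit block: the `err:` message reports `src` although the path that was opened and fstat'ed is `dst`, and `strerror(errno)` is evaluated after `close(fd)`, which can overwrite errno, so save errno before closing. `sb.st_mode | S_ISVTX` also hands the file-type bits to fchmod; Linux masks them off, but `(sb.st_mode & 07777) | S_ISVTX` states the intent.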
@@ -2043,7 +2118,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
-@@ -192,30 +242,30 @@
+@@ -192,30 +265,30 @@
}
while (1) {
@@ -2083,7 +2158,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
default:
fprintf(stderr, "%s\n", USAGE_STRING);
return -1;
-@@ -223,21 +273,179 @@
+@@ -223,21 +296,179 @@
}
if (! homedir_s && ! tmpdir_s) {
@@ -2269,7 +2344,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
-@@ -286,11 +494,13 @@
+@@ -286,11 +517,13 @@
exit(-1);
}
@@ -2288,8 +2363,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
}
if (display)
-@@ -308,14 +518,12 @@
- setsid();
+@@ -305,17 +538,14 @@
+ perror(_("Failed to change dir to homedir"));
+ exit(-1);
+ }
+- setsid();
execv(argv[optind], argv + optind);
free(display);
+ freecon(scontext);
@@ -2304,6 +2382,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
- return status;
}
+Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.83/sandbox/seunshare.o differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.83/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2010-05-19 14:45:51.000000000 -0400
+++ policycoreutils-2.0.83/scripts/chcat 2010-07-30 13:50:40.000000000 -0400
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 473b1d9..828e0a2 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.83
-Release: 19%{?dist}
+Release: 20%{?dist}
License: GPLv2
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
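Review bot: Dropping `setsid();` in the @@ -2288 hunk leaves the sandboxed command in the caller's session and process group, which is what lets ^C from the sandbox tool reach it, but it also keeps the caller's controlling terminal attached to the confined process instead of detaching it as before. If the confinement is meant to include the terminal, the alternative is to keep setsid() and have the sandbox tool forward SIGINT to the seunshare process; either way the trade-off deserves a comment at the call site, e.g. `/* no setsid(): stay in the caller's session so ^C from sandbox reaches us */`. The enclosing main() starts and ends outside the hunk, so I cannot see whether anything else relied on the new session.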
@@ -315,6 +315,12 @@ fi
exit 0
%changelog
+* Tue Aug 24 2010 Dan Walsh 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
* Mon Aug 23 2010 Dan Walsh 2.0.83-19
- Fix translation handling in file context page of system-config-selinux