Do not drop capability bounding set in seunshare, this allows sandbox to

run setuid apps.
Cleanup policy generation template
Pass dpi settings to sandbox
Add .config/* to restorecond_users.conf
Dan Walsh 2011-06-13 14:00:27 -04:00
parent 397914a5b7
commit f415a12acc
1 changed files with 77 additions and 0 deletions


@ -0,0 +1,77 @@
diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox 2011-06-13 13:47:06.552590955 -0400
+++ policycoreutils-2.0.86/restorecond/restorecond_user.conf 2011-06-13 13:47:27.757820459 -0400
@@ -4,4 +4,4 @@
~/local/*
~/.fonts/*
~/.cache/*
-
+~/.config/*
diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
--- policycoreutils-2.0.86/sandbox/sandbox.sandbox 2011-06-13 13:44:44.678086035 -0400
+++ policycoreutils-2.0.86/sandbox/sandbox 2011-06-13 13:44:45.252092012 -0400
@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
except shutil.Error, elist:
for e in elist.message:
- # ignore files that are missing
- if not e[2].startswith("[Errno 2]"):
- sys.stderr.write(e[2])
+ sys.stderr.write(e[2])
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
@@ -321,7 +319,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
if self.__options.X_ind:
self.setype = DEFAULT_X_TYPE
-
+ self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2")
if self.__options.setype:
self.setype = self.__options.setype
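Review bot: The value stored in `self.dpi` is raw shell output and is never checked before it is handed to SANDBOXSH in the later `cmds += [ "--", SANDBOXSH, ... ]` hunk. `commands.getoutput` returns stderr together with stdout, and `grep dpi` can match more than one X resource, so the string may be empty, multi-line or an xrdb error message; sandboxX.sh then expands it unquoted on the Xephyr command line. I would keep it only when it is a plain number, e.g. `if not self.dpi.isdigit(): self.dpi = "96"` right after the assignment. The assignment appears to sit inside the `X_ind` branch (indentation is lost on this page), so it should be confirmed that every path reaching the `cmds` line has set `self.dpi`. The enclosing method starts and ends outside the hunk.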
@@ -405,7 +403,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
self.__setup_sandboxrc(self.__options.wm)
- cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
+ cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
else:
cmds += [ "--" ] + self.__paths
return subprocess.Popen(cmds).wait()
diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox 2011-06-13 13:44:44.684086096 -0400
+++ policycoreutils-2.0.86/sandbox/sandboxX.sh 2011-06-13 13:44:45.253092023 -0400
@@ -1,10 +1,11 @@
#!/bin/bash
-context=`id -Z | secon -t `
-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
+context=`id -Z | secon -t -l -P`
+export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
+[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
+[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
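Review bot: The new Xephyr line drops `-nolisten tcp`, which the commit message does not mention; depending on the X server's default this can leave the nested display reachable over TCP, so unless the removal is required I would keep the flag, as in `/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen "$SCREENSIZE" -dpi "$DPI" -displayfd 5 ...`. The added tests `[ -z $1 ]` and `[ -z $2 ]` and the expansions `$SCREENSIZE` and `$DPI` are unquoted, so an argument containing whitespace is split into extra words for `[` and for Xephyr; quoting them (`[ -z "$1" ]`, `-dpi "$DPI"`) avoids that. The script continues past the end of this hunk.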
diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox 2011-06-13 13:44:44.687086129 -0400
+++ policycoreutils-2.0.86/sandbox/seunshare.c 2011-06-13 13:44:45.255092045 -0400
@@ -63,10 +63,10 @@ static int verbose = 0;
*/
static int drop_caps()
{
- if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
+ if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
return 0;
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
+ capng_clear(CAPNG_SELECT_CAPS);
+ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
fprintf(stderr, _("Failed to drop all capabilities\n"));
return -1;
}
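Review bot: After this change drop_caps() no longer touches the bounding set, but the message still reads "Failed to drop all capabilities" and the doc comment above the function, which begins outside the hunk, is not updated. Since the commit message gives running setuid apps as the reason, I would record that at the function, e.g. `/* Bounding set is left intact on purpose so setuid programs can run inside the sandbox. */`, and add which layer is then expected to confine those programs, which this hunk does not show. It is also worth confirming how the retained `capng_lock()` call interacts with that goal, because as far as I recall it locks the securebits before `capng_apply` runs.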