Do not drop capability bounding set in seunshare, this allows sandbox to
run setuid apps. Cleanup policy generation template Pass dpi settings to sandbox Add .config/* to restorecond_users.conf
This commit is contained in:
parent
397914a5b7
commit
f415a12acc
|
@ -0,0 +1,77 @@
|
|||
diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
|
||||
--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox 2011-06-13 13:47:06.552590955 -0400
|
||||
+++ policycoreutils-2.0.86/restorecond/restorecond_user.conf 2011-06-13 13:47:27.757820459 -0400
|
||||
@@ -4,4 +4,4 @@
|
||||
~/local/*
|
||||
~/.fonts/*
|
||||
~/.cache/*
|
||||
-
|
||||
+~/.config/*
|
||||
diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
|
||||
--- policycoreutils-2.0.86/sandbox/sandbox.sandbox 2011-06-13 13:44:44.678086035 -0400
|
||||
+++ policycoreutils-2.0.86/sandbox/sandbox 2011-06-13 13:44:45.252092012 -0400
|
||||
@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
|
||||
|
||||
except shutil.Error, elist:
|
||||
for e in elist.message:
|
||||
- # ignore files that are missing
|
||||
- if not e[2].startswith("[Errno 2]"):
|
||||
- sys.stderr.write(e[2])
|
||||
+ sys.stderr.write(e[2])
|
||||
|
||||
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
|
||||
|
||||
@@ -321,7 +319,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||
|
||||
if self.__options.X_ind:
|
||||
self.setype = DEFAULT_X_TYPE
|
||||
-
|
||||
+ self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2")
|
||||
if self.__options.setype:
|
||||
self.setype = self.__options.setype
|
||||
|
||||
@@ -405,7 +403,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||
|
||||
self.__setup_sandboxrc(self.__options.wm)
|
||||
|
||||
- cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
|
||||
+ cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
|
||||
else:
|
||||
cmds += [ "--" ] + self.__paths
|
||||
return subprocess.Popen(cmds).wait()
|
||||
diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
|
||||
--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox 2011-06-13 13:44:44.684086096 -0400
|
||||
+++ policycoreutils-2.0.86/sandbox/sandboxX.sh 2011-06-13 13:44:45.253092023 -0400
|
||||
@@ -1,10 +1,11 @@
|
||||
#!/bin/bash
|
||||
-context=`id -Z | secon -t `
|
||||
-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
|
||||
-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
|
||||
+context=`id -Z | secon -t -l -P`
|
||||
+export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
|
||||
+[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
|
||||
+[ -z $2 ] && export DPI="96" || export DPI="$2"
|
||||
trap "exit 0" HUP
|
||||
|
||||
-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||
+(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||
export DISPLAY=:$D
|
||||
cat > ~/seremote << __EOF
|
||||
#!/bin/sh
|
||||
diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
|
||||
--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox 2011-06-13 13:44:44.687086129 -0400
|
||||
+++ policycoreutils-2.0.86/sandbox/seunshare.c 2011-06-13 13:44:45.255092045 -0400
|
||||
@@ -63,10 +63,10 @@ static int verbose = 0;
|
||||
*/
|
||||
static int drop_caps()
|
||||
{
|
||||
- if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
|
||||
+ if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE)
|
||||
return 0;
|
||||
- capng_clear(CAPNG_SELECT_BOTH);
|
||||
- if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
|
||||
+ capng_clear(CAPNG_SELECT_CAPS);
|
||||
+ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) {
|
||||
fprintf(stderr, _("Failed to drop all capabilities\n"));
|
||||
return -1;
|
||||
}
|
Loading…
Reference in New Issue