selinux/sandbox/seunshare.c

901 lines
21 KiB
C
Raw Normal View History

/*
* Authors: Dan Walsh <dwalsh@redhat.com>
* Authors: Thomas Liu <tliu@fedoraproject.org>
*/
#define _GNU_SOURCE
#include <signal.h>
#include <sys/fsuid.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#include <sys/mount.h>
#include <glob.h>
#include <pwd.h>
#include <sched.h>
#include <string.h>
#include <stdio.h>
#include <regex.h>
#include <unistd.h>
#include <stdlib.h>
#include <cap-ng.h>
#include <getopt.h> /* for getopt_long() form of getopt() */
#include <limits.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <selinux/selinux.h>
#include <selinux/context.h> /* for context-mangling functions */
#include <dirent.h>
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
#include <libintl.h> /* for gettext() */
#define _(msgid) gettext (msgid)
#else
#define _(msgid) (msgid)
#endif
Author: Steve Lawrence Email: slawrence@tresys.com Subject: Updated sandbox patch. Date: Mon, 07 Jun 2010 17:53:41 -0400 On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/26/2010 04:06 PM, Steve Lawrence wrote: > > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote: > > Fixed patch that handles Spaces in homedir. > > > The following patch makes a few updates the the sandbox patch, though I > > have a question: > > > Is the sandbox.init script needed anymore? It looks like seunshare was > > changed to now bind mount and make private the necessary directories. > > The only thing that seems missing is making root rshared. Also, if the > > init script is obsolete, do the mounts also need the MS_REC flag for > > recursive bind/private like they are mounted in the init script? e.g. > > The init script is needed for the xguest package/more specifically > pam_namespace, but also needed for > mount --make-rshared / > > Whether the init script belongs in policycoreutils is questionable though. > > > > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL) > > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL) > > We probably should add these. Although it is not likely. > > > Changes the following patch makes: > > > sandbox.py > > - Removes unused 'import commands' > > - Fixes the chcon function, and replaces the deprecated os.path.walk > > with os.walk. I think this way is a bit easier to read too. > > I think chcon should be added to libselinux python bindings and then > leave the recursive flag. (restorecon is currently in python bindings._ > > > - Removes the 'yum install seunshare' message. This tool is not specific > > to RPM based distros. > > People are using seunshare without X now that I have added the -M flag. > So I will move it from the -gui package to the base package with > sandbox and then this should not be necessary. > > - Remove try/except around -I include to be consistent with the -i > > option. If we can't include a file, then this should bail, no matter > > if it's being included via -i or -I. > > Ok, I was thinking you could list a whole bunch of files in the -I case > and if one does not exist, allow it to continue. But I don't really care. > > - Fix homedir/tmpdir typo in chcon call > > > sandbox.init (maybe obsoleted?) > > - Fix restart so it stops and starts > > - unmount the bind mounts when stopped > I doubt this will work. Two many locks in /tmp /home > > - Abort with failure if any mounts fail > > > seunshare.c > > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only > > defined in the latest glibc but has been in the kernel since 2005. > > - Simplify an if-statment. Also, I'm not sure the purpose of the > > strncmmp in that conditional, so maybe I've oversimplified. > This is wrong. The problem comes about when you mount within the same > directory. > > seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home ... > > seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home > > If you do not have the check one of the above will fail. > > In the first example if Homedir is mounted first, > /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to > mount it on /tmp. > > Similarly, if /tmp is mounted first in the second example. > /tmp/sandbox/home will no longer exist. > > You have to check to make sure one of the directories is not included in > the other. > > It seems > > like maybe an error should be thrown if tmpdir_s == pw_dir or > > homedir_s == "/tmp", but maybe I'm missing something. > > See above. > > I was blowing up because I use > > ~/sandbox/tmp and ~/sandbox/home for my mountpoints. <snip> Below is an updated patch that makes a few changes the the latest Sandbox Patch [1]. This requires the chcon patch [2]. Changes this patch makes: sandbox.py - Remove unused 'import commands' - Uses new chcon method in libselinux [2] - Removes the 'yum install seunshare' message - Converts an IOError to a string for printing a warning if a file listed in -I does not exist sandbox.init - Print the standard Starting/Stoping messages with the appropriate OK/FAIL - Abort with failure if any mounts fail seunshare.c - Add the MS_REC flag during mounts to perform recursive mounts - Define the mount flags MS_PRIVATE and MS_REC if they aren't already. The flags are only defined in the latest glibc but have been in the kernel since 2005. - Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are used, it wouldn't correctly detect that tmpdir is inside homedir and change the mount order. This fixes that. [1] http://marc.info/?l=selinux&m=127429948731841&w=2 [2] http://marc.info/?l=selinux&m=127594712200878&w=2 Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 20:37:59 +00:00
#ifndef MS_REC
#define MS_REC 1<<14
#endif
#ifndef MS_SLAVE
#define MS_SLAVE 1<<19
Author: Steve Lawrence Email: slawrence@tresys.com Subject: Updated sandbox patch. Date: Mon, 07 Jun 2010 17:53:41 -0400 On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/26/2010 04:06 PM, Steve Lawrence wrote: > > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote: > > Fixed patch that handles Spaces in homedir. > > > The following patch makes a few updates the the sandbox patch, though I > > have a question: > > > Is the sandbox.init script needed anymore? It looks like seunshare was > > changed to now bind mount and make private the necessary directories. > > The only thing that seems missing is making root rshared. Also, if the > > init script is obsolete, do the mounts also need the MS_REC flag for > > recursive bind/private like they are mounted in the init script? e.g. > > The init script is needed for the xguest package/more specifically > pam_namespace, but also needed for > mount --make-rshared / > > Whether the init script belongs in policycoreutils is questionable though. > > > > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL) > > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL) > > We probably should add these. Although it is not likely. > > > Changes the following patch makes: > > > sandbox.py > > - Removes unused 'import commands' > > - Fixes the chcon function, and replaces the deprecated os.path.walk > > with os.walk. I think this way is a bit easier to read too. > > I think chcon should be added to libselinux python bindings and then > leave the recursive flag. (restorecon is currently in python bindings._ > > > - Removes the 'yum install seunshare' message. This tool is not specific > > to RPM based distros. > > People are using seunshare without X now that I have added the -M flag. > So I will move it from the -gui package to the base package with > sandbox and then this should not be necessary. > > - Remove try/except around -I include to be consistent with the -i > > option. If we can't include a file, then this should bail, no matter > > if it's being included via -i or -I. > > Ok, I was thinking you could list a whole bunch of files in the -I case > and if one does not exist, allow it to continue. But I don't really care. > > - Fix homedir/tmpdir typo in chcon call > > > sandbox.init (maybe obsoleted?) > > - Fix restart so it stops and starts > > - unmount the bind mounts when stopped > I doubt this will work. Two many locks in /tmp /home > > - Abort with failure if any mounts fail > > > seunshare.c > > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only > > defined in the latest glibc but has been in the kernel since 2005. > > - Simplify an if-statment. Also, I'm not sure the purpose of the > > strncmmp in that conditional, so maybe I've oversimplified. > This is wrong. The problem comes about when you mount within the same > directory. > > seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home ... > > seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home > > If you do not have the check one of the above will fail. > > In the first example if Homedir is mounted first, > /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to > mount it on /tmp. > > Similarly, if /tmp is mounted first in the second example. > /tmp/sandbox/home will no longer exist. > > You have to check to make sure one of the directories is not included in > the other. > > It seems > > like maybe an error should be thrown if tmpdir_s == pw_dir or > > homedir_s == "/tmp", but maybe I'm missing something. > > See above. > > I was blowing up because I use > > ~/sandbox/tmp and ~/sandbox/home for my mountpoints. <snip> Below is an updated patch that makes a few changes the the latest Sandbox Patch [1]. This requires the chcon patch [2]. Changes this patch makes: sandbox.py - Remove unused 'import commands' - Uses new chcon method in libselinux [2] - Removes the 'yum install seunshare' message - Converts an IOError to a string for printing a warning if a file listed in -I does not exist sandbox.init - Print the standard Starting/Stoping messages with the appropriate OK/FAIL - Abort with failure if any mounts fail seunshare.c - Add the MS_REC flag during mounts to perform recursive mounts - Define the mount flags MS_PRIVATE and MS_REC if they aren't already. The flags are only defined in the latest glibc but have been in the kernel since 2005. - Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are used, it wouldn't correctly detect that tmpdir is inside homedir and change the mount order. This fixes that. [1] http://marc.info/?l=selinux&m=127429948731841&w=2 [2] http://marc.info/?l=selinux&m=127594712200878&w=2 Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 20:37:59 +00:00
#endif
#ifndef PACKAGE
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
#define BUF_SIZE 1024
#define DEFAULT_PATH "/usr/bin:/bin"
#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
static int verbose = 0;
static int child = 0;
static capng_select_t cap_set = CAPNG_SELECT_CAPS;
/**
* This function will drop all capabilities.
*/
static int drop_caps(void)
{
if (capng_have_capabilities(cap_set) == CAPNG_NONE)
return 0;
capng_clear(cap_set);
if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
fprintf(stderr, _("Failed to drop all capabilities\n"));
return -1;
}
return 0;
}
/**
* This function will drop all privileges.
*/
static int drop_privs(uid_t uid)
{
if (drop_caps() == -1 || setresuid(uid, uid, uid) == -1) {
fprintf(stderr, _("Failed to drop privileges\n"));
return -1;
}
return 0;
}
/**
* If the user sends a siginto to seunshare, kill the child's session
*/
static void handler(int sig) {
if (child > 0) kill(-child,sig);
}
/**
* Take care of any signal setup.
*/
static int set_signal_handles(void)
{
sigset_t empty;
/* Empty the signal mask in case someone is blocking a signal */
if (sigemptyset(&empty)) {
fprintf(stderr, "Unable to obtain empty signal set\n");
return -1;
}
(void)sigprocmask(SIG_SETMASK, &empty, NULL);
/* Terminate on SIGHUP */
if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
perror("Unable to set SIGHUP handler");
return -1;
}
if (signal(SIGINT, handler) == SIG_ERR) {
perror("Unable to set SIGINT handler");
return -1;
}
return 0;
}
#define status_to_retval(status,retval) do { \
if ((status) == -1) \
retval = -1; \
else if (WIFEXITED((status))) \
retval = WEXITSTATUS((status)); \
else if (WIFSIGNALED((status))) \
retval = 128 + WTERMSIG((status)); \
else \
retval = -1; \
} while(0)
/**
* Spawn external command using system() with dropped privileges.
* TODO: avoid system() and use exec*() instead
*/
static int spawn_command(const char *cmd, uid_t uid){
int childpid;
int status = -1;
if (verbose > 1)
printf("spawn_command: %s\n", cmd);
childpid = fork();
if (childpid == -1) {
perror(_("Unable to fork"));
return status;
}
if (childpid == 0) {
if (drop_privs(uid) != 0) exit(-1);
status = system(cmd);
status_to_retval(status, status);
exit(status);
}
waitpid(childpid, &status, 0);
status_to_retval(status, status);
return status;
}
/**
* Check file/directory ownership, struct stat * must be passed to the
* functions.
*/
static int check_owner_uid(uid_t uid, const char *file, struct stat *st) {
if (S_ISLNK(st->st_mode)) {
fprintf(stderr, _("Error: %s must not be a symbolic link\n"), file);
return -1;
}
if (st->st_uid != uid) {
fprintf(stderr, _("Error: %s not owned by UID %d\n"), file, uid);
return -1;
}
return 0;
}
static int check_owner_gid(gid_t gid, const char *file, struct stat *st) {
if (S_ISLNK(st->st_mode)) {
fprintf(stderr, _("Error: %s must not be a symbolic link\n"), file);
return -1;
}
if (st->st_gid != gid) {
fprintf(stderr, _("Error: %s not owned by GID %d\n"), file, gid);
return -1;
}
return 0;
}
#define equal_stats(one,two) \
((one)->st_dev == (two)->st_dev && (one)->st_ino == (two)->st_ino && \
(one)->st_uid == (two)->st_uid && (one)->st_gid == (two)->st_gid && \
(one)->st_mode == (two)->st_mode)
/**
* Sanity check specified directory. Store stat info for future comparison, or
* compare with previously saved info to detect replaced directories.
* Note: This function does not perform owner checks.
*/
static int verify_directory(const char *dir, struct stat *st_in, struct stat *st_out) {
struct stat sb;
if (st_out == NULL) st_out = &sb;
if (lstat(dir, st_out) == -1) {
fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno));
return -1;
}
if (! S_ISDIR(st_out->st_mode)) {
fprintf(stderr, _("Error: %s is not a directory: %s\n"), dir, strerror(errno));
return -1;
}
if (st_in && !equal_stats(st_in, st_out)) {
fprintf(stderr, _("Error: %s was replaced by a different directory\n"), dir);
return -1;
}
return 0;
}
/**
* This function checks to see if the shell is known in /etc/shells.
* If so, it returns 0. On error or illegal shell, it returns -1.
*/
static int verify_shell(const char *shell_name)
{
int rc = -1;
const char *buf;
if (!(shell_name && shell_name[0]))
return rc;
while ((buf = getusershell()) != NULL) {
/* ignore comments */
if (*buf == '#')
continue;
/* check the shell skipping newline char */
if (!strcmp(shell_name, buf)) {
rc = 0;
break;
}
}
endusershell();
return rc;
}
/**
* Mount directory and check that we mounted the right directory.
*/
static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
{
int flags = 0;
int is_tmp = 0;
if (verbose)
printf(_("Mounting %s on %s\n"), src, dst);
if (strcmp("/tmp", dst) == 0) {
flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
is_tmp = 1;
}
/* mount directory */
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
return -1;
}
/* verify whether we mounted what we expected to mount */
if (verify_directory(dst, src_st, NULL) < 0) return -1;
/* bind mount /tmp on /var/tmp too */
if (is_tmp) {
if (verbose)
printf(_("Mounting /tmp on /var/tmp\n"));
if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
return -1;
}
}
return 0;
}
/*
If path is empty or ends with "/." or "/.. return -1 else return 0;
*/
static int bad_path(const char *path) {
const char *ptr;
ptr = path;
while (*ptr) ptr++;
if (ptr == path) return -1; // ptr null
ptr--;
if (ptr != path && *ptr == '.') {
ptr--;
if (*ptr == '/') return -1; // path ends in /.
if (*ptr == '.') {
if (ptr != path) {
ptr--;
if (*ptr == '/') return -1; // path ends in /..
}
}
}
return 0;
}
static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
{
char *buf = NULL;
char *newbuf = NULL;
glob_t fglob;
fglob.gl_offs = 0;
int flags = GLOB_PERIOD;
unsigned int i = 0;
int rc = -1;
/* match glob for all files in src dir */
if (asprintf(&buf, "%s/*", src) == -1) {
fprintf(stderr, "Out of memory\n");
return -1;
}
if (glob(buf, flags, NULL, &fglob) != 0) {
free(buf); buf = NULL;
return -1;
}
free(buf); buf = NULL;
for ( i=0; i < fglob.gl_pathc; i++) {
const char *path = fglob.gl_pathv[i];
if (bad_path(path)) continue;
if (!buf) {
if (asprintf(&newbuf, "\'%s\'", path) == -1) {
fprintf(stderr, "Out of memory\n");
goto err;
}
} else {
if (asprintf(&newbuf, "%s \'%s\'", buf, path) == -1) {
fprintf(stderr, "Out of memory\n");
goto err;
}
}
free(buf); buf = newbuf;
newbuf = NULL;
}
if (buf) {
if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) {
fprintf(stderr, "Out of memory\n");
goto err;
}
*cmdbuf=newbuf;
}
else {
*cmdbuf=NULL;
}
rc = 0;
err:
free(buf); buf = NULL;
globfree(&fglob);
return rc;
}
/**
* Clean up runtime temporary directory. Returns 0 if no problem was detected,
* >0 if some error was detected, but errors here are treated as non-fatal and
* left to tmpwatch to finish incomplete cleanup.
*/
static int cleanup_tmpdir(const char *tmpdir, const char *src,
struct passwd *pwd, int copy_content)
{
char *cmdbuf = NULL;
int rc = 0;
/* rsync files back */
if (copy_content) {
if (asprintf(&cmdbuf, "/usr/bin/rsync --exclude=.X11-unix -utrlHDq --delete '%s/' '%s/'", tmpdir, src) == -1) {
fprintf(stderr, _("Out of memory\n"));
cmdbuf = NULL;
rc++;
}
if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
fprintf(stderr, _("Failed to copy files from the runtime temporary directory\n"));
rc++;
}
free(cmdbuf); cmdbuf = NULL;
}
/* remove files from the runtime temporary directory */
if (asprintf(&cmdbuf, "/bin/rm -r '%s/' 2>/dev/null", tmpdir) == -1) {
fprintf(stderr, _("Out of memory\n"));
cmdbuf = NULL;
rc++;
}
/* this may fail if there's root-owned file left in the runtime tmpdir */
if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) rc++;
free(cmdbuf); cmdbuf = NULL;
/* remove runtime temporary directory */
if ((uid_t)setfsuid(0) != 0) {
/* setfsuid does not return error, but this check makes code checkers happy */
rc++;
}
if (pwd->pw_uid != 0 && rmdir(tmpdir) == -1)
fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno));
if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
rc++;
}
return rc;
}
/**
* seunshare will create a tmpdir in /tmp, with root ownership. The parent
* process waits for it child to exit to attempt to remove the directory. If
* it fails to remove the directory, we will need to rely on tmpreaper/tmpwatch
* to clean it up.
*/
static char *create_tmpdir(const char *src, struct stat *src_st,
struct stat *out_st, struct passwd *pwd, const char *execcon)
{
char *tmpdir = NULL;
char *cmdbuf = NULL;
int fd_t = -1, fd_s = -1;
struct stat tmp_st;
char *con = NULL;
/* get selinux context */
if (execcon) {
if ((uid_t)setfsuid(pwd->pw_uid) != 0)
goto err;
if ((fd_s = open(src, O_RDONLY)) < 0) {
fprintf(stderr, _("Failed to open directory %s: %s\n"), src, strerror(errno));
goto err;
}
if (fstat(fd_s, &tmp_st) == -1) {
fprintf(stderr, _("Failed to stat directory %s: %s\n"), src, strerror(errno));
goto err;
}
if (!equal_stats(src_st, &tmp_st)) {
fprintf(stderr, _("Error: %s was replaced by a different directory\n"), src);
goto err;
}
if (fgetfilecon(fd_s, &con) == -1) {
fprintf(stderr, _("Failed to get context of the directory %s: %s\n"), src, strerror(errno));
goto err;
}
/* ok to not reach this if there is an error */
if ((uid_t)setfsuid(0) != pwd->pw_uid)
goto err;
}
if (asprintf(&tmpdir, "/tmp/.sandbox-%s-XXXXXX", pwd->pw_name) == -1) {
fprintf(stderr, _("Out of memory\n"));
tmpdir = NULL;
goto err;
}
if (mkdtemp(tmpdir) == NULL) {
fprintf(stderr, _("Failed to create temporary directory: %s\n"), strerror(errno));
goto err;
}
/* temporary directory must be owned by root:user */
if (verify_directory(tmpdir, NULL, out_st) < 0) {
goto err;
}
if (check_owner_uid(0, tmpdir, out_st) < 0)
goto err;
if (check_owner_gid(getgid(), tmpdir, out_st) < 0)
goto err;
/* change permissions of the temporary directory */
if ((fd_t = open(tmpdir, O_RDONLY)) < 0) {
fprintf(stderr, _("Failed to open directory %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
if (fstat(fd_t, &tmp_st) == -1) {
fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
if (!equal_stats(out_st, &tmp_st)) {
fprintf(stderr, _("Error: %s was replaced by a different directory\n"), tmpdir);
goto err;
}
if (fchmod(fd_t, 01770) == -1) {
fprintf(stderr, _("Unable to change mode on %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
/* re-stat again to pick change mode */
if (fstat(fd_t, out_st) == -1) {
fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
/* copy selinux context */
if (execcon) {
if (fsetfilecon(fd_t, con) == -1) {
fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
}
if ((uid_t)setfsuid(pwd->pw_uid) != 0)
goto err;
if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
goto err;
}
/* ok to not reach this if there is an error */
if ((uid_t)setfsuid(0) != pwd->pw_uid)
goto err;
if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
fprintf(stderr, _("Failed to populate runtime temporary directory\n"));
cleanup_tmpdir(tmpdir, src, pwd, 0);
goto err;
}
goto good;
err:
free(tmpdir); tmpdir = NULL;
good:
free(cmdbuf); cmdbuf = NULL;
freecon(con); con = NULL;
if (fd_t >= 0) close(fd_t);
if (fd_s >= 0) close(fd_s);
return tmpdir;
}
#define PROC_BASE "/proc"
static int
killall (const char *execcon)
{
DIR *dir;
char *scon;
struct dirent *de;
pid_t *pid_table, pid, self;
int i;
int pids, max_pids;
int running = 0;
self = getpid();
if (!(dir = opendir(PROC_BASE))) {
return -1;
}
max_pids = 256;
pid_table = malloc(max_pids * sizeof (pid_t));
if (!pid_table) {
(void)closedir(dir);
return -1;
}
pids = 0;
context_t con;
con = context_new(execcon);
const char *mcs = context_range_get(con);
printf("mcs=%s\n", mcs);
while ((de = readdir (dir)) != NULL) {
if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
continue;
if (pids == max_pids) {
pid_t *new_pid_table = realloc(pid_table, 2*pids*sizeof(pid_t));
if (!new_pid_table) {
free(pid_table);
(void)closedir(dir);
return -1;
}
pid_table = new_pid_table;
max_pids *= 2;
}
pid_table[pids++] = pid;
}
(void)closedir(dir);
for (i = 0; i < pids; i++) {
pid_t id = pid_table[i];
if (getpidcon(id, &scon) == 0) {
context_t pidcon = context_new(scon);
/* Attempt to kill remaining processes */
if (strcmp(context_range_get(pidcon), mcs) == 0)
kill(id, SIGKILL);
context_free(pidcon);
freecon(scon);
}
running++;
}
context_free(con);
free(pid_table);
return running;
}
int main(int argc, char **argv) {
int status = -1;
const char *execcon = NULL;
int clflag; /* holds codes for command line flags */
int kill_all = 0;
char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
char *tmpdir_r = NULL; /* tmpdir created by seunshare */
char *runuserdir_s = NULL; /* /var/run/user/UID spec'd by user in argv[] */
char *runuserdir_r = NULL; /* /var/run/user/UID created by seunshare */
struct stat st_curhomedir;
struct stat st_homedir;
struct stat st_tmpdir_s;
struct stat st_tmpdir_r;
struct stat st_runuserdir_s;
struct stat st_runuserdir_r;
const struct option long_options[] = {
{"homedir", 1, 0, 'h'},
{"tmpdir", 1, 0, 't'},
{"runuserdir", 1, 0, 'r'},
{"kill", 1, 0, 'k'},
{"verbose", 1, 0, 'v'},
{"context", 1, 0, 'Z'},
{"capabilities", 1, 0, 'C'},
{NULL, 0, 0, 0}
};
uid_t uid = getuid();
/*
if (!uid) {
fprintf(stderr, _("Must not be root"));
return -1;
}
*/
#ifdef USE_NLS
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
#endif
struct passwd *pwd=getpwuid(uid);
if (!pwd) {
perror(_("getpwduid failed"));
return -1;
}
if (verify_shell(pwd->pw_shell) < 0) {
fprintf(stderr, _("Error: User shell is not valid\n"));
return -1;
}
while (1) {
clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
if (clflag == -1)
break;
switch (clflag) {
case 't':
tmpdir_s = optarg;
break;
case 'k':
kill_all = 1;
break;
case 'h':
homedir_s = optarg;
break;
case 'r':
runuserdir_s = optarg;
break;
case 'v':
verbose++;
break;
case 'C':
cap_set = CAPNG_SELECT_CAPS;
break;
case 'Z':
execcon = optarg;
break;
default:
fprintf(stderr, "%s\n", USAGE_STRING);
return -1;
}
}
if (! homedir_s && ! tmpdir_s) {
fprintf(stderr, _("Error: tmpdir and/or homedir required\n %s\n"), USAGE_STRING);
return -1;
}
if (argc - optind < 1) {
fprintf(stderr, _("Error: executable required\n %s\n"), USAGE_STRING);
return -1;
}
if (execcon && is_selinux_enabled() != 1) {
fprintf(stderr, _("Error: execution context specified, but SELinux is not enabled\n"));
return -1;
}
if (set_signal_handles())
return -1;
/* set fsuid to ruid */
/* Changing fsuid is usually required when user-specified directory is
* on an NFS mount. It's also desired to avoid leaking info about
* existence of the files not accessible to the user. */
if (((uid_t)setfsuid(uid) != 0) && (errno != 0)) {
fprintf(stderr, _("Error: unable to setfsuid %m\n"));
return -1;
}
/* verify homedir and tmpdir */
if (homedir_s && (
verify_directory(homedir_s, NULL, &st_homedir) < 0 ||
check_owner_uid(uid, homedir_s, &st_homedir))) return -1;
if (tmpdir_s && (
verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
if (runuserdir_s && (
verify_directory(runuserdir_s, NULL, &st_runuserdir_s) < 0 ||
check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))) return -1;
if ((uid_t)setfsuid(0) != uid) return -1;
/* create runtime tmpdir */
if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
&st_tmpdir_r, pwd, execcon)) == NULL) {
fprintf(stderr, _("Failed to create runtime temporary directory\n"));
return -1;
}
/* create runtime runuserdir */
if (runuserdir_s && (runuserdir_r = create_tmpdir(runuserdir_s, &st_runuserdir_s,
&st_runuserdir_r, pwd, execcon)) == NULL) {
fprintf(stderr, _("Failed to create runtime $XDG_RUNTIME_DIR directory\n"));
return -1;
}
/* spawn child process */
child = fork();
if (child == -1) {
perror(_("Unable to fork"));
goto err;
}
if (child == 0) {
char *display = NULL;
char *LANG = NULL;
2014-05-12 17:19:19 +00:00
char *RUNTIME_DIR = NULL;
int rc = -1;
char *resolved_path = NULL;
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
goto childerr;
}
/* Remount / as SLAVE so that nothing mounted in the namespace
shows up in the parent */
if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
perror(_("Failed to make / a SLAVE mountpoint\n"));
goto childerr;
}
/* assume fsuid==ruid after this point */
if ((uid_t)setfsuid(uid) != 0) goto childerr;
resolved_path = realpath(pwd->pw_dir,NULL);
if (! resolved_path) goto childerr;
if (verify_directory(resolved_path, NULL, &st_curhomedir) < 0)
goto childerr;
if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0)
goto childerr;
if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) {
perror(_("Out of memory"));
goto childerr;
}
} else {
if (asprintf(&RUNTIME_DIR, "/run/user/%d", uid) == -1) {
perror(_("Out of memory\n"));
goto childerr;
}
}
/* mount homedir, runuserdir and tmpdir, in this order */
if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
&st_runuserdir_s) != 0) goto childerr;
if (homedir_s && seunshare_mount(homedir_s, resolved_path,
&st_homedir) != 0) goto childerr;
if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp",
&st_tmpdir_r) != 0) goto childerr;
if (drop_privs(uid) != 0) goto childerr;
/* construct a new environment */
if ((display = getenv("DISPLAY")) != NULL) {
if ((display = strdup(display)) == NULL) {
perror(_("Out of memory"));
goto childerr;
}
}
/* construct a new environment */
if ((LANG = getenv("LANG")) != NULL) {
if ((LANG = strdup(LANG)) == NULL) {
perror(_("Out of memory"));
goto childerr;
}
}
if ((rc = clearenv()) != 0) {
perror(_("Failed to clear environment"));
goto childerr;
}
if (display)
rc |= setenv("DISPLAY", display, 1);
if (LANG)
rc |= setenv("LANG", LANG, 1);
2014-05-12 17:19:19 +00:00
if (RUNTIME_DIR)
rc |= setenv("XDG_RUNTIME_DIR", RUNTIME_DIR, 1);
rc |= setenv("HOME", pwd->pw_dir, 1);
rc |= setenv("SHELL", pwd->pw_shell, 1);
rc |= setenv("USER", pwd->pw_name, 1);
rc |= setenv("LOGNAME", pwd->pw_name, 1);
rc |= setenv("PATH", DEFAULT_PATH, 1);
if (rc != 0) {
fprintf(stderr, _("Failed to construct environment\n"));
goto childerr;
}
if (chdir(pwd->pw_dir)) {
perror(_("Failed to change dir to homedir"));
goto childerr;
}
setsid();
/* selinux context */
if (execcon) {
/* try dyntransition, since no_new_privs can interfere
* with setexeccon */
if (setcon(execcon) != 0) {
/* failed; fall back to setexeccon */
if (setexeccon(execcon) != 0) {
fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
goto childerr;
}
}
}
execv(argv[optind], argv + optind);
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
free(resolved_path);
free(display);
free(LANG);
2014-05-12 17:19:19 +00:00
free(RUNTIME_DIR);
exit(-1);
}
drop_caps();
Author: Steve Lawrence Email: slawrence@tresys.com Subject: Updated sandbox patch. Date: Mon, 07 Jun 2010 17:53:41 -0400 On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 05/26/2010 04:06 PM, Steve Lawrence wrote: > > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote: > > Fixed patch that handles Spaces in homedir. > > > The following patch makes a few updates the the sandbox patch, though I > > have a question: > > > Is the sandbox.init script needed anymore? It looks like seunshare was > > changed to now bind mount and make private the necessary directories. > > The only thing that seems missing is making root rshared. Also, if the > > init script is obsolete, do the mounts also need the MS_REC flag for > > recursive bind/private like they are mounted in the init script? e.g. > > The init script is needed for the xguest package/more specifically > pam_namespace, but also needed for > mount --make-rshared / > > Whether the init script belongs in policycoreutils is questionable though. > > > > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL) > > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL) > > We probably should add these. Although it is not likely. > > > Changes the following patch makes: > > > sandbox.py > > - Removes unused 'import commands' > > - Fixes the chcon function, and replaces the deprecated os.path.walk > > with os.walk. I think this way is a bit easier to read too. > > I think chcon should be added to libselinux python bindings and then > leave the recursive flag. (restorecon is currently in python bindings._ > > > - Removes the 'yum install seunshare' message. This tool is not specific > > to RPM based distros. > > People are using seunshare without X now that I have added the -M flag. > So I will move it from the -gui package to the base package with > sandbox and then this should not be necessary. > > - Remove try/except around -I include to be consistent with the -i > > option. If we can't include a file, then this should bail, no matter > > if it's being included via -i or -I. > > Ok, I was thinking you could list a whole bunch of files in the -I case > and if one does not exist, allow it to continue. But I don't really care. > > - Fix homedir/tmpdir typo in chcon call > > > sandbox.init (maybe obsoleted?) > > - Fix restart so it stops and starts > > - unmount the bind mounts when stopped > I doubt this will work. Two many locks in /tmp /home > > - Abort with failure if any mounts fail > > > seunshare.c > > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only > > defined in the latest glibc but has been in the kernel since 2005. > > - Simplify an if-statment. Also, I'm not sure the purpose of the > > strncmmp in that conditional, so maybe I've oversimplified. > This is wrong. The problem comes about when you mount within the same > directory. > > seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home ... > > seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home > > If you do not have the check one of the above will fail. > > In the first example if Homedir is mounted first, > /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to > mount it on /tmp. > > Similarly, if /tmp is mounted first in the second example. > /tmp/sandbox/home will no longer exist. > > You have to check to make sure one of the directories is not included in > the other. > > It seems > > like maybe an error should be thrown if tmpdir_s == pw_dir or > > homedir_s == "/tmp", but maybe I'm missing something. > > See above. > > I was blowing up because I use > > ~/sandbox/tmp and ~/sandbox/home for my mountpoints. <snip> Below is an updated patch that makes a few changes the the latest Sandbox Patch [1]. This requires the chcon patch [2]. Changes this patch makes: sandbox.py - Remove unused 'import commands' - Uses new chcon method in libselinux [2] - Removes the 'yum install seunshare' message - Converts an IOError to a string for printing a warning if a file listed in -I does not exist sandbox.init - Print the standard Starting/Stoping messages with the appropriate OK/FAIL - Abort with failure if any mounts fail seunshare.c - Add the MS_REC flag during mounts to perform recursive mounts - Define the mount flags MS_PRIVATE and MS_REC if they aren't already. The flags are only defined in the latest glibc but have been in the kernel since 2005. - Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are used, it wouldn't correctly detect that tmpdir is inside homedir and change the mount order. This fixes that. [1] http://marc.info/?l=selinux&m=127429948731841&w=2 [2] http://marc.info/?l=selinux&m=127594712200878&w=2 Signed-off-by: Chad Sellers <csellers@tresys.com>
2010-06-10 20:37:59 +00:00
/* parent waits for child exit to do the cleanup */
waitpid(child, &status, 0);
status_to_retval(status, status);
/* Make sure all child processes exit */
kill(-child,SIGTERM);
if (execcon && kill_all)
killall(execcon);
if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1);
err:
free(tmpdir_r);
return status;
}