policycoreutils: sandbox: add -C option to not drop all capabilities

Some sandbox might want to be able to run a suid app. Add the -C option to allow capabilities to stay in the bounding set, and thus be allowed inside the sandbox. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2025-02-27 23:10:30 +00:00 · 2011-06-13 13:24:38 -04:00 · 2011-06-13 13:24:38 -04:00 · 149afc688a
commit 149afc688a
parent d6c09608cd
4 changed files with 26 additions and 9 deletions
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@ -309,6 +309,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
        parser.add_option("-l", "--level", dest="level", 
                          help=_("MCS/MLS level for the sandbox"))

+        parser.add_option("-C", "--capabilities",
+                         action="store_true", dest="usecaps", default=False,
+                         help="Allow apps requiring capabilities to run within the sandbox.")
+
        self.__parser=parser

        self.__options, cmds = parser.parse_args()
@ -389,6 +393,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
    def __execute(self):
           try:
                  cmds = [ SEUNSHARE,  "-Z", self.__execcon ]
+                  if self.__options.usecaps == True:
+                         cmds.append('-C')
                  if self.__mount:
                         cmds +=  [ "-t", self.__tmpdir, "-h", self.__homedir ]

--- a/policycoreutils/sandbox/sandbox.8
+++ b/policycoreutils/sandbox/sandbox.8
@ -3,11 +3,11 @@
 sandbox \- Run cmd under an SELinux sandbox
 .SH SYNOPSIS
 .B sandbox
-[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd

 .br
 .B sandbox
-[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
 .br
 .SH DESCRIPTION
 .PP
@ -59,6 +59,9 @@ Default to /usr/bin/matchbox-window-manager.
 \fB\-X\fR 
 Create an X based Sandbox for gui apps, temporary files for
 $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+.TP
+\fB\-C\fR
+Use capabilities within the sandbox.  By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
 .PP
 .SH "SEE ALSO"
 .TP
--- a/policycoreutils/sandbox/seunshare.8
+++ b/policycoreutils/sandbox/seunshare.8
@ -3,7 +3,7 @@
 seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
 .SH SYNOPSIS
 .B seunshare
-[ -v ] [ -c ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+[ -v ] [ -c ] [ -C ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
 .br
 .SH DESCRIPTION
 .PP
@ -21,6 +21,9 @@ Use alternate temporary directory to mount on /tmp.  tmpdir must be owned by the
 \fB\-c --cgroups\fR
 Use cgroups to control this copy of seunshare.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
 .TP
+\fB\-C --capabilities\fR
+Allow apps executed within the namespace to use capabilities.  Default is no capabilities.
+.TP
 \fB\-Z\ context
 Use alternate SELinux context while runing the executable.
 .TP
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@ -40,19 +40,21 @@
 #endif

 #define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [-t tmpdir] [-h homedir] [-Z context] -- executable [args]")

 static int verbose = 0;

+static capng_select_t cap_set = CAPNG_SELECT_BOTH;
+
 /**
 * This function will drop all capabilities.
 */
 static int drop_caps()
 {
-	if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
+	if (capng_have_capabilities(cap_set) == CAPNG_NONE)
 		return 0;
-	capng_clear(CAPNG_SELECT_BOTH);
-	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
+	capng_clear(cap_set);
+	if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
 		fprintf(stderr, _("Failed to drop all capabilities\n"));
 		return -1;
 	}
@ -180,6 +182,7 @@ int main(int argc, char **argv) {
 		{"tmpdir", 1, 0, 't'},
 		{"verbose", 1, 0, 'v'},
 		{"context", 1, 0, 'Z'},
+		{"capabilities", 1, 0, 'C'},
 		{NULL, 0, 0, 0}
 	};

@ -202,8 +205,7 @@ int main(int argc, char **argv) {
 	}

 	while (1) {
-		clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options,
-				     &flag_index);
+		clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
 		if (clflag == -1)
 			break;

@ -226,6 +228,9 @@ int main(int argc, char **argv) {
 		case 'v':
 			verbose = 1;
 			break;
+		case 'C':
+			cap_set = CAPNG_SELECT_CAPS;
+			break;
 		case 'Z':
 			scontext = strdup(optarg);
 			break;