RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-01-28 16:22:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Author: Steve Lawrence

Browse Source 
Email: slawrence@tresys.com
Subject: Updated sandbox patch.
Date: Mon, 07 Jun 2010 17:53:41 -0400

On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/26/2010 04:06 PM, Steve Lawrence wrote:
> > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote:
> > Fixed patch that handles Spaces in homedir.
>
> > The following patch makes a few updates the the sandbox patch, though I
> > have a question:
>
> > Is the sandbox.init script needed anymore? It looks like seunshare was
> > changed to now bind mount and make private the necessary directories.
> > The only thing that seems missing is making root rshared. Also, if the
> > init script is obsolete, do the mounts also need the MS_REC flag for
> > recursive bind/private like they are mounted in the init script? e.g.
>
> The init script is needed for the xguest package/more specifically
> pam_namespace, but also needed for
> mount --make-rshared /
>
> Whether the init script belongs in policycoreutils is questionable though.
>
>
> > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL)
> > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL)
>
> We probably should add these.  Although it is not likely.
>
> > Changes the following patch makes:
>
> > sandbox.py
> > - Removes unused 'import commands'
> > - Fixes the chcon function, and replaces the deprecated os.path.walk
> >   with os.walk. I think this way is a bit easier to read too.
>
> I think chcon should be added to libselinux python bindings and then
> leave the recursive flag.  (restorecon is currently in python bindings._
>
> > - Removes the 'yum install seunshare' message. This tool is not specific
> >   to RPM based distros.
>
> People are using seunshare without X now that I have added the -M flag.
>  So I will move it from the -gui package to the base package with
> sandbox and then this should not be necessary.
> > - Remove try/except around -I include to be consistent with the -i
> >   option. If we can't include a file, then this should bail, no matter
> >   if it's being included via -i or -I.
>
> Ok, I was thinking you could list a whole bunch of files in the -I case
> and if one does not exist, allow it to continue.  But I don't really care.
> > - Fix homedir/tmpdir typo in chcon call
>
> > sandbox.init (maybe obsoleted?)
> > - Fix restart so it stops and starts
> > - unmount the bind mounts when stopped
> I doubt this will work.  Two many locks in /tmp /home
> > - Abort with failure if any mounts fail
>
> > seunshare.c
> > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only
> >   defined in the latest glibc but has been in the kernel since 2005.
> > - Simplify an if-statment. Also, I'm not sure the purpose of the
> >   strncmmp in that conditional, so maybe I've oversimplified.
> This is wrong.  The problem comes about when you mount within the same
> directory.
>
> seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home   ...
>
> seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home
>
> If you do not have the check one of the above will fail.
>
> In the first example if Homedir is mounted first,
> /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to
> mount it on /tmp.
>
> Similarly, if /tmp is mounted first in the second example.
> /tmp/sandbox/home will no longer exist.
>
> You have to check to make sure one of the directories is not included in
> the other.
>
> It seems
> >   like maybe an error should be thrown if tmpdir_s == pw_dir or
> >   homedir_s == "/tmp", but maybe I'm missing something.
>
> See above.
>
> I was blowing up because I use
>
> ~/sandbox/tmp and ~/sandbox/home for my mountpoints.

<snip>

Below is an updated patch that makes a few changes the the latest
Sandbox Patch [1]. This requires the chcon patch [2].

Changes this patch makes:

sandbox.py
- Remove unused 'import commands'
- Uses new chcon method in libselinux [2]
- Removes the 'yum install seunshare' message
- Converts an IOError to a string for printing a warning if a file
  listed in -I does not exist

sandbox.init
- Print the standard Starting/Stoping messages with the appropriate
  OK/FAIL
- Abort with failure if any mounts fail

seunshare.c
- Add the MS_REC flag during mounts to perform recursive mounts
- Define the mount flags MS_PRIVATE and MS_REC if they aren't already.
  The flags are only defined in the latest glibc but have been in the
  kernel since 2005.
- Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are
  used, it wouldn't correctly detect that tmpdir is inside homedir and
  change the mount order. This fixes that.

[1] http://marc.info/?l=selinux&m=127429948731841&w=2
[2] http://marc.info/?l=selinux&m=127594712200878&w=2

Signed-off-by: Chad Sellers <csellers@tresys.com>
This commit is contained in:
Steve Lawrence 2010-06-10 16:37:59 -04:00 committed by Chad Sellers
parent d6848ea77d
commit 582fd00c7b
3 changed files with 61 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
policycoreutils/sandbox/sandbox
View File

@ -24,7 +24,6 @@ import selinux
import signal
from tempfile import mkdtemp
import pwd
import commands
PROGNAME = "policycoreutils"
HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
@ -64,14 +63,6 @@ def error_exit(msg):
sys.stderr.flush()
sys.exit(1)
def chcon(path, context, recursive=False):
""" Restore SELinux context on a given path """
mode = os.lstat(path)[stat.ST_MODE]
lsetfilecon(path, context)
if recursive:
os.path.walk(path, lambda arg, dirname, fnames:
map(chcon, [os.path.join(dirname, fname)
for fname in fnames]), context)
def copyfile(file, dir, dest):
import re
if file.startswith(dir):
@ -173,10 +164,6 @@ class Sandbox:
if not os.path.exists("/usr/sbin/seunshare"):
raise ValueError(_("""
/usr/sbin/seunshare is required for the action you want to perform.
Install seunshare by executing:
# yum install /usr/sbin/seunshare
"""))
def __mount_callback(self, option, opt, value, parser):
@ -206,7 +193,7 @@ Install seunshare by executing:
try:
self.__include(option, opt, i[:-1], parser)
except IOError, e:
sys.stderr.write(e)
sys.stderr.write(str(e))
fd.close()
def __copyfiles(self):
@ -347,14 +334,14 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
os.mkdir(sandboxdir)
if self.__options.homedir:
chcon(self.__options.homedir, self.__filecon, True)
selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
self.__homedir = self.__options.homedir
else:
selinux.setfscreatecon(self.__filecon)
self.__homedir = mkdtemp(dir=sandboxdir, prefix=".sandbox")
if self.__options.tmpdir:
chcon(self.__options.homedir, self.__filecon, True)
selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
self.__tmpdir = self.__options.tmpdir
else:
selinux.setfscreatecon(self.__filecon)

52
policycoreutils/sandbox/sandbox.init
View File

@ -34,37 +34,57 @@ LOCKFILE=/var/lock/subsys/sandbox
base=${0##*/}
case "$1" in
restart)
start)
[ -f "$LOCKFILE" ] && exit 0
start() {
echo -n "Starting sandbox"
[ -f "$LOCKFILE" ] && return 1
touch $LOCKFILE
mount --make-rshared /
mount --rbind /tmp /tmp
mount --rbind /var/tmp /var/tmp
mount --make-private /tmp
mount --make-private /var/tmp
mount --make-rshared / || return $?
mount --rbind /tmp /tmp || return $?
mount --rbind /var/tmp /var/tmp || return $?
mount --make-private /tmp || return $?
mount --make-private /var/tmp || return $?
for h in $HOMEDIRS; do
mount --rbind $h $h
mount --make-private $h
mount --rbind $h $h || return $?
mount --make-private $h || return $?
done
exit $?
;;
return 0
}
status)
stop() {
echo -n "Stopping sandbox"
[ -f "$LOCKFILE" ] || return 1
}
status() {
if [ -f "$LOCKFILE" ]; then
echo "$base is running"
else
echo "$base is stopped"
fi
exit 0
}
case "$1" in
restart)
start && success || failure
;;
start)
start && success || failure
echo
;;
stop)
rm -f $LOCKFILE
exit 0
stop && success || failure
echo
;;
status)
status
;;
*)

27
policycoreutils/sandbox/seunshare.c
View File

@ -31,6 +31,14 @@
#define _(msgid) (msgid)
#endif
#ifndef MS_REC
#define MS_REC 1<<14
#endif
#ifndef MS_PRIVATE
#define MS_PRIVATE 1<<18
#endif
/**
* This function will drop all capabilities
* Returns zero on success, non-zero otherwise
@ -126,17 +134,17 @@ static int verify_shell(const char *shell_name)
static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) {
if (verbose)
printf("Mount %s on %s\n", src, dst);
if (mount(dst, dst, NULL, MS_BIND, NULL) < 0) {
if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
return -1;
}
if (mount(dst, dst, NULL, MS_PRIVATE, NULL) < 0) {
if (mount(dst, dst, NULL, MS_PRIVATE | MS_REC, NULL) < 0) {
fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
return -1;
}
if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
return -1;
}
@ -191,11 +199,17 @@ int main(int argc, char **argv) {
switch (clflag) {
case 't':
tmpdir_s = optarg;
if (!(tmpdir_s = realpath(optarg, NULL))) {
fprintf(stderr, _("Invalid mount point %s: %s\n"), optarg, strerror(errno));
return -1;
}
if (verify_mount(tmpdir_s, pwd) < 0) return -1;
break;
case 'h':
homedir_s = optarg;
if (!(homedir_s = realpath(optarg, NULL))) {
fprintf(stderr, _("Invalid mount point %s: %s\n"), optarg, strerror(errno));
return -1;
}
if (verify_mount(homedir_s, pwd) < 0) return -1;
if (verify_mount(pwd->pw_dir, pwd) < 0) return -1;
break;
@ -300,5 +314,8 @@ int main(int argc, char **argv) {
waitpid(child, &status, 0);
}
free(tmpdir_s);
free(homedir_s);
return status;
}