policycoreutils: sandbox: make sure the domain launching sandbox has at least 100 categories

100 is very high, but at least we know the chances of finding a valid combination is high. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Dan Walsh <dwalsh@redhat.com>
2011-11-09 16:26:02 -05:00 · 2011-11-09 16:26:02 -05:00 · 78b077cd09
parent 7ece124c51
commit 78b077cd09
1 changed files with 17 additions and 2 deletions
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@ -118,10 +118,25 @@ def reserve(level):
    sock.bind("\0%s" % level)
    fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)

+def get_range():
+       try:
+              level =selinux.getcon_raw()[1].split(":")[4]
+              lowc,highc = level.split(".")
+              low = int(lowc[1:])
+              high = int(highc[1:])+1
+              if high - low < 100:
+                     raise IndexError
+
+              return low,high
+       except IndexError:
+              raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
+
 def gen_mcs():
+       low, high = get_range()
+
       while True:
-              i1 = random.randrange(0, 1024)
-              i2 = random.randrange(0, 1024)
+              i1 = random.randrange(low, high)
+              i2 = random.randrange(low, high)
              if i1 == i2:
                     continue
              if i1 > i2: