mirror of
https://github.com/SELinuxProject/selinux
synced 2025-01-28 16:22:45 +00:00
582fd00c7b
Email: slawrence@tresys.com
Subject: Updated sandbox patch.
Date: Mon, 07 Jun 2010 17:53:41 -0400

On Thu, 2010-05-27 at 08:57 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/26/2010 04:06 PM, Steve Lawrence wrote:
> > On Wed, 2010-05-19 at 15:59 -0400, Daniel J Walsh wrote:
> > > Fixed patch that handles Spaces in homedir.
> >
> > The following patch makes a few updates to the sandbox patch, though I
> > have a question:
> >
> > Is the sandbox.init script needed anymore? It looks like seunshare was
> > changed to now bind mount and make private the necessary directories.
> > The only thing that seems missing is making root rshared. Also, if the
> > init script is obsolete, do the mounts also need the MS_REC flag for
> > recursive bind/private like they are mounted in the init script? e.g.
>
> The init script is needed for the xguest package/more specifically
> pam_namespace, but also needed for
> mount --make-rshared /
>
> Whether the init script belongs in policycoreutils is questionable though.
>
> > mount(dst, dst, NULL, (MS_BIND | MS_REC), NULL)
> > mount(dst, dst, NULL, (MS_PRIVATE | MS_REC), NULL)
>
> We probably should add these. Although it is not likely.
>
> > Changes the following patch makes:
> >
> > sandbox.py
> > - Removes unused 'import commands'
> > - Fixes the chcon function, and replaces the deprecated os.path.walk
> >   with os.walk. I think this way is a bit easier to read too.
>
> I think chcon should be added to libselinux python bindings and then
> leave the recursive flag. (restorecon is currently in python bindings.)
>
> > - Removes the 'yum install seunshare' message. This tool is not specific
> >   to RPM based distros.
>
> People are using seunshare without X now that I have added the -M flag.
> So I will move it from the -gui package to the base package with
> sandbox and then this should not be necessary.
>
> > - Remove try/except around -I include to be consistent with the -i
> >   option. If we can't include a file, then this should bail, no matter
> >   if it's being included via -i or -I.
>
> Ok, I was thinking you could list a whole bunch of files in the -I case
> and if one does not exist, allow it to continue. But I don't really care.
>
> > - Fix homedir/tmpdir typo in chcon call
> >
> > sandbox.init (maybe obsoleted?)
> > - Fix restart so it stops and starts
> > - unmount the bind mounts when stopped
>
> I doubt this will work. Too many locks in /tmp /home
>
> > - Abort with failure if any mounts fail
> >
> > seunshare.c
> > - Define the mount flag MS_PRIVATE if it isn't already. The flag is only
> >   defined in the latest glibc but has been in the kernel since 2005.
> > - Simplify an if-statement. Also, I'm not sure the purpose of the
> >   strncmp in that conditional, so maybe I've oversimplified.
>
> This is wrong. The problem comes about when you mount within the same
> directory.
>
> seunshare -t /home/dwalsh/sanbox/tmp -h /home/dwalsh/sandbox/home ...
>
> seunshare -t /tmp/sandbox/tmp -h /tmp/sandbox/home
>
> If you do not have the check one of the above will fail.
>
> In the first example if Homedir is mounted first,
> /home/dwalsh/sanbox/tmp will no longer exist when seunshare attempts to
> mount it on /tmp.
>
> Similarly, if /tmp is mounted first in the second example,
> /tmp/sandbox/home will no longer exist.
>
> You have to check to make sure one of the directories is not included in
> the other.
>
> > It seems
> > like maybe an error should be thrown if tmpdir_s == pw_dir or
> > homedir_s == "/tmp", but maybe I'm missing something.
>
> See above.
>
> I was blowing up because I use
> ~/sandbox/tmp and ~/sandbox/home for my mountpoints.

<snip>

Below is an updated patch that makes a few changes to the latest Sandbox
Patch [1]. This requires the chcon patch [2].

Changes this patch makes:

sandbox.py
- Remove unused 'import commands'
- Uses new chcon method in libselinux [2]
- Removes the 'yum install seunshare' message
- Converts an IOError to a string for printing a warning if a file listed
  in -I does not exist

sandbox.init
- Print the standard Starting/Stopping messages with the appropriate
  OK/FAIL
- Abort with failure if any mounts fail

seunshare.c
- Add the MS_REC flag during mounts to perform recursive mounts
- Define the mount flags MS_PRIVATE and MS_REC if they aren't already.
  The flags are only defined in the latest glibc but have been in the
  kernel since 2005.
- Calls realpath(3) on tmpdir_s and homedir_s. If relative paths are
  used, it wouldn't correctly detect that tmpdir is inside homedir and
  change the mount order. This fixes that.

[1] http://marc.info/?l=selinux&m=127429948731841&w=2
[2] http://marc.info/?l=selinux&m=127594712200878&w=2

Signed-off-by: Chad Sellers <csellers@tresys.com>
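Added example, written for this page and not code from this commit or from the policycoreutils tree: a stand-alone sketch of the two seunshare.c points the thread settles on. The nesting check runs on realpath(3)-canonical paths and compares on a path-component boundary rather than with a bare strncmp prefix, and the bind mount is the MS_BIND|MS_REC followed by MS_PRIVATE|MS_REC pair, with both flags defined for old glibc headers. path_within, choose_mount_order, bind_private and the command-line handling are all this example's own assumptions.

```c
/* Added example, not code from this commit: the seunshare.c mount-ordering
 * check on realpath(3)-canonical paths plus the recursive bind/private
 * mount pair.  All function names here are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* Older glibc headers lack these; the kernel has had them since 2005. */
#ifndef MS_REC
#define MS_REC 16384
#endif
#ifndef MS_PRIVATE
#define MS_PRIVATE (1 << 18)
#endif

enum { MOUNT_TMP_FIRST = 0, MOUNT_HOME_FIRST = 1 };

/* 1 if child is parent itself or lies below it.  Both must be canonical
 * absolute paths.  The test stops at a component boundary, so
 * "/home/u/sandbox" does not claim "/home/u/sandboxes" the way a bare
 * strncmp() prefix test would. */
int path_within(const char *parent, const char *child)
{
    size_t plen = strlen(parent);

    if (strcmp(parent, "/") == 0)
        return child[0] == '/';
    if (strncmp(parent, child, plen) != 0)
        return 0;
    return child[plen] == '\0' || child[plen] == '/';
}

/* tmpdir is bound over /tmp and homedir over pw_dir.  Whichever source the
 * other mount would hide has to be mounted first; -1 means each would hide
 * the other, which no order can satisfy. */
int choose_mount_order(const char *tmpdir, const char *homedir,
                       const char *pw_dir)
{
    int home_under_tmp = path_within("/tmp", homedir);
    int tmp_under_home = path_within(pw_dir, tmpdir);

    if (home_under_tmp && tmp_under_home)
        return -1;
    return home_under_tmp ? MOUNT_HOME_FIRST : MOUNT_TMP_FIRST;
}

/* Recursive bind mount, then switch the whole subtree to private
 * propagation so later mounts under dst stay in this namespace.
 * Needs CAP_SYS_ADMIN in the caller's mount namespace. */
int bind_private(const char *src, const char *dst)
{
    if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) {
        fprintf(stderr, "bind %s on %s: %s\n", src, dst, strerror(errno));
        return -1;
    }
    if (mount(NULL, dst, NULL, MS_PRIVATE | MS_REC, NULL) < 0) {
        fprintf(stderr, "make-private %s: %s\n", dst, strerror(errno));
        return -1;
    }
    return 0;
}

/* Usage: ./sandbox_mounts TMPDIR HOMEDIR [PW_DIR]   (PW_DIR defaults to $HOME)
 * Unprivileged it only reports the order; as root it performs the mounts
 * in a fresh mount namespace. */
int main(int argc, char **argv)
{
    char tmpdir[PATH_MAX], homedir[PATH_MAX], pw_dir[PATH_MAX];
    const char *home = argc > 3 ? argv[3] : getenv("HOME");
    int order;

    if (argc < 3 || home == NULL) {
        fprintf(stderr, "usage: %s TMPDIR HOMEDIR [PW_DIR]\n", argv[0]);
        return 2;
    }
    /* realpath() is what makes "sandbox/tmp" or a symlinked homedir
     * comparable; without it the nesting check silently passes. */
    if (!realpath(argv[1], tmpdir) || !realpath(argv[2], homedir) ||
        !realpath(home, pw_dir)) {
        perror("realpath");
        return 1;
    }
    order = choose_mount_order(tmpdir, homedir, pw_dir);
    if (order < 0) {
        fprintf(stderr, "%s and %s would hide each other\n", tmpdir, homedir);
        return 1;
    }
    printf("mount %s first\n", order == MOUNT_HOME_FIRST ? "homedir" : "tmpdir");
    if (geteuid() != 0)
        return 0;
    if (unshare(CLONE_NEWNS) < 0) {
        perror("unshare");
        return 1;
    }
    if (order == MOUNT_HOME_FIRST)
        return bind_private(homedir, pw_dir) || bind_private(tmpdir, "/tmp");
    return bind_private(tmpdir, "/tmp") || bind_private(homedir, pw_dir);
}
```

Run unprivileged it only prints which mount goes first, which is enough to try both of Dan's layouts (~/sandbox/tmp with ~/sandbox/home, and /tmp/sandbox/tmp with /tmp/sandbox/home). It assumes the init script has already made /tmp and the home tree private: if those are still shared peers of an rshared /, the bind mounts made in the new namespace would propagate back to the parent.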
95 lines
1.9 KiB
Bash
#!/bin/bash
## BEGIN INIT INFO
# Provides: sandbox
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 3 4 6
# Required-Start:
#
## END INIT INFO
# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
#
# chkconfig: 345 1 99
#
# Description: sandbox and other apps that want to use pam_namespace
# on /var/tmp, /tmp and home directories, requires this script
# to be run at boot time.
# This script sets up the / mount point and all of its
# subdirectories as shared. The script sets up
# /tmp, /var/tmp, /home and any homedirs listed in
# /etc/sysconfig/sandbox and all of their subdirectories
# as unshared.
# All processes that use pam_namespace will see
# modifications to the global mountspace, except for the
# unshared directories.
#

# Source function library.
. /etc/init.d/functions

HOMEDIRS="/home"

. /etc/sysconfig/sandbox

LOCKFILE=/var/lock/subsys/sandbox

base=${0##*/}

start() {
    echo -n "Starting sandbox"

    [ -f "$LOCKFILE" ] && return 1

    touch "$LOCKFILE"
    mount --make-rshared / || return $?
    mount --rbind /tmp /tmp || return $?
    mount --rbind /var/tmp /var/tmp || return $?
    mount --make-private /tmp || return $?
    mount --make-private /var/tmp || return $?
    for h in $HOMEDIRS; do
        mount --rbind "$h" "$h" || return $?
        mount --make-private "$h" || return $?
    done

    return 0
}

stop() {
    echo -n "Stopping sandbox"

    [ -f "$LOCKFILE" ] || return 1
}

status() {
    if [ -f "$LOCKFILE" ]; then
        echo "$base is running"
    else
        echo "$base is stopped"
    fi
    exit 0
}

case "$1" in
    restart)
        start && success || failure
        ;;

    start)
        start && success || failure
        echo
        ;;

    stop)
        stop && success || failure
        echo
        ;;

    status)
        status
        ;;

    *)
        echo $"Usage: $0 {start|stop|status|restart}"
        exit 3
        ;;
esac
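As an added example, not part of this commit, here is a checker for the state the script's header describes, read from /proc/self/mountinfo: / shared, and /tmp, /var/tmp and the default HOMEDIRS (/home) private. The propagation class of a mount is read from the optional fields that sit between field 6 and the "-" separator, in the layout proc(5) documents. The function names are this example's own, the SAMPLE_MOUNTINFO text is constructed rather than captured from a host, and the checker does not read /etc/sysconfig/sandbox for extra home directories.

```c
/* Added example, not code from this commit: checks from /proc/self/mountinfo
 * that the layout sandbox.init sets up is in place.  Function names are this
 * example's own; SAMPLE_MOUNTINFO is constructed, not captured output. */
#include <stdio.h>
#include <string.h>

/* Copy the n-th (1-based) space-separated field of line into buf. */
static int nth_field(const char *line, int n, char *buf, size_t len)
{
    const char *p = line, *e;
    int i;

    for (i = 1; i < n; i++) {
        p = strchr(p, ' ');
        if (p == NULL)
            return -1;
        p++;
    }
    e = strchr(p, ' ');
    if (e == NULL)
        e = p + strlen(p);
    if ((size_t)(e - p) >= len)
        return -1;
    memcpy(buf, p, e - p);
    buf[e - p] = '\0';
    return 0;
}

/* Propagation class of one mountinfo line.  Fields 1-6 are fixed (id,
 * parent, dev, root, mountpoint, opts); up to the "-" separator follow
 * optional tags such as shared:N or master:N.  No tag means private. */
const char *line_propagation(const char *line)
{
    char tok[64];
    const char *prop = "private";
    int n;

    for (n = 7; nth_field(line, n, tok, sizeof tok) == 0; n++) {
        if (strcmp(tok, "-") == 0)
            break;
        if (strncmp(tok, "shared:", 7) == 0)
            return "shared";
        if (strncmp(tok, "master:", 7) == 0)
            prop = "slave";
        else if (strcmp(tok, "unbindable") == 0)
            prop = "unbindable";
    }
    return prop;
}

/* Propagation of whatever is on top of mountpoint, or NULL if nothing is.
 * Later lines stack over earlier ones, so the last match wins.  Mountpoints
 * with spaces appear octal-escaped (\040); the sandbox paths have none. */
const char *mountpoint_propagation(const char *mountinfo, const char *mountpoint)
{
    const char *prop = NULL, *line = mountinfo;
    char buf[1024], mp[256];

    while (*line != '\0') {
        size_t len = strcspn(line, "\n");

        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (nth_field(buf, 5, mp, sizeof mp) == 0 && strcmp(mp, mountpoint) == 0)
                prop = line_propagation(buf);
        }
        line += len + (line[len] == '\n');
    }
    return prop;
}

/* Number of deviations from the init script's layout: / shared;
 * /tmp, /var/tmp and /home (the default HOMEDIRS) private. */
int check_sandbox_layout(const char *mountinfo)
{
    static const char *private_dirs[] = { "/tmp", "/var/tmp", "/home" };
    const char *p = mountpoint_propagation(mountinfo, "/");
    int bad = (p == NULL || strcmp(p, "shared") != 0);
    size_t i;

    for (i = 0; i < sizeof private_dirs / sizeof private_dirs[0]; i++) {
        p = mountpoint_propagation(mountinfo, private_dirs[i]);
        if (p == NULL || strcmp(p, "private") != 0)
            bad++;
    }
    return bad;
}

/* Constructed sample: / rshared and /tmp, /var/tmp private as intended,
 * but /home left shared, so exactly one problem is expected. */
const char SAMPLE_MOUNTINFO[] =
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "40 22 8:1 /tmp /tmp rw,relatime - ext4 /dev/sda1 rw\n"
    "41 22 8:1 /var/tmp /var/tmp rw,relatime - ext4 /dev/sda1 rw\n"
    "42 22 8:1 /home /home rw,relatime shared:3 - ext4 /dev/sda1 rw\n";

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    size_t n;

    if (f == NULL) {
        perror("/proc/self/mountinfo");
        return 1;
    }
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("layout problems on this host: %d (sample: %d)\n",
           check_sandbox_layout(buf), check_sandbox_layout(SAMPLE_MOUNTINFO));
    return 0;
}
```

Running it after `service sandbox start` should report zero problems; a non-zero count on / means `mount --make-rshared /` did not take, and a non-zero count on /tmp or a home directory means per-user mounts made there by pam_namespace or seunshare will propagate back into the global namespace.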