policycoreutils/newrole: Set keepcaps around setresuid calls.

Set the "keep capabilities" flag around the setresuid() calls in
drop_capabilities() so that we do not simultaneously drop all
capabilities (when newrole is setuid).

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley 2015-10-01 15:47:08 -04:00
parent 572f899267
commit 92eec06ca6


@ -548,11 +548,22 @@ static int drop_capabilities(int full)
capng_setpid(getpid()); capng_setpid(getpid());
capng_clear(CAPNG_SELECT_CAPS); capng_clear(CAPNG_SELECT_CAPS);
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
return -1;
}
/* Change uid */ /* Change uid */
if (setresuid(uid, uid, uid)) { if (setresuid(uid, uid, uid)) {
fprintf(stderr, _("Error changing uid, aborting.\n")); fprintf(stderr, _("Error changing uid, aborting.\n"));
return -1; return -1;
} }
if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
return -1;
}
if (! full) if (! full)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
return capng_apply(CAPNG_SELECT_CAPS); return capng_apply(CAPNG_SELECT_CAPS);
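Review bot: The failure message on the first added `prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)` call is the same "Error resetting KEEPCAPS" text used when the flag is cleared after `setresuid()`, so the output cannot show which step failed; the first one should read `fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));`. The second hunk (the other drop_capabilities() variant at -579) repeats the same wording. A short comment above the first prctl, such as `/* Keep permitted caps across the uid change so capng_apply() below can still retain the ones we need */`, would record why the flag is toggled. Each added `return -1` leaves before `capng_apply()` has run, and the one after a failed `setresuid()` also leaves the flag set, so callers must treat -1 as fatal. That cannot be confirmed here, because drop_capabilities() starts outside the hunk and its callers are not shown.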
@ -579,11 +590,22 @@ static int drop_capabilities(int full)
capng_setpid(getpid()); capng_setpid(getpid());
capng_clear(CAPNG_SELECT_CAPS); capng_clear(CAPNG_SELECT_CAPS);
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
return -1;
}
/* Change uid */ /* Change uid */
if (setresuid(uid, uid, uid)) { if (setresuid(uid, uid, uid)) {
fprintf(stderr, _("Error changing uid, aborting.\n")); fprintf(stderr, _("Error changing uid, aborting.\n"));
return -1; return -1;
} }
if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
return -1;
}
if (! full) if (! full)
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1); capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_AUDIT_WRITE, -1);