setfsuid return codes were not being checked. Add checks to make sure
we are switching from and to what we expect. Bail (most places) if we
didn't switch successfully.
Signed-off-by: Eric Paris <eparis@redhat.com>
We were doing x = realloc(x, ) which is a big no no, since it leaks X
on allocation failure. Found with static analysis tool from David
Malcolm.
Signed-off-by: Eric Paris <eparis@redhat.com>
Add a new sandbox option to run /usr/bin/shred on all files in the temp
directories before they are deleted.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since /tmp and /var/tmp get mounted over each other in sandbox we should
take the data from both.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
add some definition to the standard types available for sandboxes so
users have a way to know about them and what they are intended to be
used for.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We are now building our packages with -Werror=format-security enabled.
The attached patch fix the FTBFS. More patch related to this could
follow.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This means you can still run setuid programs, but don't need special
perms to run seunshare.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix the handling of namespaces in seunshare/sandbox.
Currently mounting of directories within sandbox is propogating to the
parent namesspace. This fix will basically isolate any mounting that
happens after the unshare from the parent namespace.
Signed-off-by: Eric Paris <eparis@redhat.com
Acked-by: Dan Walsh <dwalsh@redhat.com>
Include -W
Set LDLIBS consistently (include -L$(LIBDIR))
Don't explicitly call $(CC) let make do it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In order to handle properly the display on boot the sandbox init
script has to source the functions file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If sandbox init script is run multiple times to start it should still
return 0 rather than an error. Things should still be set up.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of force an arbitrary 100 category requirement, only bomb if
there is a problem. Error out if there are 0 categories or if we cannot
find a free category in a reasonable number of attempts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We calculate the number of available legit category sets for a given
user and then try to find one that many times. If we don't find one,
bail out.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
100 is very high, but at least we know the chances of finding a valid
combination is high.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since this file lives in /etc/sysconfig/ it does not include a .conf
extention. Thus the man page should not include a .conf in the
filename.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix sandbox Makefile so that make DESTDIR=~/out install works again.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When running an app within a sandbox, the application currently
switches to no LANG. This patch will cause the sandboxed app to use
the users LANG.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This is purely personal preference. Most of the Makefiles use $() for
Makefile variables, but a couple of places use ${}. Since this obscured
some later Makefile changes I figured I'd just make them all the same up
front.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Change sandbox init script to not load functions any longer, we don't use them
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
add kill option to seunshare to kill all processes that are still running
with the execcon MCS label.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
pam_namespace and sandbox both do the bind mounts internally now. No
reason to force this on everyone. Hopefully the sandbox init script
will be disappearing with systemd doing this by default.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
seunshare now creates a runtime temporary directory owned by root and
with the sticky bit set properly. Files from the user-specified directory
are copied to the runtime directory and the changes synced back (using rsync)
at the end of the seunshare run.
This is hoped to address CVE-2011-1011
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Introduce a helper which will spawn children and wait for them to exit
so we don't have to keep writing that code over and over.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
These are just simple new helpers which make it easy to check uid, gid,
if two stat results are the same and things like that.
Signed-off-by: Eric Paris <eparis@redhat.com>
Some sandbox might want to be able to run a suid app. Add the -C option
to allow capabilities to stay in the bounding set, and thus be allowed
inside the sandbox.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Split drop_capabilities into drop_privs, which does the same thing, and
drop_caps, which only drops caps but doesn't affect the uid.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Little things like better error messages, usage text, code duplication
and the like.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
seunshare can be used on non-selinux systems. It can also be used
without transition to a new context. Thus we should not require that a
context be set.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
we have man pages which aren't being instelled with make install. We
also do not include -Werror -Wall -Wextra in the build like we do with
other packages, so include those.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This allows users to create sandbox windows of a specified size on the
command line.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When launching a sandbox x environment we should check up front to make
sure that the seunshare and sandboxsh files exist and bail politely if
they do not exist.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Rather than putting pathnames all throughout the file define them as
variables and reuse these variables where needed.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Just coding style, globals go at the top of .c files, not randomly
throughout.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
SELinux pythons applications should not allow the user to change the
sys.path
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If one tries to build policycoreutils it won't work because of:
seunshare.c: In function ‘main’:
seunshare.c:242:21: error: ‘CLONE_NEWNS’ undeclared (first use in this
function)
seunshare.c:242:21: note: each undeclared identifier is reported only
once for each function it appears in
make[1]: *** [seunshare.o] Error 1
Moving the #define _GNU_SOURCE earlier in the file means it is set when
sched.h is includes via some of dependancy chain. Thus it can build.
Signed-off-by: Eric Paris <eparis@redhat.com>
