Mixing LDFLAGS in CFLAGS can lead to compiler errors. For example in
policycoreutils/sandbox:
$ make CC=clang LDFLAGS='-Wl,-as-needed,-no-undefined'
clang -Wl,-as-needed,-no-undefined -I/usr/include
-DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W -c -o
seunshare.o seunshare.c
clang-3.8: error: -Wl,-as-needed,-no-undefined: 'linker' input
unused
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The next patch will update info() and search() to use the setools4 api.
setools4 makes heavy use of generators so info() and search() will as
well. Pre-emptively update users to cast to a list where required.
Signed-off-by: Jason Zaman <jason@perfinion.com>
sandbox tried to copy all affected files to the new home
or tmp even though -M or -X was not specified and there was no new
directory.
Fixes:
$ sandbox ls ~
/usr/bin/sandbox: [Errno 17] File exists: '/root'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems to be important enough in order not
to leave the server running when the last client connection is closed.
This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and the sandboxed process can't read them.
With this change, homedir and tmpdir are recursively relabeled with the
expected sandbox labels after all items are in their place.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
p1.stdout should be closed after it's connected to p2 according to
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline
Fixes:
$ make PYTHON=python3 test
Verify that we can read file descriptors handed to sandbox ...
/usr/lib64/python3.5/unittest/case.py:638: ResourceWarning: unclosed
file <_io.BufferedReader name=4>
testMethod()
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The tests executed sandbox from $PATH while they should test sandbox in
cwd. At the same time, tests should be run using the same python as is
used by make to run them.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
The commit 7574a50f tried to improve compatibility with Python 3. It changed
the code to use subprocess.getstatusoutput() instead of
commands.getstatusoutput(). Unfortunately subprocess.getstatusoutput() is not
available in Python 2. This patch changes how getstatusoutput() is imported so
the code works on Python 2 and Python 3.
Fixes:
$ chcat -d something
Traceback (most recent call last):
File "/usr/bin/chcat", line 432, in <module>
sys.exit(chcat_replace(["s0"], cmds, login_ind))
File "/usr/bin/chcat", line 271, in chcat_replace
rc = subprocess.getstatusoutput(cmd)
AttributeError: 'module' object has no attribute 'getstatusoutput'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Install gettext the same way everywhere and have fallbacks to use
str/unicode depending on python version.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
- Handling of cgroups was removed in de0795a12e but
-c option was still documented in sandbox.8
- Minor formatting fix
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
If the "level" option is used to start sandbox commands, this level is not propagated
to specified homedir and tmpdir directories. See rhbz #1279006.
Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
When trying to get policycoreutils working in python3, I kept running
into TabErrors:
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.3/semanage", line 27, in <module>
import seobject
File "/usr/lib64/python3.3/site-packages/seobject.py", line 154
context = "%s%s" % (filler, raw)
^
TabError: inconsistent use of tabs and spaces in indentation
Python3 is a lot stricter than python2 regarding whitespace and it looks like
previous commits mixed the two. When fixing this, I took the chance to fix
other PEP8 style issues at the same time.
This commit was made using:
$ file $(find . -type f) | grep -i python | sed 's/:.*$//' > pyfiles
$ autopep8 --in-place --ignore=E501,E265 $(cat pyfiles)
The ignore E501 is long lines since there are many that would be wrapped
otherwise, and E265 is block comments that start with ## instead of just #.
Signed-off-by: Jason Zaman <jason@perfinion.com>
- gettext.install() only takes optional "unicode" keyword argument in
Python 2, and its default value is "False". This keyword argument
doesn't exist in Python 3
- __builtin__ module has been renamed to "builtins" in Python 3
- raw_input() has been renamed to input() in Python 3
- specify octal literals in form compatible with both Python 2 and 3
- migrate from commands to subprocess
- replace print statement with print function
- use reserved word `as` in try-except
- replace deprecated assert_() method with assertTrue() in unit tests
Signed-off-by: Michal Srb <msrb@redhat.com>
This fixes the build with "make PYTHON=python2" on systems where python
is python3.
For PYLIBVER and PYTHONLIBDIR definitions, I tested Python 2.5, 2.6, 2.7,
3.3 and 3.4. For each of them, these commands print the expected result:
python -c 'import sys;print("python%d.%d" % sys.version_info[0:2])'
python -c "from distutils.sysconfig import *;print(get_python_lib(1))"
Acked-by: Steve Lawrence <slawrence@tresys.com>
In C, defining a function with () means "any number of parameters", not
"no parameter". Use (void) instead where applicable and add unused
parameters when needed.
Acked-by: Steve Lawrence <slawrence@tresys.com>
Building from the root directory with "make DEBUG=1" enables -Wshadow
option. This makes the compilation fail with the following error:
cc -g3 -O0 -gdwarf-2 -fno-strict-aliasing -Wall -Wshadow -Werror -g
-I/usr/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-W -c -o seunshare.o seunshare.c
seunshare.c: In function 'spawn_command':
seunshare.c:141:6: error: declaration of 'child' shadows a global declaration [-Werror=shadow]
int child;
^
seunshare.c:58:12: error: shadowed declaration is here [-Werror=shadow]
static int child = 0;
^
Fix this error by renaming the "child" variable in spawn_command.
Acked-by: Steve Lawrence <slawrence@tresys.com>
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail. This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.
Note that this won't work without adjusting the system policy to
allow this use of setcurrent. This rule appears to work:
allow unconfined_t sandbox_t:process dyntransition;
although a better rule would probably relax the unconfined_t
restriction.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Sandbox policy is huge due to macro expansion. We do not install this by default
but the sandbox command can fail without it installed. This patch prints a message to the
user to install the package.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
setfsuid return codes were not being checked. Add checks to make sure
we are switching from and to what we expect. Bail (most places) if we
didn't switch successfully.
Signed-off-by: Eric Paris <eparis@redhat.com>
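The check described in the commit above, written out as an added illustration rather than seunshare's own code: setfsuid() never signals refusal through errno, it only returns the previous fsuid, so the only way to know the switch happened is to compare that return value with the identity you expected to come from and then call it a second time to read back what is now in effect. The helper, its argument names and the main() driver are assumptions of this example; it is Linux-specific (sys/fsuid.h).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/fsuid.h>
#include <unistd.h>

/*
 * Switch the filesystem uid from `expected_from` to `target` and confirm that
 * the kernel actually honoured the request.  setfsuid() returns the previous
 * fsuid and sets no errno; a request an unprivileged process is not allowed
 * to make simply leaves the fsuid unchanged.  Calling it twice with the same
 * argument therefore tells us both where we came from and what is now in
 * force.  Returns 0 on success, -1 if either check fails.
 */
static int switch_fsuid(uid_t expected_from, uid_t target)
{
    uid_t prev = (uid_t)setfsuid(target);

    if (prev != expected_from) {
        /* We were not where we thought we were: restore and bail. */
        fprintf(stderr, "setfsuid: previous fsuid was %u, expected %u\n",
                (unsigned)prev, (unsigned)expected_from);
        (void)setfsuid(prev);
        return -1;
    }
    /* Second call: the return value is the fsuid that is now in effect. */
    if ((uid_t)setfsuid(target) != target) {
        fprintf(stderr, "setfsuid: switch to %u was silently refused\n",
                (unsigned)target);
        return -1;
    }
    return 0;
}

int main(void)
{
    uid_t me = geteuid();           /* a process starts with fsuid == euid */

    /* Switching to our own uid is always permitted, so this succeeds. */
    if (switch_fsuid(me, me) != 0)
        return 1;
    /* A wrong assumption about the starting fsuid is caught, not ignored. */
    if (switch_fsuid(me + 1, me) == 0)
        return 1;
    /* Without CAP_SETUID the switch to root is refused; the second check
       reports that instead of letting the caller carry on as the wrong user. */
    printf("switch to fsuid 0: %s\n",
           switch_fsuid(me, 0) == 0 ? "granted" : "refused");
    return 0;
}
```

The "bail" decision belongs to the caller: after a failed switch the process may still hold the privileged identity, so the safe reaction is to stop before touching any file on the user's behalf.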
We were doing x = realloc(x, ) which is a big no no, since it leaks X
on allocation failure. Found with static analysis tool from David
Malcolm.
Signed-off-by: Eric Paris <eparis@redhat.com>
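The leak pattern the commit above removes, shown beside its fix in an added example that is not taken from seunshare: when realloc() fails it returns NULL and leaves the original block allocated, so `x = realloc(x, n)` overwrites the only pointer to that block and it can never be freed. The buffer type, function names and the SIZE_MAX trick used to force a failure are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Small growable byte buffer used to demonstrate the realloc pattern. */
struct buf {
    char *data;
    size_t len;
    size_t cap;
};

/*
 * The pattern being removed.  On failure realloc() returns NULL and the old
 * block stays allocated, but the assignment has just discarded the only
 * pointer to it: the memory leaks and the contents are gone for the caller.
 */
static int grow_leaky(struct buf *b, size_t want)
{
    b->data = realloc(b->data, want);   /* BUG: old block lost on failure */
    if (b->data == NULL)
        return -1;
    b->cap = want;
    return 0;
}

/* Correct form: keep the old pointer until realloc() has succeeded. */
static int buf_reserve(struct buf *b, size_t want)
{
    char *tmp;

    if (want <= b->cap)
        return 0;
    tmp = realloc(b->data, want);
    if (tmp == NULL)
        return -1;          /* b->data is still valid and still owned by b */
    b->data = tmp;
    b->cap = want;
    return 0;
}

static int buf_append(struct buf *b, const char *s)
{
    size_t n = strlen(s);

    if (buf_reserve(b, b->len + n + 1) != 0)
        return -1;
    memcpy(b->data + b->len, s, n + 1);
    b->len += n;
    return 0;
}

static void buf_free(struct buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/*
 * Force an allocation failure with a size no allocator can satisfy and
 * report whether the buffer survived: returns 1 if the contents are intact
 * and the block can still be freed, 0 otherwise.
 */
static int demo_failed_realloc(void)
{
    struct buf b = { NULL, 0, 0 };
    volatile size_t huge = SIZE_MAX;    /* volatile keeps the compiler quiet */
    int intact;

    /* grow_leaky() is harmless here only because there is nothing to lose
       yet (b.data is NULL); with a live block a failure would leak it. */
    if (grow_leaky(&b, 16) != 0)
        return 0;
    if (buf_append(&b, "seunshare") != 0 || buf_append(&b, " sandbox") != 0)
        return 0;
    /* realloc(data, SIZE_MAX) returns NULL; the buffer must be untouched. */
    if (buf_reserve(&b, huge) != -1)
        return 0;
    intact = (b.data != NULL && strcmp(b.data, "seunshare sandbox") == 0);
    buf_free(&b);           /* no leak: the old block is still reachable */
    return intact;
}

int main(void)
{
    printf("buffer intact after failed realloc: %s\n",
           demo_failed_realloc() ? "yes" : "no");
    return 0;
}
```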
Add a new sandbox option to run /usr/bin/shred on all files in the temp
directories before they are deleted.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since /tmp and /var/tmp get mounted over each other in sandbox we should
take the data from both.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Add some definitions of the standard types available for sandboxes so
users have a way to know about them and what they are intended to be
used for.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We are now building our packages with -Werror=format-security enabled.
The attached patch fixes the FTBFS. More patches related to this could
follow.
Signed-off-by: Laurent Bigonville <bigon@debian.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This means you can still run setuid programs, but don't need special
perms to run seunshare.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix the handling of namespaces in seunshare/sandbox.
Currently mounting of directories within sandbox is propagating to the
parent namespace. This fix will basically isolate any mounting that
happens after the unshare from the parent namespace.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Include -W
Set LDLIBS consistently (include -L$(LIBDIR))
Don't explicitly call $(CC); let make do it.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
In order to properly handle the display on boot, the sandbox init
script has to source the functions file.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
If sandbox init script is run multiple times to start it should still
return 0 rather than an error. Things should still be set up.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Instead of forcing an arbitrary 100 category requirement, only bomb if
there is a problem. Error out if there are 0 categories or if we cannot
find a free category in a reasonable number of attempts.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We calculate the number of available legit category sets for a given
user and then try to find one that many times. If we don't find one,
bail out.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
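The search described in the two commits above (refuse when there are no categories, otherwise try as many random draws as there are distinct category pairs before bailing out), as an added example that is not sandbox's own code. The pair-count formula, the `pick_free_pair` helper, the callback for "this pair is already in use" and the constructed bitmap table are all assumptions of this example; a real sandbox would consult the levels of running sandboxes instead of a table.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Number of distinct MCS category pairs {c1, c2}, c1 != c2, that can be
 * formed from `ncat` categories (ncat choose 2).  This is the size of the
 * space we draw from and therefore a reasonable number of attempts to make
 * before concluding that nothing is free.
 */
static unsigned long pair_count(unsigned ncat)
{
    if (ncat < 2)
        return 0;
    return (unsigned long)ncat * (ncat - 1) / 2;
}

/* Callback answering whether a pair is already held by a running sandbox. */
typedef int (*pair_in_use_fn)(unsigned c1, unsigned c2, void *ctx);

/*
 * Draw random pairs until a free one turns up.  Returns 0 and stores c1 < c2
 * on success, -1 when no pair can be formed at all or none was free within
 * pair_count(ncat) attempts.
 */
static int pick_free_pair(unsigned ncat, pair_in_use_fn in_use, void *ctx,
                          unsigned *c1_out, unsigned *c2_out)
{
    unsigned long budget = pair_count(ncat);
    unsigned long i;

    if (budget == 0)
        return -1;                  /* 0 or 1 categories: nothing to pick */
    for (i = 0; i < budget; i++) {
        unsigned c1 = (unsigned)rand() % ncat;
        unsigned c2 = (unsigned)rand() % ncat;

        if (c1 == c2)
            continue;               /* a level needs two distinct categories */
        if (c1 > c2) {
            unsigned t = c1; c1 = c2; c2 = t;
        }
        if (!in_use(c1, c2, ctx)) {
            *c1_out = c1;
            *c2_out = c2;
            return 0;
        }
    }
    return -1;
}

/* Constructed "in use" table: a bitmap of pairs held by running sandboxes. */
struct used_table {
    unsigned ncat;
    unsigned char *taken;           /* indexed by c1 * ncat + c2 */
};

static int table_in_use(unsigned c1, unsigned c2, void *ctx)
{
    const struct used_table *t = ctx;
    return t->taken[c1 * t->ncat + c2];
}

/*
 * Allocate a pair from `ncat` categories when the first `taken_pairs` pairs
 * (in index order) are already held.  Returns 0 if a free pair was found,
 * -1 if the search gave up.
 */
static int demo_pick(unsigned ncat, unsigned long taken_pairs)
{
    struct used_table t = { ncat, NULL };
    unsigned c1 = 0, c2 = 0, a, b;
    unsigned long marked = 0;
    int rc;

    t.taken = calloc((size_t)ncat * ncat + 1, 1);
    if (t.taken == NULL)
        return -1;
    for (a = 0; a < ncat; a++)
        for (b = a + 1; b < ncat; b++)
            if (marked++ < taken_pairs)
                t.taken[a * ncat + b] = 1;
    rc = pick_free_pair(ncat, table_in_use, &t, &c1, &c2);
    if (rc == 0)
        printf("s0:c%u,c%u (%lu of %lu pairs were taken)\n",
               c1, c2, taken_pairs, pair_count(ncat));
    else
        printf("no free pair among %u categories after %lu attempts\n",
               ncat, pair_count(ncat));
    free(t.taken);
    return rc;
}

int main(void)
{
    srand(1);
    demo_pick(1024, 0);              /* the usual case: almost everything free */
    demo_pick(1, 0);                 /* too few categories to form a pair */
    demo_pick(4, pair_count(4));     /* every pair held: give up cleanly */
    return 0;
}
```

With 1024 categories the budget is 523776 attempts, so an exhausted search is a real signal that the user's range is full rather than bad luck, while a range of one category is rejected before any drawing happens.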
100 is very high, but at least we know the chances of finding a valid
combination are high.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Since this file lives in /etc/sysconfig/ it does not include a .conf
extension. Thus the man page should not include a .conf in the
filename.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Fix sandbox Makefile so that make DESTDIR=~/out install works again.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
When running an app within a sandbox, the application currently
switches to no LANG. This patch will cause the sandboxed app to use
the user's LANG.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>