Le mardi 03 septembre 2013 à 15:37 -0400, Jay Greguske a écrit : > On 09/03/2013 12:29 PM, Michael scherer wrote: > > On Tue, Sep 03, 2013 at 09:48:52AM -0600, Kevin Fenzi wrote: > >> On Tue, 03 Sep 2013 10:10:32 -0400 > >> Jay Greguske <jgregusk@xxxxxxxxxx> wrote: > >> > >>> If we had SELinux policy enabled on the builders and used MLS on the > >>> chroots that would mitigate chroot-to-chroot attacks. I'm not sure if > >>> policy could prevent a chroot'ed process from getting access to the > >>> builder's certificate. If it could, I think getting SELinux working on > >>> the builders would be an easier path than re-writing koji to use VMs. > >>> > >>> Maybe someone with more expertise could comment on the latter issue. > >> > >> In the past we had selinux disabled on the builders, as mock didn't > >> handle selinux very well at all and there were issues. (even in > >> permissive mode). > >> > >> With this switch to Fedora 19 for builders, we also enabled selinux in > >> permissive mode to gather information on any outstanding issues/avcs. > >> > >> Ideally I would like to get them all to enforcing and make sure we lock > >> down the builds as much as we are able from the vm. > > > > the main issue is that mock should do the transition to a different domain once it > > run anything in chroot. I do have a patch but I was not able to make a policy for the transition > > ( or my patch is buggy ) and I didn't look at it since a few weeks. I can send it > > if someone want to take a look. > > > > Please post it. :) Sure, here it is. I just rebased on newer mock yesterday, and didn't tested at all ( it didn't rebase well, so maybe there is something missing ). I also didn't spent much time on the integration on a config point of view, ie config for each domain, or that's not needed, etc, etc. 
But that's polish I plan to do once I have it working (and I do not remember the status at all; maybe it's completely broken, and I will not have time to work on it for 2 weeks) -- Michael Scherer
>From 3fc44d9bc2cdb4ea04d7040e6e137aafcdf7e3f5 Mon Sep 17 00:00:00 2001
From: Michael Scherer <misc@xxxxxxxx>
Date: Wed, 17 Jul 2013 07:52:04 +0200
Subject: [PATCH] add options to make process run in a chroot in a different context
---
 py/mock.py | 3 +++
 py/mockbuild/backend.py | 9 ++++++---
 py/mockbuild/util.py | 21 ++++++++++++++++-----
 3 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/py/mock.py b/py/mock.py
index a91b030..5008b9e 100755
--- a/py/mock.py
+++ b/py/mock.py
@@ -443,6 +443,9 @@ def main(ret):
 execfile(cfg)
 uidManager.restorePrivs()
+ # TODO do not hardcode it
+ config_opts['chrootcontext'] = 'mock_chroot_t'
+
 # configure logging
 config_opts['chroot_name'] = options.chroot
 log_ini = os.path.join(config_path, config_opts["log_config_file"])
diff --git a/py/mockbuild/backend.py b/py/mockbuild/backend.py
index 4b4940e..0e7e5c6 100644
--- a/py/mockbuild/backend.py
+++ b/py/mockbuild/backend.py
@@ -77,6 +77,7 @@ class Root(object):
 self.chrootuid = config['chrootuid']
 self.chrootuser = 'mockbuild'
 self.chrootgid = config['chrootgid']
+ self.context = config['chrootcontext']
 self.chrootgroup = 'mockbuild'
 self.yum_conf_content = config['yum.conf']
 self.yum_priorities_conf_content = config['priorities.conf']
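Review bot: The hard-coded `config_opts['chrootcontext'] = 'mock_chroot_t'` is assigned after `execfile(cfg)`, so a chrootcontext set in a site or per-chroot config file is silently overwritten and there is no way to disable the transition from configuration. Seeding the value where the other config_opts defaults are initialised (outside this hunk, before the config files are executed) would let a config file override it; if it stays here, `config_opts.setdefault('chrootcontext', 'mock_chroot_t')` at least preserves a configured value. The backend.py hunk in the same patch reads it with `config['chrootcontext']`, which raises KeyError should the key ever be left unset, so `config.get('chrootcontext')` is the safer read there. main() continues outside the hunk.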
@@ -541,13 +542,14 @@ class Root(object):
 # bad hack
 # comment out decorator here so we dont get double exceptions in the root log
 #decorate(traceLog())
- def doChroot(self, command, shell=True, returnOutput=False, printOutput=False, raiseExc=True, *args, **kargs):
+ def doChroot(self, command, shell=True, returnOutput=False, printOutput=False, raiseExc=True, context=None, *args, **kargs):
 """execute given command in root"""
 self._nuke_rpm_db()
 return mockbuild.util.do(command, chrootPath=self.makeChrootPath(), env=self.env, raiseExc=raiseExc, returnOutput=returnOutput, shell=shell,
- printOutput=printOutput, *args, **kargs)
+ printOutput=printOutput, context=context,
+ *args, **kargs)
 def doNonChroot(self, command, shell=True, returnOutput=False, printOutput=False, raiseExc=True, *args, **kargs):
 '''run a command *without* chrooting'''
@@ -738,6 +740,7 @@ class Root(object):
 self.tryLockBuildRoot()
 log.debug("shell: calling preshell hooks")
 self._callHooks("preshell")
+ context=self.context
 if options.unpriv or self.no_root_shells:
 uid=self.chrootuid
 gid=self.chrootgid
@@ -761,7 +764,7 @@ class Root(object):
 ret = mockbuild.util.doshell(chrootPath=self.makeChrootPath(), environ=self.env, uid=uid, gid=gid,
- cmd=cmd)
+ cmd=cmd, context=context)
 finally:
 log.debug("shell: unmounting all filesystems")
 self._umountall()
diff --git a/py/mockbuild/util.py b/py/mockbuild/util.py
index 9ac0b40..60f652d 100644
--- a/py/mockbuild/util.py
+++ b/py/mockbuild/util.py
@@ -20,6 +20,7 @@ import time
 import errno
 import grp
 from glob import glob
+import selinux
 # our imports
 import mockbuild.exception
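Review bot: `context=None` on doChroot means the domain transition only happens when a caller passes it explicitly, and no caller in this patch does — only shell() (the later hunks in this file) passes `self.context` — so, as far as the patch shows, the build itself keeps running in the builder's own context and only interactive shells are confined. Defaulting to the root's configured type before the `mockbuild.util.do` call, `if context is None: context = self.context`, would cover both paths. Inserting `context=None` in front of `*args` also changes what a seventh positional argument binds to, so any caller that passes extras positionally (none visible here) would now feed them into `context`; that is only safe if every caller uses keywords.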
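Review bot: `import selinux` is unconditional, so on a host without the libselinux Python bindings util.py no longer imports and every mock invocation fails, while the module's existing `selinuxEnabled()` helper (visible as the label of a later hunk) suggests SELinux support was previously optional. A guarded import, `try: import selinux` / `except ImportError: selinux = None`, with condSELinuxContext treating `selinux is None` the same as SELinux being disabled, keeps the transition an optional feature rather than a new hard dependency.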
@@ -232,6 +233,14 @@ def condEnvironment(env=None):
 for k in env.keys():
 os.putenv(k, env[k])
+def condSELinuxContext(context=None):
+ if context:
+ if selinux.is_selinux_enabled():
+ rc,ctx=selinux.getcon()
+ new_ctx = selinux.context_new(ctx)
+ selinux.context_type_set(new_ctx, context)
+ selinux.setexeccon(selinux.context_str(context))
+
 def logOutput(fds, logger, returnOutput=1, start=0, timeout=0, printOutput=False):
 output=""
 done = 0
@@ -303,12 +312,12 @@ def selinuxEnabled():
 decorate(traceLog())
 def do(command, shell=False, chrootPath=None, cwd=None, timeout=0, raiseExc=True, returnOutput=0, uid=None, gid=None, personality=None,
- printOutput=False, env=None, *args, **kargs):
+ printOutput=False, env=None, context=None, *args, **kargs):
 logger = kargs.get("logger", getLog())
 output = ""
 start = time.time()
- preexec = ChildPreExec(personality, chrootPath, cwd, uid, gid)
+ preexec = ChildPreExec(personality, chrootPath, cwd, uid, gid, context)
 if env is None: env = clean_env()
 try:
@@ -363,7 +372,7 @@ def do(command, shell=False, chrootPath=None, cwd=None, timeout=0, raiseExc=True
 return output
 class ChildPreExec(object):
- def __init__(self, personality, chrootPath, cwd, uid, gid, env=None, shell=False):
+ def __init__(self, personality, chrootPath, cwd, uid, gid, env=None, shell=False, context=None):
 self.personality = personality
 self.chrootPath = chrootPath
 self.cwd = cwd
@@ -371,6 +380,7 @@ class ChildPreExec(object):
 self.gid = gid
 self.env = env
 self.shell = shell
+ self.context = context
 def __call__(self, *args, **kargs):
 if not self.shell:
@@ -378,6 +388,7 @@ class ChildPreExec(object):
 os.umask(002)
 condPersonality(self.personality)
 condEnvironment(self.env)
+ condSELinuxContext(self.context)
 condChroot(self.chrootPath)
 condDropPrivs(self.uid, self.gid)
 condChdir(self.cwd)
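Review bot: `selinux.setexeccon(selinux.context_str(context))` passes the requested type string, not `new_ctx`, so the context assembled by `context_new`/`context_type_set` is thrown away and the exec context is derived from the wrong argument; the call that matches the intent is `selinux.setexeccon(selinux.context_str(new_ctx))`. The handle returned by `context_new` is also never released with `selinux.context_free`, which leaks on every child spawn. The rewrite below fixes the argument, releases the handle on every path, and documents that the function only changes the type field of the caller's current context; how the bindings report a failed `setexeccon` is not visible here, so the caller's error handling should be confirmed separately.
```python
def condSELinuxContext(context=None):
    """Ask the kernel to run the next exec in SELinux type `context`.

    Keeps the caller's current user/role/range and replaces only the type.
    No-op when no type is requested or SELinux is not enabled.
    """
    if not context or not selinux.is_selinux_enabled():
        return
    rc, ctx = selinux.getcon()
    new_ctx = selinux.context_new(ctx)
    try:
        selinux.context_type_set(new_ctx, context)
        selinux.setexeccon(selinux.context_str(new_ctx))
    finally:
        selinux.context_free(new_ctx)
```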
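Review bot: `ChildPreExec(personality, chrootPath, cwd, uid, gid, context)` passes context as the sixth positional argument, which in the `__init__` signature changed in the next hunk is `env`, not `context`; the type string therefore lands in `self.env`, `condEnvironment` goes on to call `.keys()` on a str, and `self.context` stays None so the `do()` path never transitions at all. Pass it by keyword, `preexec = ChildPreExec(personality, chrootPath, cwd, uid, gid, context=context)`, as the doshell hunk already does. do() continues outside the hunk.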
@@ -391,7 +402,7 @@ def is_in_dir(path, directory):
 return os.path.commonprefix([path, directory]) == directory
-def doshell(chrootPath=None, environ=None, uid=None, gid=None, cmd=None):
+def doshell(chrootPath=None, environ=None, uid=None, gid=None, cmd=None, context=None):
 log = getLog()
 log.debug("doshell: chrootPath:%s, uid:%d, gid:%d" % (chrootPath, uid, gid))
 if environ is None:
@@ -406,7 +417,7 @@ def doshell(chrootPath=None, environ=None, uid=None, gid=None, cmd=None):
 else:
 cmdstr = "/bin/bash -i -l"
 preexec = ChildPreExec(personality=None, chrootPath=chrootPath, cwd=None,
- uid=uid, gid=gid, env=environ, shell=True)
+ uid=uid, gid=gid, env=environ, shell=True, context=context)
 log.debug("doshell: command: %s" % cmdstr)
 return subprocess.call(cmdstr, preexec_fn=preexec, env=environ, shell=True)
--
1.8.3.1