-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5WtJQACgkQrlYvE4MpobMPQACgmVrhXNB27FVhon99oFab+JWy rAUAoIvk33x3f8Cf2Gz/O5lWH/GaKLhc =WApq -----END PGP SIGNATURE-----
>From a52c43db7bde8803c211b92aeb7e091d1356e8be Mon Sep 17 00:00:00 2001 From: Dan Walsh <dwalsh@xxxxxxxxxx> Date: Mon, 13 Jun 2011 13:24:38 -0400 Subject: [PATCH 57/77] policycoreutils: sandbox: add -C option to not drop all capabilities Some sandbox might want to be able to run a suid app. Add the -C option to allow capabilities to stay in the bounding set, and thus be allowed inside the sandbox. Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- policycoreutils/sandbox/sandbox | 6 ++++++ policycoreutils/sandbox/sandbox.8 | 7 +++++-- policycoreutils/sandbox/seunshare.8 | 5 ++++- policycoreutils/sandbox/seunshare.c | 17 +++++++++++------ 4 files changed, 26 insertions(+), 9 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 45030af..06593e1 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -314,6 +314,10 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile action="store_true", dest="usecgroup", default=False, help=_("Use cgroups to limit this sandbox.")) + parser.add_option("-C", "--capabilities", + action="store_true", dest="usecaps", default=False, + help="Allow apps requiring capabilities to run within the sandbox.") + self.__parser=parser self.__options, cmds = parser.parse_args() @@ -396,6 +400,8 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile cmds = [ SEUNSHARE, "-Z", self.__execcon ] if self.__options.usecgroup == True: cmds.append('-c') + if self.__options.usecaps == True: + cmds.append('-C') if self.__mount: cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 index 63ec905..2b37e63 100644 --- a/policycoreutils/sandbox/sandbox.8 +++ b/policycoreutils/sandbox/sandbox.8 
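Review bot: The new `-C` help text is the only option string in this hunk not wrapped in `_()` for translation, while the neighbouring `-c` option uses `help=_("Use cgroups to limit this sandbox.")`; it should read `help=_("Allow apps requiring capabilities to run within the sandbox.")`. The usage synopsis shown in the hunk header context (`sandbox [-h] [-c] [-l level ] …`) does not list `-C`; if that is the optparse usage string it should be updated to match the man page, which this commit does change. The option-parsing method these lines belong to begins and ends outside the hunk.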
@@ -3,11 +3,11 @@ sandbox \- Run cmd under an SELinux sandbox .SH SYNOPSIS .B sandbox -[-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd +[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd .br .B sandbox -[-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S +[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S .br .SH DESCRIPTION .PP @@ -62,6 +62,9 @@ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t .TP \fB\-c\fR Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +.TP +\fB\-C\fR +Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities. .PP .SH "SEE ALSO" .TP diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 index d3eff96..a9b846b 100644 --- a/policycoreutils/sandbox/seunshare.8 +++ b/policycoreutils/sandbox/seunshare.8 @@ -3,7 +3,7 @@ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context .SH SYNOPSIS .B seunshare -[ -v ] [ -c ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] +[ -v ] [ -c ] [ -C ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] .br .SH DESCRIPTION .PP 
@@ -21,6 +21,9 @@ Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the \fB\-c --cgroups\fR Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. .TP +\fB\-C --capabilities\fR +Allow apps executed within the namespace to use capabilities. Default is no capabilities. +.TP \fB\-Z\ context Use alternate SELinux context while runing the executable. .TP diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c index aa9d93d..2cc9aff 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c @@ -51,19 +51,21 @@ #define BUF_SIZE 1024 #define DEFAULT_PATH "/usr/bin:/bin" -#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ") +#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -C ] [-t tmpdir] [-h homedir] [-Z context] -- executable [args]") static int verbose = 0; +static capng_select_t cap_set = CAPNG_SELECT_BOTH; + /** * This function will drop all capabilities. */ static int drop_caps() { - if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE) + if (capng_have_capabilities(cap_set) == CAPNG_NONE) return 0; - capng_clear(CAPNG_SELECT_BOTH); - if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) { + capng_clear(cap_set); + if (capng_lock() == -1 || capng_apply(cap_set) == -1) { fprintf(stderr, _("Failed to drop all capabilities\n")); return -1; } @@ -401,6 +403,7 @@ int main(int argc, char **argv) { {"verbose", 1, 0, 'v'}, {"cgroups", 1, 0, 'c'}, {"context", 1, 0, 'Z'}, + {"capabilities", 1, 0, 'C'}, {NULL, 0, 0, 0} }; 
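Review bot: The header comment `This function will drop all capabilities.` is no longer accurate once `cap_set` can be `CAPNG_SELECT_CAPS`: on the `-C` path the function clears only the process capability sets and deliberately leaves the bounding set intact. Suggest rewording it to `Drop the process capabilities; unless -C was given the bounding set is cleared too, so no file-capability or setuid binary run inside the sandbox can regain privileges.` Note that `capng_lock()` still runs on both paths; if the targeted libcap-ng implements it via the SECURE_NOROOT/NO_SETUID_FIXUP securebits (as the versions I know of do), setuid-root binaries will still gain no capabilities inside the sandbox and only binaries carrying file capabilities benefit from `-C`, which is worth confirming given the sandbox.8 text promises "setuid apps". The function's `return 0` and closing brace lie outside the hunk.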
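Review bot: The new entry `{"capabilities", 1, 0, 'C'}` declares `--capabilities` with `has_arg = 1` (required_argument), whereas the short form `C` in the getopt string `"Ccvh:t:Z:"` (changed in the later hunk) takes no argument, so `--capabilities` would silently consume the following argv word, e.g. `--capabilities -t tmpdir` swallows `-t`. It should be `{"capabilities", 0, 0, 'C'},`. The pre-existing `verbose` and `cgroups` entries carry the same mismatch, so fixing all three together would be cleaner. The `long_options` array and `main` begin outside the hunk.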
@@ -429,8 +432,7 @@ int main(int argc, char **argv) { } while (1) { - clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, - &flag_index); + clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL); if (clflag == -1) break; @@ -456,6 +458,9 @@ int main(int argc, char **argv) { case 'c': usecgroups = 1; break; + case 'C': + cap_set = CAPNG_SELECT_CAPS; + break; case 'Z': scontext = strdup(optarg); break; -- 1.7.6