-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk5dS3wACgkQrlYvE4MpobNwwACguyTbCDjkkUOWjG+qJnS3vPEf EhUAnRDpIoqXn5WtaX4Ohc3z2gnOroYZ =XniU -----END PGP SIGNATURE-----
>From 1fb3123795446e29c538359ea5a9951b59f4e669 Mon Sep 17 00:00:00 2001 From: Eric Paris <eparis@xxxxxxxxxx> Date: Mon, 15 Aug 2011 19:58:08 -0400 Subject: [PATCH 38/48] policycoreutils: sandbox: rewrite /tmp handling FIXME seunshare now creates a runtime temporary directory owned by root and with the sticky bit set properly. Files from the user-specified directory are copied to the runtime directory and the changes synced back (using rsync) at the end of the seunshare run. review needed to changelog correctness/completeness Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- policycoreutils/sandbox/sandbox | 8 +- policycoreutils/sandbox/seunshare.8 | 2 +- policycoreutils/sandbox/seunshare.c | 488 +++++++++++++++++++++++++++-------- 3 files changed, 386 insertions(+), 112 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 031fdc7..486cd4e 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -29,7 +29,6 @@ import commands import setools PROGNAME = "policycoreutils" -HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir SEUNSHARE = "/usr/sbin/seunshare" SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" import gettext @@ -374,23 +373,20 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile def __setup_dir(self): if self.__options.level or self.__options.session: return - sandboxdir = HOMEDIR + "/.sandbox" - if not os.path.exists(sandboxdir): - os.mkdir(sandboxdir) if self.__options.homedir: selinux.chcon(self.__options.homedir, self.__filecon, recursive=True) self.__homedir = self.__options.homedir else: selinux.setfscreatecon(self.__filecon) - self.__homedir = mkdtemp(dir=sandboxdir, prefix=".sandbox") + self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_") if self.__options.tmpdir: selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True) self.__tmpdir = self.__options.tmpdir else: selinux.setfscreatecon(self.__filecon) - self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox") + self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") selinux.setfscreatecon(None) self.__copyfiles() diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 index a9b846b..a1bf3fa 100644 --- a/policycoreutils/sandbox/seunshare.8 +++ b/policycoreutils/sandbox/seunshare.8 @@ -16,7 +16,7 @@ within the specified context, using the alternate home directory and /tmp direct Alternate homedir to be used by the application. Homedir must be owned by the user. .TP \fB\-t\ tmpdir -Use alternate temporary directory to mount on /tmp. tmpdir must be owned by the user. +Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user. .TP \fB\-c --cgroups\fR Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c index 9645b23..a4d6cdc 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c @@ -10,6 +10,7 @@ #include <sys/wait.h> #include <syslog.h> #include <sys/mount.h> +#include <glob.h> #include <pwd.h> #include <sched.h> #include <libcgroup.h> @@ -99,7 +100,7 @@ static int set_signal_handles(void) (void)sigprocmask(SIG_SETMASK, &empty, NULL); - /* Terminate on SIGHUP. */ + /* Terminate on SIGHUP */ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) { perror("Unable to set SIGHUP handler"); return -1; @@ -150,26 +151,6 @@ static int spawn_command(const char *cmd, uid_t uid){ } /** - * This function makes sure the mounted directory is owned by the user executing - * seunshare. - * If so, it returns 0. If it can not figure this out or they are different, it returns -1. - */ -static int verify_mount(const char *mntdir, struct passwd *pwd) { - struct stat sb; - if (stat(mntdir, &sb) == -1) { - fprintf(stderr, _("Invalid mount point %s: %s\n"), mntdir, strerror(errno)); - return -1; - } - if (sb.st_uid != pwd->pw_uid) { - errno = EPERM; - syslog(LOG_AUTHPRIV | LOG_ALERT, "%s attempted to mount an invalid directory, %s", pwd->pw_name, mntdir); - perror(_("Invalid mount point, reporting to administrator")); - return -1; - } - return 0; -} - -/** * Check file/directory ownership, struct stat * must be passed to the * functions. */ @@ -247,7 +228,7 @@ static int verify_shell(const char *shell_name) /* check the shell skipping newline char */ if (!strcmp(shell_name, buf)) { - rc = 1; + rc = 0; break; } } @@ -255,26 +236,60 @@ static int verify_shell(const char *shell_name) return rc; } -static int seunshare_mount(const char *src, const char *dst, struct passwd *pwd) { +/** + * Mount directory and check that we mounted the right directory. + */ +static int seunshare_mount(const char *src, const char *dst, struct stat *src_st) +{ + int flags = MS_REC; + int is_tmp = 0; + if (verbose) - printf("Mount %s on %s\n", src, dst); - if (mount(dst, dst, NULL, MS_BIND | MS_REC, NULL) < 0) { + printf(_("Mounting %s on %s\n"), src, dst); + + if (strcmp("/tmp", dst) == 0) { + flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC; + is_tmp = 1; + } + + /* mount directory */ + if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) { fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno)); return -1; } - - if (mount(dst, dst, NULL, MS_PRIVATE | MS_REC, NULL) < 0) { + if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) { fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno)); return -1; } - - if (mount(src, dst, NULL, MS_BIND | MS_REC, NULL) < 0) { + if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) { fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno)); return -1; } - if (verify_mount(dst, pwd) < 0) - return -1; + /* verify whether we mounted what we expected to mount */ + if (verify_directory(dst, src_st, NULL) < 0) return -1; + + /* bind mount /tmp on /var/tmp too */ + if (is_tmp) { + if (verbose) + printf(_("Mounting /tmp on /var/tmp\n")); + + if (mount("/var/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) { + fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno)); + return -1; + } + if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) { + fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno)); + return -1; + } + if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) { + fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno)); + return -1; + } + } + + return 0; + } /** @@ -285,7 +300,6 @@ static int sandbox_error(const char *string) fprintf(stderr, string); syslog(LOG_AUTHPRIV | LOG_ALERT, string); exit(-1); - } /** @@ -485,18 +499,266 @@ err: return rc; } +/* + If path is empy or ends with "/." or "/.. return -1 else return 0; + */ +static int bad_path(const char *path) { + const char *ptr; + ptr = path; + while (*ptr) ptr++; + if (ptr == path) return -1; // ptr null + ptr--; + if (ptr != path && *ptr == '.') { + ptr--; + if (*ptr == '/') return -1; // path ends in /. + if (*ptr == '.') { + if (ptr != path) { + ptr--; + if (*ptr == '/') return -1; // path ends in /.. + } + } + } + return 0; +} + +static int rsynccmd(const char * src, const char *dst, char **cmdbuf) +{ + char *buf = NULL; + char *newbuf = NULL; + glob_t fglob; + fglob.gl_offs = 0; + int flags = GLOB_PERIOD; + unsigned int i = 0; + int rc = -1; + + /* match glob for all files in src dir */ + if (asprintf(&buf, "%s/*", src) == -1) { + fprintf(stderr, "Out of memory\n"); + return -1; + } + + if (glob(buf, flags, NULL, &fglob) != 0) { + free(buf); buf = NULL; + return -1; + } + + free(buf); buf = NULL; + + for ( i=0; i < fglob.gl_pathc; i++) { + const char *path = fglob.gl_pathv[i]; + + if (bad_path(path)) continue; + + if (!buf) { + if (asprintf(&newbuf, "\'%s\'", path) == -1) { + fprintf(stderr, "Out of memory\n"); + goto err; + } + } else { + if (asprintf(&newbuf, "%s \'%s\'", buf, path) == -1) { + fprintf(stderr, "Out of memory\n"); + goto err; + } + } + + free(buf); buf = newbuf; + newbuf = NULL; + } + + if (buf) { + if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) { + fprintf(stderr, "Out of memory\n"); + goto err; + } + *cmdbuf=newbuf; + } + else { + *cmdbuf=NULL; + } + rc = 0; + +err: + free(buf); buf = NULL; + globfree(&fglob); + return rc; +} + +/** + * Clean up runtime temporary directory. Returns 0 if no problem was detected, + * >0 if some error was detected, but errors here are treated as non-fatal and + * left to tmpwatch to finish incomplete cleanup. + */ +static int cleanup_tmpdir(const char *tmpdir, const char *src, + struct passwd *pwd, int copy_content) +{ + char *cmdbuf = NULL; + int rc = 0; + + /* rsync files back */ + if (copy_content) { + if (asprintf(&cmdbuf, "/usr/bin/rsync --exclude=.X11-unix -utrlHDq --delete '%s/' '%s/'", tmpdir, src) == -1) { + fprintf(stderr, _("Out of memory\n")); + cmdbuf = NULL; + rc++; + } + if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) { + fprintf(stderr, _("Failed to copy files from the runtime temporary directory\n")); + rc++; + } + free(cmdbuf); cmdbuf = NULL; + } + + /* remove files from the runtime temporary directory */ + if (asprintf(&cmdbuf, "/bin/rm -r '%s/' 2>/dev/null", tmpdir) == -1) { + fprintf(stderr, _("Out of memory\n")); + cmdbuf = NULL; + rc++; + } + /* this may fail if there's root-owned file left in the runtime tmpdir */ + if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) rc++; + free(cmdbuf); cmdbuf = NULL; + + /* remove runtime temporary directory */ + setfsuid(0); + if (rmdir(tmpdir) == -1) + fprintf(stderr, _("Failed to remove directory %s: %s\n"), tmpdir, strerror(errno)); + setfsuid(pwd->pw_uid); + + return 0; +} + +/** + * seunshare will create a tmpdir in /tmp, with root ownership. The parent + * process waits for it child to exit to attempt to remove the directory. If + * it fails to remove the directory, we will need to rely on tmpreaper/tmpwatch + * to clean it up. + */ +static char *create_tmpdir(const char *src, struct stat *src_st, + struct stat *out_st, struct passwd *pwd, security_context_t execcon) +{ + char *tmpdir = NULL; + char *cmdbuf = NULL; + int fd_t = -1, fd_s = -1; + struct stat tmp_st; + security_context_t con = NULL; + + /* get selinux context */ + if (execcon) { + setfsuid(pwd->pw_uid); + if ((fd_s = open(src, O_RDONLY)) < 0) { + fprintf(stderr, _("Failed to open directory %s: %s\n"), src, strerror(errno)); + goto err; + } + if (fstat(fd_s, &tmp_st) == -1) { + fprintf(stderr, _("Failed to stat directory %s: %s\n"), src, strerror(errno)); + goto err; + } + if (!equal_stats(src_st, &tmp_st)) { + fprintf(stderr, _("Error: %s was replaced by a different directory\n"), src); + goto err; + } + if (fgetfilecon(fd_s, &con) == -1) { + fprintf(stderr, _("Failed to get context of the directory %s: %s\n"), src, strerror(errno)); + goto err; + } + + /* ok to not reach this if there is an error */ + setfsuid(0); + } + + if (asprintf(&tmpdir, "/tmp/.sandbox-%s-XXXXXX", pwd->pw_name) == -1) { + fprintf(stderr, _("Out of memory\n")); + tmpdir = NULL; + goto err; + } + if (mkdtemp(tmpdir) == NULL) { + fprintf(stderr, _("Failed to create temporary directory: %s\n"), strerror(errno)); + goto err; + } + + /* temporary directory must be owned by root:user */ + if (verify_directory(tmpdir, NULL, out_st) < 0) { + goto err; + } + + if (check_owner_uid(0, tmpdir, out_st) < 0) + goto err; + + if (check_owner_gid(getgid(), tmpdir, out_st) < 0) + goto err; + + /* change permissions of the temporary directory */ + if ((fd_t = open(tmpdir, O_RDONLY)) < 0) { + fprintf(stderr, _("Failed to open directory %s: %s\n"), tmpdir, strerror(errno)); + goto err; + } + if (fstat(fd_t, &tmp_st) == -1) { + fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno)); + goto err; + } + if (!equal_stats(out_st, &tmp_st)) { + fprintf(stderr, _("Error: %s was replaced by a different directory\n"), tmpdir); + goto err; + } + if (fchmod(fd_t, 01770) == -1) { + fprintf(stderr, _("Unable to change mode on %s: %s\n"), tmpdir, strerror(errno)); + goto err; + } + /* re-stat again to pick change mode */ + if (fstat(fd_t, out_st) == -1) { + fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno)); + goto err; + } + + /* copy selinux context */ + if (execcon) { + if (fsetfilecon(fd_t, con) == -1) { + fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno)); + goto err; + } + } + + setfsuid(pwd->pw_uid); + + if (rsynccmd(src, tmpdir, &cmdbuf) < 0) { + goto err; + } + + /* ok to not reach this if there is an error */ + setfsuid(0); + + if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) { + fprintf(stderr, _("Failed to populate runtime temporary directory\n")); + cleanup_tmpdir(tmpdir, src, pwd, 0); + goto err; + } + + goto good; +err: + free(tmpdir); tmpdir = NULL; +good: + free(cmdbuf); cmdbuf = NULL; + freecon(con); con = NULL; + if (fd_t >= 0) close(fd_t); + if (fd_s >= 0) close(fd_s); + return tmpdir; +} + int main(int argc, char **argv) { - int rc; int status = -1; + security_context_t execcon = NULL; - security_context_t scontext = NULL; - - int flag_index; /* flag index in argv[] */ int clflag; /* holds codes for command line flags */ - char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */ - char *homedir_s = NULL; /* homedir spec'd by user in argv[] */ int usecgroups = 0; + char *homedir_s = NULL; /* homedir spec'd by user in argv[] */ + char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */ + char *tmpdir_r = NULL; /* tmpdir created by seunshare */ + + struct stat st_homedir; + struct stat st_tmpdir_s; + struct stat st_tmpdir_r; + const struct option long_options[] = { {"homedir", 1, 0, 'h'}, {"tmpdir", 1, 0, 't'}, @@ -528,7 +790,7 @@ int main(int argc, char **argv) { } if (verify_shell(pwd->pw_shell) < 0) { - fprintf(stderr, _("Error! Shell is not valid.\n")); + fprintf(stderr, _("Error: User shell is not valid\n")); return -1; } @@ -539,22 +801,13 @@ int main(int argc, char **argv) { switch (clflag) { case 't': - if (!(tmpdir_s = realpath(optarg, NULL))) { - fprintf(stderr, _("Invalid mount point %s: %s\n"), optarg, strerror(errno)); - return -1; - } - if (verify_mount(tmpdir_s, pwd) < 0) return -1; + tmpdir_s = optarg; break; case 'h': - if (!(homedir_s = realpath(optarg, NULL))) { - fprintf(stderr, _("Invalid mount point %s: %s\n"), optarg, strerror(errno)); - return -1; - } - if (verify_mount(homedir_s, pwd) < 0) return -1; - if (verify_mount(pwd->pw_dir, pwd) < 0) return -1; + homedir_s = optarg; break; case 'v': - verbose = 1; + verbose++; break; case 'c': usecgroups = 1; @@ -563,7 +816,7 @@ int main(int argc, char **argv) { cap_set = CAPNG_SELECT_CAPS; break; case 'Z': - scontext = strdup(optarg); + execcon = optarg; break; default: fprintf(stderr, "%s\n", USAGE_STRING); @@ -572,13 +825,17 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { - fprintf(stderr, _("Error: tmpdir and/or homedir required \n"), - "%s\n", USAGE_STRING); + fprintf(stderr, _("Error: tmpdir and/or homedir required\n %s\n"), USAGE_STRING); return -1; } if (argc - optind < 1) { - fprintf(stderr, _("Error: executable required \n %s \n"), USAGE_STRING); + fprintf(stderr, _("Error: executable required\n %s\n"), USAGE_STRING); + return -1; + } + + if (execcon && is_selinux_enabled() != 1) { + fprintf(stderr, _("Error: execution context specified, but SELinux is not enabled\n")); return -1; } @@ -588,84 +845,105 @@ int main(int argc, char **argv) { if (usecgroups && setup_cgroups() < 0) return -1; - if (unshare(CLONE_NEWNS) < 0) { - perror(_("Failed to unshare")); + /* set fsuid to ruid */ + /* Changing fsuid is usually required when user-specified directory is + * on an NFS mount. It's also desired to avoid leaking info about + * existence of the files not accessible to the user. */ + setfsuid(uid); + + /* verify homedir and tmpdir */ + if (homedir_s && ( + verify_directory(homedir_s, NULL, &st_homedir) < 0 || + check_owner_uid(uid, homedir_s, &st_homedir))) return -1; + if (tmpdir_s && ( + verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 || + check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1; + setfsuid(0); + + /* create runtime tmpdir */ + if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s, + &st_tmpdir_r, pwd, execcon)) == NULL) { + fprintf(stderr, _("Failed to create runtime temporary directory\n")); return -1; } - if (homedir_s && tmpdir_s && (strncmp(pwd->pw_dir, tmpdir_s, strlen(pwd->pw_dir)) == 0)) { - if (seunshare_mount(tmpdir_s, "/tmp", pwd) < 0) - return -1; - if (seunshare_mount(homedir_s, pwd->pw_dir, pwd) < 0) - return -1; - } else { - if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir, pwd) < 0) - return -1; - - if (tmpdir_s && seunshare_mount(tmpdir_s, "/tmp", pwd) < 0) - return -1; - } - - if (drop_privs(uid)) - return -1; - + /* spawn child process */ int child = fork(); if (child == -1) { perror(_("Unable to fork")); - return -1; + goto err; } - if (!child) { - char *display=NULL; - /* Construct a new environment */ - char *d = getenv("DISPLAY"); - if (d) { - display = strdup(d); - if (!display) { - perror(_("Out of memory")); - exit(-1); - } - } + if (child == 0) { + char *display = NULL; + int rc = -1; - if ((rc = clearenv())) { - perror(_("Unable to clear environment")); - free(display); - exit(-1); + if (unshare(CLONE_NEWNS) < 0) { + perror(_("Failed to unshare")); + goto childerr; } - if (scontext) { - if (setexeccon(scontext)) { - fprintf(stderr, _("Could not set exec context to %s.\n"), - scontext); - free(display); - exit(-1); + /* assume fsuid==ruid after this point */ + setfsuid(uid); + + /* mount homedir and tmpdir, in this order */ + if (homedir_s && seunshare_mount(homedir_s, pwd->pw_dir, + &st_homedir) != 0) goto childerr; + if (tmpdir_s && seunshare_mount(tmpdir_r, "/tmp", + &st_tmpdir_r) != 0) goto childerr; + + if (drop_privs(uid) != 0) goto childerr; + + /* construct a new environment */ + if ((display = getenv("DISPLAY")) != NULL) { + if ((display = strdup(display)) == NULL) { + perror(_("Out of memory")); + goto childerr; } } - - if (display) + if ((rc = clearenv()) != 0) { + perror(_("Failed to clear environment")); + goto childerr; + } + if (display) rc |= setenv("DISPLAY", display, 1); rc |= setenv("HOME", pwd->pw_dir, 1); rc |= setenv("SHELL", pwd->pw_shell, 1); rc |= setenv("USER", pwd->pw_name, 1); rc |= setenv("LOGNAME", pwd->pw_name, 1); rc |= setenv("PATH", DEFAULT_PATH, 1); - + if (rc != 0) { + fprintf(stderr, _("Failed to construct environment\n")); + goto childerr; + } + + /* selinux context */ + if (execcon && setexeccon(execcon) != 0) { + fprintf(stderr, _("Could not set exec context to %s.\n"), execcon); + goto childerr; + } + if (chdir(pwd->pw_dir)) { perror(_("Failed to change dir to homedir")); - exit(-1); + goto childerr; } setsid(); execv(argv[optind], argv + optind); + fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno)); +childerr: free(display); - perror("execv"); exit(-1); - } else { - waitpid(child, &status, 0); } - free(tmpdir_s); - free(homedir_s); - free(scontext); + drop_caps(); + /* parent waits for child exit to do the cleanup */ + waitpid(child, &status, 0); + status_to_retval(status, status); + + if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1); + +err: + free(tmpdir_r); return status; } -- 1.7.6.1