-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7dHI8ACgkQrlYvE4MpobPvsACgwBnbAlHTop2MK2K8ybmfdQOg xTgAn2OdXyzq2YtQ3DW+GnZSs3YnQ2Ic =a0Du -----END PGP SIGNATURE-----
>From b8267ea65a5a003a6917fa374333bca3541820a5 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Wed, 9 Nov 2011 16:26:02 -0500
Subject: [PATCH 28/48] policycoreutils: sandbox: make sure the domain launching sandbox has at least 100 categories

100 is very high, but at least we know the chances of finding a valid combination is high.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/sandbox/sandbox | 19 +++++++++++++++++--
 1 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index dd2e345..55a4dab 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -118,10 +118,25 @@ def reserve(level):
 sock.bind("\0%s" % level)
 fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)

+def get_range():
+ try:
+ level =selinux.getcon_raw()[1].split(":")[4]
+ lowc,highc = level.split(".")
+ low = int(lowc[1:])
+ high = int(highc[1:])+1
+ if high - low < 100:
+ raise IndexError
+
+ return low,high
+ except IndexError:
+ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
+
 def gen_mcs():
+ low, high = get_range()
+
 while True:
- i1 = random.randrange(0, 1024)
- i2 = random.randrange(0, 1024)
+ i1 = random.randrange(low, high)
+ i2 = random.randrange(low, high)
 if i1 == i2:
 continue
 if i1 > i2:
--
1.7.7.4
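Review bot: `get_range()` turns only `IndexError` into the user-facing message, so any level that is not a single `cLOW.cHIGH` span escapes as a raw exception: a category list without a dot (a constructed `c0,c5`) makes `lowc,highc = level.split(".")` raise an unpacking `ValueError`, and a non-numeric remainder makes `int()` raise one as well. Widening the handler to `except (IndexError, ValueError):` sends every parse failure to the same translated message. Indexing `split(":")[4]` also assumes the low end of the range has no categories of its own; a comment stating the expected `user:role:type:sLOW-sHIGH:cLOW.cHIGH` shape would make that assumption visible. The check `high - low < 100` accepts exactly 100 categories while the message says "more then 100", so the text should read "at least 100" (and "than"/"set up" fixed if it is reworded). `gen_mcs()` continues past the end of the hunk, so how `low`/`high` are used after the swap is not visible here.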