On 09/23/2016 01:24 PM, Petr Lautrbach wrote:
> It helps to prevent sandboxed processes to inject arbitrary commands
> into the parent.
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
Thanks, both patches applied.
> ---
> policycoreutils/sandbox/sandbox | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 9cc13c2..07c340c 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -471,10 +471,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
> cmds += ["--"] + self.__paths
> return subprocess.Popen(cmds).wait()
>
> - selinux.setexeccon(self.__execcon)
> - rc = subprocess.Popen(self.__cmds).wait()
> - selinux.setexeccon(None)
> - return rc
> + pid = os.fork()
> + if pid == 0:
> + rc = os.setsid()
> + if rc:
> + return rc
> + selinux.setexeccon(self.__execcon)
> + os.execv(self.__cmds[0], self.__cmds)
> + rc = os.waitpid(pid, 0)
> + return os.WEXITSTATUS(rc[1])
>
> finally:
> for i in self.__paths:
>
_______________________________________________
Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
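Review bot: In the `pid == 0` branch the forked child can fall back into the parent's code instead of terminating. `os.setsid()` returns None and raises OSError on failure, so `if rc: return rc` never fires, and an exception from `setsid`, `setexeccon` or `os.execv` (which, unlike the replaced `Popen`, does not search PATH) unwinds through the `finally:` below, leaving a second copy of the script that runs the `self.__paths` cleanup and carries on in the caller's own context. Every failure path in the child should end in `os._exit()`. On the parent side, `os.WEXITSTATUS(rc[1])` is only meaningful when `os.WIFEXITED` is true, so a command killed by a signal is likely reported as status 0, where `Popen.wait()` returned the negative signal number. The enclosing method starts and ends outside the hunk, so what the `finally:` loop does is inferred from its position.

```python
pid = os.fork()
if pid == 0:
    try:
        os.setsid()
        selinux.setexeccon(self.__execcon)
        os.execv(self.__cmds[0], self.__cmds)
    finally:
        # Reached only when setsid/setexeccon/execv raised: never let the
        # child unwind into the parent's cleanup and caller code.
        os._exit(127)
_, status = os.waitpid(pid, 0)
if os.WIFSIGNALED(status):
    # Match what Popen.wait() reported for a signal-terminated command.
    return -os.WTERMSIG(status)
return os.WEXITSTATUS(status)
```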