On Tue, 14 Jun 2022 at 16:50, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
> <cgzones@xxxxxxxxxxxxxx> wrote:
> > Debian uses Dash as default shell and switching via
> >
> >     dpkg-reconfigure dash
> >
> > has become deprecated.
> >
> > * Use POSIX compliant `> target 2>&1` instead of `>& target`.
>
> I'm fine with this subset of changes.
>
> > * Call runcon directly to avoid a fork within Dash, which breaks tests
> >   requiring to not change the PID of executing commands
>
> I don't seem to have such problem when I change the default shell to
> dash on Fedora. Can you provide a minimal reproducer?

==== test.pl ====
#!/usr/bin/perl

# Directory containing this script; the flag file is created next to it.
$basedir = $0;
$basedir =~ s|(.*)/[^/]*|$1|;

print "current PID: $$\n";

if ( ( $pid = fork() ) == 0 ) {
    print "child PID: $$\n";
    # String form: perl hands the command line to "sh -c", so the PID the
    # parent knows ($pid) is the shell's, and whether the target keeps that
    # PID depends on the shell exec'ing the last command.
    exec "runcon -t unconfined_execmem_t sh -c 'echo >$basedir/flag; while :; do :; done'";
    # List form: no intermediate shell, runcon is exec'ed directly.
    #alternative: exec 'runcon', '-t', 'unconfined_execmem_t', 'sh', '-c', "echo >$basedir/flag; while :; do :; done";
    exit;
}

# Wait for it to start.
#system("bash -c 'read -t 5 <>$basedir/flag'");
`/bin/bash -c 'read -t 5 <>$basedir/flag'`;

# Check the PID the parent holds and show what is really running under it.
$exists = kill 0, $pid;
if ( $exists ) {
    print "Process $pid is running:\n";
    system("pstree -alpZ $pid");
} else {
    print "Process $pid is NOT running\n";
}

# Kill the process.
kill KILL, $pid;

exit;
==== test.pl ====

normal:
current PID: 8558
child PID: 8559
Process 8559 is running:
sh,8559,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 -c runcon -t unconfined_execmem_t bash -c 'echo >./flag; while :; do :; done'
  └─bash,8561,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 -c echo >./flag; while :; do :; done

alternative:
current PID: 8599
child PID: 8600
Process 8600 is running:
sh,8600,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 -c echo >./flag; while :; do :; done

> > * Use bash explicitly for non POSIX read option -t
>
> I'd like to try to find some nicer alternative for this one first...
> If I don't find one, then yours will have to do, I guess.
>
> Any specific reason why you used `` instead of system()? AFAIK the
> only difference is that `` return the command's stdout as a string,
> while system() returns the exit code and forwards stdout.
>
> >
> > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> > ---
> >  README.md                      |  7 -------
> >  tests/binder/test              |  2 +-
> >  tests/bpf/test                 |  4 ++--
> >  tests/fdreceive/test           |  2 +-
> >  tests/filesystem/Filesystem.pm | 14 +++++++-------
> >  tests/inet_socket/test         |  2 +-
> >  tests/ptrace/test              |  6 +++---
> >  tests/sctp/test                |  2 +-
> >  tests/sigkill/test             |  2 +-
> >  tests/task_getpgid/test        |  6 +++---
> >  tests/task_getscheduler/test   |  6 +++---
> >  tests/task_getsid/test         |  6 +++---
> >  tests/task_setnice/test        |  6 +++---
> >  tests/task_setscheduler/test   |  6 +++---
> >  tests/unix_socket/test         |  2 +-
> >  tests/vsock_socket/test        |  2 +-
> >  16 files changed, 34 insertions(+), 41 deletions(-)
> >
> (snip)
>
> --
> Ondrej Mosnacek
> Software Engineer, Linux Security - SELinux kernel
> Red Hat, Inc.
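The fork-versus-exec behaviour that the reproducer above exposes (the PID the parent holds is the shell's, and only some shells replace themselves with the last command of a -c string) can be measured for any shell without SELinux, runcon or pstree. The script below is an added example written for this thread, not code from the message or from the selinux-testsuite; it assumes a POSIX sh and coreutils mktemp on PATH, probes dash and bash only when they are installed, and uses an inner "sh -c 'echo $$'" as the command that reports its own PID so that /proc is not needed.

```shell
#!/bin/sh
# Added example (not part of the thread): does "SHELL -c CMD" run CMD in the
# same PID as SHELL (exec) or in a forked child (fork)?  A test that signals,
# ptraces or inspects the PID it spawned only works in the "exec" case.

# pid_mode SHELL CMDSTRING
# Prints "exec" when the command started by "SHELL -c CMDSTRING" reports the
# same PID that the caller got from $!, "fork" otherwise.
pid_mode() {
    shell=$1
    cmd=$2
    out=$(mktemp) || return 1
    # The redirection is applied here by the caller, not inside the -c
    # string: the string stays one simple command, which is the only shape
    # bash exec's without forking.
    "$shell" -c "$cmd" > "$out" &
    spawned=$!
    wait "$spawned"
    seen=$(cat "$out")
    rm -f "$out"
    if [ -n "$seen" ] && [ "$seen" = "$spawned" ]; then
        echo exec
    else
        echo fork
    fi
}

# The probed command is an inner sh that prints its own PID.  The escaped
# \$\$ survives the outer shell's double-quote processing as a literal $$.
report_pid='sh -c "echo \$\$"'

# Stand-alone demonstration: plain -c string versus an explicit "exec",
# for whichever of sh, dash and bash exist on this machine (assumed names).
for shell in sh dash bash; do
    command -v "$shell" >/dev/null 2>&1 || continue
    printf '%-5s -c CMD        : %s\n' "$shell" "$(pid_mode "$shell" "$report_pid")"
    printf '%-5s -c "exec CMD" : %s\n' "$shell" "$(pid_mode "$shell" "exec $report_pid")"
done
```

On a Debian system where sh is dash the plain line reports fork, which is the extra sh process the pstree output above shows; bash reports exec because it skips the fork for a lone simple command. The "exec CMD" line reports exec for every POSIX shell, so either prefixing the -c string with exec or, as the patch does, calling runcon through the list form of Perl's exec (no shell in between) keeps the child PID stable regardless of which shell /bin/sh points at.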