On Wed, Jun 15, 2022 at 4:31 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Tue, 14 Jun 2022 at 16:50, Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > On Tue, Jun 14, 2022 at 12:21 PM Christian Göttsche
> > <cgzones@xxxxxxxxxxxxxx> wrote:
> > > Debian uses Dash as the default shell and switching via
> > >
> > >     dpkg-reconfigure dash
> > >
> > > has become deprecated.
> > >
> > > * Use POSIX compliant `> target 2>&1` instead of `>& target`.
> >
> > I'm fine with this subset of changes.
> >
> > > * Call runcon directly to avoid a fork within Dash, which breaks tests
> > >   requiring to not change the PID of executing commands
> >
> > I don't seem to have such a problem when I change the default shell to
> > dash on Fedora. Can you provide a minimal reproducer?
>
> ==== test.pl ====
> #!/usr/bin/perl
>
> # Directory of this script; fall back to "." when $0 has no slash,
> # so "$basedir/flag" is always a usable path.
> $basedir = $0;
> $basedir = '.' unless $basedir =~ s|(.*)/[^/]*|$1|;
>
> print "current PID: $$\n";
>
> if ( ( $pid = fork() ) == 0 ) {
>     print "child PID: $$\n";
>     # Child: hand the PID over to runcon, which should exec the command.
>     exec "runcon -t unconfined_execmem_t sh -c 'echo >$basedir/flag; while :; do :; done'";
>     #alternative: exec 'runcon', '-t', 'unconfined_execmem_t', 'sh', '-c', "echo >$basedir/flag; while :; do :; done";
>     exit;
> }
>
> # Wait for it to start (the command creates the flag file as its first step).
> #system("bash -c 'read -t 5 <>$basedir/flag'");
> `/bin/bash -c 'read -t 5 <>$basedir/flag'`;
>
> # Check whether the forked PID is still the one running the command.
> $exists = kill 0, $pid;
> if ( $exists ) {
>     print "Process $pid is running:\n";
>     system("pstree -alpZ $pid");
> } else {
>     print "Process $pid is NOT running\n";
> }
>
> # Kill the process.
> kill KILL, $pid;
>
> exit;
> ==== test.pl ====
>
> normal;
> current PID: 8558
> child PID: 8559
> Process 8559 is running:
> sh,8559,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 -c runcon -t unconfined_execmem_t bash -c 'echo >./flag; while :; do :; done'
>   └─bash,8561,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 -c echo >./flag; while :; do :; done

Hm, still not able to reproduce this behavior...

Perhaps Debian's version of dash doesn't implicitly exec the last command
like bash and Fedora 36's dash seem to do? Can you try if just adding
"exec " before "runcon" also fixes the issue?

    exec "exec runcon -t unconfined_execmem_t sh -c 'echo >$basedir/flag; while :; do :; done'";

>
> alternative:
> current PID: 8599
> child PID: 8600
> Process 8600 is running:
> sh,8600,`unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 -c echo >./flag; while :; do :; done

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
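The question in this reply is whether a given shell implicitly execs the last command of a `-c` string (so the command keeps the shell's PID) or leaves the shell behind as a wrapper parent (an extra fork, which is what breaks PID-sensitive tests). Below is a small POSIX sh probe that answers that for any shell on the box. It is an added example, not code from this thread or from the SELinux testsuite; `check_implicit_exec` and `check_explicit_exec` are names chosen here, and the probe uses an inner `sh -c "echo $$"` in place of runcon so it runs without SELinux.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report whether
# "SHELL -c 'CMD'" runs CMD in the shell's own process (implicit exec,
# as bash does) or forks and waits, leaving the shell as a wrapper.
#
# The probe command is an inner `sh -c "echo $$"`, which prints the PID
# of whichever process ends up running it.  We start the outer shell
# with `&` so $! gives us its PID, then compare the two.
#
# Usage: check_implicit_exec SHELL [CMD]
#   SHELL  shell to probe (sh, dash, bash, ...)
#   CMD    optional -c string; defaults to the probe described above
# Prints "exec" or "fork" and returns 0; returns 1 if SHELL cannot run.
check_implicit_exec() {
    shell=$1
    if [ $# -ge 2 ]; then
        cmd=$2
    else
        # Outer shell sees: sh -c "echo \$\$"  -> inner sh sees: echo $$
        cmd='sh -c "echo \$\$"'
    fi
    out=$(mktemp) || return 1

    # Background the outer shell so its PID is available in $!.
    "$shell" -c "$cmd" >"$out" &
    outer=$!
    wait "$outer" || { rm -f "$out"; return 1; }

    inner=$(cat "$out")
    rm -f "$out"
    if [ "$inner" = "$outer" ]; then
        echo exec   # the inner command replaced the outer shell
    else
        echo fork   # the outer shell is still a separate parent
    fi
}

# The workaround suggested in the thread: an explicit `exec` in front of
# the command.  exec(2) never forks, so this yields "exec" in every shell.
check_explicit_exec() {
    check_implicit_exec "$1" 'exec sh -c "echo \$\$"'
}

# Stand-alone use: probe the shells named on the command line.
# (The default of "sh" applies when the script is run with no arguments.)
if [ "${0##*/}" != "" ] && [ $# -gt 0 ]; then
    for s in "$@"; do
        printf '%s: implicit=%s explicit=%s\n' "$s" \
            "$(check_implicit_exec "$s" || echo unavailable)" \
            "$(check_explicit_exec "$s" || echo unavailable)"
    done
fi
```

Run it as `sh probe.sh sh dash bash` on the Debian and Fedora hosts from the thread; a shell that reports `implicit=fork` is one where `runcon ... sh -c '...'` leaves a wrapper process in front of the command, and `explicit=exec` confirms that prefixing `exec` removes it regardless of the shell's own optimisation.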