Attachment 710206 Details for Bug 919385 – really fix it this time!

[patch] really fix it this time!

tmp.patch (text/plain), 4.82 KB, created by Eric Paris on 2013-03-14 20:13:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Eric Paris

Created: 2013-03-14 20:13:05 UTC

Size: 4.82 KB

patch

obsolete

>diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
>index 3753ef4..d24bad4 100644
>--- a/policycoreutils/newrole/newrole.c
>+++ b/policycoreutils/newrole/newrole.c
>@@ -75,7 +75,7 @@
> #ifdef USE_AUDIT
> #include <libaudit.h>
> #endif
>-#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
>+#if defined(AUDIT_LOG_PRIV) || defined(NAMESPACE_PRIV)
> #include <sys/prctl.h>
> #include <cap-ng.h>
> #endif
>@@ -532,72 +532,48 @@ static int restore_environment(int preserve_environment,
> 	return rc;
> }
> 
>-/**
>- * This function will drop the capabilities so that we are left
>- * only with access to the audit system. If the user is root, we leave
>- * the capabilities alone since they already should have access to the
>- * audit netlink socket.
>- *
>- * Returns zero on success, non-zero otherwise
>- */
>-#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
>-static int drop_capabilities(int full)
>-{
>-	uid_t uid = getuid();
>-	if (!uid) return 0;
>+#ifdef AUDIT_LOG_PRIV
>+#define SAVE_AUDIT_CAP	CAP_AUDIT_WRITE,
>+#else
>+#define SAVE_AUDIT_CAP
>+#endif
> 
>-	capng_setpid(getpid());
>-	capng_clear(CAPNG_SELECT_BOTH);
>-	if (capng_lock() < 0) 
>-		return -1;
>+#ifdef NAMESPACE_PRIV
>+#define SAVE_NAMESPACE_CAP CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE,
>+#else
>+#define SAVE_NAMESPACE_CAP
>+#endif
> 
>-	/* Change uid */
>-	if (setresuid(uid, uid, uid)) {
>-		fprintf(stderr, _("Error changing uid, aborting.\n"));
>-		return -1;
>-	}
>-	if (! full) 
>-		capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
>-	return capng_apply(CAPNG_SELECT_BOTH);
>-}
>-#elif defined(NAMESPACE_PRIV)
>+#define SAVE_CAPS	SAVE_AUDIT_CAP SAVE_NAMESPACE_CAP -1
> /**
>- * This function will drop the capabilities so that we are left
>- * only with access to the audit system and the ability to raise
>- * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN,
>- * before invoking pam_namespace.  These capabilities are needed
>- * for performing bind mounts/unmounts and to create potential new
>- * instance directories with appropriate DAC attributes. If the
>- * user is root, we leave the capabilities alone since they already
>- * should have access to the audit netlink socket and should have
>- * the ability to create/mount/unmount instance directories.
>+ * This function will drop some, or all of the capabilities, depending on the
>+ * value passed in full.  If full is 0 it will drop all capabilities except
>+ * those needed for pam authentication.  Once the pam stack has been run this
>+ * function will typically be called a second time to drop all of the
>+ * remaining capabilities.
>  *
>  * Returns zero on success, non-zero otherwise
>  */
>+
>+#if defined(AUDIT_LOG_PRIV) || defined(NAMESPACE_PRIV)
> static int drop_capabilities(int full)
> {
>-	capng_setpid(getpid());
>-	capng_clear(CAPNG_SELECT_BOTH);
>-	if (capng_lock() < 0) 
>-		return -1;
>+	int rc;
> 
>-	uid_t uid = getuid();
>-	/* Change uid */
>-	if (setresuid(uid, uid, uid)) {
>-		fprintf(stderr, _("Error changing uid, aborting.\n"));
>-		return -1;
>-	}
>+	capng_clear(CAPNG_SELECT_CAPS);
>+	capng_setpid(getpid()); /* needed because libcapng caches this for some foolish reason */
> 	if (! full) 
>-		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
>-	return capng_apply(CAPNG_SELECT_BOTH);
>+		rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, SAVE_CAPS);
>+		if (rc)
>+			return rc;
>+	return capng_apply(CAPNG_SELECT_CAPS);
> }
>-
>-#else
>+#else /* defined(AUDIT_LOG_PRIV) || defined(NAMESPACE_PRIV) */
> static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
> {
> 	return 0;
> }
>-#endif
>+#endif /* defined(AUDIT_LOG_PRIV) || defined(NAMESPACE_PRIV) */
> 
> #ifdef NAMESPACE_PRIV
> /**
>@@ -1287,14 +1263,17 @@ int main(int argc, char *argv[])
> 	freecon(old_context); old_context=NULL;
> 	freecon(new_context); new_context=NULL;
> 
>-#ifdef NAMESPACE_PRIV
>-	if (transition_to_caller_uid())
>+#if defined(AUDIT_LOG_PRIV) || defined(NAMESPACE_PRIV)
>+	if (transition_to_caller_uid()) {
>+		fprintf(stderr, _("Failed to transition to namespace\n"));
> 		goto err_close_pam_session;
>+	}
> #endif
> 
>-	if (drop_capabilities(TRUE))
>+	if (drop_capabilities(TRUE)) {
>+		fprintf(stderr, _("Failed to drop capabilities %m\n"));
> 		goto err_close_pam_session;
>-
>+	}
> 	/* Handle environment changes */
> 	if (restore_environment(preserve_environment, old_environ, &pw)) {
> 		fprintf(stderr, _("Unable to restore the environment, "
>diff --git a/policycoreutils/newrole/newrole.pamd b/policycoreutils/newrole/newrole.pamd
>index d1b435c..de3582f 100644
>--- a/policycoreutils/newrole/newrole.pamd
>+++ b/policycoreutils/newrole/newrole.pamd
>@@ -1,4 +1,6 @@
> #%PAM-1.0
>+# Uncomment the next line if you do not want to enter your passwd everytime
>+# auth       sufficient   pam_rootok.so
> auth       include	system-auth
> account    include	system-auth
> password   include	system-auth

Actions: View | Diff

Attachments on bug 919385: 706980 | 709119 | 710206