* Patches from Fedora on the sandbox package.
@ 2014-05-12 17:19 Dan Walsh
From: Dan Walsh @ 2014-05-12 17:19 UTC (permalink / raw)
  To: SELinux

This patch set includes the setcurrent patch for setexec to handle a fix of libcap-ng.


* [PATCH 2/4] Update XDG_RUNTIME_DIR directory
From: Dan Walsh @ 2014-05-12 17:19 UTC (permalink / raw)
  To: SELinux

---
 policycoreutils/sandbox/seunshare.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index 97f3920..596a43e 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -964,6 +964,7 @@ int main(int argc, char **argv) {
 	if (child == 0) {
 		char *display = NULL;
 		char *LANG = NULL;
+		char *RUNTIME_DIR = NULL;
 		int rc = -1;
 		char *resolved_path = NULL;
 
@@ -1014,6 +1015,13 @@ int main(int argc, char **argv) {
 			}
 		}
 
+		if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
+			if ((RUNTIME_DIR = strdup(RUNTIME_DIR)) == NULL) {
+				perror(_("Out of memory"));
+				goto childerr;
+			}
+		}
+
 		if ((rc = clearenv()) != 0) {
 			perror(_("Failed to clear environment"));
 			goto childerr;
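Review bot: The XDG_RUNTIME_DIR value read at the `getenv` line is re-exported to the sandboxed child exactly as the caller supplied it, with no check that it names an existing directory owned by the invoking user, whereas the homedir and tmpdir inputs of seunshare are documented (seunshare.8 in patch 3/4) as having to be user-owned. Because the purpose of seunshare is to isolate the child, a one-line comment stating why the caller's runtime directory is deliberately carried into the sandbox would help the next reader, and this patch currently has no commit message at all. If a sanity check is wanted, a stat of the path comparing `st_uid` against the user's uid before the `strdup`, in the style of the existing directory checks, would be the natural place; whether the file already has such a helper is not visible in this hunk. The child block of main() that encloses this code starts before the first hunk and continues past the last one.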
@@ -1022,6 +1030,8 @@ int main(int argc, char **argv) {
 			rc |= setenv("DISPLAY", display, 1);
 		if (LANG)
 			rc |= setenv("LANG", LANG, 1);
+		if (RUNTIME_DIR)
+			rc |= setenv("XDG_RUNTIME_DIR", RUNTIME_DIR, 1);
 		rc |= setenv("HOME", pwd->pw_dir, 1);
 		rc |= setenv("SHELL", pwd->pw_shell, 1);
 		rc |= setenv("USER", pwd->pw_name, 1);
@@ -1049,6 +1059,7 @@ childerr:
 		free(resolved_path);
 		free(display);
 		free(LANG);
+		free(RUNTIME_DIR);
 		exit(-1);
 	}
 
-- 
1.9.0


* [PATCH 3/4] Remove handling of cgroups from sandbox
From: Dan Walsh @ 2014-05-12 17:19 UTC (permalink / raw)
  To: SELinux

It never worked correctly and this should be handled with an
API to systemd going forward.
---
 policycoreutils/sandbox/Makefile    |   2 +-
 policycoreutils/sandbox/sandbox     |  10 +-
 policycoreutils/sandbox/seunshare.8 |   5 +-
 policycoreutils/sandbox/seunshare.c | 218 +-----------------------------------
 4 files changed, 5 insertions(+), 230 deletions(-)

diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
index 981c56c..5671170 100644
--- a/policycoreutils/sandbox/Makefile
+++ b/policycoreutils/sandbox/Makefile
@@ -8,7 +8,7 @@ MANDIR ?= $(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale
 SHAREDIR ?= $(PREFIX)/share/sandbox
 override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W
-LDLIBS += -lcgroup -lselinux -lcap-ng -L$(LIBDIR)
+LDLIBS += -lselinux -lcap-ng -L$(LIBDIR)
 SEUNSHARE_OBJS = seunshare.o
 
 all: sandbox seunshare sandboxX.sh start
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 3668abe..3678c5d 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -280,9 +280,9 @@ Policy defines the following types for use with the -t:
                pass
 
         usage = _("""
-sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
 
-sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
+sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
 %s
 """) % types
 
@@ -338,10 +338,6 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
         parser.add_option("-l", "--level", dest="level", 
                           help=_("MCS/MLS level for the sandbox"))
 
-        parser.add_option("-c", "--cgroups",
-                          action="store_true", dest="usecgroup", default=False,
-                          help=_("Use cgroups to limit this sandbox."))
-
         parser.add_option("-C", "--capabilities",
                          action="store_true", dest="usecaps", default=False,
                          help="Allow apps requiring capabilities to run within the sandbox.")
@@ -426,8 +422,6 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
     def __execute(self):
            try:
                   cmds = [ SEUNSHARE,  "-Z", self.__execcon ]
-                  if self.__options.usecgroup:
-                         cmds.append('-c')
                   if self.__options.usecaps:
                          cmds.append('-C')
                   if self.__mount:
diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
index 06610c0..76b75c8 100644
--- a/policycoreutils/sandbox/seunshare.8
+++ b/policycoreutils/sandbox/seunshare.8
@@ -3,7 +3,7 @@
 seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
 .SH SYNOPSIS
 .B seunshare
-[ -v ] [ -c ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+[ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
 .br
 .SH DESCRIPTION
 .PP
@@ -18,9 +18,6 @@ Alternate homedir to be used by the application.  Homedir must be owned by the u
 \fB\-t\ tmpdir
 Use alternate tempory directory to mount on /tmp.  tmpdir must be owned by the user.
 .TP
-\fB\-c --cgroups\fR
-Use cgroups to control this copy of seunshare.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
-.TP
 \fB\-C --capabilities\fR
 Allow apps executed within the namespace to use capabilities.  Default is no capabilities.
 .TP
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index 596a43e..a221920 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -14,7 +14,6 @@
 #include <glob.h>
 #include <pwd.h>
 #include <sched.h>
-#include <libcgroup.h>
 #include <string.h>
 #include <stdio.h>
 #include <regex.h>
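Review bot: `#include <regex.h>`, two lines below the removed `libcgroup.h` line, appears to be left without a user: the only regcomp/regexec caller visible in this series, `match()`, is deleted later in this same patch, so the include should go with it unless some part of the file not shown here still uses it. The same question applies to `BUF_SIZE`, still defined in the USAGE_STRING hunk, and to the `<syslog.h>` usage that left with `sandbox_error()`; both may now be dead. The Makefile's `-Wall -Werror -Wextra` will not flag an unused include or macro, so this needs a manual grep rather than a build to confirm.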
@@ -53,7 +52,7 @@
 
 #define BUF_SIZE 1024
 #define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -c ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
 
 static int verbose = 0;
 static int child = 0;
@@ -290,213 +289,6 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
 
 }
 
-/**
- * Error logging used by cgroups code.
- */
-static int sandbox_error(const char *string)
-{
-	fprintf(stderr, "%s", string);
-	syslog(LOG_AUTHPRIV | LOG_ALERT, "%s", string);
-	exit(-1);
-}
-
-/**
- * Regular expression match.
- */
-static int match(const char *string, char *pattern)
-{
-	int status;
-	regex_t re;
-	if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
-		return 0;
-	}
-	status = regexec(&re, string, (size_t)0, NULL, 0);
-	regfree(&re);
-	if (status != 0) {
-		return 0;
-	}
-	return 1;
-}
-
-/**
- * Apply cgroups settings from the /etc/sysconfig/sandbox config file.
- */
-static int setup_cgroups()
-{
-	char *cpus = NULL;	/* which CPUs to use */
-	char *cgroupname = NULL;/* name for the cgroup */
-	char *mem = NULL;	/* string for memory amount to pass to cgroup */
-	int64_t memusage = 0;	/* amount of memory to use max (percent) */
-	int cpupercentage = 0;  /* what percentage of cpu to allow usage */
-	FILE* fp;
-	char buf[BUF_SIZE];
-	char *tok = NULL;
-	int rc = -1;
-	char *str = NULL;
-	const char* fname = "/etc/sysconfig/sandbox";
-
-	if ((fp = fopen(fname, "rt")) == NULL) {
-		fprintf(stderr, "Error opening sandbox config file.");
-		return rc;
-	}
-	while(fgets(buf, BUF_SIZE, fp) != NULL) {
-		/* Skip comments */
-		if (buf[0] == '#') continue;
-
-		/* Copy the string, ignoring whitespace */
-		int len = strlen(buf);
-		free(str);
-		str = malloc((len + 1) * sizeof(char));
-		if (!str)
-			goto err;
-
-		int ind = 0;
-		int i;
-		for (i = 0; i < len; i++) {
-			char cur = buf[i];
-			if (cur != ' ' && cur != '\t') {
-				str[ind] = cur;
-				ind++;
-			}
-		}
-		str[ind] = '\0';
-
-		tok = strtok(str, "=\n");
-		if (tok != NULL) {
-			if (!strcmp(tok, "CPUAFFINITY")) {
-				tok = strtok(NULL, "=\n");
-				cpus = strdup(tok);
-				if (!strcmp(cpus, "ALL")) {
-					free(cpus);
-					cpus = NULL;
-				}
-			} else if (!strcmp(tok, "MEMUSAGE")) {
-				tok = strtok(NULL, "=\n");
-				if (match(tok, "^[0-9]+[kKmMgG%]")) {
-					char *ind = strchr(tok, '%');
-					if (ind != NULL) {
-						*ind = '\0';;
-						memusage = atoi(tok);
-					} else {
-						mem = strdup(tok);
-					}
-				} else {
-					fprintf(stderr, "Error parsing config file.");
-					goto err;
-				}
-
-			} else if (!strcmp(tok, "CPUUSAGE")) {
-				tok = strtok(NULL, "=\n");
-				if (match(tok, "^[0-9]+\%")) {
-					char* ind = strchr(tok, '%');
-					*ind = '\0';
-					cpupercentage = atoi(tok);
-				} else {
-					fprintf(stderr, "Error parsing config file.");
-					goto err;
-				}
-			} else if (!strcmp(tok, "NAME")) {
-				tok = strtok(NULL, "=\n");
-				cgroupname = strdup(tok);
-			} else {
-				continue;
-			}
-		}
-
-	}
-	if (mem == NULL) {
-		long phypz = sysconf(_SC_PHYS_PAGES);
-		long psize = sysconf(_SC_PAGE_SIZE);
-		memusage = phypz * psize * (float) memusage / 100.0;
-	}
-
-	cgroup_init();
-
-	int64_t current_runtime = 0;
-	int64_t current_period = 0 ;
-	int64_t current_mem = 0;
-	char *curr_cpu_path = NULL;
-	char *curr_mem_path = NULL;
-	int ret  = cgroup_get_current_controller_path(getpid(), "cpu", &curr_cpu_path);
-	if (ret) {
-		sandbox_error("Error while trying to get current controller path.\n");
-	} else {
-		struct cgroup *curr = cgroup_new_cgroup(curr_cpu_path);
-		cgroup_get_cgroup(curr);
-		cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", &current_runtime);
-		cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", &current_period);
-	}
-
-	ret  = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
-	if (ret) {
-		sandbox_error("Error while trying to get current controller path.\n");
-	} else {
-		struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
-		cgroup_get_cgroup(curr);
-		cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", &current_mem);
-	}
-
-	if (((float) cpupercentage)  / 100.0> (float)current_runtime / (float) current_period) {
-		sandbox_error("CPU usage restricted!\n");
-		goto err;
-	}
-
-	if (mem == NULL) {
-		if (memusage > current_mem) {
-			sandbox_error("Attempting to use more memory than allowed!");
-			goto err;
-		}
-	}
-
-	long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
-
-	struct sched_param sp;
-	sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
-	sched_setscheduler(getpid(), SCHED_FIFO, &sp);
-	struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
-	cgroup_add_controller(sandbox_group, "memory");
-	cgroup_add_controller(sandbox_group, "cpu");
-
-	if (mem == NULL) {
-		if (memusage > 0) {
-			cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
-		}
-	} else {
-		cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
-	}
-	if (cpupercentage > 0) {
-		cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_runtime_us",
-					(float) cpupercentage / 100.0 * 60000);
-		cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_period_us",60000 * nprocs);
-	}
-	if (cpus != NULL) {
-		cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
-	}
-
-	uint64_t allocated_mem;
-	if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
-		sandbox_error("Attempting to use more memory than allowed!\n");
-		goto err;
-	}
-
-	rc = cgroup_create_cgroup(sandbox_group, 1);
-	if (rc != 0) {
-		sandbox_error("Failed to create group.  Ensure that cgconfig service is running. \n");
-		goto err;
-	}
-
-	cgroup_attach_task(sandbox_group);
-
-	rc = 0;
-err:
-	fclose(fp);
-	free(str);
-	free(mem);
-	free(cgroupname);
-	free(cpus);
-	return rc;
-}
-
 /*
    If path is empy or ends with  "/." or "/.. return -1 else return 0;
  */
@@ -826,7 +618,6 @@ int main(int argc, char **argv) {
 	security_context_t execcon = NULL;
 
 	int clflag;		/* holds codes for command line flags */
-	int usecgroups = 0;
 	int kill_all = 0;
 
 	char *homedir_s = NULL;	/* homedir spec'd by user in argv[] */
@@ -843,7 +634,6 @@ int main(int argc, char **argv) {
 		{"tmpdir", 1, 0, 't'},
 		{"kill", 1, 0, 'k'},
 		{"verbose", 1, 0, 'v'},
-		{"cgroups", 1, 0, 'c'},
 		{"context", 1, 0, 'Z'},
 		{"capabilities", 1, 0, 'C'},
 		{NULL, 0, 0, 0}
@@ -892,9 +682,6 @@ int main(int argc, char **argv) {
 		case 'v':
 			verbose++;
 			break;
-		case 'c':
-			usecgroups = 1;
-			break;
 		case 'C':
 			cap_set = CAPNG_SELECT_CAPS;
 			break;
@@ -925,9 +712,6 @@ int main(int argc, char **argv) {
 	if (set_signal_handles())
 		return -1;
 
-	if (usecgroups && setup_cgroups() < 0)
-		return  -1;
-
 	/* set fsuid to ruid */
 	/* Changing fsuid is usually required when user-specified directory is
 	 * on an NFS mount.  It's also desired to avoid leaking info about
-- 
1.9.0


* [PATCH 4/4] seunshare: Try to use setcurrent before setexec
From: Dan Walsh @ 2014-05-12 17:19 UTC (permalink / raw)
  To: SELinux; +Cc: Andy Lutomirski

From: Andy Lutomirski <luto@amacapital.net>

If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail.  This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.

Note that this won't work without adjusting the system policy to
allow this use of setcurrent.  This rule appears to work:

    allow unconfined_t sandbox_t:process dyntransition;

although a better rule would probably relax the unconfined_t
restriction.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
 policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index a221920..c92e394 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -826,17 +826,25 @@ int main(int argc, char **argv) {
 			goto childerr;
 		}
 
-		/* selinux context */
-		if (execcon && setexeccon(execcon) != 0) {
-			fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
-			goto childerr;
-		}
-
 		if (chdir(pwd->pw_dir)) {
 			perror(_("Failed to change dir to homedir"));
 			goto childerr;
 		}
 		setsid();
+
+		/* selinux context */
+		if (execcon) {
+			/* try dyntransition, since no_new_privs can interfere
+			 * with setexeccon */
+			if (setcon(execcon) != 0) {
+				/* failed; fall back to setexeccon */
+				if (setexeccon(execcon) != 0) {
+					fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+					goto childerr;
+				}
+			}
+		}
+
 		execv(argv[optind], argv + optind);
 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
 childerr:
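Review bot: A failed `setcon()` at the dyntransition attempt is discarded without a trace, so in the case the commit message describes (no_new_privs set, dyntransition denied by policy, fallback `setexeccon()` succeeds, `execv` then fails) the only diagnostic is the generic "Failed to execute command" message, which does not point at the context transition. Recording which path was taken would make that failure explainable, e.g. `if (verbose) fprintf(stderr, _("setcon(%s) failed: %s, falling back to setexeccon\n"), execcon, strerror(errno));` placed just before the `setexeccon` call (the file has a static `verbose` counter, visible in patch 3/4). The comment above `setcon` would also benefit from noting that a dynamic transition relabels the already-running child, which therefore keeps its current memory, open descriptors and environment across the transition instead of the fresh state an exec-time transition provides, and that policy must grant `dyntransition` for this path to be taken, as the commit message says. The child block of main() that encloses this code starts before the hunk and `childerr:` continues past it.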
-- 
1.9.0


* Re: Patches from Fedora on the sandbox package.
From: Stephen Smalley @ 2014-05-13 14:45 UTC (permalink / raw)
  To: Dan Walsh, SELinux

On 05/12/2014 01:19 PM, Dan Walsh wrote:
> This patch set includes the setcurrent patch for setexec to handle a fix for 
> of libcap-ng.

Thanks, applied on #next.

