0c97661a07
- Version bump to 3.1.16 to match latest upstream:
* Fix regression for sec-fix in bash we applied in form of patch
till now - deleting at-3.1.15-sane-envkeys.patch
- Sync/split features to be patch specific, modifying:
* at-3.1.13-pam.patch
* at-3.1.14-parse-suse-sysconfig.patch
* at-3.1.14-selinux.patch
- Cleanup with spec-cleaner
- Remove systemd conditional (we do not work on sle11 anyway)
OBS-URL: https://build.opensuse.org/request/show/313129
OBS-URL: https://build.opensuse.org/package/show/Base:System/at?expand=0&rev=97
227 lines
7.2 KiB
Diff
227 lines
7.2 KiB
Diff
Index: atd.c
|
|
===================================================================
|
|
--- atd.c.orig
|
|
+++ atd.c
|
|
@@ -83,6 +83,14 @@
|
|
#include "getloadavg.h"
|
|
#endif
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+#include <selinux/selinux.h>
|
|
+#include <selinux/get_context_list.h>
|
|
+int selinux_enabled=0;
|
|
+#include <selinux/flask.h>
|
|
+#include <selinux/av_permissions.h>
|
|
+#endif
|
|
+
|
|
/* Macros */
|
|
|
|
#define BATCH_INTERVAL_DEFAULT 60
|
|
@@ -195,6 +203,68 @@ myfork()
|
|
#define fork myfork
|
|
#endif
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+static int set_selinux_context(const char *name, const char *filename) {
|
|
+ security_context_t user_context=NULL;
|
|
+ security_context_t file_context=NULL;
|
|
+ struct av_decision avd;
|
|
+ int retval=-1;
|
|
+ char *seuser=NULL;
|
|
+ char *level=NULL;
|
|
+
|
|
+ if (getseuserbyname(name, &seuser, &level) == 0) {
|
|
+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ if (retval) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("execle: couldn't get security context for user %s\n", name);
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Since crontab files are not directly executed,
|
|
+ * crond must ensure that the crontab file has
|
|
+ * a context that is appropriate for the context of
|
|
+ * the user cron job. It performs an entrypoint
|
|
+ * permission check for this purpose.
|
|
+ */
|
|
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
|
|
+ perr("fgetfilecon FAILED %s", filename);
|
|
+
|
|
+ retval = security_compute_av(user_context,
|
|
+ file_context,
|
|
+ SECCLASS_FILE,
|
|
+ FILE__ENTRYPOINT,
|
|
+ &avd);
|
|
+ freecon(file_context);
|
|
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
|
|
+ retval = -1;
|
|
+ goto err;
|
|
+ }
|
|
+ }
|
|
+ if (setexeccon(user_context) < 0) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("Could not set exec context to %s for user %s\n", user_context,name);
|
|
+ retval = -1;
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
|
|
+ }
|
|
+ }
|
|
+ err:
|
|
+ freecon(user_context);
|
|
+ return 0;
|
|
+}
|
|
+#endif
|
|
+
|
|
static void
|
|
run_file(const char *filename, uid_t uid, gid_t gid)
|
|
{
|
|
@@ -442,9 +512,21 @@ run_file(const char *filename, uid_t uid
|
|
perr("Cannot reset signal handler to default");
|
|
|
|
chdir("/");
|
|
-
|
|
+#ifdef WITH_SELINUX
|
|
+ if (selinux_enabled > 0) {
|
|
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
|
|
+ perr("SELinux Failed to set context\n");
|
|
+ }
|
|
+#endif
|
|
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
|
|
perr("Exec failed for /bin/sh");
|
|
+#ifdef WITH_SELINUX
|
|
+ if (selinux_enabled>0)
|
|
+ if (setexeccon(NULL) < 0)
|
|
+ if (security_getenforce()==1)
|
|
+ perr("Could not resset exec context for user %s\n", pentry->pw_name);
|
|
+#endif
|
|
+//end
|
|
|
|
PRIV_END
|
|
}
|
|
@@ -717,6 +799,10 @@ main(int argc, char *argv[])
|
|
struct passwd *pwe;
|
|
struct group *ge;
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ selinux_enabled=is_selinux_enabled();
|
|
+#endif
|
|
+
|
|
/* We don't need root privileges all the time; running under uid and gid
|
|
* daemon is fine.
|
|
*/
|
|
Index: config.h.in
|
|
===================================================================
|
|
--- config.h.in.orig
|
|
+++ config.h.in
|
|
@@ -71,6 +71,9 @@
|
|
/* Define to 1 for PAM support */
|
|
#undef HAVE_PAM
|
|
|
|
+/* Define if you are building with_selinux */
|
|
+#undef WITH_SELINUX
|
|
+
|
|
/* Define to 1 if you have the `pstat_getdynamic' function. */
|
|
#undef HAVE_PSTAT_GETDYNAMIC
|
|
|
|
Index: configure.ac
|
|
===================================================================
|
|
--- configure.ac.orig
|
|
+++ configure.ac
|
|
@@ -5,7 +5,7 @@ AC_CONFIG_SRCDIR(at.c)
|
|
|
|
AC_PREFIX_DEFAULT(/usr)
|
|
AC_CONFIG_HEADER(config.h)
|
|
-AC_PREREQ([2.64])
|
|
+AC_PREREQ([2.69])
|
|
|
|
VERSION=AC_PACKAGE_VERSION
|
|
if test "X$CFLAGS" = "X"; then
|
|
@@ -40,18 +40,17 @@ case "$host" in
|
|
esac
|
|
|
|
AC_MSG_CHECKING(__attribute__((noreturn)))
|
|
-AC_TRY_COMPILE([], [void __attribute__((noreturn)) panic(void);],
|
|
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[void __attribute__((noreturn)) panic(void);]])],[
|
|
AC_MSG_RESULT(yes)
|
|
AC_DEFINE(HAVE_ATTRIBUTE_NORETURN, 1,
|
|
[Define to 1 if compiler supports __attribute__((noreturn))]),
|
|
AC_MSG_RESULT(no)
|
|
-)
|
|
+])
|
|
dnl Checks for libraries.
|
|
|
|
AC_CHECK_LIB(fl,yywrap,
|
|
[],
|
|
- AC_DEFINE(NEED_YYWRAP, 1,
|
|
- [Define to 1 if we need to provide our own yywrap()])
|
|
+ AC_DEFINE([NEED_YYWRAP], 1, [need yywrap])
|
|
)
|
|
|
|
dnl Checks for header files.
|
|
@@ -63,7 +62,17 @@ AC_CHECK_HEADERS(stdarg.h)
|
|
|
|
dnl Checks for typedefs, structures, and compiler characteristics.
|
|
AC_C_CONST
|
|
-AC_TYPE_SIGNAL
|
|
+AC_DIAGNOSE([obsolete],[your code may safely assume C89 semantics that RETSIGTYPE is void.
|
|
+Remove this warning and the `AC_CACHE_CHECK' when you adjust the code.])dnl
|
|
+AC_CACHE_CHECK([return type of signal handlers],[ac_cv_type_signal],[AC_COMPILE_IFELSE(
|
|
+[AC_LANG_PROGRAM([#include <sys/types.h>
|
|
+#include <signal.h>
|
|
+],
|
|
+ [return *(signal (0, 0)) (0) == 1;])],
|
|
+ [ac_cv_type_signal=int],
|
|
+ [ac_cv_type_signal=void])])
|
|
+AC_DEFINE_UNQUOTED([RETSIGTYPE],[$ac_cv_type_signal],[Define as the return type of signal handlers
|
|
+ (`int' or `void').])
|
|
AC_TYPE_UID_T
|
|
AC_TYPE_MODE_T
|
|
AC_TYPE_OFF_T
|
|
@@ -260,5 +269,13 @@ AC_ARG_WITH(daemon_groupname,
|
|
)
|
|
AC_SUBST(DAEMON_GROUPNAME)
|
|
|
|
+AC_ARG_WITH(selinux,
|
|
+[ --with-selinux Define to run with selinux],
|
|
+AC_DEFINE([WITH_SELINUX] , [1], [enable selinux]),
|
|
+)
|
|
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
|
|
+AC_SUBST(SELINUXLIB)
|
|
+AC_SUBST(WITH_SELINUX)
|
|
+
|
|
AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch)
|
|
AC_OUTPUT
|
|
Index: Makefile.in
|
|
===================================================================
|
|
--- Makefile.in.orig
|
|
+++ Makefile.in
|
|
@@ -40,6 +40,8 @@ LIBS = @LIBS@
|
|
LIBOBJS = @LIBOBJS@
|
|
INSTALL = @INSTALL@
|
|
PAMLIB = @PAMLIB@
|
|
+SELINUXLIB = @SELINUXLIB@
|
|
+
|
|
|
|
CLONES = atq atrm
|
|
ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
|
|
@@ -73,7 +75,7 @@ at: $(ATOBJECTS)
|
|
$(LN_S) -f at atrm
|
|
|
|
atd: $(RUNOBJECTS)
|
|
- $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB)
|
|
+ $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) $(SELINUXLIB)
|
|
|
|
y.tab.c y.tab.h: parsetime.y
|
|
$(YACC) -d parsetime.y
|