09feeab2a6
OBS-URL: https://build.opensuse.org/package/show/Base:System/at?expand=0&rev=53100d87b42901e6f6ab596e79dac7ab
162 lines
4.6 KiB
Diff
162 lines
4.6 KiB
Diff
--- Makefile.in.orig
|
|
+++ Makefile.in
|
|
@@ -27,6 +27,7 @@ LN_S = @LN_S@
|
|
YACC = @YACC@
|
|
LEX = @LEX@
|
|
LEXLIB = @LEXLIB@
|
|
+SELINUXLIB = @SELINUXLIB@
|
|
|
|
CC = @CC@
|
|
CFLAGS = @CFLAGS@
|
|
@@ -72,7 +73,7 @@ at: $(ATOBJECTS)
|
|
$(LN_S) -f at atrm
|
|
|
|
atd: $(RUNOBJECTS)
|
|
- $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS)
|
|
+ $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(SELINUXLIB)
|
|
|
|
y.tab.c y.tab.h: parsetime.y
|
|
$(YACC) -d parsetime.y
|
|
--- atd.c.orig
|
|
+++ atd.c
|
|
@@ -85,6 +85,14 @@
|
|
#include <syslog.h>
|
|
#endif
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+#include <selinux/selinux.h>
|
|
+#include <selinux/get_context_list.h>
|
|
+int selinux_enabled=0;
|
|
+#include <selinux/flask.h>
|
|
+#include <selinux/av_permissions.h>
|
|
+#endif
|
|
+
|
|
/* Local headers */
|
|
|
|
#include "privs.h"
|
|
@@ -404,6 +412,76 @@ run_file(const char *filename, uid_t uid
|
|
|
|
chdir("/");
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ if (selinux_enabled>0) {
|
|
+ security_context_t file_context=NULL;
|
|
+ security_context_t *context_list=NULL;
|
|
+ security_context_t current_con=NULL;
|
|
+ int retval=0, list_count=0, i;
|
|
+ struct av_decision avd;
|
|
+ char *seuser=NULL, *level=NULL;
|
|
+
|
|
+ if (getseuserbyname(pentry->pw_name, &seuser, &level))
|
|
+ perr("getseuserbyname FAILED for %s\n", pentry->pw_name);
|
|
+
|
|
+ if(getcon(¤t_con)) {
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ perr("Can't get current context");
|
|
+ }
|
|
+ list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
|
|
+ freecon(current_con);
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ if (list_count == -1) {
|
|
+ if (security_getenforce() > 0)
|
|
+ perr("Couldn't get security context for user %s\n", pentry->pw_name);
|
|
+ else
|
|
+ syslog(LOG_WARNING, "Couldn't get security context for user %s, but in permissive mode", pentry->pw_name);
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Since crontab files are not directly executed,
|
|
+ * crond must ensure that the crontab file has
|
|
+ * a context that is appropriate for the context of
|
|
+ * the user cron job. It performs an entrypoint
|
|
+ * permission check for this purpose.
|
|
+ */
|
|
+ if (list_count != -1) {
|
|
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
|
|
+ if (security_getenforce() > 0)
|
|
+ perr("fgetfilecon FAILED for user %s", pentry->pw_name);
|
|
+ }
|
|
+
|
|
+ for(i = 0; i < list_count; i++) {
|
|
+ retval = security_compute_av(context_list[i],
|
|
+ file_context,
|
|
+ SECCLASS_FILE,
|
|
+ FILE__ENTRYPOINT,
|
|
+ &avd);
|
|
+ if (!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT))
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ freecon(file_context);
|
|
+ if (list_count != -1 && (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))) {
|
|
+ if (security_getenforce()==1)
|
|
+ perr("Not allowed to set exec context for user %s\n", pentry->pw_name);
|
|
+ else
|
|
+ syslog(LOG_WARNING, "Not allowed to set exec context for user %s, but in permissive mode", pentry->pw_name);
|
|
+ }
|
|
+
|
|
+ if ((list_count != -1 || retval) && setexeccon(context_list[i]) < 0) {
|
|
+ if (security_getenforce()==1) {
|
|
+ perr("Could not set exec context to %s for user %s\n", context_list[i], pentry->pw_name);
|
|
+ } else {
|
|
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", context_list[i], pentry->pw_name);
|
|
+ }
|
|
+ }
|
|
+ freeconary(context_list);
|
|
+ }
|
|
+#endif
|
|
+
|
|
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
|
|
perr("Exec failed for /bin/sh");
|
|
|
|
@@ -420,6 +498,13 @@ run_file(const char *filename, uid_t uid
|
|
*/
|
|
waitpid(pid, (int *) NULL, 0);
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ if (selinux_enabled>0) {
|
|
+ if (setexeccon(NULL) < 0) {
|
|
+ perr("Could not reset exec context for user %s\n", pentry->pw_name);
|
|
+ }
|
|
+ }
|
|
+#endif
|
|
/* Send mail. Unlink the output file after opening it, so it
|
|
* doesn't hang around after the run.
|
|
*/
|
|
@@ -654,6 +739,9 @@ main(int argc, char *argv[])
|
|
struct passwd *pwe;
|
|
struct group *ge;
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ selinux_enabled=is_selinux_enabled();
|
|
+#endif
|
|
/* We don't need root privileges all the time; running under uid and gid
|
|
* daemon is fine.
|
|
*/
|
|
--- config.h.in.orig
|
|
+++ config.h.in
|
|
@@ -184,3 +184,6 @@
|
|
#undef DEFAULT_BATCH_QUEUE
|
|
|
|
#undef HAVE_ATTRIBUTE_NORETURN
|
|
+
|
|
+/* Define if you are building with_selinux */
|
|
+#undef WITH_SELINUX
|
|
--- configure.in.orig
|
|
+++ configure.in
|
|
@@ -315,4 +315,12 @@ AC_ARG_WITH(daemon_groupname,
|
|
)
|
|
AC_SUBST(DAEMON_GROUPNAME)
|
|
|
|
+AC_ARG_WITH(selinux,
|
|
+[ --with-selinux Define to run with selinux],
|
|
+AC_DEFINE(WITH_SELINUX),
|
|
+)
|
|
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
|
|
+AC_SUBST(SELINUXLIB)
|
|
+AC_SUBST(WITH_SELINUX)
|
|
+
|
|
AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
|