non regular files are specified, as inotify is ineffective with these.
[bug introduced with inotify support added in coreutils-7.5]
+ runcon now disables use of the TIOCSTI ioctl in its children, which could
+ be used to inject commands to the terminal and run at the original context.
+ [the issue dates back to the initial implementation]
+
uptime no longer outputs the AM/PM component of the current time,
as that's inconsistent with the 24 hour time format used.
[bug introduced in coreutils-7.0]
esac
fi
])
+
+ # Used by runcon.c
+ LIB_SECCOMP=
+ AC_SUBST([LIB_SECCOMP])
+ if test "$with_selinux" != no; then
+ AC_SEARCH_LIBS([seccomp_init], [seccomp],
+ [test "$ac_cv_search_seccomp_init" = "none required" ||
+ LIB_SECCOMP=$ac_cv_search_seccomp_init
+ AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])],
+ [test "$ac_cv_header_selinux_selinux_h" = yes &&
+ AC_MSG_WARN([libseccomp library was not found or not usable])
+ AC_MSG_WARN([runcon will be vulnerable to tty injection])])
+ fi
LIBS=$coreutils_saved_libs
# Used by sort.c.
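Review bot: AC_SEARCH_LIBS only proves that seccomp_init links; the `<seccomp.h>` header that runcon.c includes under HAVE_SECCOMP is never checked, so a host with the libseccomp shared library but no development headers configures cleanly and then fails at compile time. Guard the define with a header test as well, e.g. `AC_CHECK_HEADERS([seccomp.h])` followed by `test "$ac_cv_header_seccomp_h" = yes && AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])`, and keep the LIBS restore on the following `LIBS=$coreutils_saved_libs` line as is. The second warning also says runcon "will be vulnerable to tty injection", while runcon.c falls back to setsid() in exactly this configuration; if that fallback is meant as a mitigation the warning should say so (e.g. `runcon will fall back to setsid() to mitigate tty injection`), otherwise the fallback comment in runcon.c overstates what it achieves.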
src_mknod_LDADD += $(LIB_SELINUX)
src_mknod_LDADD += $(LIB_SMACK)
src_runcon_LDADD += $(LIB_SELINUX)
+src_runcon_LDADD += $(LIB_SECCOMP)
src_stat_LDADD += $(LIB_SELINUX)
# for nvlist_lookup_uint64_array
#include <getopt.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
+#ifdef HAVE_SECCOMP
+# include <seccomp.h>
+# include <sys/ioctl.h>
+#endif
#include <sys/types.h>
#include "system.h"
#include "die.h"
exit (status);
}
+static void
+disable_tty_inject (void)
+{
+#ifdef HAVE_SECCOMP
+ scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_ALLOW);
+ if (! ctx)
+ die (EXIT_FAILURE, 0, _("failed to initialize seccomp context"));
+ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1,
+ SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0)
+ die (EXIT_FAILURE, 0, _("failed to add seccomp rule"));
+ if (seccomp_load (ctx) < 0)
+ die (EXIT_FAILURE, 0, _("failed to load seccomp rule"));
+ seccomp_release (ctx);
+#else
+ /* This may have unwanted side effects, but is a fallback
+ on older systems without libseccomp. */
+ if (setsid () != 0)
+ die (EXIT_FAILURE, errno, _("cannot create session"));
+#endif /* HAVE_SECCOMP */
+}
+
+
int
main (int argc, char **argv)
{
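Review bot: The non-seccomp fallback `if (setsid () != 0)` treats success as failure: setsid() returns the new session ID (the caller's PID) on success and -1 only on error, so a build without libseccomp would always die with "cannot create session"; the test should be `if (setsid () < 0)`. Even with that fixed, setsid() fails with EPERM when the caller is already a process-group leader, which is the normal case for a command started by an interactive shell, so the fallback is unlikely to work where the TIOCSTI attack matters; documenting that limitation in the comment would help. Separately, loading a seccomp filter without CAP_SYS_ADMIN requires no_new_privs, which libseccomp sets by default, and SELinux kernels refuse domain transitions on exec for such processes unless policy allows it, so this filter may prevent runcon from changing context at all on some systems; this needs verifying on a target kernel/policy before the approach is relied on. The `(int) TIOCSTI` cast in the SCMP_A1 comparison is also suspect on architectures where the ioctl number has the top bit set, since the sign-extended value would not match the unsigned request register; `(unsigned long) TIOCSTI` avoids that.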
die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"),
program_name);
+ disable_tty_inject ();
+
if (context)
{
con = context_new (context);
tests/misc/readlink-root.sh \
tests/misc/realpath.sh \
tests/misc/runcon-no-reorder.sh \
+ tests/misc/runcon-no-inject.sh \
tests/misc/sha1sum.pl \
tests/misc/sha1sum-vec.pl \
tests/misc/sha224sum.pl \
--- /dev/null
+#!/bin/sh
+# Ensure that runcon does not reorder its arguments.
+
+# Copyright (C) 2017 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ runcon
+
+cat <<\EOF >inject.py || framework_failure_
+import fcntl, termios
+fcntl.ioctl(0, termios.TIOCSTI, '\n')
+EOF
+
+python inject.py || skip_ 'python TIOCSTI check failed'
+
+returns_ 1 runcon $(id -Z) python inject.py || fail=1
+
+Exit $fail
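Review bot: The header comment `# Ensure that runcon does not reorder its arguments.` was copied from runcon-no-reorder.sh and describes the wrong test; it should read `# Ensure that runcon's children cannot use TIOCSTI to inject input into the terminal.` Note also that the probe `python inject.py` needs fd 0 to be a terminal, so under any harness that redirects stdin the test always skips and the mitigation is never exercised; running the commands under a pseudo-terminal (e.g. Python's `pty` module, or `script` where available) would let it run in CI. The `returns_ 1` check also relies on python exiting 1 on the EPERM exception, which is fine, but a one-line comment saying so would make the expected failure mode explicit.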