This reverts commit
v8.27-97-g8cb06d4 because
the setsid() fallback was not implemented correctly
and disabling the ioctl was not a complete solution
to the security issue of the child being passed
the tty of the parent.
Given that runcon is not really a sandboxing command,
the recommended workaround is to use `runcon ... setsid ...`
to avoid this particular issue.
non regular files are specified, as inotify is ineffective with these.
[bug introduced with inotify support added in coreutils-7.5]
- runcon now disables use of the TIOCSTI ioctl in its children, which could
- be used to inject commands to the terminal and run at the original context.
- [the issue dates back to the initial implementation]
-
uptime no longer outputs the AM/PM component of the current time,
as that's inconsistent with the 24 hour time format used.
[bug introduced in coreutils-7.0]
esac
fi
])
-
- # Used by runcon.c
- LIB_SECCOMP=
- AC_SUBST([LIB_SECCOMP])
- if test "$with_selinux" != no; then
- AC_SEARCH_LIBS([seccomp_init], [seccomp],
- [test "$ac_cv_search_seccomp_init" = "none required" ||
- LIB_SECCOMP=$ac_cv_search_seccomp_init
- AC_DEFINE([HAVE_SECCOMP], [1], [libseccomp usability])],
- [test "$ac_cv_header_selinux_selinux_h" = yes &&
- AC_MSG_WARN([libseccomp library was not found or not usable])
- AC_MSG_WARN([runcon will be vulnerable to tty injection])])
- fi
LIBS=$coreutils_saved_libs
# Used by sort.c.
src_mknod_LDADD += $(LIB_SELINUX)
src_mknod_LDADD += $(LIB_SMACK)
src_runcon_LDADD += $(LIB_SELINUX)
-src_runcon_LDADD += $(LIB_SECCOMP)
src_stat_LDADD += $(LIB_SELINUX)
# for nvlist_lookup_uint64_array
#include <getopt.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
-#ifdef HAVE_SECCOMP
-# include <seccomp.h>
-# include <sys/ioctl.h>
-#endif
#include <sys/types.h>
#include "system.h"
#include "die.h"
exit (status);
}
-static void
-disable_tty_inject (void)
-{
-#ifdef HAVE_SECCOMP
- scmp_filter_ctx ctx = seccomp_init (SCMP_ACT_ALLOW);
- if (! ctx)
- die (EXIT_FAILURE, 0, _("failed to initialize seccomp context"));
- if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EPERM), SCMP_SYS (ioctl), 1,
- SCMP_A1 (SCMP_CMP_EQ, (int) TIOCSTI)) < 0)
- die (EXIT_FAILURE, 0, _("failed to add seccomp rule"));
- if (seccomp_load (ctx) < 0)
- die (EXIT_FAILURE, 0, _("failed to load seccomp rule"));
- seccomp_release (ctx);
-#else
- /* This may have unwanted side effects, but is a fallback
- on older systems without libseccomp. */
- if (setsid () != 0)
- die (EXIT_FAILURE, errno, _("cannot create session"));
-#endif /* HAVE_SECCOMP */
-}
-
-
int
main (int argc, char **argv)
{
die (EXIT_FAILURE, 0, _("%s may be used only on a SELinux kernel"),
program_name);
- disable_tty_inject ();
-
if (context)
{
con = context_new (context);
tests/misc/readlink-root.sh \
tests/misc/realpath.sh \
tests/misc/runcon-no-reorder.sh \
- tests/misc/runcon-no-inject.sh \
tests/misc/sha1sum.pl \
tests/misc/sha1sum-vec.pl \
tests/misc/sha224sum.pl \
+++ /dev/null
-#!/bin/sh
-# Ensure that runcon does not reorder its arguments.
-
-# Copyright (C) 2017 Free Software Foundation, Inc.
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
-print_ver_ runcon
-
-cat <<\EOF >inject.py || framework_failure_
-import fcntl, termios
-fcntl.ioctl(0, termios.TIOCSTI, '\n')
-EOF
-
-python inject.py || skip_ 'python TIOCSTI check failed'
-
-returns_ 1 runcon $(id -Z) python inject.py || fail=1
-
-Exit $fail