sandbox: do not run xmodmap in a new X session

Message ID	1474472393-2208-1-git-send-email-plautrba@redhat.com (mailing list archive)
State	Not Applicable
Headers	show Return-Path: <selinux-bounces@tycho.nsa.gov> IronPort-PHdr: =?us-ascii?q?9a23=3AOHKGkBz/7LfkOQvXCy+O+j09IxM/srCxBDY+r6Qd?= =?us-ascii?q?0e8WIJqq85mqBkHD//Il1AaPBtSBraoewLqG+4nbGkU4qa6bt34DdJEeHzQksu?= =?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2WVTerzWI4CIIHV2nbEwu?= =?us-ascii?q?d76zQtSZ35T//tvx0qWbWx9Piju5bOE6BzSNhiKViPMrh5B/IL060BrDrygAUe?= =?us-ascii?q?1XwWR1OQDbxE6ktY+N5porzwB887JkrpYBAu3GePEjQLhZCik2G3wk783s8x/Y?= =?us-ascii?q?RE2A4WVPfH8Rl09wDhTfpDXzQ4vruCLxtqIpwC2TINHsR7kcQzmu7653DhTvjX?= =?us-ascii?q?FUZHYC7GjLh5ko3+pgqxW7qkk6mtbZ?= IronPort-PHdr: =?us-ascii?q?9a23=3A2cDKwBVLKK+JYBF7TSshG6k6p9fV8LGtZVwlr6E/?= =?us-ascii?q?grcLSJyIuqrYZheCt8tkgFKBZ4jH8fUM07OQ6PG6HzRaqsbR+Fk5M7V0Hycfjs?= =?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aJBzzOEJP?= =?us-ascii?q?K/jvHcaK1oLshrr0o8eYM1UArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?= =?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Lpyv/JHBL73e6U+UKxwECUtM2dz4tbi8xbE?= =?us-ascii?q?U1ih/HwZB10bjgAAJwHY8AvwV5zx+n/isuNgxDOQNOXsQLw0UCjk5KBuHky7wB?= =?us-ascii?q?wbPiI0pTmEwvd7i7hW9Uqs?= From: Petr Lautrbach <plautrba@redhat.com> To: selinux@tycho.nsa.gov Subject: [PATCH] sandbox: do not run xmodmap in a new X session Date: Wed, 21 Sep 2016 17:39:53 +0200 Message-Id: <1474472393-2208-1-git-send-email-plautrba@redhat.com> In-Reply-To: <45d0fdf5-48ad-242c-fa77-314bdf052bb7@tycho.nsa.gov> References: <45d0fdf5-48ad-242c-fa77-314bdf052bb7@tycho.nsa.gov> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Message ID

1474472393-2208-1-git-send-email-plautrba@redhat.com (mailing list archive)

State

Not Applicable

Headers

IronPort-PHdr: =?us-ascii?q?9a23=3AOHKGkBz/7LfkOQvXCy+O+j09IxM/srCxBDY+r6Qd?=
	=?us-ascii?q?0e8WIJqq85mqBkHD//Il1AaPBtSBraoewLqG+4nbGkU4qa6bt34DdJEeHzQksu?=
	=?us-ascii?q?4x2zIaPcieFEfgJ+TrZSFpVO5LVVti4m3peRMNQJW2WVTerzWI4CIIHV2nbEwu?=
	=?us-ascii?q?d76zQtSZ35T//tvx0qWbWx9Piju5bOE6BzSNhiKViPMrh5B/IL060BrDrygAUe?=
	=?us-ascii?q?1XwWR1OQDbxE6ktY+N5porzwB887JkrpYBAu3GePEjQLhZCik2G3wk783s8x/Y?=
	=?us-ascii?q?RE2A4WVPfH8Rl09wDhTfpDXzQ4vruCLxtqIpwC2TINHsR7kcQzmu7653DhTvjX?=
	=?us-ascii?q?FUZHYC7GjLh5ko3+pgqxW7qkk6mtbZ?=
IronPort-PHdr: =?us-ascii?q?9a23=3A2cDKwBVLKK+JYBF7TSshG6k6p9fV8LGtZVwlr6E/?=
	=?us-ascii?q?grcLSJyIuqrYZheCt8tkgFKBZ4jH8fUM07OQ6PG6HzRaqsbR+Fk5M7V0Hycfjs?=
	=?us-ascii?q?sXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aJBzzOEJP?=
	=?us-ascii?q?K/jvHcaK1oLshrr0o8eYM1UArQH+SIs6FA+xowTVu5teqqpZAYF19CH0pGBVcf?=
	=?us-ascii?q?9d32JiKAHbtR/94sCt4MwrqHwI6Lpyv/JHBL73e6U+UKxwECUtM2dz4tbi8xbE?=
	=?us-ascii?q?U1ih/HwZB10bjgAAJwHY8AvwV5zx+n/isuNgxDOQNOXsQLw0UCjk5KBuHky7wB?=
	=?us-ascii?q?wbPiI0pTmEwvd7i7hW9Uqs?=
From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@tycho.nsa.gov
Subject: [PATCH] sandbox: do not run xmodmap in a new X session
Date: Wed, 21 Sep 2016 17:39:53 +0200
Message-Id: <1474472393-2208-1-git-send-email-plautrba@redhat.com>
In-Reply-To: <45d0fdf5-48ad-242c-fa77-314bdf052bb7@tycho.nsa.gov>
References: <45d0fdf5-48ad-242c-fa77-314bdf052bb7@tycho.nsa.gov>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>

Commit Message

Petr Lautrbach Sept. 21, 2016, 3:39 p.m. UTC

xmodmap causes Xephyr X server to reset itself when it's run before wm
and even right after wm. It causes termination of the server as we use
-terminate. The -terminate option seems be important enough in order not
to left running the server when the last client connection is closed.

This patch drops the execution of xmodmap from .sandboxrc until there's
a better solution.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/sandbox/sandbox | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Petr Lautrbach Sept. 21, 2016, 4 p.m. UTC | #1

On 09/21/2016 05:39 PM, Petr Lautrbach wrote:
> xmodmap causes Xephyr X server to reset itself when it's run before wm
> and even right after wm. It causes termination of the server as we use
> -terminate. The -terminate option seems be important enough in order not
> to left running the server when the last client connection is closed.
> 
> This patch drops the execution of xmodmap from .sandboxrc until there's
> a better solution.
> 

Note that when I only removed -terminate from Xephyr command line,
xmodmap didn't modify keymaps anyway.

And using the Fedora patch with "-terminate -reset" is the same as just
drop "-terminate" as "-reset" overrides "-terminate" option and -reset
is used by default.





> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>  policycoreutils/sandbox/sandbox | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 726ba9b..4ed57c1 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -282,7 +282,7 @@ class Sandbox:
>                  command += "'%s' " % p
>              fd.write("""#! /bin/sh
>  #TITLE: %s
> -/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
> +# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>  %s &
>  WM_PID=$!
>  dbus-launch --exit-with-session %s
>

Stephen Smalley Sept. 21, 2016, 4:35 p.m. UTC | #2

On 09/21/2016 12:00 PM, Petr Lautrbach wrote:
> On 09/21/2016 05:39 PM, Petr Lautrbach wrote:
>> xmodmap causes Xephyr X server to reset itself when it's run before wm
>> and even right after wm. It causes termination of the server as we use
>> -terminate. The -terminate option seems be important enough in order not
>> to left running the server when the last client connection is closed.
>>
>> This patch drops the execution of xmodmap from .sandboxrc until there's
>> a better solution.
>>
> 
> Note that when I only removed -terminate from Xephyr command line,
> xmodmap didn't modify keymaps anyway.
> 
> And using the Fedora patch with "-terminate -reset" is the same as just
> drop "-terminate" as "-reset" overrides "-terminate" option and -reset
> is used by default.

Thanks for investigating it further.  Applied.

> 
> 
> 
> 
> 
>> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
>> ---
>>  policycoreutils/sandbox/sandbox | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
>> index 726ba9b..4ed57c1 100644
>> --- a/policycoreutils/sandbox/sandbox
>> +++ b/policycoreutils/sandbox/sandbox
>> @@ -282,7 +282,7 @@ class Sandbox:
>>                  command += "'%s' " % p
>>              fd.write("""#! /bin/sh
>>  #TITLE: %s
>> -/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>> +# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>>  %s &
>>  WM_PID=$!
>>  dbus-launch --exit-with-session %s
>>
> 
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 726ba9b..4ed57c1 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -282,7 +282,7 @@  class Sandbox:
                 command += "'%s' " % p
             fd.write("""#! /bin/sh
 #TITLE: %s
-/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
+# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
 %s &
 WM_PID=$!
 dbus-launch --exit-with-session %s

sandbox: do not run xmodmap in a new X session

Commit Message

Comments

Patch