diff mbox

[2/2] sandbox: create a new session for sandboxed processes

Message ID 20160923172416.25050-2-plautrba@redhat.com (mailing list archive)
State Not Applicable
Headers show

Commit Message

Petr Lautrbach Sept. 23, 2016, 5:24 p.m. UTC 
It helps to prevent sandboxed processes to inject arbitrary commands
into the parent.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 policycoreutils/sandbox/sandbox | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

Comments

Stephen Smalley Sept. 23, 2016, 7:55 p.m. UTC | #1 
On 09/23/2016 01:24 PM, Petr Lautrbach wrote:
> It helps to prevent sandboxed processes to inject arbitrary commands
> into the parent.
> 
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>

Thanks, both patches applied.

> ---
>  policycoreutils/sandbox/sandbox | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 9cc13c2..07c340c 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -471,10 +471,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
>                      cmds += ["--"] + self.__paths
>                  return subprocess.Popen(cmds).wait()
>  
> -            selinux.setexeccon(self.__execcon)
> -            rc = subprocess.Popen(self.__cmds).wait()
> -            selinux.setexeccon(None)
> -            return rc
> +            pid = os.fork()
> +            if pid == 0:
> +                rc = os.setsid()
> +                if rc:
> +                    return rc
> +                selinux.setexeccon(self.__execcon)
> +                os.execv(self.__cmds[0], self.__cmds)
> +            rc = os.waitpid(pid, 0)
> +            return os.WEXITSTATUS(rc[1])
>  
>          finally:
>              for i in self.__paths:
>
diff mbox

Patch

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 9cc13c2..07c340c 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -471,10 +471,15 @@  sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
                     cmds += ["--"] + self.__paths
                 return subprocess.Popen(cmds).wait()
 
-            selinux.setexeccon(self.__execcon)
-            rc = subprocess.Popen(self.__cmds).wait()
-            selinux.setexeccon(None)
-            return rc
+            pid = os.fork()
+            if pid == 0:
+                rc = os.setsid()
+                if rc:
+                    return rc
+                selinux.setexeccon(self.__execcon)
+                os.execv(self.__cmds[0], self.__cmds)
+            rc = os.waitpid(pid, 0)
+            return os.WEXITSTATUS(rc[1])
 
         finally:
             for i in self.__paths: