cdown / rpms / util-linux

Forked from rpms/util-linux 2 years ago
Clone
05ad79
diff -up util-linux-2.23.2/sys-utils/Makemodule.am.kzak util-linux-2.23.2/sys-utils/Makemodule.am
05ad79
--- util-linux-2.23.2/sys-utils/Makemodule.am.kzak	2015-06-26 10:21:34.337221288 +0200
05ad79
+++ util-linux-2.23.2/sys-utils/Makemodule.am	2015-06-26 10:22:18.719885983 +0200
05ad79
@@ -308,7 +308,7 @@ if BUILD_NSENTER
05ad79
 usrbin_exec_PROGRAMS += nsenter
05ad79
 dist_man_MANS += sys-utils/nsenter.1
05ad79
 nsenter_SOURCES = sys-utils/nsenter.c
05ad79
-nsenter_LDADD = $(LDADD) libcommon.la
05ad79
+nsenter_LDADD = $(LDADD) libcommon.la $(SELINUX_LIBS)
05ad79
 endif
05ad79
 
05ad79
 if BUILD_HWCLOCK
05ad79
diff -up util-linux-2.23.2/sys-utils/nsenter.1.kzak util-linux-2.23.2/sys-utils/nsenter.1
05ad79
--- util-linux-2.23.2/sys-utils/nsenter.1.kzak	2015-06-26 10:14:00.947646586 +0200
05ad79
+++ util-linux-2.23.2/sys-utils/nsenter.1	2015-06-26 10:21:34.337221288 +0200
05ad79
@@ -155,6 +155,11 @@ Do not fork before exec'ing the specifie
05ad79
 PID namespace, \fBnsenter\fP calls \fBfork\fP before calling \fBexec\fP so that
05ad79
 any children will also be in the newly entered PID namespace.
05ad79
 .TP
05ad79
+\fB\-Z\fR, \fB\-\-follow\-context\fR
05ad79
+Set the SELinux security context used for executing a new process according to
05ad79
+already running process specified by \fB\-\-target\fR PID. (The util-linux has
05ad79
+to be compiled with SELinux support otherwise the option is unavailable.)
05ad79
+.TP
05ad79
 \fB\-V\fR, \fB\-\-version\fR
05ad79
 Display version information and exit.
05ad79
 .TP
05ad79
@@ -163,10 +168,14 @@ Display help text and exit.
05ad79
 .SH SEE ALSO
05ad79
 .BR setns (2),
05ad79
 .BR clone (2)
05ad79
-.SH AUTHOR
05ad79
-.MT ebiederm@xmission.com
05ad79
+.SH AUTHORS
05ad79
+.UR biederm@xmission.com
05ad79
 Eric Biederman
05ad79
-.ME
05ad79
+.UE
05ad79
+.br
05ad79
+.UR kzak@redhat.com
05ad79
+Karel Zak
05ad79
+.UE
05ad79
 .SH AVAILABILITY
05ad79
 The nsenter command is part of the util-linux package and is available from
05ad79
 .UR ftp://\:ftp.kernel.org\:/pub\:/linux\:/utils\:/util-linux/
05ad79
diff -up util-linux-2.23.2/sys-utils/nsenter.c.kzak util-linux-2.23.2/sys-utils/nsenter.c
05ad79
--- util-linux-2.23.2/sys-utils/nsenter.c.kzak	2015-06-26 10:14:00.947646586 +0200
05ad79
+++ util-linux-2.23.2/sys-utils/nsenter.c	2015-06-26 10:21:34.337221288 +0200
05ad79
@@ -30,6 +30,10 @@
05ad79
 #include <sys/wait.h>
05ad79
 #include <grp.h>
05ad79
 
05ad79
+#ifdef HAVE_LIBSELINUX
05ad79
+# include <selinux/selinux.h>
05ad79
+#endif
05ad79
+
05ad79
 #include "strutils.h"
05ad79
 #include "nls.h"
05ad79
 #include "c.h"
05ad79
@@ -82,6 +86,9 @@ static void usage(int status)
05ad79
 	fputs(_(" -r, --root[=<dir>]     set the root directory\n"), out);
05ad79
 	fputs(_(" -w, --wd[=<dir>]       set the working directory\n"), out);
05ad79
 	fputs(_(" -F, --no-fork          do not fork before exec'ing <program>\n"), out);
05ad79
+#ifdef HAVE_LIBSELINUX
05ad79
+	fputs(_(" -Z, --follow-context   set SELinux context according to --target PID\n"), out);
05ad79
+#endif
05ad79
 
05ad79
 	fputs(USAGE_SEPARATOR, out);
05ad79
 	fputs(USAGE_HELP, out);
05ad79
@@ -185,6 +192,9 @@ int main(int argc, char *argv[])
05ad79
 		{ "wd", optional_argument, NULL, 'w' },
05ad79
 		{ "no-fork", no_argument, NULL, 'F' },
05ad79
 		{ "preserve-credentials", no_argument, NULL, OPT_PRESERVE_CRED },
05ad79
+#ifdef HAVE_LIBSELINUX
05ad79
+		{ "follow-context", no_argument, NULL, 'Z' },
05ad79
+#endif
05ad79
 		{ NULL, 0, NULL, 0 }
05ad79
 	};
05ad79
 
05ad79
@@ -194,6 +204,9 @@ int main(int argc, char *argv[])
05ad79
 	int do_fork = -1; /* unknown yet */
05ad79
 	uid_t uid = 0;
05ad79
 	gid_t gid = 0;
05ad79
+#ifdef HAVE_LIBSELINUX
05ad79
+	bool selinux = 0;
05ad79
+#endif
05ad79
 
05ad79
 	setlocale(LC_ALL, "");
05ad79
 	bindtextdomain(PACKAGE, LOCALEDIR);
05ad79
@@ -201,7 +214,7 @@ int main(int argc, char *argv[])
05ad79
 	atexit(close_stdout);
05ad79
 
05ad79
 	while ((c =
05ad79
-		getopt_long(argc, argv, "+hVt:m::u::i::n::p::U::S:G:r::w::F",
05ad79
+		getopt_long(argc, argv, "+hVt:m::u::i::n::p::U::S:G:r::w::FZ",
05ad79
 			    longopts, NULL)) != -1) {
05ad79
 		switch (c) {
05ad79
 		case 'h':
05ad79
@@ -275,11 +288,30 @@ int main(int argc, char *argv[])
05ad79
 		case OPT_PRESERVE_CRED:
05ad79
 			preserve_cred = 1;
05ad79
 			break;
05ad79
+#ifdef HAVE_LIBSELINUX
05ad79
+		case 'Z':
05ad79
+			selinux = 1;
05ad79
+			break;
05ad79
+#endif
05ad79
 		default:
05ad79
 			usage(EXIT_FAILURE);
05ad79
 		}
05ad79
 	}
05ad79
 
05ad79
+#ifdef HAVE_LIBSELINUX
05ad79
+	if (selinux && is_selinux_enabled() > 0) {
05ad79
+		char *scon = NULL;
05ad79
+
05ad79
+		if (!namespace_target_pid)
05ad79
+			errx(EXIT_FAILURE, _("no target PID specified for --follow-context"));
05ad79
+		if (getpidcon(namespace_target_pid, &scon) < 0)
05ad79
+			errx(EXIT_FAILURE, _("failed to get %d SELinux context"),
05ad79
+					(int) namespace_target_pid);
05ad79
+		if (setexeccon(scon) < 0)
05ad79
+			errx(EXIT_FAILURE, _("failed to set exec context to '%s'"), scon);
05ad79
+		freecon(scon);
05ad79
+	}
05ad79
+#endif
05ad79
 	/*
05ad79
 	 * Open remaining namespace and directory descriptors.
05ad79
 	 */